No install errors, but getting ERR_CONNECTION_TIMED_OUT


#1

Hi,

Ubuntu 16.04, Nginx, Lightsail, but I’ve been gleaning instructions from DigitalOcean and others.

/etc/nginx/conf.d/myconfig.conf
server {
    listen 443 ssl;
    server_name netplusdesign.net;

    # certificate issued by the letsencrypt command below
    ssl_certificate /etc/letsencrypt/live/netplusdesign.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/netplusdesign.net/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'long string of stuff';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    root /home/ubuntu/html/netplusdesign.net;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    # server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # ACME http-01 challenge files must stay reachable
    location ~ /.well-known {
        allow all;
    }
}

# plain HTTP: redirect everything to HTTPS
server {
    listen 80;
    server_name netplusdesign.net;
    return 301 https://$host$request_uri;
}
server {
listen 80;
server_name netplusdesign.net;
return 301 https://$host$request_uri;
}

sudo letsencrypt certonly --webroot --force-renewal -w /home/ubuntu/html/netplusdesign.net -d netplusdesign.net -w /home/ubuntu/html/uphillhouse.netplusdesign.net -d uphillhouse.netplusdesign.net

No errors. But when I try to access https://netplusdesign.net I get ERR_CONNECTION_TIMED_OUT in Chrome. All worked fine using http before I ran the Let’s Encrypt command.

Just need help understanding how to troubleshoot this. Thanks for your help.


#2

Your server isn’t reachable on port 443. This could be a firewall thing or, if applicable, a portmap thing if behind a NAT router et cetera.


#3

I’ve run sudo ufw allow 443 so I don’t think it’s a firewall thing. Not sure how to diagnose a port map thing.


#4

Hi uphillhouse,

It’s definitely a firewall thing (could be the provider firewall or your system firewalling).

As an aside, please firewall SSH. You generally don’t want SSH access open to the entire internet (limit SSH access to your home static IP, for example).

Run sudo ufw status and it should tell you what ports are open to whom (note that for 443 and 80 you should allow all if this is going to be a web server).

Compare your SSH, HTTP and HTTPS settings to give you an idea of how to configure it.


#5

@ahaw021 Thanks for your help, I realize this is likely outside the scope of Let’s Encrypt help.

I think you did your scan while I was trying a different server. Everything is switched back now. And re: SSH, I don’t have a static IP, thus open anywhere. Although I might be able to limit it to a range. Will try that soon, thx.

If I run sudo ufw status verbose I get:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
443                        ALLOW IN    Anywhere
22                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443 (v6)                   ALLOW IN    Anywhere (v6)
22 (v6)                    ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)

I downloaded and installed nmap, thanks for the hint. nmap says…

Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-05 08:30 EST
Nmap scan report for netplusdesign.net (34.198.163.201)
Host is up (0.030s latency).
rDNS record for 34.198.163.201: ec2-34-198-163-201.compute-1.amazonaws.com
Not shown: 98 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 2.17 seconds

That just doesn’t make sense.


#6

What are your Lightsail firewall rules set to? Did you add one for port 443? Was it included by default?

https://lightsail.aws.amazon.com/ls/docs/overview/article/understanding-firewall-and-port-mappings-in-amazon-lightsail


#7

That was it! I had enabled it using ‘ufw’. I didn’t realize Amazon was overruling the setting. I had to use the UI to open the port. It was not open by default. Unbelievable how much time I spent on this simple thing. Thank you so much!
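Added example, not code from any post in this thread: a shell script that walks, in order, the checks posts #2 through #7 arrived at one by one. The confusing state in #5 (ufw shows 443 ALLOW IN, nmap from outside shows it filtered, 22 and 80 open) is exactly what a provider firewall produces: ufw is consulted only for packets that reach the instance, and Lightsail drops 443 before that. The script separates “nothing listening”, “host firewall blocks it” and “dropped upstream” and explains what each nmap port state means. The instance name is an assumption, the aws lightsail subcommands are real AWS CLI commands that need a configured CLI, and the ufw status text in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Walks the reachability ladder for a
# TLS port on a Lightsail box: local listener -> host firewall (ufw) ->
# loopback probe -> provider firewall (Lightsail) -> external probe.
# INSTANCE is an assumed Lightsail instance name; change it.

PORT="${PORT:-443}"
INSTANCE="${INSTANCE:-netplusdesign-web}"   # assumption: your Lightsail instance name

# classify_nmap_state STATE: explain what an nmap port state means for the
# "ufw says allowed, nmap says filtered" situation from post #5.
#   open     = the service answered (SYN/ACK)
#   closed   = the host answered with RST: reachable, but nothing listening
#   filtered = no answer at all: something on the path silently dropped it
classify_nmap_state() {
  case "$1" in
    open)     echo "reachable: the service answered" ;;
    closed)   echo "host reached but nothing listening: check 'ss -ltn' and the nginx listen line" ;;
    filtered) echo "dropped on the path: host firewall (ufw) or provider firewall (Lightsail console)" ;;
    *)        echo "unknown nmap state: $1" >&2; return 1 ;;
  esac
}

# ufw_allows PORT STATUS_TEXT: succeed if STATUS_TEXT (output of 'ufw status'
# or 'ufw status verbose') has an inbound ALLOW rule for PORT or PORT/tcp.
# Non-verbose output prints "ALLOW", verbose prints "ALLOW IN"; both match.
ufw_allows() {
  printf '%s\n' "$2" | awk -v p="$1" '
    ($1 == p || $1 == p "/tcp") && $2 == "ALLOW" && $3 != "OUT" { found = 1 }
    END { exit !found }'
}

run_ladder() {
  echo "[1] local listener on :$PORT (no line = nginx is not bound there)"
  ss -ltn "sport = :$PORT"

  echo "[2] host firewall"
  if ufw_allows "$PORT" "$(sudo ufw status verbose)"; then
    echo "    ufw allows $PORT"
  else
    echo "    ufw does NOT allow $PORT -> sudo ufw allow $PORT/tcp"
  fi

  echo "[3] loopback probe (bypasses every firewall; proves nginx + cert work)"
  curl -skI --max-time 5 "https://127.0.0.1:$PORT/" | head -n 1

  echo "[4] provider firewall (enforced upstream of the instance; ufw never sees dropped packets)"
  aws lightsail get-instance-port-states --instance-name "$INSTANCE"
  echo "    to open it: aws lightsail open-instance-public-ports --instance-name $INSTANCE --port-info fromPort=$PORT,toPort=$PORT,protocol=tcp"

  echo "[5] external probe: from ANOTHER host run 'nmap -p $PORT <your-domain>'"
  echo "    and feed the STATE column to classify_nmap_state"
}

if [ "${1:-}" = run ]; then
  run_ladder
fi
```

Run it on the instance as `sh ladder.sh run`. If steps 1 to 3 pass and step 5 still reports filtered, the only thing left between the client and nginx is the provider firewall, which is where this thread ended up.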


#8

Well done, config looks good for your cert :smiley:

Providers like Amazon don’t technically overwrite the rules; they just block the traffic upstream :smiley:

As for your SSH, investigate port knocking. Please run it on a virtual machine first (in your lab), and note you may need to open some other ports as well.
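Added example, not code from any post in this thread: the simpler hardening suggested in #4 and planned in #5, restricting SSH to a known source range with ufw, as a baseline before or instead of port knocking. The range 203.0.113.0/24 is a documentation placeholder, not anything from the thread; `ufw limit` additionally rate-limits connection attempts from that range. The script only prints the ufw commands unless APPLY=1 is set, and it refuses a malformed CIDR because a typo there either locks you out or admits the wrong network.

```shell
#!/bin/sh
# Added example, not from the thread. Implements the advice in #4/#5: stop
# exposing SSH to Anywhere and admit it only from a known source range.
# 203.0.113.0/24 is a documentation range used as a placeholder; replace it.
# Prints the ufw commands by default; set APPLY=1 to execute them.

# valid_cidr CIDR: succeed only for a well-formed IPv4 CIDR (a.b.c.d/0-32).
valid_cidr() {
  ip="${1%/*}"
  bits="${1#*/}"
  [ "$ip" != "$1" ] || return 1                      # no '/' present
  case "$bits" in ''|*[!0-9]*) return 1 ;; esac      # prefix length must be digits
  [ "$bits" -le 32 ] || return 1
  old_ifs="$IFS"; IFS=.
  set -f; set -- $ip; set +f                          # split on '.', no globbing
  IFS="$old_ifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# run CMD...: execute, or just print with a '+' prefix when APPLY is not 1
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "+ $*"; fi
}

# restrict_ssh CIDR: admit SSH only from CIDR (rate-limited), then drop the
# open-to-Anywhere rule. Order matters: add the narrow rule first so a
# failure half-way never leaves you without any SSH rule at all.
# 'delete allow 22' matches the rule exactly as the thread added it
# (ufw allow 22); if yours was added as 22/tcp, delete that spelling instead.
restrict_ssh() {
  valid_cidr "$1" || { echo "refusing: '$1' is not an IPv4 CIDR" >&2; return 1; }
  run sudo ufw limit from "$1" to any port 22 proto tcp
  run sudo ufw delete allow 22
  run sudo ufw status verbose
}

if [ "${1:-}" = apply ]; then
  APPLY=1
  restrict_ssh "${2:?usage: $0 apply CIDR}"
fi
```

Keep your current SSH session open while applying it and test a fresh login from the allowed range before closing it; the Lightsail console browser SSH remains a fallback since it does not pass through this rule. Without a static IP, the honest options are a range your ISP actually assigns, a VPN endpoint with a fixed address, or the port knocking suggested above layered on top of this.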


#9

I like! I’ll give it a try. Thanks for the advice.
