Renew SSL of my website

Yes @schoen she did that and I see the server responding with a fresh chain :slight_smile:

Note the two commands were mixed in their response if you read carefully.

4 Likes

Whoops, sure enough, I just didn't look far enough down in the output to see that command mixed in.

Awesome!

3 Likes

hello

after I activate the Certificat the website downtime i don't know why?
please can you help me


502 Bad Gateway

nginx/1.15.5

That is bad news. Did it ever work after you restarted and got new cert?

Your DNS now points to 3.83.15.189 which is different than the IP you had yesterday. Was there anything else you changed since then?

If you could run sudo nginx -T and post the results we might be able to help identify the problem. I do not think the 502 is related to the new cert.

2 Likes

@seraj Oh, I just noticed your port 8080 for http-proxy is closed. Do you need that to be open?

PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  open   https
8080/tcp closed http-proxy
1 Like

root@ip-172-31-47-28:~# sudo nginx -T

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    include /etc/nginx/sites-enabled/*;

    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    gzip on;
    gzip_disable "msie6";

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types text/plain text/css application/json application/javascript  application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;



    include /etc/nginx/conf.d/*.conf;
}

# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    application/font-woff                            woff;
    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/sites-enabled/default:
server {
    listen 80;
    listen [::]:80 default_server ipv6only=on;
    return 301 https://$host$request_uri;
}

server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name library.mominoun.com;

    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/library.mominoun.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/library.mominoun.com/privkey.pem; # managed by Certbot

    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;

    location / {
       proxy_hide_header X-Frame-Options;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://172.31.47.28:8080;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }

     location /backend {
        rewrite /backend/(.*)$ /$1 break;
        proxy_hide_header X-Frame-Options;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:3000;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }


     pagespeed on;
     pagespeed FileCachePath "/var/cache/ngx_pagespeed/";
     pagespeed RewriteLevel OptimizeForBandwidth;

     location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
     add_header "" "";
     }


     location ~ "^/pagespeed_static/" { }
     location ~ "^/ngx_pagespeed_beacon$" { }


}

# configuration file /etc/nginx/snippets/ssl-params.conf:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;

# Add our strong Diffie-Hellman group
ssl_dhparam /etc/ssl/certs/dhparam.pem;

# configuration file /etc/nginx/sites-enabled/default.bak:
server {
    listen 80;
    server_name xlibrarys.com;

    location / {
       proxy_hide_header X-Frame-Options;
        proxy_pass http://172.31.47.28:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
     }
    pagespeed on;
 pagespeed FileCachePath "/var/cache/ngx_pagespeed/";
 pagespeed RewriteLevel OptimizeForBandwidth;

 location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
 add_header "" "";
 }


 location ~ "^/pagespeed_static/" { }
 location ~ "^/ngx_pagespeed_beacon$" { }
}


# configuration file /etc/nginx/conf.d/default.conf:
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}


# configuration file /etc/nginx/conf.d/pagespeed.conf:
pagespeed on;
pagespeed FetchWithGzip on;

pagespeed FileCachePath /run/shm/pagespeed_cache;
pagespeed RewriteLevel CoreFilters;

root@ip-172-31-47-28:~#

how can i open it

1 Like

@seraj I am puzzled. Why does your DNS point to 34.255.45.199 but the nginx command you just ran was from 172.31.47.28. What is the DNS IP pointing to?

For your port 8080 I would look at your Security Group - inbound and outbound.

Your nginx.conf is confusing.

You have this line:

include /etc/nginx/sites-enabled/*;

This causes 3 files to be included. These are:

/etc/nginx/sites-enabled/default
   (has port 80 default server)
   (has port 443 for library.mominoun.com)
   Update: And proxies to two destinations (see my next comment)
/etc/nginx/sites-enabled/default.bak
   (has port 80 for xlibrarys.com)
   (and proxies to 172.31.47.228:8080)
/etc/nginx/conf.d/default.conf
   (has port 80 for localhost)
   (is this even used?)

There is no server defined for the proxy 172.31.47.228:8080 (and the port is blocked as noted)

If somehow a request were made to xlibrarys.com port 80 it would proxy to a closed port with no known server. At least a server that is not shown or described. That could result in 502 Gateway error. I just do not know how anyone could make such a request from what you describe as the problem.

I cannot know which of these server conf files are valid. This is for you to know.

These are server configuration issues. It is hard to help when there are missing pieces. And, anyway, it is a complicated setup that is best handled in a forum for server configuration issues. I do not see anything wrong with the certificates for library.mominoun.com

2 Likes

Ah, I see now. You also have the above proxy_pass in the server for library.mominoun.com and port 443 (not just the xlibrarys.com server). This proxy request is failing which is why you get the 502 error. I do not know how I missed that.

But, I do not know what it should be. Your server conf should do what you need it to do. Only you know that.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.