Renew SSL of my website

Yes @schoen, she did that and I see the server responding with a fresh chain 🙂

Note the two commands were mixed in their response if you read carefully.


Whoops, sure enough, I just didn't look far enough down in the output to see that command mixed in.

Awesome!


hello

After I activated the certificate the website went down, I don't know why.
Please, can you help me?


502 Bad Gateway

nginx/1.15.5

That is bad news. Did it ever work after you restarted and got the new cert?

Your DNS now points to 3.83.15.189 which is different than the IP you had yesterday. Was there anything else you changed since then?

If you could run sudo nginx -T and post the results we might be able to help identify the problem. I do not think the 502 is related to the new cert.


@seraj Oh, I just noticed your port 8080 for http-proxy is closed. Do you need that to be open?

PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  open   https
8080/tcp closed http-proxy

root@ip-172-31-47-28:~# sudo nginx -T

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    include /etc/nginx/sites-enabled/*;

    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    gzip on;
    gzip_disable "msie6";

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types text/plain text/css application/json application/javascript  application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;



    include /etc/nginx/conf.d/*.conf;
}

# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    application/font-woff                            woff;
    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/sites-enabled/default:
server {
    listen 80;
    listen [::]:80 default_server ipv6only=on;
    return 301 https://$host$request_uri;
}

server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name library.mominoun.com;

    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/library.mominoun.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/library.mominoun.com/privkey.pem; # managed by Certbot

    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;

    location / {
       proxy_hide_header X-Frame-Options;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://172.31.47.28:8080;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }

     location /backend {
        rewrite /backend/(.*)$ /$1 break;
        proxy_hide_header X-Frame-Options;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:3000;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }


     pagespeed on;
     pagespeed FileCachePath "/var/cache/ngx_pagespeed/";
     pagespeed RewriteLevel OptimizeForBandwidth;

     location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
     add_header "" "";
     }


     location ~ "^/pagespeed_static/" { }
     location ~ "^/ngx_pagespeed_beacon$" { }


}

# configuration file /etc/nginx/snippets/ssl-params.conf:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;

# Add our strong Diffie-Hellman group
ssl_dhparam /etc/ssl/certs/dhparam.pem;

# configuration file /etc/nginx/sites-enabled/default.bak:
server {
    listen 80;
    server_name xlibrarys.com;

    location / {
       proxy_hide_header X-Frame-Options;
        proxy_pass http://172.31.47.28:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
     }
    pagespeed on;
 pagespeed FileCachePath "/var/cache/ngx_pagespeed/";
 pagespeed RewriteLevel OptimizeForBandwidth;

 location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
 add_header "" "";
 }


 location ~ "^/pagespeed_static/" { }
 location ~ "^/ngx_pagespeed_beacon$" { }
}


# configuration file /etc/nginx/conf.d/default.conf:
server {
    listen       80;
    server_name  localhost;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass   http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #    root           html;
    #    fastcgi_pass   127.0.0.1:9000;
    #    fastcgi_index  index.php;
    #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
    #    include        fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny  all;
    #}
}


# configuration file /etc/nginx/conf.d/pagespeed.conf:
pagespeed on;
pagespeed FetchWithGzip on;

pagespeed FileCachePath /run/shm/pagespeed_cache;
pagespeed RewriteLevel CoreFilters;

root@ip-172-31-47-28:~#

How can I open it?

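Two things in the posted snippets/ssl-params.conf deserve a second look before blaming the certificate. First, ssl_protocols still enables TLSv1 and TLSv1.1, both deprecated (RFC 8996). Second, nginx's add_header is not additive across levels: a location that contains any add_header of its own (the pagespeed location with `add_header "" "";`) discards every header set at server level, so those responses leave without HSTS, X-Frame-Options and X-Content-Type-Options, and without the `always` flag add_header is skipped on error responses altogether, including the 502 above. Below is an added, hardened variant of the relevant pieces, not the files from the thread. It assumes nginx built against OpenSSL 1.1.1 or later (for TLS 1.3), the Certbot path layout for chain.pem, and a snippet file name of security-headers.conf.

```nginx
# /etc/nginx/snippets/ssl-params.conf  (hardened replacement; added example)
ssl_protocols TLSv1.2 TLSv1.3;            # was: TLSv1 TLSv1.1 TLSv1.2
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
ssl_ecdh_curve X25519:prime256v1:secp384r1;   # was pinned to secp384r1 only
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# Issuer chain nginx uses to verify the stapled OCSP response. Path assumed
# from the Certbot layout already used for fullchain.pem above.
ssl_trusted_certificate /etc/letsencrypt/live/library.mominoun.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_dhparam /etc/ssl/certs/dhparam.pem;

# /etc/nginx/snippets/security-headers.conf  (new file; the name is an assumption)
# "always" makes nginx emit these on 4xx/5xx responses too, including a 502.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options nosniff always;

# /etc/nginx/sites-enabled/default  (the relevant parts of the 443 server)
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name library.mominoun.com;

    ssl_certificate     /etc/letsencrypt/live/library.mominoun.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/library.mominoun.com/privkey.pem;
    include snippets/ssl-params.conf;
    include snippets/security-headers.conf;

    location / {
        proxy_pass http://172.31.47.28:8080;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # no add_header in this block, so the server-level headers are inherited
    }

    location ~ "\.pagespeed\.([a-z]\.)?[a-z]{2}\.[^.]{10}\.[^.]+" {
        add_header "" "";
        # This block has its own add_header, which throws away the inherited set;
        # re-include the snippet so these responses keep HSTS and the other headers.
        include snippets/security-headers.conf;
    }
}
```

Apply with `sudo nginx -t && sudo systemctl reload nginx`, then compare `curl -sI https://library.mominoun.com/` against a path that hits the pagespeed location; both should now show the Strict-Transport-Security header. One caveat on the HSTS line, carried over unchanged from the posted snippet: `includeSubDomains; preload` is a request to be hard-coded into browsers as HTTPS-only for every subdomain, so keep it only if that is intended for all of mominoun.com's subdomains.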

@seraj I am puzzled. Why does your DNS point to 34.255.45.199 when the nginx command you just ran was from 172.31.47.28? What is the DNS IP pointing to?

For your port 8080 I would look at your Security Group - inbound and outbound.

Your nginx.conf is confusing.

You have this line:

include /etc/nginx/sites-enabled/*;

This causes 3 files to be included. These are:

/etc/nginx/sites-enabled/default
   (has port 80 default server)
   (has port 443 for library.mominoun.com)
   Update: And proxies to two destinations (see my next comment)
/etc/nginx/sites-enabled/default.bak
   (has port 80 for xlibrarys.com)
   (and proxies to 172.31.47.228:8080)
/etc/nginx/conf.d/default.conf
   (has port 80 for localhost)
   (is this even used?)

There is no server defined for the proxy 172.31.47.228:8080 (and the port is blocked as noted)

If somehow a request were made to xlibrarys.com port 80 it would proxy to a closed port with no known server. At least a server that is not shown or described. That could result in 502 Gateway error. I just do not know how anyone could make such a request from what you describe as the problem.

I cannot know which of these server conf files are valid. This is for you to know.

These are server configuration issues. It is hard to help when there are missing pieces. And, anyway, it is a complicated setup that is best handled in a forum for server configuration issues. I do not see anything wrong with the certificates for library.mominoun.com


Ah, I see now. You also have the above proxy_pass in the server for library.mominoun.com and port 443 (not just the xlibrarys.com server). This proxy request is failing which is why you get the 502 error. I do not know how I missed that.

But, I do not know what it should be. Your server conf should do what you need it to do. Only you know that.

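The diagnosis in the last two replies (a proxy_pass to a port nothing is listening on produces the 502) can be checked mechanically instead of by reading the dump by eye. The script below is an added example, not something posted in the thread: it pulls every proxy_pass target out of nginx configuration text such as the `sudo nginx -T` output above and tries a TCP connection to each, so the location that will 502 is named directly. The embedded config is a constructed sample modelled on the posted sites-enabled/default; the hosts and ports in it are taken from that file.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread above. It lists every proxy_pass
# target in an nginx configuration dump (what `sudo nginx -T` prints) and then
# tries a TCP connection to each one. A backend that refuses the connection is
# what nginx turns into "502 Bad Gateway" for the client, so this pinpoints the
# offending location block without guessing.

# Constructed sample modelled on the sites-enabled/default file posted above.
# In real use, feed the live dump instead:  sudo nginx -T | extract_upstreams
SAMPLE_CONFIG='
server {
    listen 443 ssl http2;
    location / {
        proxy_pass http://172.31.47.28:8080;
    }
    location /backend {
        rewrite /backend/(.*)$ /$1 break;
        proxy_pass http://localhost:3000;
    }
}
'

# extract_upstreams: read nginx config text on stdin, print "host port" for each
# distinct proxy_pass target. The port defaults from the scheme when omitted.
# (Targets that name an `upstream {}` block, or bracketed IPv6 literals, would
# need extra handling; the posted config only uses plain host:port forms.)
extract_upstreams() {
    sed -E -n 's#^[[:space:]]*proxy_pass[[:space:]]+(https?)://([^/;[:space:]]+).*;#\1 \2#p' |
    while read -r scheme hostport; do
        host=${hostport%%:*}
        port=${hostport##*:}
        if [ "$host" = "$hostport" ]; then
            # no explicit port: http -> 80, https -> 443
            if [ "$scheme" = https ]; then port=443; else port=80; fi
        fi
        printf '%s %s\n' "$host" "$port"
    done | sort -u
}

# check_backend HOST PORT: succeed (exit 0) if a TCP connect completes within
# 3 seconds. Uses nc when present, otherwise bash's /dev/tcp pseudo-device.
check_backend() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$1" "$2" >/dev/null 2>&1
    else
        timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" >/dev/null 2>&1
    fi
}

# report: run the check for every target and flag the ones that will 502.
report() {
    printf '%s\n' "$SAMPLE_CONFIG" | extract_upstreams | while read -r host port; do
        if check_backend "$host" "$port"; then
            printf 'OPEN    %s:%s\n' "$host" "$port"
        else
            printf 'CLOSED  %s:%s   <- requests proxied here get 502 Bad Gateway\n' "$host" "$port"
        fi
    done
}

report
```

Run it on the box that runs nginx, not from outside: the 172.31.x.x address is the instance's private address and a closed port seen from the internet (the 8080 in the scan above) says nothing about whether nginx itself can reach it. If the backend shows CLOSED locally as well, either start the service that should be on that port or change proxy_pass to wherever it actually listens; the certificate plays no part in that path.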
