Site not responding after adding certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mamstr.com

I ran this command: sudo certbot --nginx -d mamstr.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): myemail

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: A
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mamstr.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/mamstr

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/mamstr

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://mamstr.com

You should test your configuration at:
SSL Server Test: mamstr.com (Powered by Qualys SSL Labs)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mamstr.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mamstr.com/privkey.pem
   Your cert will expire on 2021-10-04. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot again with the "certonly"
   option. To non-interactively renew all of your certificates, run "certbot
   renew"
 - Your account credentials have been saved in your Certbot configuration
   directory at /etc/letsencrypt. You should make a secure backup of this
   folder now. This configuration directory will also contain certificates and
   private keys obtained by Certbot so making regular backups of this folder
   is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   Donate - Let's Encrypt
   Donating to EFF:                    Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

 - We were unable to subscribe you the EFF mailing list because your e-mail
   address appears to be invalid. You can try again later by visiting
   https://act.eff.org.

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

I tried to disable the Firewall as well, but it didn't work.

Hi @Arham-Aalam, and welcome to the LE community forum :slight_smile:

For the time being, let's have a look at that file, so we can disable the redirection and get HTTP working while we fix the HTTPS channel.


Thanks @rg305,
Here is my nginx configuration:

upstream mams-backend {
    server 0.0.0.0:8000;
}

server {
    server_name mamstr.com;
    client_max_body_size 32M;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static {
        alias /home/ubuntu/mamstr_server/static/;
    }
    location / {
        alias /home/ubuntu/mamstr_server/public/;
    }
    location /media {
        alias /home/ubuntu/mamstr_server/media/;
    }
    location ~^/(admin|api) {
        include proxy_params;
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto $scheme;
        #proxy_redirect off;
        #proxy_pass_header       X-CSRFToken;
        #proxy_set_header        Host $http_host;
        #proxy_pass_header       Set-Cookie;
        proxy_pass http://mams-backend;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mamstr.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mamstr.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = mamstr.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name mamstr.com;
    return 404; # managed by Certbot

}

The above configuration was working perfectly before adding Certbot.


Assuming that's just one file...
Change it to:

upstream mams-backend {
    server 0.0.0.0:8000;
}

server {
    server_name mamstr.com;
    client_max_body_size 32M;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static {
        alias /home/ubuntu/mamstr_server/static/;
    }
    location / {
        alias /home/ubuntu/mamstr_server/public/;
    }
    location /media {
        alias /home/ubuntu/mamstr_server/media/;
    }
    location ~^/(admin|api) {
        include proxy_params;
        proxy_pass http://mams-backend;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mamstr.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mamstr.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    listen 80;
    server_name mamstr.com;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static {
        alias /home/ubuntu/mamstr_server/static/;
    }
    location / {
        alias /home/ubuntu/mamstr_server/public/;
    }
    location /media {
        alias /home/ubuntu/mamstr_server/media/;
    }
    location ~^/(admin|api) {
        include proxy_params;
        proxy_pass http://mams-backend;
    }
}

OR
If you have an older/backup copy, then use that.

Then restart nginx.

Then please show the output of:
netstat -pant | grep -Ei 'nginx|:80|:443'
AND
ufw status

Done.

$ netstat -pant | grep -Ei 'nginx|:80|:443'
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      13018/python
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 IP:80         IP:11728   ESTABLISHED -
tcp        0      0 127.0.0.1:42152         127.0.0.1:8000          TIME_WAIT   -
tcp        0      0 IP.109:80         IP:11853   ESTABLISHED -
tcp        0      0 IP:80         IP:12327   ESTABLISHED -
tcp        0      0 127.0.0.1:42154         127.0.0.1:8000          TIME_WAIT   -
tcp        0      0 IP:80         IP:12339   ESTABLISHED -
tcp        0      0 IP:80         IP:11962   ESTABLISHED -
tcp        0      0 127.0.0.1:42150         127.0.0.1:8000          TIME_WAIT   -
tcp6       0      0 :::80                   :::*                    LISTEN      -
$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
443/tcp                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
22                         ALLOW       Anywhere
443                        ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
443/tcp (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)

Try:
sudo netstat -pant | grep -Ei 'nginx|:80|:443'

$ sudo netstat -pant | grep -Ei 'nginx|:80|:443'
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      15770/nginx: master
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      13018/python
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      15770/nginx: master
tcp        0      0 IP:80         IP:13360   ESTABLISHED 15771/nginx: worker
tcp6       0      0 :::80                   :::*                    LISTEN      15770/nginx: master

Well, so far, so good.
hmm...
Is there a NAT device in line?

Who is the hosting provider?
[AWS?]


Yes it is AWS Lightsail.

There should be an AWS control panel that must be configured to allow HTTPS (TCP port 443).

Then you can put back the previous config and restart nginx.


Give me a sec. let me check.

Thanks @rg305, you saved my day :raised_hands:
For anyone who has the same issue:
Just go to the AWS Lightsail networking section and add port 443.

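The sequence rg305 walked through above (is nginx listening, does ufw allow the port, is there a NAT or cloud firewall in front) as a script. This is an added example, not code from the thread: the `listening_on`, `ufw_allows`, `reachable` and `diagnose` helpers are constructed for illustration, the netstat and ufw excerpts in the demo are constructed excerpts modelled on the output posted above, and `reachable` uses curl exit codes to tell a refused connection from one that is silently dropped.

```shell
#!/bin/sh
# Added example, not from the thread: separate "nginx is not listening",
# "the host firewall blocks the port" and "something in front of the host
# blocks the port" (the Lightsail case above). The helpers read real command
# output on stdin so they can also be fed saved output from another machine.

# listening_on PORT: reads `ss -ltn` or `netstat -tln` output on stdin,
# true if any socket is in LISTEN state on that local port (IPv4 or IPv6).
listening_on() {
    grep -E '(^|[[:space:]])LISTEN([[:space:]]|$)' | grep -Eq "[:.]$1[[:space:]]"
}

# ufw_allows PORT: reads `ufw status` output on stdin, true if ufw is inactive
# or a rule allows PORT, PORT/tcp, or an nginx application profile covering it.
ufw_allows() {
    case "$1" in
        80)  prof='Nginx Full|Nginx HTTP' ;;
        443) prof='Nginx Full|Nginx HTTPS' ;;
        *)   prof='NO_PROFILE' ;;
    esac
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^Status: inactive' && return 0
    printf '%s\n' "$out" | grep -E '[[:space:]]ALLOW[[:space:]]' |
        grep -Eq "^($1(/tcp)?|$prof)[[:space:]]"
}

# reachable HOST PORT: one TCP connect with a short timeout. A plain-HTTP
# request to a TLS port gets an HTTP 400 from nginx, which still proves the
# connection went through. curl exit 7 = refused/reset, 28 = no answer at all.
reachable() {
    curl -sS -o /dev/null --connect-timeout 5 "http://$1:$2/" >/dev/null 2>&1
    rc=$?
    case $rc in
        0|52|56) echo "connected to $1:$2"; return 0 ;;
        7)  echo "refused or reset: nothing listening, or the host firewall rejects"; return 1 ;;
        28) echo "timed out: packets dropped, look at the cloud firewall or NAT in front"; return 1 ;;
        *)  echo "curl exit $rc"; return 1 ;;
    esac
}

# diagnose PORT HOST: the three checks in the order the thread followed.
diagnose() {
    port=$1; host=$2
    if ss -ltn 2>/dev/null | listening_on "$port"; then
        echo "1. something listens on :$port"
    else
        echo "1. nothing listens on :$port: check 'nginx -t' and the listen directives"; return 1
    fi
    if ! command -v ufw >/dev/null 2>&1; then
        echo "2. ufw not installed, nothing to check locally"
    elif sudo ufw status 2>/dev/null | ufw_allows "$port"; then
        echo "2. ufw allows :$port"
    else
        echo "2. ufw blocks :$port: sudo ufw allow 'Nginx Full'"; return 1
    fi
    echo "3. TCP probe of $host:$port (run this step from outside the cloud network):"
    reachable "$host" "$port"
}

# Constructed excerpts modelled on the thread's netstat/ufw output, for the demo.
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      13018/python
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -'
UFW_SAMPLE='Status: active

To                         Action      From
--                         ------      ----
Nginx Full                 ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
Nginx Full (v6)            ALLOW       Anywhere (v6)'

# Usage: sh diagnose.sh HOST [PORT]  (live checks), or no arguments for the demo.
if [ -n "${1:-}" ]; then
    diagnose "${2:-443}" "$1"
else
    printf '%s\n' "$NETSTAT_SAMPLE" | listening_on 443 && echo "sample: :443 is listening"
    printf '%s\n' "$UFW_SAMPLE" | ufw_allows 443 && echo "sample: ufw allows :443"
    echo "both local checks pass, so a failure from outside points at the cloud firewall or NAT"
fi
```

Run the `reachable` step from a machine outside the cloud network: from the instance itself, a hairpinned connection to its own public IP can succeed even while the Lightsail firewall drops Internet traffic to the port, which is exactly the state that passes both local checks above. A timeout (curl exit 28) rather than a refusal is the usual signature of a cloud firewall or security group, since those drop rather than reject.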

Now...
Some things to think about:

  • adding "www"
  • adding server cipher preference order
  • ordering "named groups"
  • hiding server signature

Didn't get this one.

curl -Iki https://mamstr.com/
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)

You don't need to tell the world what web server software (and version) you are using (and O/S).


Seems like I'm still learning new things :slight_smile:. Any tutorial or guide to follow for these best practices?

None that I have ever seen; it is more for the advanced security-concerned than Joe Average.


Here are some settings I use (for nginx):

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve sect571r1:secp521r1:X448:sect409r1:secp384r1;
ssl_ciphers ECDHE+CHACHA20:ECDHE+ARIA:ECDHE+AESGCM;
ssl_prefer_server_ciphers  on;

[note: I'm the paranoid type]
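The items rg305 lists above (hiding the server signature, server cipher preference, and the protocol list from his settings) as an audit of a vhost file, with the HTTP-to-HTTPS redirect that Certbot added included as a fourth check. This is an added example, not the thread's or nginx's own code: the `audit_nginx_conf` and `has_directive` helpers, the `example.com` paths and both sample configs are constructed. The "www" and named-groups items are not checked.

```shell
#!/bin/sh
# Added example, not from the thread: audit an nginx vhost file for the
# hardening points raised above. Sample configs and paths are constructed.

# has_directive FILE REGEX: true if an uncommented line of FILE matches REGEX.
has_directive() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -Eq "$2"
}

# audit_nginx_conf FILE: print PASS/FAIL per check, return the number of FAILs.
# "include" lines (e.g. options-ssl-nginx.conf) are not followed, so a
# directive that lives only in an included file shows as missing here.
audit_nginx_conf() {
    f=$1
    fails=0

    # 1. Server signature: server_tokens off drops the version and OS from the
    #    Server: header and error pages. The bare "Server: nginx" stays unless
    #    you use the headers-more module or rebuild nginx.
    if has_directive "$f" '^[[:space:]]*server_tokens[[:space:]]+off[[:space:]]*;'; then
        echo "PASS server_tokens off"
    else
        echo "FAIL server_tokens not off: Server: header leaks nginx version and OS"
        fails=$((fails + 1))
    fi

    # 2. Protocols: only TLSv1.2 and TLSv1.3; SSLv2/3, TLSv1 and TLSv1.1 are obsolete.
    if ! has_directive "$f" '^[[:space:]]*ssl_protocols[[:space:]]'; then
        echo "FAIL ssl_protocols not set in this file (nginx default or an included file applies)"
        fails=$((fails + 1))
    elif has_directive "$f" '^[[:space:]]*ssl_protocols[^;]*(SSLv[23]|TLSv1([[:space:]]|;)|TLSv1\.1)'; then
        echo "FAIL ssl_protocols enables a legacy protocol"
        fails=$((fails + 1))
    else
        echo "PASS ssl_protocols limited to TLSv1.2/TLSv1.3"
    fi

    # 3. Cipher preference: the server's order wins, not the client's.
    if has_directive "$f" '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on[[:space:]]*;'; then
        echo "PASS ssl_prefer_server_ciphers on"
    else
        echo "FAIL ssl_prefer_server_ciphers not on"
        fails=$((fails + 1))
    fi

    # 4. Plain HTTP should only redirect to HTTPS, not serve the site.
    if has_directive "$f" 'return[[:space:]]+30[18][[:space:]]+https://'; then
        echo "PASS HTTP redirects to HTTPS"
    else
        echo "FAIL no HTTP to HTTPS redirect found"
        fails=$((fails + 1))
    fi

    return "$fails"
}

# make_weak_conf FILE: constructed vhost with the defaults left in place.
make_weak_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers off;
    location / { root /var/www/html; }
}
server {
    listen 80;
    server_name example.com;
    location / { root /var/www/html; }
}
EOF
}

# make_hardened_conf FILE: the same vhost with the four points applied.
make_hardened_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name example.com;
    server_tokens off;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE+CHACHA20:ECDHE+AESGCM;
    ssl_prefer_server_ciphers on;
    location / { root /var/www/html; }
}
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
EOF
}

# Usage: sh audit.sh /etc/nginx/sites-enabled/mamstr   (no argument: audit both samples)
if [ -n "${1:-}" ]; then
    audit_nginx_conf "$1"
else
    weak=$(mktemp); hard=$(mktemp)
    make_weak_conf "$weak"; make_hardened_conf "$hard"
    echo "== weak sample =="
    audit_nginx_conf "$weak" || echo "$? finding(s)"
    echo "== hardened sample =="
    audit_nginx_conf "$hard" && echo "0 findings"
    rm -f "$weak" "$hard"
fi
```

Because the audit does not follow `include` lines, a Certbot-managed vhost whose protocol and cipher settings live only in `/etc/letsencrypt/options-ssl-nginx.conf` will report `ssl_protocols` as missing; run the script against that file as well, or put the directives in the vhost itself as rg305's settings do.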

Thanks for the note, I will try to use them carefully. LOL
