SSL Certificate issue - site ok from 80 but inaccessible after SSL cert installation

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://www.test.shizuoka-kikoesupport.jp

I ran this command: sudo certbot --nginx -d test.shizuoka-kikoesupport.jp -d www.test.shizuoka-kikoesupport.jp --force-renewal

That was after initial install...in the hopes that I would be fixing the problem I am now inquiring about.

It produced this output: An inaccessible site (cannot connect...ssl protocol...or something like that) - I have reverted to serving on 80 only for now.

My web server is (include version): Nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04.6

My hosting provider, if applicable, is: Self hosted - physical device on premises

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Use Webmin but not for installation of SSL certs

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 4.1.1

My problem is: I am serving a site from /home/specific-directory

The directory is one that is accessible via sftp (in a jail). I got everything set up and am able to serve via 80 without any issues. The problem is that when I install my certbot ssl certificate the site becomes inaccessible. I tried clearing caches, using a different browser, accessing from a different access point (turn off wifi on phone to bypass local network), using private browser windows...basically everything I could think of but nothing works. Even stranger is that checking the site with ssllabs gives it an A+ rating. Note - there were a handful of "handshake errors" which I assume are the root of my access issues...?

Currently I've reverted (via my nginx config file) back to using only 80 but can quickly retry by using the certbot formatted nginx conf as I have done nothing to the cert.

Note - in early stages of trying to get this set up I somehow installed two separate certs (one for www.test.... and one without www... just test.shizuoka-kikoesupport.jp). I 'fixed' that by deleting one of the certs and having them reissued in 'combine' format.

I've worked on this off and on for about 7 days now...hoping for a Eureka moment but unfortunately have thus far had no success. Any advice or ideas will be much appreciated.

Jason

Is port 443 allowed too?


Thanks, yes, I should have pointed out that there is another site running on the same server that is being served from a directory in /var/www/html

It uses ssl issued from letsencrypt and works flawlessly. :slight_smile:

Allow both ports and let's see what's wrong: currently you are hosting the wrong site over 443, but that's expected. I assume they are both on the same nginx?


Thanks, yes, both on the same nginx. I have just now reverted to my config that uses ssl and am back in the same boat. I cannot access the site (maybe you can?) but oddly, again I get an A (hmm, not A+ this time) from SSLlabs. :frowning:

Also, I just noticed this error:

Revocation status Validation error
CRL ERROR: IOException occurred

I don't think that was there before when I checked with ssllabs

Also note this message from ssllabs --> This site works only in browsers with SNI support.

So, I guess that is my problem. I need to figure out how to allow my server to serve two different sites from the same machine....ah, that makes me realize that I misstated something in my original information. This is not an onsite server (I forgot...duh), it is on a host. I'm not familiar with SNI so I guess I need to do a bit of reading.

443 still has the wrong vhost. How is your nginx config? If you don't mind, could you run nginx -T and post it here?


Thanks and sorry for the silence. I had to step away from this and just managed to get back to it here this morning (Japan time). Nginx never fails to confuse me...in the end I needed to add "default_server" after the listen 443 lines to get it to work. I'm not entirely sure that I understand why...as another site on this same server, also served by Nginx and also with a cert issued by letsencrypt, works fine without that specification but, for some reason, nginx seemed to be confused as to which block to serve when using ssl. Possibly I have something configured less than ideally elsewhere but, for now, everything is up and running. Whew....

The sad thing is that this was just a test...I hope I can transition to the 'real' domain now that the test has been successfully completed. :slight_smile:

Thanks again for your help.
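As an added illustration (not a config posted in this thread), this is how two HTTPS server blocks on one nginx 1.18 instance can be laid out so that the choice of default is explicit rather than left to config order; the first site's host name, the certificate paths and the root directories are assumed. nginx picks the server block for a TLS connection by matching the client's SNI name against server_name; if the ClientHello carries no SNI, or the name matches no block, the default server for that listen socket answers, and without default_server that is simply whichever block happens to come first in the loaded config.

```nginx
# Added example, not from the thread. Host name of site 1, cert paths and
# root directories are assumptions; only the test.shizuoka-kikoesupport.jp
# names come from the original post.

# Site 1: the existing site, explicitly marked as the default for port 443.
# Clients without SNI (old tools, some scanners) land here on purpose.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name example-site.jp www.example-site.jp;   # assumed name

    ssl_certificate     /etc/letsencrypt/live/example-site.jp/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/example-site.jp/privkey.pem;    # assumed path
    root /var/www/html;
}

# Site 2: the test site. Selected purely by SNI, so both names must be listed
# in server_name exactly as they appear in the certificate's SAN list.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name test.shizuoka-kikoesupport.jp www.test.shizuoka-kikoesupport.jp;

    ssl_certificate     /etc/letsencrypt/live/test.shizuoka-kikoesupport.jp/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/test.shizuoka-kikoesupport.jp/privkey.pem;    # assumed path
    root /home/specific-directory;
}

# Plain-HTTP side: send everything to HTTPS for both sites.
server {
    listen 80;
    listen [::]:80;
    server_name example-site.jp www.example-site.jp
                test.shizuoka-kikoesupport.jp www.test.shizuoka-kikoesupport.jp;
    return 301 https://$host$request_uri;
}
```

After `nginx -t && systemctl reload nginx`, confirm which block answers for each name with `openssl s_client -connect <server-ip>:443 -servername test.shizuoka-kikoesupport.jp </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName` and compare against the same command run without `-servername`; the latter should show site 1's certificate, the former the test site's.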