SSL Certificate Not Working

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: harmonyapp.org

I ran this command: sudo certbot --nginx

It produced this output:

```
(thought_sync_django-channels) [ec2-user@ip-172-31-38-94 thought_sync_django-channels]$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): malnatim@lafayette.edu


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server. Do you agree?


(Y)es/(N)o: y


Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: y
Account registered.
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): harmonyapp.org
Requesting a certificate for harmonyapp.org

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: harmonyapp.org
Type: connection
Detail: 3.217.114.187: Fetching http://harmonyapp.org/.well-known/acme-challenge/0HeBIdmxMKy2YuXlbFJZVWwE3BHJSDn2iWcUVj0I2tg: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

My web server is (include version): AWS Amazon Linux 2023

The operating system my web server runs on is (include version): Centos7 (unsure)

My hosting provider, if applicable, is: (unsure)

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No, I am using a terminal

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.11.0

You're using the --nginx plugin. Please make sure your nginx webserver is reachable on port 80 (HTTP) before trying to get a certificate.

2 Likes


Still same error

Still no working nginx (HTTP) webserver from my perspective.

Port 22 (SSH) and port 8001 seem to be open indeed, but no port 80 for HTTP.

1 Like

Seems to be running on my end:

Also not working when testing with Let's Debug.

I see your CLI mentions some "internal" hostname with a private range IP address. Is there some weird routing/mapping required perhaps to make nginx publicly accessible? I'm not familiar with AWS Amazon myself, but maybe something else needs to be done too.

1 Like

Is port 80 not opened by my security group?
Also does the status show that nginx is reversed proxy or do I need to reverse proxy it myself? Will this make it publicly accessible?

1 Like

That might not be enough. As said, I personally don't know anything about AWS.

If you mean the part after "Starting nginx.service", that's just the name/description of the nginx software.

No.

1 Like

Let's check the public IP for your EC2 instance. It must match what is in the DNS

You can use the AWS EC2 console. Or, just show output of this command

```
curl -4 https://ifconfig.io
```

You had a rule allowing all ports inbound so shouldn't need one for just HTTP. Usually you do just allow certain ports and not use a catch-all inbound. So, there is something more going on here.

4 Likes


Should I remove the catch-all inbound for now or remove it later?

Later is fine. If you could copy/paste the data from your terminal to these posts that makes it easier for us. We often want to copy/paste your info to our own tools and using pics makes that harder.

So, what does this say

```
sudo ss -pant | grep -i listen | grep -Ei ':80|:443'
```

2 Likes

Like this? Let me know if you want to change the formatting:

```
(thought_sync_django-channels) [ec2-user@ip-172-31-38-94 thought_sync_django-channels]$

LISTEN 0      511          0.0.0.0:80           0.0.0.0:*     users:(("nginx",pid=233737,fd=8),("nginx",pid=28208,fd=8))
LISTEN 0      511             [::]:80              [::]:*     users:(("nginx",pid=233737,fd=9),("nginx",pid=28208,fd=9))

(thought_sync_django-channels) [ec2-user@ip-172-31-38-94 thought_sync_django-channels]$
```

Yes, thanks. I added 3 backticks before and after to get the nice scrolled-box effect. You get bonus points for that :slight_smile:
```
info
```

So, nginx is listening on port 80. So far the DNS, EC2 and nginx looks okay.

Did you setup iptables at all? What does this show?

```
sudo iptables --list
```

2 Likes

What is prot opt source? I assume we want that to say our port?

```
(thought_sync_django-channels) [ec2-user@ip-172-31-38-94 thought_sync_django-channels]$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
(thought_sync_django-channels) [ec2-user@ip-172-31-38-94 thought_sync_django-channels]$
```

No, it's fine empty. That is for "fancy" things not the basic.

Hmmm. How did you setup the VPC? Did you make any VPC Network ACLs? Or firewall groups? Or, anything really?

It has been a long time since I setup my VPC so don't remember AWS defaults. Is yours a new AWS account?

The VPC console has these options (and more ...)

2 Likes

I may be forgetting what I did, but from what I can remember I am using an Elastic IP and a firewall:

```
sudo firewall-cmd --add-port=8001/tcp --permanent
```

Hang on. What's that then? Where did that command come from?

Are you running Docker containers?

2 Likes

I am not using Docker containers; I ran this on AWS.

You probably also want to allow port 80 (HTTP) and port 443 (HTTPS).

Then you need to configure that firewall to also allow port 80 and port 443 (for HTTPS later)

Also any other ports you want inbound traffic on

I'll add that since you have EC2 Security Groups, and even VPC ACL Rules available, you don't need a firewall in the o/s itself. But, it's up to you as to how you organize and manage your system.

2 Likes
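The checks the replies in this thread walk through (public IP versus DNS, whether nginx has a listener on port 80, whether the OS firewall lets port 80 in, and whether a plain HTTP request from outside gets any answer at all), collected as an added shell example. This is not code from the thread, from Certbot or from AWS: the script name, the function names and the `demo()` sample output are assumptions; the domain is the one from the thread. The parsing helpers read command output from stdin, so `demo()` exercises them on constructed sample output without touching a live host, while `--run` performs the live checks on the instance.

```shell
#!/bin/sh
# Added example (not from the thread, Certbot or AWS): the port-80
# reachability checks discussed above as POSIX sh functions. Parsing helpers
# take command output on stdin; run_checks() drives the real commands.

# Ports that have a LISTEN socket, parsed from `ss -pant` output on stdin.
# Column 4 is "Local Address:Port"; the port is whatever follows the last ':'
# ("0.0.0.0:80" and "[::]:80" both yield 80). One port per line.
listening_ports() {
  awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Succeeds when port $1 is among the listening ports read from stdin.
is_listening() {
  listening_ports | grep -qxF "$1"
}

# Succeeds when public IP $1 is one of the A records read from stdin
# (e.g. the output of `dig +short A harmonyapp.org`).
dns_points_here() {
  grep -qxF "$1"
}

# Succeeds when firewalld opens port $1/tcp, or the named service $2
# (http or https), given `firewall-cmd --list-ports` and
# `firewall-cmd --list-services` output on stdin.
firewalld_allows() {
  port=$1; svc=${2:-}
  for tok in $(cat); do
    case $tok in "$port/tcp"|"$svc") return 0 ;; esac
  done
  return 1
}

# Live walk-through on the instance: `sh check-port80.sh --run [domain]`.
# `ss -p` needs root to show which process owns the socket.
run_checks() {
  domain=${1:-harmonyapp.org}
  public_ip=$(curl -4 -s https://ifconfig.io)
  echo "public IP: $public_ip"
  if dig +short A "$domain" | dns_points_here "$public_ip"; then
    echo "DNS for $domain points at this instance"
  else
    echo "DNS for $domain does not point at $public_ip (check the Elastic IP)"
  fi
  if sudo ss -pant | is_listening 80; then
    echo "something is listening on :80"
  else
    echo "nothing listens on :80 (start nginx / check its config)"
  fi
  if command -v firewall-cmd >/dev/null 2>&1; then
    if { sudo firewall-cmd --list-ports; sudo firewall-cmd --list-services; } \
        | firewalld_allows 80 http; then
      echo "firewalld allows :80"
    else
      echo "firewalld blocks :80; open HTTP and HTTPS with:"
      echo "  sudo firewall-cmd --permanent --add-service=http --add-service=https"
      echo "  sudo firewall-cmd --reload"
    fi
  fi
  # What the CA sees from outside: any HTTP status (even a 404) beats a
  # timeout or refused connection, which is what a "Type: connection" failure
  # reports. The path token is made up; it is not a real challenge.
  curl -4 -sS -m 10 -o /dev/null \
    -w "HTTP %{http_code} from %{remote_ip} for $domain\n" \
    "http://$domain/.well-known/acme-challenge/connectivity-test" \
    || echo "no HTTP answer from the public address of $domain"
}

# Constructed sample output (not captured from the thread's host) so the
# parsers can be tried offline: sshd and nginx listening, nothing on 443,
# firewalld opened only 8001/tcp plus the default services.
demo() {
  ss_sample='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN 0      128          0.0.0.0:22           0.0.0.0:*      users:(("sshd",pid=900,fd=3))
LISTEN 0      511          0.0.0.0:80           0.0.0.0:*      users:(("nginx",pid=1200,fd=8))
LISTEN 0      511             [::]:80              [::]:*      users:(("nginx",pid=1200,fd=9))
ESTAB  0      0       172.31.38.94:22      203.0.113.9:51514  users:(("sshd",pid=901,fd=4))'
  fw_sample='8001/tcp
dhcpv6-client ssh'
  printf '%s\n' "$ss_sample" | is_listening 80 && echo "sample: :80 is listening"
  printf '%s\n' "$ss_sample" | is_listening 443 || echo "sample: :443 is not listening"
  printf '%s\n' "$fw_sample" | firewalld_allows 8001 && echo "sample: firewalld allows :8001"
  printf '%s\n' "$fw_sample" | firewalld_allows 80 http || echo "sample: firewalld blocks :80"
  printf '198.51.100.7\n' | dns_points_here 198.51.100.7 && echo "sample: DNS matches public IP"
}

if [ "${1:-}" = "--run" ]; then run_checks "${2:-}"; else demo; fi
```

The EC2 Security Group and VPC Network ACL side cannot be inspected from inside the instance with these commands; those still have to be checked in the AWS console. Note that a `firewall-cmd --permanent` change only takes effect after `firewall-cmd --reload`, which is why the remediation printed above includes both.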