SSL with specific port on Nginx server

Hi there,

On my Nginx server I’ve got a node app running with pm2 on port 6000.
I would like to get Let’s Encrypt up and running on this domain, but I wasn’t able to find a good how-to guide on this.
I’ve found https://mozilla.github.io/server-side-tls/ssl-config-generator/, but this is based on existing certificates, right?

Anyone got experience with this and can give me some heads up?
Or send me a link to a good tutorial I can follow? Thanks in advance! :)

Have you got a normal website on port 80/443? If so you would generate the certificate as normal, then simply point the config for your port 6000 application to use the certificate.

If you don’t have anything running on port 80, you could use certbot in standalone mode (where it would listen and respond on port 80 ) to obtain the certificate.

If you have an API to your DNS (so that you have an automatic way of adding a TXT record to your DNS), then you could also use the dns-01 challenge to obtain the certificate.

Thanks for your reply @serverco!
I’m kinda new(bie) in the server / Let’s Encrypt things, so can you point out a few things for me?

I’m running Ubuntu 16.04 so I’ll have to follow these steps using certbot: https://certbot.eff.org/#ubuntuxenial-nginx
After doing the apt-get I’ll have to set my path. My node project is running in /home/ronny so I have to replace all /var/www routes with /home/ronny, right?

$ letsencrypt certonly --webroot -w /home/www/domain -d domain.nl -d www.domain.nl

Then I need to run:
$ letsencrypt certonly --standalone -d domain.nl -d www.domain.nl

In my /etc/nginx/sites-available there’s also a domain.nl file currently containing:

server {
  listen 80;

  server_name domain.nl;

  location / {
    proxy_pass http://localhost:6000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }
}

Do I have to add the listen 443 ssl http2; code block from https://mozilla.github.io/server-side-tls/ssl-config-generator/ here? What will the path to my certificate be?

Is this correct?

Yes. Just checking that your path is /home/ronny or /home/ronnyzzzz (as you have it with the zzzz on the end in the command). Also, can I check that's where the main index.html file is for your site (and it's not in a /public folder within there)?

No. If you are running the webroot method above (which should work fine as you already have a website on port 80) you don't need to use the standalone method (that's for if you didn't have your own nginx website or anything).

For the moment I'd make no changes to your nginx config, and obtain the certificate. You shouldn't need to do any changes for that.

Once you have obtained the certificate, it should place the certs you need in /etc/letsencrypt/live/domain.nl/
You can then edit the nginx config to use that certificate (using the code block from the mozilla link).

I do not specifically have an index.html. In my home directory /home/ronny there's a folder called domain.nl. This folder contains a node app whose index is located at /dist/server/index.js. With the npm package pm2 I'm running this process on port 6000.
I will try to set it up following your suggestions and the generator from Mozilla.

EDIT:
I've tried adding the certificate, but when running:
sudo letsencrypt certonly --webroot -w /home/ronny -d domain.nl -d domain.nl

I get the following errors:

Failed authorization procedure. domain.nl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.nl/.well-known/acme-challenge/frU8k1SdHc8a-XT9w2aBkB1cuot2iIgqIWsT9cIWOGc [95.85.21.130]: 404

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: domain.nl
   Type:   unauthorized
   Detail: Invalid response from http://domain.nl/.well-known/acme-
   challenge/frU8k1SdHc8a-XT9w2aBkB1cuot2iIgqIWsT9cIWOGc
   [95.85.21.130]: 404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Does anyone know how to fix this?
My website is up and running on the domain so it's accessible.

What runs your main website at http://domain.nl? Is this nginx, or is it nodejs?

It looks as if http://domain.nl is nginx, so the webroot isn’t /home/ronny (from what you describe). Where are the files for http://domain.nl located on your server?

I’ve got a VPS running with Nginx and Ubuntu 16.04.
On this server I’m running a nodejs application which contains my website http://www.domain.nl/. This node app runs on port 6000 with pm2 process manager. So mainly my files are located in /home/ronny/domain.nl/dist/.

My Nginx config file in /etc/nginx/sites-available/domain.nl looks like the code I’ve already shown in my second post. I would like to add SSL to this file.
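The 404 in the error output above happens because the config shown in the second post proxies every path, including /.well-known/acme-challenge/, to the node app, which has no such file. Below is an added example (not posted by anyone in this thread) of how that config can be extended: a location that serves the http-01 challenge files straight from a webroot, and a 443 block that uses the certificate under /etc/letsencrypt/live/domain.nl/. The webroot /var/www/letsencrypt is an assumed directory; fullchain.pem and privkey.pem are certbot's default file names.

```nginx
# Added example, not from the thread. Assumes /var/www/letsencrypt exists and
# is readable by nginx, and that the certificate was requested with:
#   letsencrypt certonly --webroot -w /var/www/letsencrypt -d domain.nl -d www.domain.nl

server {
  listen 80;
  server_name domain.nl www.domain.nl;

  # Serve http-01 challenge files from disk so they are never forwarded
  # to the node app on port 6000 (which answered 404 above).
  # certbot writes tokens to <webroot>/.well-known/acme-challenge/<token>.
  location ^~ /.well-known/acme-challenge/ {
    root /var/www/letsencrypt;
    default_type "text/plain";
  }

  # Everything else is sent to HTTPS once the certificate exists.
  location / {
    return 301 https://$host$request_uri;
  }
}

server {
  listen 443 ssl http2;
  server_name domain.nl www.domain.nl;

  ssl_certificate     /etc/letsencrypt/live/domain.nl/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/domain.nl/privkey.pem;
  # Paste the protocol/cipher lines from the Mozilla generator here.

  location / {
    proxy_pass http://localhost:6000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    # Lets the node app know the original request was HTTPS.
    proxy_set_header X-Forwarded-Proto https;
    proxy_cache_bypass $http_upgrade;
  }
}
```

Run nginx -t and reload after each change; nginx refuses to start the 443 block until the certificate files exist, so add that block (and the redirect) only after certonly has succeeded.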
