Still can't connect to my nginx webserver over HTTPS?


#1

Hello there,
I'm brand new to HTTPS and certificates / SSL issues, so maybe I'm acting dumb, but I can't manage to make it run.
Context: VPS at a hosting provider (LWS), Debian 8, nginx server, one domain (to start with), and a staging certificate from Let's Encrypt generated yesterday via the GUI client of Certbot.
The certificate was generated; there was a small issue with the screen size, but I could manage that myself.
I set up the nginx server to listen on port 443 via the following directives:
listen 80;
listen 443 ssl;

The website on HTTP port 80 is fine, but when I try to access it over HTTPS, there is no web response. I think port 443 is open, though, because when I telnet to www.mydomain.net 443 I get an empty answer, whereas when I try the same on, for example, 444, I get no answer at all.
On the DNS side, I didn't make any modifications, but I don't think I had to, right?
Any help appreciated on what I can do to test in order to find out what's wrong with my configuration.
Thanks,
Olivier.


#2

Hi Olivier,

You shouldn’t need to make any DNS changes for https to work, no.

Can you tell us your domain name, so we can check things?

How did you configure nginx for https? The link https://mozilla.github.io/server-side-tls/ssl-config-generator/ may help you check what sort of settings should be in your config.


#3

Hello serverco,
Thanks for this fast answer.
After looking at the link you gave, the only line I added to my nginx configuration is the one listening on port 443, nothing else.
It looks like I have to add other directives to tell it, for example, where the different files are (certificate, private key …).
Might that be the reason I get these errors?


#4

Definitely.

Add the rest of the required config, and it should start to work (remember to restart nginx, of course).


#5

Just tried, thanks a lot, it worked like a charm!
A few more questions, then:

  • I generated Let's Encrypt certificates via the Certbot GUI; how do I check whether these are staging certificates or real ones?
  • All files (cert.pem, chain.pem, fullchain.pem, privkey.pem) were generated in /etc/letsencrypt/archive/www.mydomain.net, and links were created in /etc/letsencrypt/live/www.mydomain.net. Should I put /etc/letsencrypt/live/www.mydomain.net/cert.pem and privkey.pem in my nginx config file directly? Or should I copy them elsewhere, or create hard or symbolic links elsewhere, and refer to those links in my nginx config file? What would be best practice on this point?
  • And finally (I think), my nginx config file serves two web domains, www.mydomain.net and mydomain.net, via the directive server_name www.mydomain.net mydomain.net;, but the certificate is only for www.mydomain.net. What is the best option here?

Once more, thanks very much for all your answers :wink:
Oliv.


#6

They won’t be staging unless you asked certbot to make staging certificates, by passing --staging or --test-cert. Here are a couple ways to check after the fact:

grep staging /etc/letsencrypt/renewal/www.mydomain.net.conf

or

sudo cat /etc/letsencrypt/live/www.mydomain.net/cert.pem | openssl x509 -noout -text | grep Issuer:

If they say staging = False and the issuer is Let's Encrypt Authority X3, it’s not staging. If they say staging = True or the issuer is Fake LE Intermediate X1, it’s a staging certificate, and you should make a new one without passing --staging or --test-cert.

I would suggest using ssl_certificate /etc/letsencrypt/live/www.mydomain.net/fullchain.pem (not cert.pem) and ssl_certificate_key /etc/letsencrypt/live/www.mydomain.net/privkey.pem. That’s the easy, typical setup.

You should issue a new certificate, passing -d www.mydomain.net -d mydomain.net to certbot this time (and whatever other options you used).

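The advice in the previous posts (listen on 443 with ssl, point ssl_certificate at fullchain.pem rather than cert.pem, keep the live/ paths, and have the certificate cover every name in server_name) pulled together into one complete nginx server block. This is an added example, not configuration posted in the thread; it keeps the thread's paths (/etc/letsencrypt/live/www.mydomain.net/ and the webroot /var/www_mydomain used later with certbot's -w) and everything else is an assumption, including the choice to redirect the bare domain to www.

```nginx
# Added example: full vhost for www.mydomain.net / mydomain.net. Paths are the
# ones from the thread; the TLS tuning and redirect target are assumptions.

# Plain HTTP: keep answering ACME challenges (so renewals keep working even
# once everything else redirects) and send all other requests to HTTPS.
server {
    listen 80;
    server_name www.mydomain.net mydomain.net;

    location /.well-known/acme-challenge/ {
        root /var/www_mydomain;   # the webroot passed to certbot with -w
    }

    location / {
        return 301 https://www.mydomain.net$request_uri;
    }
}

server {
    listen 443 ssl;
    # The certificate must list BOTH names as SANs (certbot -d ... -d ...),
    # otherwise clients hitting the second name get a name-mismatch error.
    server_name www.mydomain.net mydomain.net;

    # fullchain.pem = leaf + intermediate; cert.pem alone leaves clients unable
    # to build the chain. live/ always points at the newest archive/ version.
    ssl_certificate     /etc/letsencrypt/live/www.mydomain.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.mydomain.net/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;   # drop TLSv1.3 on nginx builds that predate it
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    root /var/www_mydomain;
    index index.html;
}
```

Validate with `nginx -t` before reloading (`systemctl reload nginx` on Debian 8). nginx reads the certificate files once at start/reload, so after any renewal or re-issue that overwrites the live/ symlinks the reload is what makes the new certificate visible to clients.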

#7

Thank you so much.
I've learned a lot of things, very interesting.
So, a few more questions, just to be sure:

  • I generated this certificate with the Certbot GUI. I didn't see anything for generating a staging certificate, or for generating multi-domain certificates (like, in my example, generating one certificate for www.mydomain.net AND mydomain.net). Did I miss something, or is it not possible with the GUI? Anyway, I'll make further certificates with the CLI, no problem with that; it's just to have more knowledge.
  • During this certificate creation, a new folder '.well-known' was created in my website root. But it's empty. Is that normal? Anything to do with it?
  Thx.

#8

There are various command line options with certbot; just use --test-cert or --staging to use the test / staging server. See https://certbot.eff.org/docs/using.html#commands

Yes, this is perfectly normal. The process needs to place a specific token on your website to prove ownership (see https://letsencrypt.org/how-it-works/ ). This is done within the .well-known directory.


#9

==> Yes, the real question here was whether this was possible through the Certbot GUI, just out of curiosity. I now understand it's possible through the Certbot CLI, and will do it that way.

Indeed, that's why I'm surprised this directory is empty. Is this normal?


#10

How are you accessing the certbot GUI? I was assuming you were starting it from the command line.

Yes, the tokens are deleted once successfully verified.


#11

Yes, I launched it via the command line "certbot certonly". I can add switches to this command line too, which will be taken into account by the GUI? I didn't understand that, thanks for your explanation.

Perfect, all right on this.
So, I think I now have the entire process clear; now I just have to duplicate this on other websites …
Thx very much!


#12

Okay, I finally need some more help …
I ran this command to get a certificate for two domain names:
certbot certonly --webroot -w /var/www_mydomain -d www.mydomain.net -d mydomain.net

This works fine for the www.mydomain.net URL.
But when I access https://mydomain.net, I get an error. In Google, it says more or less (translated from French):

Unable to verify on the server that you're really on the mydomain.net domain, because its certificate was issued for www.mydomain.net. This might be due to a misconfiguration, or to a hacker intercepting your connection.

What did I miss?
Thanks.
Olivier.


#13

What’s the actual domain name ?


#14

Here it is : www.mydomain.net


#15

The certificate is only for www.zzzzz.com (and not for zzzzz.com). Why the command didn't produce a certificate for both domains I don't know. Can you post the log from when you created the cert?


#16

For full information, when I ran that command, I had a GUI interface telling me that a certificate already existed for the www domain, and asking me if I wanted to expand it, which I accepted. Might that be the cause? Maybe revoke it, and ask for a fresh new one for both addresses?


#17

You don’t need to revoke to obtain a new cert.

I’ve downloaded the log ( I don’t think there is anything private there, but feel free to remove it … I haven’t checked it all yet )

When it expanded it, are you using the latest cert? Or are you still using the old cert from before you expanded it?


#18

Yes, honestly I'd rather remove the logs sooner or later; I'm pretty "nervous" (not the right word, but that's the idea) about making all this public.
Also, if I can ask you to remove the references to my domain in your last posts, I'd be glad :wink:

To answer your question, I didn't change anything in the nginx configuration about the certificate path, as the new one replaced the old one in the same place with the same filenames.


#19

I’ve edited my previous post.

Have you restarted nginx to load the new cert ?

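The three checks this thread keeps coming back to (post #6: is the issuer the staging CA; post #15: which names does the certificate actually cover; post #19: is nginx still serving the old certificate after an expand) as reusable shell functions. This is an added example, not something posted in the thread; it assumes only the openssl command-line tool. The domain layout under /etc/letsencrypt/live/ and the "Fake LE" staging issuer string come from the thread, everything else (function names, the wildcard rule) is mine.

```shell
#!/bin/sh
# Added example (not from the thread): certificate sanity checks with openssl.
# Each helper takes a PEM file, or reads stdin when no file is given.

# Issuer of the first certificate in the file, e.g. "C = US, O = Let's Encrypt, CN = ..."
cert_issuer() {
    openssl x509 -in "${1:-/dev/stdin}" -noout -issuer | sed 's/^issuer=[ ]*//'
}

# True when the issuer is Let's Encrypt's staging intermediate ("Fake LE ...").
cert_is_staging() {
    cert_issuer "$1" | grep -q 'Fake LE'
}

# DNS names from the Subject Alternative Name extension, one per line.
# Parses -text output rather than using -ext so it also works on OpenSSL 1.0.x.
cert_dns_names() {
    openssl x509 -in "${1:-/dev/stdin}" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# True when certificate $1 is valid for host $2: an exact SAN match, or a
# wildcard SAN whose '*' stands for exactly one leading label.
cert_covers() {
    names=$(cert_dns_names "$1")
    [ -n "$names" ] || return 1
    while IFS= read -r name; do
        case "$name" in
            "$2") return 0 ;;
            \*.*)
                if [ "${2#*.}" = "${name#\*.}" ] && [ "${2%%.*}" != "$2" ]; then
                    return 0
                fi ;;
        esac
    done <<EOF
$names
EOF
    return 1
}

# SHA-256 fingerprint of a certificate, e.g. "AB:CD:...".
cert_fingerprint() {
    openssl x509 -in "${1:-/dev/stdin}" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Leaf certificate a TLS server actually presents for $1 (SNI set to $1).
served_cert() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Post #19's question: does the running nginx serve the certificate on disk?
# Exit 0 when the fingerprints match, 1 when nginx still has an older cert loaded
# (the usual cause is a missing reload after certbot rewrote the live/ symlinks).
nginx_serves_live_cert() {
    live="/etc/letsencrypt/live/$1/fullchain.pem"
    [ "$(cert_fingerprint "$live")" = "$(served_cert "$1" | cert_fingerprint)" ]
}
```

Typical use on the server from the thread: `cert_is_staging /etc/letsencrypt/live/www.mydomain.net/fullchain.pem && echo staging`, `cert_covers /etc/letsencrypt/live/www.mydomain.net/fullchain.pem mydomain.net || echo "bare domain not covered"`, and after an expand or renewal `nginx_serves_live_cert www.mydomain.net || echo "reload nginx"`. The wildcard rule deliberately matches only one label (`*.example.net` covers `a.example.net` but not `example.net` or `a.b.example.net`), which is how browsers treat it.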

#20

Oh fuck!
How stupid, I forgot this.
I just restarted the nginx service, and of course, it works fine :wink:
Really sorry for this, I should have thought of it myself!
Thanks very much for your help, really appreciated!