Hello there,
I’m fresh new to HTTS and certificates / SSL issues, so maybe i’m acting dumb, but can’t manage to make it run.
Context : VPS in a hoster (LWS), Debian 8, Nginx Server, one domain (for starting), and a fresh from yesterday staging certificate from lets encrypt, generated via the GUI client of CERTBOT.
The certificate did generate, little issue on the screen size, but could manage it by myself.
Set up the nginx server to listen to port 443, via the following directives :
listen 80;
listen 443 ssl;
The web site on http port 80 is fine, but when i try to access it on https, no web repsonse. Through, i thnk port 443 is open, because when i try to Telnet www.mydomain.net 443, i have an empty answer, although when i try the same on, for example, 444, i have no answer at all.
On the DNS Side, didn’t make any modifications, but i don’t think i had to, right ?
Any help appreciated on what i can do to test in order to know what’s wrong with my configuration ?
Thanks,
Olivier.
Hello serverco,
Thanks for this fast answer.
After looking at your given link, the only line i added to my nginx configuration is the listening on port 443, nothing else.
looks like i have to add other directives to tell, for example, where are the different files (certificate, private key …).
Might it be the reason i obtain these errors ?
Just tried, thanks a lot, worked like a charm !
A few more questions, so :
I generated letsencrypt certificates via certbot gui, how to check if these are stagings certificates or real ones ?
all files (cert.pem chain.pem fullchain.pem privkey.pem) were generated in /etc/letsencrypt/archive/www.mydomain.net, and links were created in /etc/letsencrypt/live/www.mydomain.net. Should i put /etc/letsencrypt/live/www.mydomain.net/cert.perm and privkey.pem in my nginx config file directly ? Or, should i copy them elsewere, or create hard or symbolic links elsewere,and refer to those links in my nginx config file ? What would be best practice on this point ?
They won't be staging unless you asked certbot to make staging certificates, by passing --staging or --test-cert. Here are a couple ways to check after the fact:
If they say staging = False and the issuer is Let's Encrypt Authority X3, it's not staging. If they say staging = True or the issuer is Fake LE Intermediate X1, it's a staging certificate, and you should make a new one without passing --staging or --test-cert.
I would suggest using ssl_certificate /etc/letsencrypt/live/www.mydomain.net/fullchain.pem (not cert.pem) and ssl_certificate_key /etc/letsencrypt/live/www.mydomain.net/privkey.pem. That's the easy, typical setup.
You should issue a new certificate, passing -d www.mydomain.net -d mydomain.net to certbot this time (and whatever other options you used).
Thank U so much.
I’ve learned lot of things, very interesting.
So, a few more questions, just to be sure :
i generated this certificate with the certbot gui. I didn’t see anything for generating staging certificate, or generating multi-domains certificates (like, in my example, generating one certificate for www.mydomain.net AND mydomain.net). I missed something, or it’s not possible with the GUI ? Anyway, i’ll make further certificates with the CLI, no probleme on this, it’s just to have more knowledge.
during this certificate creation, a new folder ‘.well-known’ was created in my website root. But it’s empty. Is it normal ? Anything to do with it ?
Thx.
Yes, this is perfectly normal. The process needs to place a specific token on your website to proove ownership ( see How It Works - Let's Encrypt ). This is done within the .well-known directory.
==> Yes, the real question here was to know if this was possible through CERTBOT GUI, just for curiosity. I now understant it's possible through Certbot CLI, and will make it this way.
Indeed, that's why i'm surprised this directory is empty. Is this normal ?
Yes, i launched it via command line "certbot certonly". I can add switches to this command line too, which will be taken ba the gui ? Didn't understand that, thanks for your explanation.
Perfect, all right on this.
So, i think i now get the entire process clear, now just have to duplicate this on other websites ...
Thx very much !
OKay, i finally need some more help ...
I ran this command to get certificate for two domains names :
certbot certonly --webroot -w /var/www_mydomain -d www.mydomain.net -d mydomain.net
This works fine, for the www.mydomain.net URL.
But, when i access https://mydomain.net, i get an error. On google, it says more or less (translated from french) :
Unable to check on the server that you're really on the mydomain.net domain, because its certificate was issued for www.mydomain.net. Might be due to a misconfiguration, or to a hacker intercepting your connexion.
The certificate is only for www.zzzzz.com ( and not for zzzzz.com ). Why the commend didn’t produce a certificate for both domains I don’t know. Can you post the log from when you created the cert ?
For full information, when i ran that command, i had a gui interface telling me that a certificate was currently runnning for the www domain, and asked me if i wanted to expand it, which a accepted. Might be the cause ? Maybe revoking it, and asking for a fresh new one for both addresses ?
Yes, honestly i’d rather remove sooner or later the logs, pretty “nervous” (not the good word, but that’s the idea) when giving all this public.
Also, if i can ask you to remove referencesto my domainin your lasts posts,i’d be glad
To answer your question, i didn’t change anything in nginx configuration about certificate path, as the new one replaced the old one in the same place and filenames.
Ow fuck !
How stupid, i forgot this.
I just restarted nginx service, and of course, it works fine
Really sorry for this, should have thought about this by myself !
thanks very much for your help, really appreciated this !
