This is my first time using Let's Encrypt

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: 15002338190.com

I ran this command: tried to access my website with a browser.

It produced this output: HTTP parse error, malformed request (): #<Puma::HttpParserError: Invalid HTTP format, parsing fails, on my web server

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu 16.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): route 53

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

There are no error messages during installation of certbot 0.31.0. But https://www.15002338190.com does not work.

If RAILS_SERVE_STATIC_FILES=true RAILS_ENV=production bundle exec rails server -p 443, the website won’t be accessible at all.

I do not even know where to debug…
Thanks in advance!

Denny


Hi,

Please first check your network security group settings and make sure you’ve opened access to port 443.

Then, check if you have any sort of firewall or iptables installed on your server, and make sure those are allowing port 443 access.

Thanks

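The reply above asks for the security group and host firewall to be checked. The answer curl gives already tells you which layer to look at: "Connection refused" means the packet reached the host and got a TCP RST back, so nothing is bound to the port; a silent timeout is what a security group or iptables DROP produces. The script below, an added example and not something posted in this thread, classifies a host:port that way and, once a TCP connection opens, probes whether the listener actually speaks TLS (an application server started directly on 443 accepts the connection but answers the ClientHello with plain HTTP). The two loopback helpers at the bottom are constructed stand-ins so it runs offline; the hosts, ports and behaviour of the stand-in listener are assumptions for illustration.

```python
"""Classify why a TLS endpoint such as https://15002338190.com:443 is unreachable.

Outcomes:
  refused  - host answered with a TCP RST: packets reach the machine, so the
             security group / host firewall is not what blocks you; nothing is
             bound to that port (curl's "Connection refused" in the thread)
  timeout  - no answer at all: packets are dropped (security group, network
             ACL, iptables) or the address is wrong
  open     - a listener accepted TCP; the TLS probe then says whether it
             speaks TLS, or answers with something else ("not-tls")
"""
import socket
import ssl
import threading


def classify_tcp(host, port, timeout=3.0):
    """Return "open", "refused", "timeout" or "error: ..." for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:                 # no route, name resolution, ...
        return "error: %s" % exc


def classify_tls(host, port, timeout=3.0):
    """Given an open port, report whether a TLS handshake completes."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls:%s" % tls.version()
    except ssl.SSLCertVerificationError:
        return "tls-cert-invalid"          # TLS works, the certificate/chain does not
    except ssl.SSLError:
        return "not-tls"                   # listener replied with non-TLS bytes
    except socket.timeout:
        return "tls-timeout"               # accepted TCP, never sent a ServerHello
    except OSError as exc:
        return "error: %s" % exc


def diagnose(host, port=443, timeout=3.0):
    """TCP verdict first; TLS verdict only if the port is open."""
    verdict = classify_tcp(host, port, timeout)
    return verdict if verdict != "open" else classify_tls(host, port, timeout)


# --- constructed stand-ins so the example runs offline (assumptions) --------

def start_plain_http_listener():
    """Bind a loopback port and answer every connection with plain HTTP,
    mimicking an app server started on 443 without TLS in front of it.
    Returns (server_socket, port); close the socket to stop serving."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                # server socket closed
                return
            with conn:
                try:
                    conn.recv(4096)        # the TLS ClientHello, unparseable as HTTP
                    conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_loopback_port():
    """Pick a loopback port that nothing is listening on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_plain_http_listener()
    print("app server on the port, no TLS ->", diagnose("127.0.0.1", port))
    print("nothing listening              ->", diagnose("127.0.0.1", closed_loopback_port()))
    srv.close()
```

Run it against the real host from outside (`diagnose("15002338190.com")`): "refused" matches what the thread saw from the instance itself and points at the server process, not the security group; "timeout" from outside but "open" from the instance points at the security group or iptables; "not-tls" is the signature of an application server bound straight to 443.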


I have 443 port open both on AWS and on EC2 instance. I do not know if I have missed anything else.

Thanks for your reminder anyway!
Denny

Hi @danlideng

Checking your domain: port 80 answers, port 443 does not - https://check-your-website.server-daten.de/?q=15002338190.com

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://15002338190.com/ (52.53.254.98) | 301 | https://15002338190.com/ | 0.360 | A |
| http://www.15002338190.com/ (52.53.254.98) | 301 | https://www.15002338190.com/ | 0.360 | A |
| https://15002338190.com/ (52.53.254.98) | -2 | ConnectFailure - Unable to connect to the remote server | 1.547 | V |
| https://www.15002338190.com/ (52.53.254.98) | -2 | ConnectFailure - Unable to connect to the remote server | 1.530 | V |

You have created a new certificate, so that part has worked.

| Issuer | not before | not after | Domain names | LE-Duplicate next LE |
|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2019-12-12 | 2020-03-11 | www.15002338190.com - 1 entries | duplicate nr. 1 |
| Let's Encrypt Authority X3 | 2019-12-12 | 2020-03-11 | 15002338190.com - 1 entries | duplicate nr. 1 |

What do

```
certbot certificates
nginx -T
```

say? Does your https work internally?

```
curl https://15002338190.com/
curl https://www.15002338190.com/
```

from a console on that machine.

ubuntu@ip-172-31-6-21:~⟫ curl https://15002338190.com
curl: (7) Failed to connect to 15002338190.com port 443: Connection refused
7 ubuntu@ip-172-31-6-21:~⟫ curl http://15002338190.com

You are being redirected.

1 ubuntu@ip-172-31-6-21:~⟫ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: 15002338190.com
Domains: 15002338190.com
Expiry Date: 2020-03-11 13:00:56+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/15002338190.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/15002338190.com/privkey.pem
Certificate Name: www.15002338190.com
Domains: www.15002338190.com
Expiry Date: 2020-03-11 13:16:01+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/www.15002338190.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.15002338190.com/privkey.pem


ubuntu@ip-172-31-6-21:~⟫ sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

configuration file /etc/nginx/nginx.conf:

user nginx;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
worker_connections 1024;
}

http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile        on;
#tcp_nopush     on;

keepalive_timeout  65;

#gzip  on;

include /etc/nginx/conf.d/*.conf;

}

configuration file /etc/nginx/mime.types:

types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;

text/mathml                                      mml;
text/plain                                       txt;
text/vnd.sun.j2me.app-descriptor                 jad;
text/vnd.wap.wml                                 wml;
text/x-component                                 htc;

image/png                                        png;
image/svg+xml                                    svg svgz;
image/tiff                                       tif tiff;
image/vnd.wap.wbmp                               wbmp;
image/webp                                       webp;
image/x-icon                                     ico;
image/x-jng                                      jng;
image/x-ms-bmp                                   bmp;

font/woff                                        woff;
font/woff2                                       woff2;

application/java-archive                         jar war ear;
application/json                                 json;
application/mac-binhex40                         hqx;
application/msword                               doc;
application/pdf                                  pdf;
application/postscript                           ps eps ai;
application/rtf                                  rtf;
application/vnd.apple.mpegurl                    m3u8;
application/vnd.google-earth.kml+xml             kml;
application/vnd.google-earth.kmz                 kmz;
application/vnd.ms-excel                         xls;
application/vnd.ms-fontobject                    eot;
application/vnd.ms-powerpoint                    ppt;
application/vnd.oasis.opendocument.graphics      odg;
application/vnd.oasis.opendocument.presentation  odp;
application/vnd.oasis.opendocument.spreadsheet   ods;
application/vnd.oasis.opendocument.text          odt;

application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;

audio/midi                                       mid midi kar;
audio/mpeg                                       mp3;
audio/ogg                                        ogg;
audio/x-m4a                                      m4a;
audio/x-realaudio                                ra;

video/3gpp                                       3gpp 3gp;
video/mp2t                                       ts;
video/mp4                                        mp4;
video/mpeg                                       mpeg mpg;
video/quicktime                                  mov;
video/webm                                       webm;
video/x-flv                                      flv;
video/x-m4v                                      m4v;
video/x-mng                                      mng;
video/x-ms-asf                                   asx asf;
video/x-ms-wmv                                   wmv;
video/x-msvideo                                  avi;

}

configuration file /etc/nginx/conf.d/default.conf:

server {
#server_name 52.53.254.98;
server_name 15002338190.com;
#server_name localhost;

#charset koi8-r;
#access_log  /var/log/nginx/host.access.log  main;

location / {
    root   /root/xq234_version3;
    #root   /root/hello_app;
    #root   /usr/share/nginx/html;
    index  index.html index.htm;
}

#error_page  404              /404.html;

error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}

# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
#    proxy_pass   http://127.0.0.1;
#}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
#    root           html;
#    fastcgi_pass   127.0.0.1:9000;
#    fastcgi_index  index.php;
#    include        fastcgi_params;
#}
#}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
#    deny  all;
#}

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/15002338190.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/15002338190.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
if ($host = 15002338190.com) {
return 301 https://$host$request_uri;
} # managed by Certbot

listen       80;
server_name  15002338190.com;
return 404; # managed by Certbot

}

configuration file /etc/letsencrypt/options-ssl-nginx.conf:

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_ciphers “ECDHE-ECDSA-since it says these are ciphers, I have omited some of them-CBC3-SHA:!DSS”;

I am sorry that it looks pretty bad. I have copied and pasted them a couple of times. I do not know why it looks like this.

Denny :grinning: :grinning:

There you see the problem.

You have two server blocks with port 80 and server_name 15002338190.com. That’s wrong.

Every combination of port and server_name must be unique.

Merge these two vHosts into one, then restart your nginx.

Then run nginx -T again, to see if there is only one server block with that domain name.

PS: Formatting: use three ``` followed by a newline before the block, and the same on a new line at the end.

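The rule stated above, that every combination of port and server_name must be unique, is easy to violate once Certbot has appended its own blocks to a hand-edited file, and `nginx -t` does not fail on it (nginx only logs a warning and silently keeps the first block). The checker below is an added example, not something from this thread or from the nginx project: it parses `nginx -T` output with a small directive/block parser and reports duplicate (port, server_name) pairs, plus server blocks that listen on both 80 and 443, the combined layout that comes up later in the thread. It does not expand `include`, so feed it `nginx -T` output, which is already inlined. The sample configuration at the bottom is constructed to model the layouts diagnosed here; the hostname example.test in it is an assumption.

```python
"""Find duplicate (port, server_name) pairs and mixed 80/443 server blocks
in an nginx configuration (feed it `nginx -T` output)."""
import re
from collections import defaultdict


def tokenize(text):
    """Split nginx config text into tokens; '#' comments are dropped first."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r'''"[^"]*"|'[^']*'|[{};]|[^\s{};]+''', text)


def parse(tokens, i=0):
    """Return (directives, next_index). Each directive is (name, args, body);
    body is a list for block directives and None for simple ones."""
    out = []
    while i < len(tokens):
        if tokens[i] == "}":
            return out, i + 1
        words = []
        while i < len(tokens) and tokens[i] not in ("{", ";"):
            if tokens[i] == "}":
                raise ValueError("unexpected '}' after %r" % words)
            words.append(tokens[i])
            i += 1
        if i == len(tokens):
            raise ValueError("unterminated directive %r" % words)
        if tokens[i] == ";":
            out.append((words[0], words[1:], None))
            i += 1
        else:
            body, i = parse(tokens, i + 1)
            out.append((words[0], words[1:], body))
    return out, i


def server_blocks(directives):
    """Yield the body of every server block, at any nesting depth."""
    for name, _args, body in directives:
        if body is None:
            continue
        if name == "server":
            yield body
        else:
            yield from server_blocks(body)


def listen_ports(block):
    """Ports from the block's listen directives; nginx defaults to 80 if none."""
    ports = []
    for name, args, _ in block:
        if name == "listen" and args and not args[0].startswith("unix:"):
            tail = args[0].rsplit(":", 1)[-1]        # 80, *:80, [::]:443 -> 80/80/443
            ports.append(int(tail) if tail.isdigit() else 80)   # address only -> 80
    return ports or [80]


def server_names(block):
    """All names from server_name directives; an unnamed block yields ''."""
    names = []
    for name, args, _ in block:
        if name == "server_name":
            names.extend(a.strip("\"'") for a in args)
    return names or [""]


def check(config_text):
    """Return a list of human-readable findings (empty list means clean)."""
    directives, _ = parse(tokenize(config_text))
    owners = defaultdict(list)
    findings = []
    for idx, block in enumerate(server_blocks(directives), 1):
        ports, names = listen_ports(block), server_names(block)
        if 80 in ports and 443 in ports:
            findings.append(
                "server #%d listens on both 80 and 443: plain-HTTP and TLS requests "
                "get identical handling, so an HTTP->HTTPS redirect cannot be "
                "expressed in this block" % idx)
        for port in sorted(set(ports)):
            for name in names:
                owners[(port, name)].append(idx)
    for (port, name), idxs in owners.items():
        if len(idxs) > 1:
            findings.append(
                "port %d / server_name %r is declared in server blocks %s: nginx keeps "
                "the first and logs 'conflicting server name ... ignored' for the rest"
                % (port, name, idxs))
    return findings


# Constructed sample modelled on the layouts discussed in this thread.
SAMPLE_CONFIG = """
server {
    if ($host = 15002338190.com) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name 15002338190.com www.15002338190.com;
    return 404;
}
server {
    listen 80;                      # same port and name as the block above
    server_name 15002338190.com;
    location / { root /usr/share/nginx/html; }
}
server {
    listen 80;
    listen 443 ssl;                 # one block for both protocols
    server_name example.test;
    ssl_certificate     /etc/letsencrypt/live/example.test/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem;
    location / { root /usr/share/nginx/html; }
}
"""

if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG):
        print("-", finding)
```

Usage on the live box: `sudo nginx -T 2>/dev/null | python3 check_nginx.py` with a `sys.stdin.read()` in place of the sample; an empty result is the state the reply above is asking for.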

Do you mean it is either 15002338190.com or www.15002338190.com, not both?

If that is the case, what file do I need to edit?

Thank you very much! JuergenAuer

Has two server blocks with the same server_name "15002338190.com".

Which file structure in default.conf?

1. server { something {something else} }

2. server { … }
   something { something else }
   something { something else }

Which one is the correct structure, 1 or 2?
Thank you!
Denny

They would be technically equal if something can be used outside a server block.
But visually, 2 seems better although not quite complete.
Maybe more like option 3:

#first server
server {
 something {
  things...;
 }#end something
 somethingelse {
  more things...;
 }#end somethingelse
}#end server

#then another
server {
 …
}#end server

server {
if ($host = 15002338190.com) {
return 301 https://$host$request_uri;
} # managed by Certbot

listen       80;
server_name  15002338190.com;
return 404; # managed by Certbot


#server_name  52.53.254.98;
#server_name  15002338190.com;
#server_name  localhost;

#charset koi8-r;
#access_log  /var/log/nginx/host.access.log  main;

location / {
    root   /root/xq234_version3;
    #root   /root/hello_app;
    #root   /usr/share/nginx/html;
    index  index.html index.htm;
}

#error_page  404              /404.html;

# redirect server error pages to the static page /50x.html
#
error_page   500 502 503 504  /50x.html;
location = /50x.html {
    root   /usr/share/nginx/html;
}

# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
#    proxy_pass   http://127.0.0.1;
#}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
#    root           html;
#    fastcgi_pass   127.0.0.1:9000;
#    fastcgi_index  index.php;
#    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
#    include        fastcgi_params;
#}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
#    deny  all;
#}

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/15002338190.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/15002338190.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

configuration file /etc/letsencrypt/options-ssl-nginx.conf:

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

I have combined the two server blocks together. And it did not work either.
Denny

Are you sure you used Nginx, not Puma?
Since the error message you showed doesn't look like Nginx, and your webpage didn't disclose any headers referring to Nginx.

I’ve modified some virtual hosts for you:

  1. Run the command below to make sure you are on the right server, because according to your Nginx configuration, the website should be redirected to https automatically.
    curl ifconfig.co (Basically, this would show you the IP of the machine; compare it with your A record)

  2. Expand your certificate (merge both hostnames into one certificate)
    Get one certificate containing both 15002338190.com and www.15002338190.com (like the one below)
    -d 15002338190.com -d www.15002338190.com

  3. Edit Your HTTP Virtual Host

server {
if ($host = 15002338190.com) {
return 301 https://$host$request_uri;
} # managed by Certbot

if ($host = www.15002338190.com) {
return 301 https://$host$request_uri;
} # managed by Certbot

listen 80;
server_name  15002338190.com www.15002338190.com;
return 404; # managed by Certbot
}
  4. Edit your HTTPS virtual host
server {
server_name 15002338190.com;

#charset koi8-r;
#access_log  /var/log/nginx/host.access.log  main;

location / {
    root   /root/xq234_version3;
    #root   /root/hello_app;
    #root   /usr/share/nginx/html;
    index  index.html index.htm;
}

#error_page  404              /404.html;

error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}

# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
#    proxy_pass   http://127.0.0.1;
#}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
#    root           html;
#    fastcgi_pass   127.0.0.1:9000;
#    fastcgi_index  index.php;
#    include        fastcgi_params;
#}
#}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
#    deny  all;
#}

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/15002338190.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/15002338190.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
  5. Test nginx and reload it
    nginx -t, then sudo systemctl reload nginx (or service nginx reload if you don't have systemctl)

Nginx is the webserver, and Puma is the application server.

  1. ubuntu@ip-172-31-6-21:~⟫ curl ifconfig.co
    52.53.254.98
    This is the public IP address which corresponds to my 15002338190.com domain name.

  2. Which file do I have to edit on for merging both host names into one certificate?

  3. I can do this by sudo vi /etc/nginx/conf.d/default.conf.

  4. Am I going to add another server block in the same file, /etc/nginx/conf.d/default.conf? Or is there a similar file, just like default.conf, in which I can edit the server block? Or should both server blocks be in the same default.conf file?

Thank you for your help!
Denny

  1. Good that is the expected IP.
  2. Edit both files.
    add both names to each.
    (once in the HTTP/80 file or block and once in the HTTPS/443 file or block)
  3. yes and the ssl file (if separate file)
  4. from the information provided in this thread it seems you only have one file and that is OK
    They can be in separate files or in the same file - they just have to be separate server blocks.

Are you sure it is Nginx, not Puma, that is currently running on the server?
If the server were running Nginx, your site should be forced to https and the headers should contain the word Nginx… (according to the existing Nginx settings)
Your server not only does not behave like that, it also sends X-Request-Header and X-Runtime…

I don’t think he’s currently using Nginx…
From the website header (and previous comment), he is using Puma.

It is hard to say for sure.
I’m not familiar with Puma.


I had decided to go back to the very basic nginx webserver by pointing to the default /usr/share/nginx/html index page, instead of my own application index page.

Let's Encrypt started to work for both 15002338190.com and www.15002338190.com. Now I have figured out that Puma is the main cause of the problem here.

JuergenAuer, you are right about ONLY one server block.
stevenzhu, you are right that I need to configure both 15002338190.com and www.15002338190.com.
rg305, you are right that it is a Puma problem.

Thank you all for your kind help!

Here is the correct and clean /etc/nginx/conf.d/default.conf

server {
listen 80;
server_name 15002338190.com;
server_name www.15002338190.com;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/15002338190.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/15002338190.com/privkey.pem; # managed by Certbot

ssl_certificate /etc/letsencrypt/live/www.15002338190.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.15002338190.com/privkey.pem; # managed by Certbot

include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

Puma is beyond what we should discuss here. However, since other new users might want to know, I will post it here as soon as I have successfully configured the Puma application server.

Sincerely,
Denny


Using such a combined file makes it difficult (if not impossible) to redirect HTTP to HTTPS.
I would recommend splitting the two; so that you can (easily) redirect HTTP to HTTPS.
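For anyone landing here with the same layout question, this is the split arrangement recommended above, carrying out stevenzhu's steps 3 to 5, written out as an added example rather than one of the configs posted in this thread. It assumes step 2 was done, i.e. one certificate issued with `-d 15002338190.com -d www.15002338190.com` and therefore living under /etc/letsencrypt/live/15002338190.com/ (with two separate certificates you would keep two HTTPS server blocks, each pointing at its own fullchain.pem and privkey.pem). The loopback port 3000 in the commented-out proxy block is an assumption for illustration.

```nginx
# /etc/nginx/conf.d/default.conf  (added example, not the thread's file)

# 1. Catch-all on port 80: a request whose Host header is not one of ours
#    gets a 404 instead of a redirect to whatever Host the client supplied.
server {
    listen 80 default_server;
    server_name _;
    return 404;
}

# 2. Plain HTTP for the two real names: only ever redirect to HTTPS.
#    Because this block is selected by exact Host match, $host here can only
#    be one of the two names below.
server {
    listen 80;
    server_name 15002338190.com www.15002338190.com;
    return 301 https://$host$request_uri;
}

# 3. HTTPS for the same two names, one certificate covering both
#    (assumes the certificate was issued with -d 15002338190.com -d www.15002338190.com).
server {
    listen 443 ssl;
    server_name 15002338190.com www.15002338190.com;

    ssl_certificate     /etc/letsencrypt/live/15002338190.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/15002338190.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    root  /usr/share/nginx/html;
    index index.html index.htm;

    # Static files, as in the working config posted above.
    location / {
        try_files $uri $uri/ =404;
    }

    # When the Rails app is wanted: keep Puma OFF port 443, bind it to a
    # loopback port (127.0.0.1:3000 is an assumption) and let nginx terminate
    # TLS and proxy to it. Replace the static "location /" with this block.
    #location / {
    #    proxy_pass         http://127.0.0.1:3000;
    #    proxy_set_header   Host              $host;
    #    proxy_set_header   X-Real-IP         $remote_addr;
    #    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    #    proxy_set_header   X-Forwarded-Proto https;
    #}

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
```

After editing: `sudo nginx -t`, then `sudo systemctl reload nginx`, and check from the instance with `curl -I http://15002338190.com/` (expect 301 to https) and `curl -I https://www.15002338190.com/` (expect 200). Keeping port 80 and port 443 in separate blocks is what makes the redirect expressible at all; it also keeps the `return 404` catch-all from swallowing the TLS vhost, which is what happens when a `return` sits at server level in a block that also carries `listen 443 ssl`.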