Unable to install the certificate

My domain is: holonextapp.com

I ran this command: sudo certbot --nginx -d holonextapp.com -d www.holonextapp.com

It produced this output:

```
IMPORTANT NOTES:
Unable to install the certificate
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/holonextapp.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/holonextapp.com/privkey.pem
```

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: godaddy

I can login to a root shell on my machine (yes or no, or I don't know): Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

I used certbot and nginx to get a certificate for my domain. However, it says "unable to install the certificate" when I add it to the domain. Here is my nginx configuration:

```
server {
    listen 80;
    server_name holonextapp.com www.holonextapp.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;

    server_name holonextapp.com www.holonextapp.com;
    ssl_certificate /etc/letsencrypt/live/holonextapp.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/holonextapp.com/privkey.pem; # managed by Certbot

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / {
        proxy_pass http://172.31.22.33:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```

My domain still looks insecure because of this I believe. Any suggestions?

Hi @Meloturkmen and welcome to the LE community forum :slight_smile:

I suggest you focus on getting the HTTP site working again before continuing to work on HTTPS.
I get:

```
curl -Ii http://www.holonextapp.com
HTTP/1.1 502 Bad Gateway
Server: nginx/1.14.0 (Ubuntu)
Date: Wed, 29 Dec 2021 11:25:35 GMT
Content-Type: text/html
Content-Length: 182
Connection: keep-alive
```
1 Like

Hi @rg305 ,

I forgot to run my node project, so it is working now. The problem is I can't set up my project properly because it requires a secure domain (Shopify app).

Now that HTTP is working, let's see what we can do to get HTTPS working.

I see:

```
curl -Ii https://www.holonextapp.com
curl: (7) Failed to connect to www.holonextapp.com port 443: Connection refused
```

Have you allowed HTTPS (in the firewall setting)?

1 Like

Hey again,

Sorry for late reply, I was a bit busy.

I have enabled HTTP-HTTPS on AWS Security Groups like this:

Is this what you meant or should I do/check something else?

Yes.

Well, yes; as it seems there is more to be done.
I still get:

```
curl -Ii https://www.holonextapp.com
curl: (7) Failed to connect to www.holonextapp.com port 443: Connection refused
```
1 Like

As @rg305 notes, we cannot connect to your server on port 443 (https). It looks like your nginx server is not listening on port 443. Your security group looks ok otherwise the state would say 'filtered' rather than 'closed' (that's what happens on my AWS setup).

```
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https
```

What is the result of these commands:

```
sudo nginx -t
sudo systemctl restart nginx
sudo systemctl status nginx
ps -eF | grep nginx
```

Please put 3 backticks before and after the output to format it nice. Like:
```
output
```

2 Likes

Hi @MikeMcQ ,

Sharing result of commands you mentioned:

```
sudo nginx -t
```

```
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```

```
sudo systemctl restart nginx
```

```
sudo systemctl status nginx
```

```
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2022-01-28 08:39:04 UTC; 9s ago
     Docs: man:nginx(8)
  Process: 32323 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, s
  Process: 32336 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 32324 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 32337 (nginx)
    Tasks: 2 (limit: 1140)
   CGroup: /system.slice/nginx.service
           ├─32337 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           └─32339 nginx: worker process

Jan 28 08:39:03 ip-172-31-22-33 systemd[1]: Starting A high performance web server and a reverse proxy server...
Jan 28 08:39:04 ip-172-31-22-33 systemd[1]: nginx.service: Failed to parse PID from file /run/nginx.pid: Invalid argumen
Jan 28 08:39:04 ip-172-31-22-33 systemd[1]: Started A high performance web server and a reverse proxy server.
```

```
ps -eF | grep nginx
```

```
root     32337     1  0 35281  1552   0 08:39 ?                  00:00:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 32339 32337  0 35949  6420   0 08:39 ?        00:00:00 nginx: worker process
root     32351 32178  0  3715  1060   0 08:40 pts/0         00:00:00 grep nginx
```
2 Likes

You need to use ``` not ...
[fixed it]

1 Like

Thanks. That looks normal, except that something is not quite right with your pid file for nginx. It does not look to be causing the problem with https connections, so you can fix that later.

Can you show the result of this?

```
sudo netstat -pant | grep -Ei ':80|:443|nginx' | grep -i listen
```

(using the same formatting with backticks)

1 Like

Sure,

```
sudo netstat -pant | grep -Ei ':80|:443|nginx' | grep -i listen
```

```
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 32337/nginx: master
```

1 Like

Well, now we know why nginx does not respond to https requests: it is not listening on port 443. Your earlier nginx conf info showed it should be.

Let's look at the full active nginx config. Can you show the result of this (note: capital T this time):

```
sudo nginx -T
```
1 Like

```
sudo nginx -T
```

```
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip.conf:
load_module modules/ngx_http_geoip_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/default:
  server{
        listen 80;
        server_name _;

  location / {
    proxy_pass http://172.31.22.33:3000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }
}
```
1 Like
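The two posts above are the whole diagnosis: `netstat` shows nginx bound only to port 80, and the `nginx -T` dump shows why (the only active server block is the catch-all on port 80; there is no `listen 443 ssl` anywhere). Reading a 200-line dump for one directive is error-prone, so here is an added example, not code from the thread or from nginx, that reads `nginx -T` output and prints one line per server block with its `server_name` and `listen` directives, plus a yes/no check for a 443 listener. The two embedded configs are constructed samples that mimic this thread (a port-80-only `default`, then the intended redirect + 443 pair); `127.0.0.1:3000` is an assumed upstream.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `nginx -T` output by server block.
# Usage:  sudo nginx -T 2>/dev/null | sh nginx-listens.sh -
# With no argument it runs on the constructed samples below, so it works offline.

# Print "<server_name> -> <listen ...>" for every server{} block on stdin.
# Comment lines are skipped (the stock nginx.conf has a commented-out mail{}
# block with its own server{} entries), and brace depth is tracked so that a
# nested location{} does not end the server block early.
summarize_listens() {
    awk '
    {
        line = $0
        if (line ~ /^[ \t]*#/) next                      # whole-line comment
        if (line ~ /(^|[ \t])server[ \t]*[{]/) {         # "server {" or "server{"
            inserver = 1; sdepth = depth + 1
            names = "(no server_name)"; ports = ""
        }
        if (inserver && depth == sdepth && line ~ /^[ \t]*server_name[ \t]/) {
            v = line; sub(/^[ \t]*server_name[ \t]+/, "", v); sub(/[ \t]*;.*$/, "", v)
            names = v
        }
        if (inserver && depth == sdepth && line ~ /^[ \t]*listen[ \t]/) {
            v = line; sub(/^[ \t]*listen[ \t]+/, "", v); sub(/[ \t]*;.*$/, "", v)
            ports = (ports == "") ? v : (ports ", " v)
        }
        depth += gsub(/[{]/, "{", line)                  # count braces opened ...
        depth -= gsub(/[}]/, "}", line)                  # ... and closed on this line
        if (inserver && depth < sdepth) {                # server block just closed
            print names " -> " ((ports == "") ? "(no listen)" : ports)
            inserver = 0
        }
    }'
}

# Exit 0 if any server block has a listen directive on port 443, else 1.
tls_listener_present() {
    summarize_listens | awk -F' -> ' '$2 ~ /(^|[^0-9])443([^0-9]|$)/ { found = 1 } END { exit !found }'
}

# Constructed sample 1: what the thread's nginx -T actually contained.
SAMPLE_HTTP_ONLY='http {
# configuration file /etc/nginx/sites-enabled/default:
server{
        listen 80;
        server_name _;
  location / {
    proxy_pass http://127.0.0.1:3000;
  }
}
}
#mail {
#       server {
#               listen     localhost:110;
#       }
#}'

# Constructed sample 2: what the first post intended to have active.
SAMPLE_WITH_TLS='http {
server {
        listen 80;
        server_name holonextapp.com www.holonextapp.com;
        return 301 https://$host$request_uri;
}
server {
        listen 443 ssl;
        server_name holonextapp.com www.holonextapp.com;
        ssl_certificate /etc/letsencrypt/live/holonextapp.com/fullchain.pem; # managed by Certbot
        location / {
                proxy_pass http://127.0.0.1:3000;
        }
}
}'

if [ "${1:-}" = "-" ]; then
    summarize_listens
else
    printf '%s\n' "$SAMPLE_HTTP_ONLY" | summarize_listens
    if printf '%s\n' "$SAMPLE_HTTP_ONLY" | tls_listener_present; then
        echo "a server block listens on 443"
    else
        echo "no server block listens on 443: HTTPS will be 'connection refused'"
    fi
fi
```

Run on sample 1 it prints `_ -> 80` and the "no server block listens on 443" verdict, which is exactly the state `netstat` reported; on sample 2 it prints both blocks with `80` and `443 ssl`. Because it consumes `nginx -T` rather than the files under `sites-available`, it reports what nginx is actually running, which is the distinction that mattered in this thread.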

OK, that is different than what you showed at the start. I will need a minute to re-assess.

Thanks for info.

1 Like

In your original post you showed the server blocks (partial bit below) for this domain. What file or place did you get that conf info from? It does not appear in the active nginx -T:

```
server {
    listen 80;
    server_name holonextapp.com www.holonextapp.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;

    server_name holonextapp.com www.holonextapp.com;
(rest omitted)
```
1 Like

Hmm, that is very interesting. In the original post I got this conf info from:

```
/etc/nginx/sites-available/default
```

But when I checked it now, it looks like this:

```
        listen 80;
        server_name _;

  location / {
    proxy_pass http://172.31.22.33:3000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }
}
```

So I believe one of the commands we used probably overwrote the default file. If this kind of thing is a problem, what is the correct way to define a custom nginx conf file like the one I shared in the original post? Thanks for the great help btw :slight_smile: At least now I know what the problem is related to.

1 Like

There are various reasonable ways to manage nginx configs.

Here is a post about using the Ubuntu sites-available and sites-enabled setup

If this is the only domain you will be using, you could just create a file in sites-enabled with the server conf from your first post. Some may call this cheating :slight_smile:

1 Like
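As an added example (not from the thread, the linked post, or Certbot), here is the sites-available/sites-enabled approach from the reply above as a script: it writes one file per domain under `sites-available`, symlinks it into `sites-enabled`, confirms the enabled file carries the `listen 443 ssl` block that was missing in this thread, and runs `nginx -t` before reloading so a broken file cannot take the live server down. It assumes the Ubuntu layout under `/etc/nginx`, the certificate paths Certbot printed in the first post, an app on `127.0.0.1:3000` (the thread uses a private address), and an OpenSSL new enough for `TLSv1.3` to be accepted; TLS 1.0 and 1.1 from the original config are dropped since both are deprecated. `NGINX_ROOT` can be pointed at a scratch directory for a dry run.

```shell
#!/bin/sh
# Added example (not from the thread): install a per-domain nginx site the
# Ubuntu way and reload only after `nginx -t` passes.
# Usage:  sudo env DOMAIN=holonextapp.com sh install-site.sh --apply
set -eu

NGINX_ROOT="${NGINX_ROOT:-/etc/nginx}"          # assumed Ubuntu layout
DOMAIN="${DOMAIN:-holonextapp.com}"
UPSTREAM="${UPSTREAM:-http://127.0.0.1:3000}"    # assumed app address

# Write the redirect + TLS server pair for $DOMAIN into sites-available.
# Shell variables are expanded; nginx variables are escaped with a backslash.
write_site_conf() {
    mkdir -p "$NGINX_ROOT/sites-available" "$NGINX_ROOT/sites-enabled"
    cat > "$NGINX_ROOT/sites-available/$DOMAIN" <<EOF
# $DOMAIN: send plain HTTP to HTTPS, terminate TLS on 443, proxy to the app
server {
    listen 80;
    server_name $DOMAIN www.$DOMAIN;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $DOMAIN www.$DOMAIN;

    ssl_certificate     /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
    # TLS 1.0/1.1 from the original config are deprecated; keep 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass $UPSTREAM;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host \$host;
        proxy_cache_bypass \$http_upgrade;
    }
}
EOF
}

# Enable the site with a relative symlink, as the Ubuntu package does.
enable_site() {
    ln -sf "../sites-available/$DOMAIN" "$NGINX_ROOT/sites-enabled/$DOMAIN"
}

# Exit 0 when the enabled file (through the symlink) declares a 443 listener.
enabled_conf_has_tls() {
    grep -q 'listen 443 ssl;' "$NGINX_ROOT/sites-enabled/$DOMAIN"
}

# Validate first; reload only if the whole config parses.
apply_if_valid() {
    if command -v nginx >/dev/null 2>&1; then
        nginx -t && systemctl reload nginx
    else
        echo "nginx not installed here: skipping nginx -t / reload (dry run)"
    fi
}

main() {
    write_site_conf
    enable_site
    enabled_conf_has_tls && echo "enabled $NGINX_ROOT/sites-enabled/$DOMAIN (443 ssl present)"
    apply_if_valid
}

if [ "${1:-}" = "--apply" ]; then
    main
fi
```

After a successful reload, the `netstat` line from earlier in the thread should show a second nginx entry on `0.0.0.0:443`, and `curl -Ii https://www.holonextapp.com` should return a response instead of "Connection refused". Keeping the Certbot-managed `default` file untouched and giving the domain its own file is what prevents the overwrite this thread ran into.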

Thanks Mike, I have managed to solve the problem and my server is running perfectly now! I appreciate your effort in helping me, together with @rg305.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.