Can't get HTTPS to work

November 5, 2013
Hi all, I'm new to this, so please be patient :-) I wanted to host a Ghost blog on DO, so I followed the guide and created a Ghost droplet. I got my domain name from GoogleApps, and my blog is now accessible via - so far so good.

However, I wanted to enable encryption for the blog (no real reason other than to learn), so I got my pk & cert from StartSSL and installed them to nginx. I created a new server config in my default virtual host file for it:

server {
    listen 443 ssl;
    root /usr/share/nginx/html;
    index index.html index.htm;
    server_name;
    ssl on;
    ssl_certificate /etc/nginx/ssl/ssl-unified.crt;
    ssl_certificate_key /etc/nginx/ssl/ssl.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp521r1;
}

After restarting nginx, "netstat -tulpn | grep 443" says nginx is listening to this port. I also added a rule to iptables to allow incoming ssl connections:

ACCEPT tcp -- tcp dpt:443

At this point I would expect the port to be "open" from outside, but says port 443 is still closed, and going to hits a connection timeout. I can't see any mention of the https request in my nginx logs (but regular port 80 ones get logged out), so I assume it never reaches nginx. I tried adding some logging to iptables, but I haven't seen any output in /var/log/messages for this rule:

LOG all -- limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "

So, either that rule is not doing what I wanted it to, or the request never even reaches the firewall? At this point I'm utterly confused and would really appreciate some help! Thanks :-)
10 Answers
I'm not really sure about the firewall thing, whether it could cause the issue, but you could check / do the following things regarding your certs:

- Check whether the .crt file contains 3 blocks beginning with -----BEGIN CERTIFICATE-----. If not, you have to add the missing certs to your file. It should contain: your cert, intermediate cert and the root cert in exactly this order.
- Just for testing, remove every line containing ssl_ except: ssl_certificate and ssl_certificate_key.
- Also make sure the user nginx is running with is able to access these files. I'm not sure whether it would even start w/o having access.

I do have three certificates, and nginx is starting happily with them. I don't have access to another linux machine, so I tried running

openssl s_client -connect

which printed out lots of interesting stuff about the certificates, and no indication of a problem. Also, if I do


I get

Connecting to (||:443... connected.
HTTP request sent, awaiting response... 200 OK

It seems that the problem is only connecting from outside? (There's also a separate problem that wget returns the nginx welcome page instead of Ghost :-) )
Solved it, sorry for the waste of time. Apparently the default iptables config in the droplet has a DROP ALL as the last rule in the INPUT chain, so when I added the rule to allow 443, it had no effect. I've switched these two around and https is working! Now I just need to figure out why I'm getting the nginx start page.
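
The rule-ordering problem described in the post above, shown as an added example that is not part of the original thread: iptables evaluates a chain top to bottom, so anything appended after an unconditional DROP is never reached. The function name, the sample ruleset and its rule positions are constructed for illustration; the input format is that of `iptables -S`.

```shell
#!/bin/sh
# find_shadowed_rules CHAIN
# Reads `iptables -S` output on stdin and prints every rule in CHAIN that
# sits after an unconditional DROP/REJECT, i.e. a rule that can never match.
find_shadowed_rules() {
    awk -v chain="${1:-INPUT}" '
        $1 == "-A" && $2 == chain {
            n++                                   # position within the chain
            if (blocked) {
                printf "rule %d unreachable (after rule %d): %s\n", n, blocked, $0
                next
            }
            # A rule with no match options goes straight from chain to -j.
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) blocked = n
        }
    '
}

# Constructed sample: a ruleset ending in a catch-all DROP, with an ACCEPT
# for 443 and a LOG rule appended afterwards via `iptables -A`.
sample_rules() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
EOF
}

# On a live host: iptables -S INPUT | find_shadowed_rules INPUT
sample_rules | find_shadowed_rules INPUT
```

To place a new rule ahead of the catch-all instead of after it, insert it at a rule number with `iptables -I INPUT <rulenum> ...`; `iptables -L INPUT --line-numbers` shows the current positions.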
"now i just need to figure out why I'm getting the nginx start page."

What's the path to your Ghost installation? Your root directory is currently set as: root /usr/share/nginx/html. You may need to replace the root w/the path to your Ghost installation.
That was one mistake that I noticed earlier - I changed that to /usr/share/nginx/www. Ghost is installed in /usr/share/nginx/www/ghost. It works fine over port 80, but 443 always gives my nginx welcome page.
Ghost doesn't work like that -- the pages are served by node so you can't use only nginx to serve them.
Did you follow a specific article on installing Ghost? Also, please pastebin your virtualhosts. Thanks.
I'm using a Ghost application droplet, where nginx is acting as reverse proxy to Ghost. The main config file includes sites-enabled/* and conf.d/*. There's only one virtual host file in sites-enabled, called default ( I've left the default server pretty much as it was, and created the ssl one. The actual 'reverse-proxying' bit happens in conf.d/default.conf ( I'm guessing the problem is with that config, but this is all new to me, so I might be well off.
P.S. The tutorial I started with was this one:
Well, it kinda works now with these added to the 443 server config.location:

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect http:// https://;
proxy_pass http://localhost:2368/;

The problem now is that CSS is not loading. Looking at the source of the page, the URL to the CSS seems correct (, but it's not accessible. Wonder what that is all about.
Please pastebin your virtualhost config.