By: vilhelmas

Can't get HTTPS to work

November 5, 2013 19.7k views
Hi all, I'm new to this, so please be patient :-) I wanted to host a Ghost blog on DO, so I followed the guide and created a Ghost droplet. I got my domain name from GoogleApps, and my blog is now accessible via karmaisaword.com - so far so good. However, I wanted to enable encryption for the blog (no real reason other than to learn), so I got my pk & cert from StartSSL and installed them to nginx. I created a new server config in my default virtual host file for it:

server {
    listen 443 ssl;
    root /usr/share/nginx/html;
    index index.html index.htm;
    server_name karmaisaword.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/ssl-unified.crt;
    ssl_certificate_key /etc/nginx/ssl/ssl.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp521r1;
}

After restarting nginx, "netstat -tulpn | grep 443" says nginx is listening on this port. I also added a rule to iptables to allow incoming SSL connections:

ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443

At this point I would expect the port to be "open" from outside, but http://www.yougetsignal.com/tools/open-ports/ says port 443 is still closed, and going to https://karmaisaword.com hits a connection timeout. I can't see any mention of the HTTPS request in my nginx logs (but regular port 80 ones get logged), so I assume it never reaches nginx. I tried adding some logging to iptables, but I haven't seen any output in /var/log/messages for this rule:

LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "

So, either that rule is not doing what I wanted it to, or the request never even reaches the firewall? At this point I'm utterly confused and would really appreciate some help! Thanks :-)
10 Answers
I'm not really sure about the firewall thing, whether it could cause the issue, but you could check / do the following things regarding your certs:

- Check whether the .crt file contains 3 blocks beginning with -----BEGIN CERTIFICATE-----. If not, you have to add the missing certs to your file. It should contain: your cert, intermediate cert and the root cert, in exactly this order.
- Just for testing, remove every line containing ssl_ except ssl_certificate and ssl_certificate_key.
- Also make sure the user nginx is running as is able to access these files. I'm not sure whether it would even start without having access.
I do have three certificates, and nginx is starting happily with them. I don't have access to another Linux machine, so I tried running

openssl s_client -connect karmaisaword.com:443

which printed out lots of interesting stuff about the certificates, and no indication of a problem. Also, if I do

wget https://karmaisaword.com/

I get

Connecting to karmaisaword.com (karmaisaword.com)|82.196.8.212|:443... connected.
HTTP request sent, awaiting response... 200 OK

It seems that the problem is only connecting from outside? (There's also a separate problem that wget returns the nginx welcome page instead of Ghost :-) )
Solved it, sorry for the waste of time. Apparently the default iptables config in the droplet has a DROP ALL as the last rule in the INPUT chain, so when I added the rule to allow 443, it had no effect. I've switched these two around and HTTPS is working! Now I just need to figure out why I'm getting the nginx start page.
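Added example, not part of the thread: a POSIX shell function that replays the ordering mistake above. It reads a chain in the form "iptables -S INPUT" prints, walks it top to bottom the way the kernel does, and reports whether a new inbound TCP connection to a port is accepted, dropped (and at which rule, so you know where to -I the ACCEPT), or left to the chain policy. The two chains are constructed; rules carrying selectors the check does not model (source address, interface, conntrack state) are skipped rather than guessed at.

```shell
# Walk an iptables INPUT chain (in "iptables -S INPUT" form) top to bottom, the
# way the kernel does, and report the fate of a new inbound TCP connection to
# port $2: "accept", "drop at rule N" (N = where to -I an ACCEPT) or "policy <P>".
# Returns 0 only when the port is reachable. Assumption: rules with selectors not
# modelled here (-s, -d, -i, conntrack state) are skipped rather than guessed at.
port_verdict() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^-P INPUT/ { policy = $3; next }
        /^-A INPUT/ {
            n++; target = ""; proto = ""; dport = ""; other = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                else if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i ~ /^(-s|-d|-i|--sport|--state|--ctstate)$/) other = 1
            }
            if (target == "LOG") next              # LOG never terminates the walk
            if (proto != "" && proto != "tcp") next
            if (dport != "" && dport != port) next
            if (other) next
            if (target == "ACCEPT") { verdict = "accept"; exit }
            if (target == "DROP" || target == "REJECT") { verdict = "drop at rule " n; exit }
        }
        END {
            if (verdict == "") verdict = "policy " policy
            print verdict
            exit ((verdict == "accept" || verdict == "policy ACCEPT") ? 0 : 1)
        }'
}

# Constructed chain mirroring the thread: the 443 ACCEPT was appended after the
# catch-all DROP, so it is never reached.
BROKEN_CHAIN='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# After "iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT" and deleting rule 6.
FIXED_CHAIN='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP'

port_verdict "$BROKEN_CHAIN" 443 || true   # prints: drop at rule 4
port_verdict "$FIXED_CHAIN" 443            # prints: accept
```

On a live box, feed it the real chain with port_verdict "$(iptables -S INPUT)" 443; a "drop at rule N" answer means the ACCEPT has to be inserted at position N or earlier.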
"now i just need to figure out why I'm getting the nginx start page."

What's the path to your Ghost installation? Your root directory is currently set as: root /usr/share/nginx/html. You may need to replace the root w/the path to your Ghost installation.
That was one mistake that I noticed earlier - I changed that to /usr/share/nginx/www. Ghost is installed in /usr/share/nginx/www/ghost. It works fine over port 80, but 443 always gives my nginx welcome page.
Ghost doesn't work like that -- the pages are served by node so you can't use only nginx to serve them.
Did you follow a specific article on installing Ghost? Also, please pastebin your virtualhosts. Thanks.
I'm using a Ghost application droplet, where nginx is acting as reverse proxy to Ghost. The main config file includes sites-enabled/* and conf.d/*. There's only one virtual host file in sites-enabled, called default (http://pastebin.com/MFia0HL7). I've left the default server pretty much as it was, and created the SSL one. The actual 'reverse-proxying' bit happens in conf.d/default.conf (http://pastebin.com/AUFajXwT). I'm guessing the problem is with that config, but this is all new to me, so I might be well off.
P.S. The tutorial I started with was this one: https://www.digitalocean.com/community/articles/how-to-use-the-digitalocean-ghost-application
Well, it kinda works now with these added to the location block of the 443 server config:

proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect http:// https://;
proxy_pass http://localhost:2368/;

The problem now is that CSS is not loading. Looking at the source of the page, the URL to the CSS seems correct (https://karmaisaword.com/assets/css/screen.css), but it's not accessible. Wonder what that is all about.
Please pastebin your virtualhost config.