Debian 9 Nginx HTTPS not working (Let's Encrypt, Debian 9.6)

Question

Hi,

I have followed this tutorial and I am having trouble getting SSL to work.
Normal HTTP works fine, but when I try to use HTTPS I get an ERR_ADDRESS_UNREACHABLE error, or via curl: curl: (7) Failed to connect to mydomain.com port 443: No route to host. The HTTPS requests don’t even come up /var/log/nginx/access.log .

Here are the relevant files:

# /etc/nginx/sites-available/mydomain.com
server {
        listen 80;
        listen [::]:80;

        root /var/www/mydomain.com/html;
        index index.html;

        server_name mydomain.com www.mydomain.com;

        location / {
        root /var/www/mydomain.com/html;
                try_files $uri $uri/ =404;
        }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# /var/www/mydomain.com/html/index.html
<html>
<head>
testing
</head>
</html>

My firewall (ufw) is inactive, port 443 is forwarded on my router, nginx -t runs fine. Here are my dns (GoDaddy) records. Both point to my ip.

I’m running Debian 9.6 (stretch) and Nginx 1.10.3.

Answer 1

joshpw January 27, 2019

Found my mistake (a dumb one)…

The SSL port’s destination ip was not my server’s ip address. Fixed, thanks for all the help.

Reply Report

Answer 2

jasonjpeters January 26, 2019

try separating your server blocks into SSL and NON-SSL definitions like so…

server {
    listen 80;

    server_name mydomain.com www.mydomain.com;

    root /var/www/mydomain.com/html;
    index index.html;

    location / {
        try_files $uri $uri/ /index.html =404;
    }

    access_log /var/logs/nginx/mydomain_access.log; 
    error_log /var/logs/nginx/mydomain_error.log;
}


server {
    listen 443 ssl http2;

    server_name mydomain.com www.mydomain.com;

    root /var/www/mydomain.com/html;
    index index.html;

    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; 
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem; 

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;

    ssl_stapling on;
    ssl_stapling_verify on;

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff; 

    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location / {
        try_files $uri $uri/ /index.html =404;
    }

    access_log /var/logs/nginx/mydomain_access_ssl.log;
    error_log /var/logs/nginx/mydomain_error_ssl.log;
}

The final two lines in each block will provide you with access/error logs for each consideration.
Ensure to replace “mydomain” with your real domain name.

As well I am not to sure what you mean by your router is pointed to 443.

Reply Report

jasonjpeters January 26, 2019

… once you have SSL/443 working you can update your NON-SSL/80 server block like so to redirect all traffic canonically.

server {
    listen 80;

    server_name mydomain.com www.mydomain.com;

    location / {
        return 301 https://www.mydomain.com$request_uri;
    }

    access_log /var/logs/nginx/mydomain_access.log; 
    error_log /var/logs/nginx/mydomain_error.log;
}

Reply Report

joshpw January 27, 2019
Hey, thanks for your reply.

I separated the blocks but the problem persists. Nothing in the SSL access logs…

As well I am not to sure what you mean by your router is pointed to 443.

I meant that the port 443 is open. I uploaded a picture of my dns setup where you can see the type and name records, just in case.
Reply Report
- joshpw January 27, 2019
  
  [deleted]
  
  Reply Report
- jasonjpeters January 27, 2019
  
  … I am happy you found your answer. If possible you should leave it here so that if anyone else runs into the same issue, they can read the resolution.
  
  Reply Report

Answer 3

jasonjpeters January 26, 2019

… once you have SSL/443 working you can update your NON-SSL/80 server block like so to redirect all traffic canonically.

server {
    listen 80;

    server_name mydomain.com www.mydomain.com;

    location / {
        return 301 https://www.mydomain.com$request_uri;
    }

    access_log /var/logs/nginx/mydomain_access.log; 
    error_log /var/logs/nginx/mydomain_error.log;
}

Reply Report

joshpw January 27, 2019
Hey, thanks for your reply.

I separated the blocks but the problem persists. Nothing in the SSL access logs…

As well I am not to sure what you mean by your router is pointed to 443.

I meant that the port 443 is open. I uploaded a picture of my dns setup where you can see the type and name records, just in case.
Reply Report
- joshpw January 27, 2019
  
  [deleted]
  
  Reply Report
- jasonjpeters January 27, 2019
  
  … I am happy you found your answer. If possible you should leave it here so that if anyone else runs into the same issue, they can read the resolution.
  
  Reply Report

Related

Question

Debian 9 Nginx HTTPS not working (Let's Encrypt, Debian 9.6)

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

Debian 9 Nginx HTTPS not working (Let's Encrypt, Debian 9.6)

Leave a comment

Related

question

Connect to DB installed into dedicated VPS (private networking)

question

my site i down please see http://www.cheri3a.com/

question

How do I get a SSL certificate for my WSGI Flask server so it can send data over HTTPS?

question

Tutorial for let's encrypt wildcard?

Looking for something else?