How can I secure a web application using Nginx and lets encrypt?

September 13, 2016 884 views
Let's Encrypt Ubuntu

Several months ago I built several ubuntu 14.04 servers hosting Odoo 9 applications and used nginx to direct https traffic to the default port (8069) forcing all connections through port 443, with SSL credentials generated by Letsencrypt using the webroot method. The DO tutorials I followed allowed this process to work without any problems. However my certificates have expired and so now I do not have SSL protection. I attempted to manually update my certificates but returning to the tutorials I used before, but the scripts and methodology have apparently changed.

I successfully renewed my certs using the old script "letsencrypt-auto renew" found in /opt/letsencrypt instead of "autobot-auto renew" but browsing to my application allows only a non encrypted connection through port 80. If I attempt to connect manually via HTTPS I get the browser error "This site can't be reached" I have done both internal and external port scans of the server and there is no evidence that anything is listening on port 443. Here is my nginx "/etc/nginx/sites-enabled/default" configuration. It has been edited to reflect example.com instead of my actual FQDN..

# HTTP - redirect all requests to HTTPS:
server {
        listen 80;
        server_name example.com www.example.com;
        #listen [::]:80 default_server ipv6only=on;
        return 301 https://$host$request_uri;

# HTTPS - proxy requests on to local odoo app:
server {
        listen 443;
        server_name example.com;

        ssl on;
        # Use certificate and key provided by Let's Encrypt:
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

        # Pass requests for / to localhost:8069:
        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://localhost:8069/;
                proxy_ssl_session_reuse off;
                proxy_set_header Host $http_host;
                proxy_cache_bypass $http_upgrade;
                proxy_redirect off;

Once again these applications were functioning properly until after my cert expired. Another site using the same configuration that has yet to expire is continuing to work fine even after I requested a renewal. The above configuration file is the same. I have not seen any other output that show any errors in logs. Has anyone else had experience with this issue?

1 Answer
mnordhoff September 13, 2016
Accepted Answer

Have you reloaded Nginx since updating the certificate files? sudo service nginx reload

What error message do you receive? What are your real hostnames?

  • Thanks for the reply. I received no error or output with the reload command besides "reloading nginx configuration" . Visiting the application resulted in no change of behavior, no redirection to port 443. An internal port scan does show port 443 active, but from the web it is not visible.

  • Sorry darnellfarms.com www.darnellfarms.com another server is wnclug.com Both of theses were initially running fine the only change I can point to is that the certs had expired. I have not renewed wnclug's certs yet

Have another answer? Share your knowledge.