How can I secure a web application using Nginx and lets encrypt?

Posted September 13, 2016 4.4k views
UbuntuLet's Encrypt

Several months ago I built several ubuntu 14.04 servers hosting Odoo 9 applications and used nginx to direct https traffic to the default port (8069) forcing all connections through port 443, with SSL credentials generated by Letsencrypt using the webroot method. The DO tutorials I followed allowed this process to work without any problems. However my certificates have expired and so now I do not have SSL protection. I attempted to manually update my certificates but returning to the tutorials I used before, but the scripts and methodology have apparently changed.

I successfully renewed my certs using the old script “letsencrypt-auto renew” found in /opt/letsencrypt instead of “autobot-auto renew” but browsing to my application allows only a non encrypted connection through port 80. If I attempt to connect manually via HTTPS I get the browser error “This site can’t be reached” I have done both internal and external port scans of the server and there is no evidence that anything is listening on port 443. Here is my nginx “/etc/nginx/sites-enabled/default” configuration. It has been edited to reflect instead of my actual FQDN..

# HTTP - redirect all requests to HTTPS:
server {
        listen 80;
        #listen [::]:80 default_server ipv6only=on;
        return 301 https://$host$request_uri;

# HTTPS - proxy requests on to local odoo app:
server {
        listen 443;

        ssl on;
        # Use certificate and key provided by Let's Encrypt:
        ssl_certificate /etc/letsencrypt/live/;
        ssl_certificate_key /etc/letsencrypt/live/;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

        # Pass requests for / to localhost:8069:
        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://localhost:8069/;
                proxy_ssl_session_reuse off;
                proxy_set_header Host $http_host;
                proxy_cache_bypass $http_upgrade;
                proxy_redirect off;

Once again these applications were functioning properly until after my cert expired. Another site using the same configuration that has yet to expire is continuing to work fine even after I requested a renewal. The above configuration file is the same. I have not seen any other output that show any errors in logs. Has anyone else had experience with this issue?

edited by kamaln7

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
1 answer

Have you reloaded Nginx since updating the certificate files? sudo service nginx reload

What error message do you receive? What are your real hostnames?

  • Thanks for the reply. I received no error or output with the reload command besides “reloading nginx configuration” . Visiting the application resulted in no change of behavior, no redirection to port 443. An internal port scan does show port 443 active, but from the web it is not visible.

  • Sorry another server is Both of theses were initially running fine the only change I can point to is that the certs had expired. I have not renewed wnclug’s certs yet