Question

How can I secure a web application using Nginx and Let's Encrypt?

Several months ago I built several Ubuntu 14.04 servers hosting Odoo 9 applications and used nginx to direct HTTPS traffic to the default port (8069), forcing all connections through port 443, with SSL credentials generated by Let's Encrypt using the webroot method. The DO tutorials I followed allowed this process to work without any problems. However, my certificates have expired and so now I do not have SSL protection. I attempted to manually update my certificates by returning to the tutorials I used before, but the scripts and methodology have apparently changed.

I successfully renewed my certs using the old script “letsencrypt-auto renew” found in /opt/letsencrypt instead of “autobot-auto renew”, but browsing to my application allows only a non-encrypted connection through port 80. If I attempt to connect manually via HTTPS I get the browser error “This site can’t be reached”. I have done both internal and external port scans of the server and there is no evidence that anything is listening on port 443. Here is my nginx “/etc/nginx/sites-enabled/default” configuration. It has been edited to reflect example.com instead of my actual FQDN…

# HTTP - redirect all requests to HTTPS:
server {
        listen 80;
        server_name example.com www.example.com;
        #listen [::]:80 default_server ipv6only=on;
        return 301 https://$host$request_uri;
}

# HTTPS - proxy requests on to local odoo app:
server {
        listen 443;
        server_name example.com;

        ssl on;
        # Use certificate and key provided by Let's Encrypt:
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

        # Pass requests for / to localhost:8069:
        location / {
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-NginX-Proxy true;
                proxy_pass http://localhost:8069/;
                proxy_ssl_session_reuse off;
                proxy_set_header Host $http_host;
                proxy_cache_bypass $http_upgrade;
                proxy_redirect off;
        }
}

Once again, these applications were functioning properly until after my cert expired. Another site using the same configuration that has yet to expire is continuing to work fine even after I requested a renewal. The above configuration file is the same. I have not seen any other output that shows any errors in the logs. Has anyone else had experience with this issue?



Have you reloaded Nginx since updating the certificate files? sudo service nginx reload
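The question's nginx configuration and the suggestion above to reload nginx describe a short post-renewal procedure; the script below is an added example (not from the original post or from DigitalOcean) that turns it into repeatable checks. It assumes the certificate path and site file from the question, that the hostname example.com is a placeholder, and that nginx, ss and openssl are installed as they normally are on Ubuntu. The two helper functions work on text so they can be run against captured output; the live checks only run when RUN_CHECKS=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post: verify that a renewed
# Let's Encrypt certificate is actually being served by nginx.
# Paths below are taken from the question; example.com is a placeholder.
set -u

CERT=/etc/letsencrypt/live/example.com/fullchain.pem
NGINX_CONF=/etc/nginx/sites-enabled/default

# listening_on PORT LISTING
# Exit 0 if an "ss -ltn" style listing contains a LISTEN socket on PORT.
# Handles "*:443", "0.0.0.0:443" and "[::]:443" local-address forms.
listening_on() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" { addr = $4; sub(/.*:/, "", addr); if (addr == p) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# tls_enabled_on_443 CONFIG
# Exit 0 if the nginx config text enables TLS on port 443, either with the
# current "listen 443 ssl;" form or with the older "listen 443;" plus
# "ssl on;" pair used in the question (still accepted by nginx 1.4 on
# Ubuntu 14.04; the separate "ssl" directive is deprecated since 1.15.0).
tls_enabled_on_443() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::\]:)?443[[:space:]]+ssl' && return 0
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*listen[[:space:]]+(\[::\]:)?443[[:space:];]' &&
        printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'
}

# Live checks against the running host. A failing "nginx -t" is the usual
# reason a reload silently changes nothing, so it is tested first.
run_checks() {
    echo "1. nginx configuration test:"
    sudo nginx -t || return 1
    echo "2. TLS listener configured in $NGINX_CONF:"
    tls_enabled_on_443 "$(cat "$NGINX_CONF")" || { echo "   no TLS on 443 in config"; return 1; }
    echo "3. certificate validity (fails if it expires within 7 days):"
    sudo openssl x509 -in "$CERT" -noout -enddate -checkend 604800 || return 1
    echo "4. reload nginx so it picks up the renewed files:"
    sudo service nginx reload || return 1
    echo "5. something listening on 443 after the reload:"
    listening_on 443 "$(ss -ltn)" || { echo "   nothing on 443; see /var/log/nginx/error.log"; return 1; }
    echo "all checks passed"
}

# Only touch the live system when explicitly asked:
#   RUN_CHECKS=1 sh check-tls.sh
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    run_checks
fi
```

Step 5 is the check that matches the symptom in the question: if nginx reports a clean config test and reloads without error but still shows no listener on 443, the error log is the next place to look, since a worker that cannot open the certificate or key files will log that there rather than on the command line.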

What error message do you receive? What are your real hostnames?
