Question

I can't install the SSL certificate in nginx

I have a Node.js application that listens on port 3000. I installed nginx and configured it so that it redirects the data from port 80 to 3000 using the following line:

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000

I also have an assigned domain name: okium.fun. Finally, I bought an SSL certificate and configured the file /etc/nginx/sites-available/default to try to make it work. My default file looks like this:

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  listen 443 ssl;

  root /var/www/html;
  index index.html index.htm index.nginx-debian.html;
  
  server_name  okium.fun;

  ssl_certificate /root/okium.fun.chained.crt;
  ssl_certificate_key /root/okium.fun.key;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

  location / {
    try_files $uri $uri/ =404;
  }
}

When writing http://okium.fun or http://www.okium.fun in the browser, the application is displayed correctly, but when typing https://okium.fun or https://www.okium.fun I get the following message: “The okium.fun page has rejected the connection. ERR_CONNECTION_REFUSED”. Any ideas about what may be happening?



Hey friend,

It sounds like you’re not actually using Nginx here, at least from what I gather. If you’re using iptables to redirect port 80 to 3000, then requests to port 80 are being forwarded directly to the app on port 3000. What you want to do here is remove the iptables rule and configure Nginx to reverse proxy requests to port 80 and 443 to port 3000.

Now, one interesting side note. If your Nginx was working properly with this setup, regardless of it not playing the intended role on port 80, you should be seeing something different. You could have Nginx listening on 80 and 443, iptables redirecting traffic from port 80, and Nginx still serving the https traffic properly over port 443. It would be like:

80  -> 3000
443 -> /var/www/html/index.{htm,html}

So you’d be seeing the Nginx default landing page if the application were working. Either it’s simply that Nginx isn’t running, or its configuration is broken. So when you get rid of that iptables rule, expect the same error to follow on http requests. However, that’s where you’ll need to be to accurately troubleshoot.

If it’s me, this is the first thing I’m doing:

sudo iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000
systemctl start nginx

Then I’m running this to see if Nginx is running:

netstat -tulpn | grep nginx

If I get a return, I’m checking http and https requests to see if both display the Nginx default landing page. If they don’t, I’m checking Nginx config for errors:

nginx -t

Then I’d correct the errors, and start Nginx back up:

systemctl start nginx

Assuming you’ve done that, or that it was started already in the first place, then I’m moving forward to changing the Nginx configuration to reverse proxy to port 3000 instead of serving HTML from /var/www/html. For that, I’m using this tutorial:

https://www.keycdn.com/support/nginx-reverse-proxy

Of course, you’ll need to intelligently pick out what pieces of your existing server block to keep, rather than replacing it all with the server block given in the tutorial. The lines for listening on port 443, as well as the SSL certificate/key, are examples of lines that will need to stay.

Hope that helps :)

Jarland
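As an added example (not part of the original question or answer), here is what the reworked server block could look like once the iptables rule is gone: Nginx terminates TLS on 443 and reverse proxies to the Node.js app on 3000, while port 80 only redirects to HTTPS. The certificate and key paths are the ones from the question; the upstream name, the www server_name and the forwarded headers are assumptions.

```nginx
# Assumed layout: Nginx owns ports 80 and 443 on the host, and the Node.js app
# keeps listening on 127.0.0.1:3000 (not exposed directly anymore).
upstream node_app {
    server 127.0.0.1:3000;
}

# Lets WebSocket upgrades pass through without forcing "Connection: upgrade"
# on ordinary requests.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80: serve nothing here, just send every request to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name okium.fun www.okium.fun;
    return 301 https://$host$request_uri;
}

# Port 443: TLS termination plus reverse proxy to the app.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name okium.fun www.okium.fun;

    # Same certificate/key lines as in the question; these must stay.
    ssl_certificate     /root/okium.fun.chained.crt;
    ssl_certificate_key /root/okium.fun.key;

    # TLSv1 and TLSv1.1 from the original block are deprecated; keep 1.2/1.3 only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / {
        proxy_pass http://node_app;
        proxy_http_version 1.1;
        # Tell the app who the real client is and that the request arrived over HTTPS.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}
```

Run `nginx -t` before `systemctl reload nginx`, then confirm with `ss -tlnp` (or the `netstat` line above) that nginx, not node, is the listener on 80 and 443.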