Question

LetsEncrypt cannot connect to domain + ERR_CONNECTION_REFUSED

Unable to connect to server after following this setup tutorial for nginx with ssl over http2 on my Ubuntu droplet.

DNS records at Namecheap.com are set to Custom DNS pointing to: ns1.digitalocean.com, ns2.digitalocean.com, ns3.digitalocean.com

I have the following records at the Domain Name Control Panel @ Digital Ocean Droplet:

type / hostname / value / ttl
A - *.plasticsrev.club - 104.131.129.214 - 3600
A - plasticsrev.club - 104.131.129.214 - 3600
NS - plasticsrev.club - ns1.digitalocean.com - 1800
NS - plasticsrev.club - ns2.digitalocean.com - 1800
NS - plasticsrev.club - ns3.digitalocean.com - 1800

Ping test for plasticsrev.club:

PING plasticsrev.club (104.131.129.214): 56 data bytes
64 bytes from 104.131.129.214: icmp_seq=0 ttl=57 time=51.727 ms
64 bytes from 104.131.129.214: icmp_seq=1 ttl=57 time=52.775 ms
64 bytes from 104.131.129.214: icmp_seq=2 ttl=57 time=54.574 ms
64 bytes from 104.131.129.214: icmp_seq=3 ttl=57 time=53.471 ms
64 bytes from 104.131.129.214: icmp_seq=4 ttl=57 time=56.712 ms
64 bytes from 104.131.129.214: icmp_seq=5 ttl=57 time=53.874 ms

--- plasticsrev.club ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 51.727/53.856/56.712/1.556 ms

Ping test for www.plasticsrev.club:

PING www.plasticsrev.club (104.131.129.214): 56 data bytes
64 bytes from 104.131.129.214: icmp_seq=0 ttl=57 time=52.069 ms
64 bytes from 104.131.129.214: icmp_seq=1 ttl=57 time=52.484 ms
64 bytes from 104.131.129.214: icmp_seq=2 ttl=57 time=53.466 ms
64 bytes from 104.131.129.214: icmp_seq=3 ttl=57 time=54.178 ms
64 bytes from 104.131.129.214: icmp_seq=4 ttl=57 time=53.623 ms
64 bytes from 104.131.129.214: icmp_seq=5 ttl=57 time=50.825 ms

--- www.plasticsrev.club ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 50.825/52.774/54.178/1.122 ms

Nginx config file /etc/nginx/sites-available/default :

server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name plasticsrev.club www.plasticsrev.club;

        location ~ /.well-known {
                allow all;
        }

When I run $ sudo ufw status I get: Status: inactive.

Thanks for your help!



@julsgud

First, I’d recommend cleaning up the file and getting rid of all the commented directives that you don’t need. That’d leave us with:

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /var/www/html;

    index index.html index.htm index.php index.nginx-debian.html;

    server_name plasticsrev.club www.plasticsrev.club;

    location ~ /.well-known {
        allow all;
    }
}

Now, the first issue depends on if you have other configurations (server blocks) in the same directory as this one. If you do and you’ve modified them, we’d need to look at them too.

The second issue is that you’ve not actually set up SSL for this domain. You’re not defining the path to the SSL Certificate, you’re missing the SSL configuration, and there’s no redirect to push requests on port 80 to 443 so that all traffic gets served over SSL.

There’s also the default location block missing to tell how to handle incoming requests.

To properly serve content over SSL, you’d want to use something such as what I’m showing below, which has been customized for your domain, so it’s basically a copy and paste. You’d paste all of this into a single file.

server {
    listen 80;
    listen [::]:80;
    server_name plasticsrev.club www.plasticsrev.club;

    location ~ /.well-known {
        allow all;
    }

    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name plasticsrev.club www.plasticsrev.club;

    root /var/www/html;

    index index.html index.htm index.php index.nginx-debian.html;

    ssl on;
    ssl_certificate /etc/nginx/ssl/star_forgott_com.crt;
    ssl_certificate_key /etc/nginx/ssl/star_forgott_com.key;

    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_tickets off;
    ssl_session_timeout 5m;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}

You’d need to modify these two lines:

    ssl_certificate /etc/nginx/ssl/star_forgott_com.crt;
    ssl_certificate_key /etc/nginx/ssl/star_forgott_com.key;

… and replace the paths to match the location of your certificate and private key. The location block I have set up is just a starter. What you’d actually use depends on the type of site you’re hosting. We can modify that as needed.
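
A variant of the two server blocks above for a Let's Encrypt setup, as an added example that is not part of the original answer. It serves the HTTP-01 challenge on port 80 before redirecting and limits TLS to current protocol versions. The certificate paths assume certbot's default layout and TLSv1.3 assumes nginx 1.13+ built against OpenSSL 1.1.1.

```nginx
# Added example, not the answerer's configuration.
# Port 80 has to answer: the Let's Encrypt HTTP-01 challenge arrives here,
# and so does every plain-HTTP visitor who needs the redirect.
server {
    listen 80;
    listen [::]:80;
    server_name plasticsrev.club www.plasticsrev.club;

    # Serve challenge files straight from the webroot.
    # "^~" keeps regex locations from taking over this prefix.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type text/plain;
        try_files $uri =404;
    }

    # Redirect everything else. A server-level "return" runs before location
    # matching, so the challenge location above would never be reached.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Enable this block only once the certificate files exist: nginx fails its
# config test if ssl_certificate points at a missing file.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name plasticsrev.club www.plasticsrev.club;

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    # Assumed paths (certbot's default layout); replace with your own.
    ssl_certificate     /etc/letsencrypt/live/plasticsrev.club/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/plasticsrev.club/privkey.pem;

    # "listen ... ssl" already enables TLS; a separate "ssl on;" is deprecated.
    ssl_protocols TLSv1.2 TLSv1.3;  # TLS 1.0 and 1.1 are deprecated (RFC 8996)
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
    ssl_session_tickets off;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Run `sudo nginx -t` after each change and reload only when the test passes.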

Hey! Thanks for your response!

I get the following when doing sudo tail -20 /var/log/nginx/error.log

2017/05/24 16:37:33 [emerg] 29864#29864: unexpected "}" in /etc/nginx/sites-enabled/default:68
2017/05/24 16:49:39 [error] 29898#29898: *1 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 187.234.204.41, server: 0.0.0.0:443

Here is my full /etc/nginx/sites-enabled/default file:

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name plasticsrev.club www.plasticsrev.club;

        location ~ /.well-known {
                allow all;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php7.0-cgi alone:
        #       fastcgi_pass 127.0.0.1:9000;
        #       # With php7.0-fpm:
        #       fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}

# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#       listen 80;
#       listen [::]:80;
#
#       server_name example.com;
#
#       root /var/www/example.com;
#       index index.html;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}

Can’t see where that extra ‘}’ appears!

@julsgud

We’d need to see the full server block to take a look at the configuration. It looks like the one you’ve posted has been cut off :-).

Also, please run the following command and post the output in a code block as well:

tail -20 /var/log/nginx/error.log