Setup https on nginx

Question

I’ve tried following three or four tutorials, but I still can’t get my site to load with https. I bought a ssl certificate from namecheap and they gave me three files when I generated the ssl. A Key, A Certificate and the csr. I have saved each in
/root/example.com.crt
/root/example.com.key
/root/example.com.csr

Following along the tutorial found at https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority
I have rebuilt my /etc/nginx/sites-available/example.com file to be this:

#Redirect from 80
server {
    listen 80;
    server_name example.com;
    rewrite ^/(.*) https://example.com/$1 permanent;
}

server {
  listen 443 ssl;
  server_name example.com;
  ssl_certificate /root/example.com.crt;
  ssl_certificate_key /root/example.com.key;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  root /var/www/html;
  index index.html;
  default_type "text/html";

  location / {
    try_files $uri $uri/ /index.html;
  }

#redirect for api's to node server.
  location /api {
    # Serve api requests here. This will connect to your node
    # process that is running on port 3001.
    proxy_pass http://localhost:3001;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;
  }
}

Before I tried to get this running on ssl everything was running fine. When I run sudo service nginx restart. Currently it restarts just fine. 

I have changed /etc/nginx/sites-available/default to

server {
 listen 443 ssl default_server;
 root /var/www/html;
 index index.html index.htm index.nginx-debian.html;
 server_name _;
 location / {
   try_files $uri $uri/ =404;
 }
}

Any thoughts?

Answer 1

bobbyiliev May 29, 2020

Hi there @gabrielsuttner,

The configuration file looks correct, what happens when you try to visit your domain via https? Are you getting any errors?

Also what happens when you run an Nginx config test:

sudo nginx -t

I would also recommend checking your Nginx error log as well:

sudo tail -100 /var/log/nginx/error.log

Another thing that I could suggest is taking a look at this Nginx Config tool here which would help you to generate a correct Nginx configuration file:

https://www.digitalocean.com/community/tools/nginx

Regards,
Bobby

Reply Report

gabrielsuttner May 30, 2020
I just ran sudo nginx -t and it says
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If I try to get the url of my site via http or https, I get the
Hmmm… can’t reach this page
example.com took too long to respond
page.

I checked my error.log and it was empty so then I checked a file called error.log.1 and it had a bunch of lines that should be unrelated to this issue, but the last 10 lines should be part of this issue. This is what they were.

2020/05/28 23:08:37 [emerg] 4727#4727: PEM_read_bio_X509_AUX("/root/example.com.crt") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) 2020/05/28 23:09:58 [emerg] 4738#4738: PEM_read_bio_X509_AUX("/root/example.com.crt") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) 2020/05/28 23:10:49 [emerg] 4750#4750: PEM_read_bio_X509_AUX("/root/example.com.crt") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) 2020/05/28 23:17:24 [emerg] 4778#4778: SSL_CTX_use_PrivateKey_file("/root/example.com.key") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib) 2020/05/28 23:18:04 [notice] 4797#4797: signal process started 2020/05/28 23:18:04 [error] 4797#4797: open() "/run/nginx.pid" failed (2: No such file or directory) 2020/05/28 23:22:36 [emerg] 4855#4855: SSL_CTX_use_PrivateKey_file("/root/example.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch) 2020/05/28 23:22:48 [emerg] 4868#4868: SSL_CTX_use_PrivateKey_file("/root/example.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch) 2020/05/28 23:26:24 [notice] 4882#4882: signal process started 2020/05/28 23:26:24 [error] 4882#4882: open() "/run/nginx.pid" failed (2: No such file or directory) 2020/05/28 23:26:35 [notice] 4904#4904: signal process started 2020/05/28 23:33:08 [notice] 4912#4912: signal process started 2020/05/28 23:33:55 [notice] 4934#4934: signal process started 2020/05/28 23:44:27 [alert] 4993#4993: *3 open socket #3 left in connection 3 2020/05/28 23:44:27 [alert] 4993#4993: aborting

The highlighted error I was getting when I would try to reload my server , but If I restart my server and then reloaded it, it would work fine.

The preconfig link that you sent, would that build a new server? If so that is fine, and I’ll go through it the stuff I just posted doesn’t give you any insights.

Also, we have a subdomain on our site that isn’t https and it is working fine. so if I go to http://example.com or https://example.com it can’t find it. but if I go to http://sub.example.com it works just fine.
Reply Report
- bobbyiliev June 1, 2020
  
  Hi there @gabrielsuttner,
  
  As your subdomain name is working as expected but your main site is not loading, I could suggest a couple of things:
  
  As you have enabled https, make sure that port 443 is open via your firewall
  
  Make sure that your main domain name is actually pointing to the Droplet’s IP address
  
  Let me know how it goes!
  Regards,
  Bobby
  
  Reply Report
  
  gabrielsuttner June 1, 2020
  
  Bobby, thank you so much!
  I’ve finally been able to get this working. If anyone is reading this because they are having issues, this is what my issues were. As Bobby stated, my on server firewall was only letting in traffic from port 80 to go ssl you need to open port 443. I followed the tutorial here: https://stackoverflow.com/questions/20669404/install-ssl-certificate-nginx-port-443-refuse-connection.
  
  After I got that firewall working I added a firewall on digital ocean found here: https://cloud.digitalocean.com/networking/firewalls/new?i=e6d12a
  
  It still wasn’t working So I redid my certificate just to make sure that wasn’t an issue and then ran
  
  sudo nginx -t
  
  It said everything was okay but it actually wasn’t. I looked around some more and found this article https://serverfault.com/questions/844161/ssl-ngnix-no-ssl-certificate-is-defined-in-server-listening-on-ssl-port-whi
  
  and voila it worked. Thank you Bobby for pointing me in the right direction.
  
  Reply Report
  
  bobbyiliev June 2, 2020
  
  Hi there @gabrielsuttner,
  
  No problem at all! I am happy to hear that you’ve got it all working! And thank you for sharing the additional details here with the community on how you solved the problem.
  
  Regards,
  Bobby
  
  Reply Report

Answer 2

gabrielsuttner May 30, 2020
I just ran sudo nginx -t and it says
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

If I try to get the url of my site via http or https, I get the
Hmmm… can’t reach this page
example.com took too long to respond
page.

I checked my error.log and it was empty so then I checked a file called error.log.1 and it had a bunch of lines that should be unrelated to this issue, but the last 10 lines should be part of this issue. This is what they were.

2020/05/28 23:08:37 [emerg] 4727#4727: PEM_read_bio_X509_AUX("/root/example.com.crt") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) 2020/05/28 23:09:58 [emerg] 4738#4738: PEM_read_bio_X509_AUX("/root/example.com.crt") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) 2020/05/28 23:10:49 [emerg] 4750#4750: PEM_read_bio_X509_AUX("/root/example.com.crt") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) 2020/05/28 23:17:24 [emerg] 4778#4778: SSL_CTX_use_PrivateKey_file("/root/example.com.key") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib) 2020/05/28 23:18:04 [notice] 4797#4797: signal process started 2020/05/28 23:18:04 [error] 4797#4797: open() "/run/nginx.pid" failed (2: No such file or directory) 2020/05/28 23:22:36 [emerg] 4855#4855: SSL_CTX_use_PrivateKey_file("/root/example.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch) 2020/05/28 23:22:48 [emerg] 4868#4868: SSL_CTX_use_PrivateKey_file("/root/example.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch) 2020/05/28 23:26:24 [notice] 4882#4882: signal process started 2020/05/28 23:26:24 [error] 4882#4882: open() "/run/nginx.pid" failed (2: No such file or directory) 2020/05/28 23:26:35 [notice] 4904#4904: signal process started 2020/05/28 23:33:08 [notice] 4912#4912: signal process started 2020/05/28 23:33:55 [notice] 4934#4934: signal process started 2020/05/28 23:44:27 [alert] 4993#4993: *3 open socket #3 left in connection 3 2020/05/28 23:44:27 [alert] 4993#4993: aborting

The highlighted error I was getting when I would try to reload my server , but If I restart my server and then reloaded it, it would work fine.

The preconfig link that you sent, would that build a new server? If so that is fine, and I’ll go through it the stuff I just posted doesn’t give you any insights.

Also, we have a subdomain on our site that isn’t https and it is working fine. so if I go to http://example.com or https://example.com it can’t find it. but if I go to http://sub.example.com it works just fine.
Reply Report
- bobbyiliev June 1, 2020
  
  Hi there @gabrielsuttner,
  
  As your subdomain name is working as expected but your main site is not loading, I could suggest a couple of things:
  
  As you have enabled https, make sure that port 443 is open via your firewall
  
  Make sure that your main domain name is actually pointing to the Droplet’s IP address
  
  Let me know how it goes!
  Regards,
  Bobby
  
  Reply Report
  
  gabrielsuttner June 1, 2020
  
  Bobby, thank you so much!
  I’ve finally been able to get this working. If anyone is reading this because they are having issues, this is what my issues were. As Bobby stated, my on server firewall was only letting in traffic from port 80 to go ssl you need to open port 443. I followed the tutorial here: https://stackoverflow.com/questions/20669404/install-ssl-certificate-nginx-port-443-refuse-connection.
  
  After I got that firewall working I added a firewall on digital ocean found here: https://cloud.digitalocean.com/networking/firewalls/new?i=e6d12a
  
  It still wasn’t working So I redid my certificate just to make sure that wasn’t an issue and then ran
  
  sudo nginx -t
  
  It said everything was okay but it actually wasn’t. I looked around some more and found this article https://serverfault.com/questions/844161/ssl-ngnix-no-ssl-certificate-is-defined-in-server-listening-on-ssl-port-whi
  
  and voila it worked. Thank you Bobby for pointing me in the right direction.
  
  Reply Report
  
  bobbyiliev June 2, 2020
  
  Hi there @gabrielsuttner,
  
  No problem at all! I am happy to hear that you’ve got it all working! And thank you for sharing the additional details here with the community on how you solved the problem.
  
  Regards,
  Bobby
  
  Reply Report

Related

Question

Setup https on nginx

Related

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

Setup https on nginx

Related

Leave a comment

Related

question

Nginx, Prestashop - TTFB too much slow

question

Nginx users list - how to display

question

Error when starting Nginx

question

Having problems with DNS setup

Looking for something else?