SSL Certificate Problem With Digital Ocean Ghost Droplet

August 26, 2014 3.5k views
kev.kirsche+DigitalOcean
By:
kev.kirsche+DigitalOcean

Hi Everyone,

I'm trying to setup a StartSSL certificate on my server. My server is the Ghost one-click application image. I have updated Ghost to the newest version though if that makes a difference.

I have followed StartSSL's instructions first and then opened port 443 in IPTables. I have also looked at other configuration tutorials such as https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-nginx-for-ubuntu-12-04

In an effort to better debug, I have done the following:

If I do sudo netstat -plunt

I see these lines:

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      9431/nginx      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      9431/nginx

This to me looks as though nginx is correctly looking on both port 80 and port 443.

If I do nmap 192.241.136.177 this being the server's IP address, I get:

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

My nginx configuration is:

PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
root@NodeJSGhostBlog:/etc/nginx/conf.d# nano default.conf 

  GNU nano 2.2.6                      File: default.conf                                                  

server {
    listen 80;
    server_name kevinkirsche.com;

    client_max_body_size 10M;

    location / {
            proxy_pass http://localhost:2368/;
            proxy_set_header Host $host;
            proxy_buffering off;
    }
}

# HTTPS Server

server {
    listen 443 ssl;
    server_name kevinkirsche.com;

    ssl on;
    ssl_certificate LOCATION/TO/CERT/HERE;
    ssl_certificate_key LOCATION/TO/KEY/HERE;

    ssl_session_timeout 5m;
}

Yet if I try to load https://kevinkirsche.com/, it fails with:
Error code: ERR_CONNECTION_TIMED_OUT

It correctly loads http://kevinkirsche.com almost instantly though.

Any help about what I'm missing would be greatly appreciated.

Thank you!

Log In to Comment
2 Answers
alekjed780004 August 26, 2014

Hi, look into your unified cert. It may be this error:
http://drewsymo.com/2013/11/fixing-openssl-error/

Reply
kev.kirsche+DigitalOcean August 26, 2014

Fixed! What happened was the IPTables rule was not in the correct order:

To check this:

iptables -nL --line-numbers

Then I had to put it before the DROP rule by using the following commands:

iptables -I INPUT 6 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
service iptables-persistent save
service iptables-persistent restart

The IPTables output then looks something like this (modified for safety reasons)

REJECT     all  --  anywhere             127.0.0.0/8          reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:https
DROP       all  --  anywhere             anywhere
Reply
Have another answer? Share your knowledge.