Question

Trouble adding certificate to domain with certbot

Posted March 17, 2021

I recently attributed a domain name to my instance and added a certificate with certbot. Here are the steps I went through in order to add the certificate:

  1. added the server name to the default file in sites-available, although I accidentally misspelled the domain name
  2. ran certbot and got a failed challenge
  3. corrected the domain name but forgot a semicolon
  4. ran certbot and got a failed challenge
  5. corrected missing semicolon
  6. successfully ran certbot
  7. restarted nginx

I am still getting a timed out connection error for https://loicslegos.xyz/

1 answer

Hi,

I would consider the following places where the cause of the failure could possibly exist:

  • Server block (virtual host) configuration file of nginx. Something may be missing there or some mistake may have been made,
  • Firewall. It looks like port TCP 443 is not open in a firewall or nginx is not listening on it.
  • Let’s Encrypt certificate. Check it with certbot.

1. nginx server block (virtual host) configuration.
You mentioned you added your domain to the /etc/nginx/sites-enabled/default file and then ran certbot. Here is an example of such a file after its modification by certbot. Compare it to yours.

/etc/nginx/sites-enabled/default

# Default server configuration
#
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        server_name _;
        location / {
                try_files $uri $uri/ =404;
        }
}

# Virtual Host configuration for loicslegos.xyz
#
server {
        server_name loicslegos.xyz www.loicslegos.xyz;
        root /var/www/loicslegos.xyz/html;
        index index.html;
        location / {
                try_files $uri $uri/ =404;
        }
        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/loicslegos.xyz/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/loicslegos.xyz/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {

    if ($host = www.loicslegos.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = loicslegos.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80;
        listen [::]:80;
        server_name loicslegos.xyz www.loicslegos.xyz;
        return 404; # managed by Certbot
}

2. Check if nginx is listening on port TCP 443, and if this port is open in a firewall.

To check what ports nginx is listening on, run:

sudo ss --listening --tcp --numeric --processes | grep -i -e port -e nginx

If nginx is listening on port TCP 443, you should get a result like this:

Output
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=2323,fd=6),("nginx",pid=1606,fd=6))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=2323,fd=12),("nginx",pid=1606,fd=12))
LISTEN  0       511     [::]:80             [::]:*             users:(("nginx",pid=2323,fd=7),("nginx",pid=1606,fd=7))
LISTEN  0       511     [::]:443            [::]:*             users:(("nginx",pid=2323,fd=11),("nginx",pid=1606,fd=11))

If nginx is not listening on TCP 443, you need to check and correct your server block configuration in nginx (go back to point 1).
If nginx is listening on TCP 443, you need to check whether this port is open in your firewall. Here are examples of how to list the rules for iptables and nftables; however, you may have installed one of the programs for dynamically managing firewall rules, like ufw or firewalld. In that case, you must look at its configuration rather than at iptables/nftables.

iptables
sudo iptables --table filter --list INPUT
nftables
sudo nft list ruleset

3. Check Let’s Encrypt certificate(s) installed in your system.

Run the command:

sudo certbot certificates

If the certificate is installed, you should get a result like this:

Output
Found the following certs:
  Certificate Name: loicslegos.xyz
    Domains: loicslegos.xyz www.loicslegos.xyz
    Expiry Date: 2021-06-16 10:45:47+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/loicslegos.xyz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/loicslegos.xyz/privkey.pem

4. What else can you do?

Check the logs of nginx and Let’s Encrypt. There may be some clue there. Here are command examples for Ubuntu:

sudo tail -100 /var/log/nginx/error.log
sudo tail -100 /var/log/letsencrypt/letsencrypt.log

Let us know how it helps, pls.
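The checklist from the answer above (nginx bound to 443, the port allowed by the firewall, a valid certificate), as an added example script that is not part of the original answer. It assumes ufw is the firewall in use; the domain and the sample command outputs are constructed placeholders, and the `--live` mode runs the real commands on the host.

```shell
#!/bin/sh
# Added example, not from the original answer: the answer's checks (nginx on
# 443, port allowed by the firewall, a VALID certificate) as functions parsing
# command output passed in as text: live (--live) or the constructed samples.

# nginx listening on TCP $1 (v4 or v6)? $2 = 'sudo ss --listening --tcp --numeric --processes'
nginx_listens_on() {
    printf '%s\n' "$2" | grep -E \
        "^LISTEN[[:space:]].*[[:space:]](\[[0-9a-fA-F:]*\]|[0-9.]+|\*):$1[[:space:]].*\"nginx\"" >/dev/null
}

# TCP $1 allowed inbound? $2 = 'sudo ufw status' (assumes ufw is the firewall).
# For 443 the 'Nginx Full' / 'Nginx HTTPS' application profiles count as well.
ufw_allows() {
    case "$1" in 443) alt='|Nginx (Full|HTTPS)' ;; *) alt='' ;; esac
    printf '%s\n' "$2" | grep -E "^($1(/tcp)?$alt)[[:space:]]+ALLOW" >/dev/null
}

# 'sudo certbot certificates' output ($2) lists a VALID cert covering domain $1?
certbot_has_valid_cert() {
    printf '%s\n' "$2" | awk -v d="$1" '
        $1 == "Domains:" { hit = 0; for (i = 2; i <= NF; i++) if ($i == d) hit = 1 }
        hit && /Expiry Date:/ { if ($0 ~ /\(VALID:/) ok = 1; hit = 0 }
        END { exit (ok ? 0 : 1) }'
}

# All checks against the live system (root needed for ss -p, ufw and certbot).
live_check() {
    sudo nginx -t   # syntax check first: a missing ';' fails here, not at certbot time
    nginx_listens_on 443 "$(sudo ss --listening --tcp --numeric --processes)" \
        && echo "ok: nginx listens on 443" || echo "FAIL: nginx not on 443, re-check the server block"
    ufw_allows 443 "$(sudo ufw status)" && echo "ok: ufw allows 443" || echo "FAIL: ufw blocks 443"
    certbot_has_valid_cert "$1" "$(sudo certbot certificates)" \
        && echo "ok: valid cert for $1" || echo "FAIL: no valid cert for $1"
}

# Constructed samples shaped like the real output (domain is a placeholder).
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=2323,fd=6))
LISTEN 0 511 [::]:443 [::]:* users:(("nginx",pid=2323,fd=11))'
SAMPLE_UFW='Status: active
22/tcp                     ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere'
SAMPLE_CERTBOT='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2021-06-16 10:45:47+00:00 (VALID: 89 days)'

if [ "${1:-}" = "--live" ]; then live_check "${2:-example.com}"; fi
```

Run it as `sh check-https.sh --live yourdomain.example` on the server; without `--live` it only defines the functions, which can be pointed at saved command output.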