Trouble adding certificate to domain with certbot

Question

I recently attributed a domain name to my instance and added a certificate with certbot. Here are the steps I went through in order to add the certificate:

added the server name to the default file in sites-available although I accidently mispelled the domain name
ran certbot which and got a failed challenge
corrected the domain name but forgot a semicolon.
ran certbot which and got a failed challenge
corrected missing semicolon
successfully ran certbot
restarted nginx

I am still getting a timed out connection error for https://loicslegos.xyz/

Answer 1

Yannek March 18, 2021

Hi,

I would consider following places where a cause of the failure could possibly exist:

Server block (virtual host) configuration file of nginx. Something may be missing there or some mistake might be made,
Firewall. It looks like port TCP 443 is not open in a firewall or nginx is not listenning on it.
Let’s Encrypt certificate. Check it with certbot.

1. nginx server block (virtual host) configuration.
You mentioned you added your domain to /etc/nginx/sites-enabled/default file, and then you ran certbot. Here is an example of such file after its modification by certbot. Compare it to yours.

/etc/nginx/sites-enabled/default


# Default server configuration
#
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        server_name _;
        location / {
                try_files $uri $uri/ =404;
        }
}

# Virtual Host configuration for loicslegos.xyz
#
server {
        server_name loicslegos.xyz www.loicslegos.xyz;
        root /var/www/loicslegos.xyz/html;
        index index.html;
        location / {
                try_files $uri $uri/ =404;
        }
        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/loicslegos.xyz/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/loicslegos.xyz/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}


server {
    if ($host = www.loicslegos.xyz) {
}


server {

    if ($host = www.loicslegos.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = loicslegos.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80;
        listen [::]:80;
        server_name loicslegos.xyz www.loicslegos.xyz;
        return 404; # managed by Certbot
}

2. Check if nginx is listenning on port TCP 443, and if this port is open in a firewall.

To check what ports nginx is listening on, run:

sudo ss --listening --tcp --numeric --processes | grep -i -e port -e nginx

If nginx is listening on port TCP 443, you should get result like that:

OutputState     Recv-Q    Send-Q       Local Address:Port        Peer Address:Port    Process                                                                         
LISTEN    0         511                0.0.0.0:80               0.0.0.0:*        users:(("nginx",pid=2323,fd=6),("nginx",pid=1606,fd=6))                        
LISTEN    0         511                0.0.0.0:443              0.0.0.0:*        users:(("nginx",pid=2323,fd=12),("nginx",pid=1606,fd=12))                      
LISTEN    0         511                   [::]:80                  [::]:*        users:(("nginx",pid=2323,fd=7),("nginx",pid=1606,fd=7))                        
LISTEN    0         511                   [::]:443                 [::]:*        users:(("nginx",pid=2323,fd=11),("nginx",pid=1606,fd=11))

If nginx is not listening on TCP 443, then you need to check and correct your server block configuration in nginx (go to point 1).
If nginx is listening on TCP 443, then you need to check if this port is open in your firewall. Here are the examples on how to list the rules for iptables and nftables, however, you may have installed and run one of the programs for dynamic managing firewall rules, like ufw or firewalld. In such case, you must look at their configuration rather than in iptables/nftables.

iptables

sudo iptables --table filter --list INPUT

nftables

sudo nft list ruleset

3. Check Let’s Encrypt certificate(s) installed in your system.

Run the command:

sudo certbot certificates

If the certificate is installed, you should get the result like:

OutputFound the following certs:
  Certificate Name: loicslegos.xyz
    Domains: loicslegos.xyz www.loicslegos.xyz
    Expiry Date: 2021-06-16 10:45:47+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/loicslegos.xyz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/loicslegos.xyz/privkey.pem

4. What else you can do ?

Check the logs of nginx and Let’s Encrypt. There may be some clue there. Here are the command examples for Ubuntu:

sudo tail -100 /var/log/nginx/error.log

sudo tail -100 /var/log/letsencrypt/letsencrypt.log

Let us know how it helps, pls.

Reply Report

Related

Question

Trouble adding certificate to domain with certbot

Related

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

Trouble adding certificate to domain with certbot

Related

Leave a comment

Related

question

Redirect one domain to a subfolder inside another domain

question

Can't Access Local Site pages from Local Network

question

SSH: Port 22 closed

question

my site i down please see http://www.cheri3a.com/

Looking for something else?