By mantismamita
I recently attributed a domain name to my instance and added a certificate with certbot. Here are the steps I went through in order to add the certificate:
I am still getting a timed out connection error for https://loicslegos.xyz/
Hi,
I would consider the following places where the cause of the failure could possibly exist:
1. nginx server block (virtual host) configuration.
You mentioned you added your domain to the /etc/nginx/sites-enabled/default file, and then you ran certbot. Here is an example of such a file after its modification by certbot. Compare it to yours.
    # Default server configuration
    #
    server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;
        server_name _;

        location / {
            try_files $uri $uri/ =404;
        }
    }

    # Virtual Host configuration for loicslegos.xyz
    #
    server {
        server_name loicslegos.xyz www.loicslegos.xyz;

        root /var/www/loicslegos.xyz/html;
        index index.html;

        location / {
            try_files $uri $uri/ =404;
        }

        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/loicslegos.xyz/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/loicslegos.xyz/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

    server {
        if ($host = www.loicslegos.xyz) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        if ($host = loicslegos.xyz) {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        listen [::]:80;
        server_name loicslegos.xyz www.loicslegos.xyz;
        return 404; # managed by Certbot
    }
2. Check if nginx is listening on TCP port 443, and if this port is open in the firewall.
To check what ports nginx is listening on, run:
sudo ss --listening --tcp --numeric --processes | grep -i -e port -e nginx
If nginx is listening on TCP port 443, you should get a result like this:
    State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
    LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=2323,fd=6),("nginx",pid=1606,fd=6))
    LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=2323,fd=12),("nginx",pid=1606,fd=12))
    LISTEN 0      511    [::]:80            [::]:*            users:(("nginx",pid=2323,fd=7),("nginx",pid=1606,fd=7))
    LISTEN 0      511    [::]:443           [::]:*            users:(("nginx",pid=2323,fd=11),("nginx",pid=1606,fd=11))
If nginx is not listening on TCP 443, then you need to check and correct your server block configuration in nginx (go to point 1).
If nginx is listening on TCP 443, then you need to check if this port is open in your firewall. Here are examples of how to list the rules for iptables and nftables; however, you may have installed one of the programs for dynamically managing firewall rules, like ufw or firewalld. In that case, you must look at their configuration rather than at iptables/nftables.
sudo iptables --table filter --list INPUT
sudo nft list ruleset
3. Check Let’s Encrypt certificate(s) installed in your system.
Run the command:
sudo certbot certificates
If the certificate is installed, you should get a result like:
    Found the following certs:
      Certificate Name: loicslegos.xyz
        Domains: loicslegos.xyz www.loicslegos.xyz
        Expiry Date: 2021-06-16 10:45:47+00:00 (VALID: 89 days)
        Certificate Path: /etc/letsencrypt/live/loicslegos.xyz/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/loicslegos.xyz/privkey.pem
4. What else can you do?
Check the logs of nginx and Let's Encrypt. There may be a clue there. Here are the command examples for Ubuntu:
sudo tail -100 /var/log/nginx/error.log
sudo tail -100 /var/log/letsencrypt/letsencrypt.log
Let us know how it helps, please.
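As an added example, not part of the original answer: the three checks above (nginx listening on 443, the firewall, the certbot certificate) as a small POSIX shell triage script. The `ss`, `iptables` and `certbot` outputs embedded in it are constructed for illustration and deliberately describe a host where the server block never got its 443 `listen` lines and the INPUT chain has no rule for 443, which is the usual shape of a "connection timed out" on https. Function and variable names are my own; run it with `--live DOMAIN` to point the same checks at the real commands.

```shell
#!/bin/sh
# Added example (not from the original answer): the manual checks as functions
# that read command output as text, so they can be tried on constructed samples
# and then pointed at the live commands with "--live DOMAIN".

# Constructed sample of `ss --listening --tcp --numeric --processes`:
# nginx is bound to 80 only (no 443 listen lines in the server block).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*     users:(("nginx",pid=2323,fd=6))
LISTEN 0      511    [::]:80             [::]:*        users:(("nginx",pid=2323,fd=7))'

# Constructed sample of `iptables --table filter --list INPUT`: default DROP,
# ssh and http allowed, https forgotten.
SAMPLE_IPT='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http'

# Constructed sample of `certbot certificates`.
SAMPLE_CERTBOT='Found the following certs:
  Certificate Name: loicslegos.xyz
    Domains: loicslegos.xyz www.loicslegos.xyz
    Expiry Date: 2021-06-16 10:45:47+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/loicslegos.xyz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/loicslegos.xyz/privkey.pem'

# nginx_listens_on PORT SS_OUTPUT: succeeds if an nginx process has a LISTEN
# socket on PORT (IPv4 or IPv6). The port is the text after the last ":".
nginx_listens_on() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "LISTEN" && $0 ~ /"nginx"/ {
            n = split($4, a, ":"); if (a[n] == port) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# firewall_allows_443 IPTABLES_OUTPUT: heuristic read of the filter INPUT chain.
# iptables is first-match, so the first rule naming dpt:https or dpt:443 wins;
# with no such rule the chain policy decides. Prints the reason; exit 0 = open.
# Hosts managed by ufw/firewalld or nftables need their own listing commands.
firewall_allows_443() {
    printf '%s\n' "$1" | awk '
        /^Chain INPUT/ { policy = ($0 ~ /policy ACCEPT/) ? "ACCEPT" : "DROP" }
        !decided && /dpt:(https|443)([^0-9]|$)/ {
            if ($1 == "ACCEPT") { verdict = "rule-accept"; decided = 1 }
            else if ($1 == "DROP" || $1 == "REJECT") { verdict = "rule-" tolower($1); decided = 1 }
        }
        END {
            if (!decided) verdict = (policy == "ACCEPT") ? "policy-accept" : "policy-drop"
            print verdict
            exit (verdict ~ /accept/) ? 0 : 1
        }'
}

# cert_days_left NAME CERTBOT_OUTPUT: prints the "VALID: N days" figure for the
# certificate called NAME, or -1 if it is absent or certbot reports it INVALID.
cert_days_left() {
    printf '%s\n' "$2" | awk -v name="$1" '
        /Certificate Name:/ { cur = $3 }
        cur == name && /Expiry Date:/ {
            days = -1
            if (match($0, /VALID: [0-9]+ days/)) {
                split(substr($0, RSTART, RLENGTH), p, " "); days = p[2]
            }
            found = 1; exit
        }
        END { print (found ? days : -1) }'
}

# diagnose DOMAIN SS_OUTPUT IPTABLES_OUTPUT CERTBOT_OUTPUT: run all three checks,
# print one verdict line each, and fail if any check fails.
diagnose() {
    rc=0
    if nginx_listens_on 443 "$2"; then echo "ok   nginx listens on TCP/443"
    else echo "FAIL nginx is not listening on TCP/443 (check the server block)"; rc=1; fi
    if reason=$(firewall_allows_443 "$3"); then echo "ok   firewall allows TCP/443 ($reason)"
    else echo "FAIL firewall blocks TCP/443 ($reason)"; rc=1; fi
    days=$(cert_days_left "$1" "$4")
    if [ "$days" -gt 0 ]; then echo "ok   certificate $1 valid for $days more days"
    else echo "FAIL no valid certbot certificate named $1"; rc=1; fi
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    diagnose "${2:?domain}" "$(sudo ss --listening --tcp --numeric --processes)" \
        "$(sudo iptables --table filter --list INPUT)" "$(sudo certbot certificates)"
else
    # The constructed samples are built to fail the first two checks.
    diagnose loicslegos.xyz "$SAMPLE_SS" "$SAMPLE_IPT" "$SAMPLE_CERTBOT" \
        || echo "=> at least one check failed; see above"
fi
```

The firewall function is a heuristic over `iptables -L` text and only covers the legacy filter table; on a host that uses ufw, firewalld or nftables directly, replace that input with `ufw status`, `firewall-cmd --list-all` or `nft list ruleset` and read the result by hand, as the answer above says.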