Related

NGINX Config Generator Tool

Easily configure a performant, secure, and stable NGINX server.

 Learn More
Redirect one domain to a subfolder inside another domain Question Question
Can't Access Local Site pages from Local Network Question Question

Question

Trouble adding certificate to domain with certbot

Posted March 17, 2021 74 views
NginxNetworking

I recently attributed a domain name to my instance and added a certificate with certbot. Here are the steps I went through in order to add the certificate:

  1. added the server name to the default file in sites-available although I accidently mispelled the domain name
  2. ran certbot which and got a failed challenge
  3. corrected the domain name but forgot a semicolon.
  4. ran certbot which and got a failed challenge
  5. corrected missing semicolon
  6. successfully ran certbot
  7. restarted nginx

I am still getting a timed out connection error for https://loicslegos.xyz/

Add a comment
mantismamita
By:
mantismamita

Related

NGINX Config Generator Tool

Easily configure a performant, secure, and stable NGINX server.

 Learn More
Redirect one domain to a subfolder inside another domain Question Question
Can't Access Local Site pages from Local Network Question Question

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
Submit an Answer
1 answer
Yannek March 18, 2021

Hi,

I would consider following places where a cause of the failure could possibly exist:

  • Server block (virtual host) configuration file of nginx. Something may be missing there or some mistake might be made,
  • Firewall. It looks like port TCP 443 is not open in a firewall or nginx is not listenning on it.
  • Let’s Encrypt certificate. Check it with certbot.

1. nginx server block (virtual host) configuration.
You mentioned you added your domain to /etc/nginx/sites-enabled/default file, and then you ran certbot. Here is an example of such file after its modification by certbot. Compare it to yours.

/etc/nginx/sites-enabled/default

# Default server configuration
#
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        root /var/www/html;
        server_name _;
        location / {
                try_files $uri $uri/ =404;
        }
}

# Virtual Host configuration for loicslegos.xyz
#
server {
        server_name loicslegos.xyz www.loicslegos.xyz;
        root /var/www/loicslegos.xyz/html;
        index index.html;
        location / {
                try_files $uri $uri/ =404;
        }
        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/loicslegos.xyz/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/loicslegos.xyz/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}


server {
    if ($host = www.loicslegos.xyz) {
}


server {

    if ($host = www.loicslegos.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = loicslegos.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80;
        listen [::]:80;
        server_name loicslegos.xyz www.loicslegos.xyz;
        return 404; # managed by Certbot
}

2. Check if nginx is listenning on port TCP 443, and if this port is open in a firewall.

To check what ports nginx is listening on, run:

sudo ss --listening --tcp --numeric --processes | grep -i -e port -e nginx

If nginx is listening on port TCP 443, you should get result like that:

Output
State     Recv-Q    Send-Q       Local Address:Port        Peer Address:Port    Process                                                                         
LISTEN    0         511                0.0.0.0:80               0.0.0.0:*        users:(("nginx",pid=2323,fd=6),("nginx",pid=1606,fd=6))                        
LISTEN    0         511                0.0.0.0:443              0.0.0.0:*        users:(("nginx",pid=2323,fd=12),("nginx",pid=1606,fd=12))                      
LISTEN    0         511                   [::]:80                  [::]:*        users:(("nginx",pid=2323,fd=7),("nginx",pid=1606,fd=7))                        
LISTEN    0         511                   [::]:443                 [::]:*        users:(("nginx",pid=2323,fd=11),("nginx",pid=1606,fd=11))

If nginx is not listening on TCP 443, then you need to check and correct your server block configuration in nginx (go to point 1).
If nginx is listening on TCP 443, then you need to check if this port is open in your firewall. Here are the examples on how to list the rules for iptables and nftables, however, you may have installed and run one of the programs for dynamic managing firewall rules, like ufw or firewalld. In such case, you must look at their configuration rather than in iptables/nftables.

iptables
sudo iptables --table filter --list INPUT
nftables
sudo nft list ruleset

3. Check Let’s Encrypt certificate(s) installed in your system.

Run the command:

sudo certbot certificates

If the certificate is installed, you should get the result like:

Output
Found the following certs:
  Certificate Name: loicslegos.xyz
    Domains: loicslegos.xyz www.loicslegos.xyz
    Expiry Date: 2021-06-16 10:45:47+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/loicslegos.xyz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/loicslegos.xyz/privkey.pem

4. What else you can do ?

Check the logs of nginx and Let’s Encrypt. There may be some clue there. Here are the command examples for Ubuntu:

sudo tail -100 /var/log/nginx/error.log

sudo tail -100 /var/log/letsencrypt/letsencrypt.log

Let us know how it helps, pls.

Reply Report

Related

Looking for something else?

Ask a new question Search for more help