
I checked many blogs, but nowhere was I able to resolve this. Please help.

Problem: I have an EC2 machine and an A record for my subdomain subdomain.website.com. My code is running on port 5000 on the EC2 machine.

I have done all the steps to make my subdomain https:


sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx

sudo certbot --nginx -d sudomain.website.com
#Some QnA

#Finally received msg
Congratulations! You have successfully enabled https://sudomain.website.com
.... /etc/letsencrypt/live/sudomain.website.com/fullchain.pem
.... /etc/letsencrypt/live/sudomain.website.com/privkey.pem


Then I changed my nginx conf. I have one conf file in /etc/nginx/sites-available/webhook.conf

I updated the file to

server {
    if ($host = sudomain.website.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


 listen 80;
 listen [::]:80;
 server_name sudomain.website.com;

 ssl_certificate /etc/letsencrypt/live/sudomain.website.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/sudomain.website.com/privkey.pem;

 location / {
   proxy_pass http://localhost:5000;
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection 'upgrade';
   proxy_set_header Host $host;
   proxy_cache_bypass $http_upgrade;
  }


}

server {
 listen 443 ssl;
 server_name sudomain.website.com;
 listen [::]:443 ssl;
 ssl_certificate /etc/letsencrypt/live/sudomain.website.com/fullchain.pem; # managed by Certbot
 ssl_certificate_key /etc/letsencrypt/live/sudomain.website.com/privkey.pem; # managed by Certbot
}

Then I restarted nginx:

sudo nginx -t
sudo service nginx restart

Still https://sudomain.website.com is not working.

If I comment out the return 301 line, http://sudomain.website.com works fine.

Can you please let me know if I am missing anything?

Note: sudomain.website.com is just an example domain.

stackjohnny

  • `server { listen 443 ssl; server_name webhookdev.emitrr.com; ssl_certificate /etc/letsencrypt/live/webhookdev.emitrr.com-0001/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/webhookdev.emitrr.com-0001/privkey.pem; location / { proxy_pass http://localhost:5000; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } }` tried this as well – stackjohnny Jun 16 '19 at 19:12
  • Are you sure port 443 is free on your server? This may be within the ephemeral port range and another process may be using that port already. Refer here: https://stackoverflow.com/questions/28573390/how-to-view-and-edit-the-ephemeral-port-range-on-linux – darkDragon Jun 16 '19 at 19:15

1 Answer

There are several misconfigurations here.

  • The main problem is that you have the proxy to your backend (port 5000) in the HTTP server instead of having it on the HTTPS server. You are redirecting the HTTP traffic to the HTTPS (with the return 301 https://$host$request_uri;) but your HTTPS configuration is empty.

  • Remember to create symlinks inside sites-enabled pointing to sites-available.

  • The certbot configuration is not included (only the certificates), so you'll probably have problems with renewal if you use HTTP validation.

  • It is better to handle different server names with different servers, so the if ($host ...) can be deleted.

  • There is no need to put the SSL certs on the non-HTTPS servers.

The config should be something like this:

server {
 listen 80;
 listen [::]:80;
 server_name sudomain.website.com;

 # Redirect all http traffic to https
 return 301 https://$host$request_uri;

}

server {
 listen 443 ssl;
 server_name sudomain.website.com;
 listen [::]:443 ssl;

 ssl_certificate /etc/letsencrypt/live/sudomain.website.com/fullchain.pem; # managed by Certbot
 ssl_certificate_key /etc/letsencrypt/live/sudomain.website.com/privkey.pem; # managed by Certbot

 location / {
   proxy_pass http://localhost:5000;
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection 'upgrade';
   proxy_set_header Host $host;
   proxy_cache_bypass $http_upgrade;
  }

}

I'm not sure if you really need those proxy_set_headers.

A common and simple way to do the protocol upgrade and proxy to the backend, assuming Certbot validation NOT using HTTP (with DNS or other), would be:

  • Create a file in /etc/nginx/sites-available called sudomain.website.com.conf with the content above.
  • Create a symlink from /etc/nginx/sites-available/sudomain.website.com.conf to /etc/nginx/sites-available/sudomain.website.com.conf to enable the site.

It would be like:

server {
 listen 80;
 server_name sudomain.website.com;

 # Redirect all http traffic to https
 return 301 https://$host$request_uri;
}

server {
 listen 443 ssl;
 server_name sudomain.website.com;

 # Managed by Certbot
 ssl_certificate /etc/letsencrypt/live/sudomain.website.com/fullchain.pem; 
 ssl_certificate_key /etc/letsencrypt/live/sudomain.website.com/privkey.pem;

 location / {
   include proxy_params;
   proxy_pass http://localhost:5000;
  }
}
bartomeu
  • Thanks. But it didn't work for me. I updated the conf file as per the lines you mentioned. Just wanted to check, as I am using letsencrypt, so is there any issue? Because when I am using paid SSL in my other system, it's working fine. – stackjohnny Jun 17 '19 at 06:22
  • The Certbot / Let's Encrypt has two parts. One is the configuration once the certificate is issued, which I've mentioned in the explanation. The other configuration is to issue and renew the certificate. You need to add configurations to the nginx to make available several files created by the Certbot in order to generate and renew the certificates. Look at some tutorial matching your operating system: https://certbot.eff.org/all-instructions Finally, if you can pay for an ELB on Amazon, they can have certificates with the ACM (Amazon Certificate Manager) for free. – bartomeu Jun 17 '19 at 17:04
  • No hope, I tried the above approach as well, but the https one is not working – stackjohnny Jun 28 '19 at 08:39
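The layout mistakes bartomeu's answer lists (proxy_pass sitting in the port-80 server while the 443 server is empty, certificates on the plain HTTP listener, an if ($host ...) instead of a separate server block) can be caught before reloading nginx. The checker below is an added example, not code from the thread; it uses a deliberately tiny nginx block parser (no support for quoted strings or nested http contexts) and constructed, reduced copies of the asker's config (BROKEN) and the answer's config (FIXED).

```python
import re

def parse_nginx(text):
    # Strip "#" comments, then split into "{", "}", ";" and bare words.
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    def block(i):  # -> ([(directive, args, children_or_None)], index of closing "}")
        items = []
        while i < len(tokens) and tokens[i] != "}":
            stmt = []
            while tokens[i] not in ("{", ";"):
                stmt.append(tokens[i]); i += 1
            kids = None
            if tokens[i] == "{":
                kids, i = block(i + 1)          # nested block: recurse
            items.append((stmt[0], stmt[1:], kids))
            i += 1                              # step over the "}" or ";"
        return items, i
    return block(0)[0]

def lint_servers(text):
    # Returns one finding string per layout mistake named in the answer.
    findings = []
    for body in [b for name, _, b in parse_nginx(text) if name == "server"]:
        d = {}
        for key, args, kids in body:
            d.setdefault(key, []).append((args, kids))
        ports = {args[0].rsplit(":", 1)[-1] for args, _ in d.get("listen", [])}
        proxies = any(k == "proxy_pass" for _args, kids in d.get("location", [])
                      for k, *_rest in kids or [])
        if "443" in ports and not proxies:
            findings.append("443 server has no location/proxy_pass: HTTPS requests are not served")
        if "80" in ports and "ssl_certificate" in d:
            findings.append("80 server carries ssl_certificate it never uses")
        if "if" in d:
            findings.append("if ($host ...) in server block: use one server per name instead")
    return findings

# Constructed, reduced copies of the asker's config (BROKEN) and the answer's (FIXED).
BROKEN = """server { listen 80; listen [::]:80; server_name sudomain.website.com;
  if ($host = sudomain.website.com) { return 301 https://$host$request_uri; }
  ssl_certificate /etc/letsencrypt/live/sudomain.website.com/fullchain.pem;
  location / { proxy_pass http://localhost:5000; proxy_set_header Host $host; }
}
server { listen 443 ssl; listen [::]:443 ssl; server_name sudomain.website.com;
  ssl_certificate /etc/letsencrypt/live/sudomain.website.com/fullchain.pem; # managed by Certbot
}"""
FIXED = """server { listen 80; server_name sudomain.website.com; return 301 https://$host$request_uri; }
server { listen 443 ssl; server_name sudomain.website.com;
  ssl_certificate /etc/letsencrypt/live/sudomain.website.com/fullchain.pem; # managed by Certbot
  location / { include proxy_params; proxy_pass http://localhost:5000; }
}"""
```

Calling lint_servers(BROKEN) reports three findings (one per mistake) and lint_servers(FIXED) reports none; point it at the contents of a real sites-enabled file to check the same three things before running nginx -t.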