Unable to connect after Certbot installation

Hello,

I think I've found the problem here, and it may have to do with your different firewall settings for IPv4 and IPv6. When I curl the domains differentiating between IPv4 and IPv6, these are the results:

For https://team.digital-possibilities.ca

curl -4vIl https://team.digital-possibilities.ca/
*   Trying [redacted]...
* TCP_NODELAY set
* connect to [redacted] port 443 failed: Connection refused
* Failed to connect to team.digital-possibilities.ca port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to team.digital-possibilities.ca port 443: Connection refused

curl -6vIl https://team.digital-possibilities.ca/
*   Trying [redacted]...
* TCP_NODELAY set
* Connected to team.digital-possibilities.ca ([redacted]) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=digital-possibilities.ca
*  start date: Mar  5 01:17:12 2019 GMT
*  expire date: Jun  3 01:17:12 2019 GMT
*  subjectAltName: host "team.digital-possibilities.ca" matched cert's "team.digital-possibilities.ca"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: team.digital-possibilities.ca
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 303 See Other
HTTP/1.1 303 See Other
< Date: Tue, 05 Mar 2019 13:08:10 GMT
Date: Tue, 05 Mar 2019 13:08:10 GMT
< Content-Length: 0
Content-Length: 0
< Connection: keep-alive
Connection: keep-alive
< location: /login
location: /login
< set-cookie: vapor-session=6ALFaSlf+0NCf0wCKGKkUQ==; Expires=Tue, 12 Mar 2019 13:08:10 GMT; Path=/
set-cookie: vapor-session=6ALFaSlf+0NCf0wCKGKkUQ==; Expires=Tue, 12 Mar 2019 13:08:10 GMT; Path=/

<
* Connection #0 to host team.digital-possibilities.ca left intact

For https://digital-possibilities.ca

curl -4vIl https://digital-possibilities.ca
* Rebuilt URL to: https://digital-possibilities.ca/
*   Trying [redacted]...
* TCP_NODELAY set
* connect to [redacted] port 443 failed: Connection refused
* Failed to connect to digital-possibilities.ca port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to digital-possibilities.ca port 443: Connection refused

curl -6vIl https://digital-possibilities.ca
* Rebuilt URL to: https://digital-possibilities.ca/
*   Trying [redacted]...
* TCP_NODELAY set
* Connected to digital-possibilities.ca ([redacted]) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=digital-possibilities.ca
*  start date: Mar  5 01:17:12 2019 GMT
*  expire date: Jun  3 01:17:12 2019 GMT
*  subjectAltName: host "digital-possibilities.ca" matched cert's "digital-possibilities.ca"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: digital-possibilities.ca
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Tue, 05 Mar 2019 13:10:38 GMT
Date: Tue, 05 Mar 2019 13:10:38 GMT
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 17086
Content-Length: 17086
< Connection: keep-alive
Connection: keep-alive

<
* Connection #0 to host digital-possibilities.ca left intact

Because the connection is available over IPv6 (the more common protocol for mobile devices) but not over IPv4, I believe you will want to either take a look at the differences you have between iptables and ip6tables or your will want to take a look at the nginx configurations regarding port 443 and make there there isn't anything separating IPv4 and IPv6.

Hope this helps!

Looks like your web servers are not listening on IPv4 - but only on IPv6 addresses.

Check your nginx config files - specifically the listen directives.

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

The first one is for IPv4 you definitely want that but it's probably missing.

The one with [::] is for IPv6 and you've got that working fine.

Another possibility is firewall settings, maybe you only have allowed incoming traffic to port 443 over IPv6 but not IPv4.

To check on Debian / Ubuntu: ufw status (on other Linux distros the command can be different).

ufw status
Status: active

To                         Action      From
--                         ------      ----
443                        ALLOW       Anywhere
443 (v6)                   ALLOW       Anywhere (v6)

@kmansoft Thank you so much.

This was the answer:

listen 443 ssl http2;
listen [::]:443 ssl http2;

I don't know why certbot sets up Nginx this way.

Thank you again!

@scane Thank you!