Unable to connect after Certbot installation
Hi,
Yesterday I installed SSL certificates for my two domains on one Linode using certbot. The installation was successful, but since then I cannot access the two sites from my computer on WiFi; however, I can access them from my cellphone on LTE.
The sites are: https://team.digital-possibilities.ca and https://digital-possibilities.ca
They are running on NGINX web servers.
Thanks for your help!
4 Replies
Hello,
I think I've found the problem here, and it may have to do with your different firewall settings for IPv4 and IPv6. When I curl the domains, differentiating between IPv4 and IPv6, these are the results:
For https://team.digital-possibilities.ca
curl -4vIl https://team.digital-possibilities.ca/
* Trying [redacted]...
* TCP_NODELAY set
* connect to [redacted] port 443 failed: Connection refused
* Failed to connect to team.digital-possibilities.ca port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to team.digital-possibilities.ca port 443: Connection refused
curl -6vIl https://team.digital-possibilities.ca/
* Trying [redacted]...
* TCP_NODELAY set
* Connected to team.digital-possibilities.ca ([redacted]) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=digital-possibilities.ca
* start date: Mar 5 01:17:12 2019 GMT
* expire date: Jun 3 01:17:12 2019 GMT
* subjectAltName: host "team.digital-possibilities.ca" matched cert's "team.digital-possibilities.ca"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: team.digital-possibilities.ca
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 303 See Other
HTTP/1.1 303 See Other
< Date: Tue, 05 Mar 2019 13:08:10 GMT
Date: Tue, 05 Mar 2019 13:08:10 GMT
< Content-Length: 0
Content-Length: 0
< Connection: keep-alive
Connection: keep-alive
< location: /login
location: /login
< set-cookie: vapor-session=6ALFaSlf+0NCf0wCKGKkUQ==; Expires=Tue, 12 Mar 2019 13:08:10 GMT; Path=/
set-cookie: vapor-session=6ALFaSlf+0NCf0wCKGKkUQ==; Expires=Tue, 12 Mar 2019 13:08:10 GMT; Path=/
<
* Connection #0 to host team.digital-possibilities.ca left intact
For https://digital-possibilities.ca
curl -4vIl https://digital-possibilities.ca
* Rebuilt URL to: https://digital-possibilities.ca/
* Trying [redacted]...
* TCP_NODELAY set
* connect to [redacted] port 443 failed: Connection refused
* Failed to connect to digital-possibilities.ca port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to digital-possibilities.ca port 443: Connection refused
curl -6vIl https://digital-possibilities.ca
* Rebuilt URL to: https://digital-possibilities.ca/
* Trying [redacted]...
* TCP_NODELAY set
* Connected to digital-possibilities.ca ([redacted]) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=digital-possibilities.ca
* start date: Mar 5 01:17:12 2019 GMT
* expire date: Jun 3 01:17:12 2019 GMT
* subjectAltName: host "digital-possibilities.ca" matched cert's "digital-possibilities.ca"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: digital-possibilities.ca
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Tue, 05 Mar 2019 13:10:38 GMT
Date: Tue, 05 Mar 2019 13:10:38 GMT
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 17086
Content-Length: 17086
< Connection: keep-alive
Connection: keep-alive
<
* Connection #0 to host digital-possibilities.ca left intact
Because the connection is available over IPv6 (the more common protocol for mobile devices) but not over IPv4, I believe you will want to either take a look at the differences you have between iptables and ip6tables, or you will want to take a look at the nginx configurations regarding port 443 and make sure there isn't anything separating IPv4 and IPv6.
Hope this helps!
Looks like your web servers are not listening on IPv4 - but only on IPv6 addresses.
Check your nginx config files - specifically the listen directives.
listen 443 ssl http2;
listen [::]:443 ssl http2;
The first one is for IPv4; you definitely want that, but it's probably missing. The one with [::] is for IPv6, and you've got that working fine.
Another possibility is firewall settings, maybe you only have allowed incoming traffic to port 443 over IPv6 but not IPv4.
To check on Debian / Ubuntu: ufw status (on other Linux distros the command can be different).
ufw status
Status: active
To Action From
-- ------ ----
443 ALLOW Anywhere
443 (v6) ALLOW Anywhere (v6)
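Both replies above come down to the same check: is port 443 actually bound on IPv4 as well as IPv6? The script below is an added example, not code from the thread or from certbot. It defines a hypothetical `listen_families` function that reads an nginx config file and reports which address families its `listen` directives cover for a given port, treating `[::]:443 ... ipv6only=off` as dual-stack. It also includes a `probe` function that repeats the curl -4 / curl -6 test from the first reply. The two sample server blocks it writes are constructed for illustration and are not the poster's real configuration.

```shell
#!/bin/sh
# Added example (not from the thread): does an nginx config bind a port on
# IPv4, IPv6, or both?  Hypothetical helper names; sample configs are constructed.

# listen_families CONFIG_FILE [PORT]
# Prints one of: both, ipv4, ipv6, none.
listen_families() {
  cfg="$1"; port="${2:-443}"
  v4=0; v6=0
  tmp=$(mktemp)
  # Drop comments, keep only 'listen' directives, strip the trailing ';'.
  sed 's/#.*//' "$cfg" | grep -E '^[[:space:]]*listen[[:space:]]' | sed 's/;.*//' > "$tmp"
  while read -r kw addr params; do
    case "$addr" in
      \[*\]:"$port")
        # Bracketed address => IPv6 socket.  With ipv6only=off nginx binds a
        # dual-stack socket, so IPv4 clients are served too.
        v6=1
        case " $params " in *" ipv6only=off "*) v4=1 ;; esac ;;
      "$port"|\*:"$port"|[0-9]*:"$port")
        # Bare port, *:port or a.b.c.d:port => IPv4 socket.
        v4=1 ;;
    esac
  done < "$tmp"
  rm -f "$tmp"
  case "$v4$v6" in
    11) echo both ;;
    10) echo ipv4 ;;
    01) echo ipv6 ;;
    *)  echo none ;;
  esac
}

# probe HOST [PORT]: the curl -4 / curl -6 test from the reply above.
# Needs network access, so the sample configs below do not exercise it.
probe() {
  host="$1"; port="${2:-443}"
  for fam in 4 6; do
    if curl -"$fam" -sS -o /dev/null --connect-timeout 5 "https://$host:$port/" 2>/dev/null; then
      echo "IPv$fam: connected"
    else
      echo "IPv$fam: failed"
    fi
  done
}

# Constructed sample: the IPv6-only block the poster ended up with.
sample_broken() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
server {
    listen [::]:443 ssl http2;   # IPv6 only
    server_name digital-possibilities.ca;
    ssl_certificate     /etc/letsencrypt/live/digital-possibilities.ca/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/digital-possibilities.ca/privkey.pem;
}
EOF
  echo "$f"
}

# Constructed sample: the fix from the reply, both listen lines present.
sample_fixed() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name digital-possibilities.ca;
}
EOF
  echo "$f"
}

# Constructed sample: a single dual-stack socket, also serves IPv4.
sample_dualstack() {
  f=$(mktemp)
  printf 'server {\n    listen [::]:443 ssl http2 ipv6only=off;\n}\n' > "$f"
  echo "$f"
}

for s in sample_broken sample_fixed sample_dualstack; do
  echo "$s: $(listen_families "$($s)" 443)"
done
```

Run it against a real install with `listen_families /etc/nginx/sites-enabled/default 443`; anything other than `both` explains a "works on LTE, fails on WiFi" pattern before the firewall is even looked at. If the config is fine, `probe your.host` reproduces the curl test, and `ufw status` (or `iptables -S` next to `ip6tables -S`) is the next place to look.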
@kmansoft Thank you so much.
This was the answer:
listen 443 ssl http2;
listen [::]:443 ssl http2;
I don't know why certbot sets up Nginx this way.
Thank you again!
@scane Thank you!