-1

Using a Digital Ocean LEMP Ubuntu 16.04 installation with one site example.com. Visiting http://example.com works normally.

Installed Let's Encrypt using https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04 successfully without running into any errors.

When visiting https://example.com the browser says, "example.com refused to connect."

What are the best steps to diagnose Let's Encrypt issues when not seeing any errors?

To note, in /var/etc/nginx/sites-available/ there is "default" and "digitalocean". Default has "www.example.com and example.com" in it. But do not see any lines in regards to Let's Encrypt before or after installation. I had thought the LE install would update that config with LE lines. No changes to "digitalocean" config either. Don't see any errors in /var/log/nginx/error.log.

When running "sudo lsof -iTCP -sTCP:LISTEN -P", it mentions items listening on 22 and 80 but none say 443. Running "sudo ufw status" shows 443 allow and "443 (v6)", "Nginx Full (v6)" etc.

Wondering if someone can recommend how to start diagnosing the issue?

UPDATE: Reverted to snapshot before installing and tried again. This time noticed one new error: "Cannot find a VirtualHost matching domain example.com. In order for Certbot to correctly perform the challenge please add a corresponding server_name directive to your nginx configuration: https://nginx.org/en/docs/http/server_names.html"

That would clearly cause the issue, but in /etc/nginx/sites-available/default "server_name example.com www.example.com;" are there and as noted the http site loads without a problem. Is there a reason why Let's Encrypt can't see that?

cchiera
  • restart nginx, nginx is your https host, not letsencrypt, LE only issues certs. – Jacob Evans Dec 04 '17 at 18:20
  • https://serverfault.com/questions/725262/what-causes-the-connection-refused-message – user9517 Dec 04 '17 at 18:20
  • @JacobEvans Do you mean restarting nginx versus reloading nginx is required? That is, as noted was able to follow the instructions for installing above without any issues which included, "sudo systemctl reload nginx". But if you are saying I need to restart nginx rather than reload, I can try that too. – cchiera Dec 04 '17 at 18:30
  • @user430214 Thanks for your reply. Looked through that link but not finding anything helpful for my issue. As noted, the firewall seems to be working correctly, though as I also noted seems like it's not listening on :443 but don't know how to resolve that and not seeing information on how to resolve that in that link. Unless I'm missing something? Thank you! – cchiera Dec 04 '17 at 18:33
  • Are you confident you used the `--nginx` flag, and yes you must restart nginx to load the certificate – Jacob Evans Dec 04 '17 at 18:38
  • @JacobEvans Yes, I'm confident I copied and pasted the exact commands in the link above and did not get any errors when running any of them. I'll try restarting nginx rather than reloading. Interesting that the Digital Ocean instructions say reload and don't require restarting and looks like countless people have done it successfully. So thinking that may not be required, but definitely worth a shot! – cchiera Dec 04 '17 at 18:42
  • @JacobEvans Tried restarting Nginx instead of reloading but appears to not be making any difference. Thanks for the suggestion though to try. – cchiera Dec 04 '17 at 18:47
  • The link tells you what the problem is - not listening on 443. Now you should start looking in your logs to see why it's not listening on 443 - yeesh wadda ya want me to come and think for you – user9517 Dec 04 '17 at 18:47
  • Is nginx even configured to listen on 443? Did you uncomment the server block? Did letsencrypt actually configure an SSL server block? Did you post configs? Is your certificate referenced by any nginx configs? – Jacob Evans Dec 04 '17 at 18:48
  • @JacobEvans Those all are things I'm trying to determine. The only steps I took were the ones in the link above. They do not mention any additional nginx configurations or uncommenting anything. And as noted, I don't see any changes made to the config after installing LE. This server is for only one site only. So I believe that LE, while it didn't show any errors, didn't fully set up as it should, so hoping to find commands or things to run to see exactly what may have gone wrong and then I can further research on why and how to resolve. – cchiera Dec 04 '17 at 19:02
  • Please don't refer to `the link above`. It does not help in any way as we don't know what in there you did or did not do. If you need help with your configuration, post your actual configuration files so people can take a look at it and see what's wrong. But before you do that, try to enable SSL on your nginx yourself. There are lots of tutorials on how to do that. – Gerald Schneider Dec 05 '17 at 14:59
  • Possible duplicate of [What causes the 'Connection Refused' message?](https://serverfault.com/questions/725262/what-causes-the-connection-refused-message) – kasperd Dec 25 '17 at 02:28

1 Answer

0

In my searching discovered many others running into the same issue, and finally found a post with the solution.

DigitalOcean creates a special config, "DigitalOcean" that appears should be used instead of "Default". This confused me, since I had been using "Default". But upon closer examination while both were in /etc/nginx/sites-available only "DigitalOcean" was in /etc/nginx/sites-enabled which explains why it was not working. I applied the changes I made to Default into DigitalOcean config and now works! Hope this helps others running into the same issue.

cchiera
  • It might still be helpful for others to know what the actual issue was and what you did to fix it. As I mentioned in my earlier comment, please add the relevant parts of your configuration files to your question and answer. – Gerald Schneider Dec 05 '17 at 16:12
  • Hi yes, I've noted the issue in my answer above. It's unique to Digital Ocean where DO creates a special config along with default, at least when using the LEMP one click setup. Using /etc/nginx/sites-available/default does not work, but using their custom /etc/nginx/sites-available/digitalocean does. In regards to the config files, I just used the default, so as long as people use the DO config instead, that should resolve the issue. – cchiera Dec 05 '17 at 19:24
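
The check that resolved this thread, written as a script: for every file in sites-available, report whether it is linked into sites-enabled, whether it names the domain, and whether it has an uncommented `listen 443` line. This is an added example, not part of the original posts or of Certbot or DigitalOcean tooling; the function names `audit_nginx_sites` and `build_sample_tree` are hypothetical, the sample configs are constructed, and the Debian/Ubuntu sites-available/sites-enabled layout is assumed.

```shell
#!/bin/sh
# Added example. Assumes the Debian/Ubuntu layout: nginx.conf includes
# sites-enabled/*, and sites-available holds the candidate files.
# Usage: audit_nginx_sites <nginx-root> <domain>
audit_nginx_sites() (
    root=$1; domain=$2
    for conf in "$root"/sites-available/*; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf")
        enabled=no; names=no; tls=no
        # A file that is not linked into sites-enabled is never read.
        if [ -e "$root/sites-enabled/$name" ]; then enabled=yes; fi
        # Drop commented lines, then compare each server_name token exactly.
        live=$(grep -v '^[[:space:]]*#' "$conf" || true)
        if printf '%s\n' "$live" |
            sed -n 's/^[[:space:]]*server_name[[:space:]]\{1,\}\(.*\);.*/\1/p' |
            tr -s ' \t' '\n\n' | grep -Fxq "$domain"; then names=yes; fi
        # Matches "listen 443 ssl;" and "listen [::]:443 ssl;", not 8443.
        if printf '%s\n' "$live" |
            grep -Eq '^[[:space:]]*listen[[:space:]]+([^;[:space:]]*:)?443([[:space:];]|$)'; then
            tls=yes
        fi
        echo "$name enabled=$enabled server_name=$names listen443=$tls"
    done
)

# Constructed sample tree reproducing the state described in the answer
# (file contents are made up, not the real DigitalOcean config).
build_sample_tree() (
    t=$(mktemp -d)
    mkdir -p "$t/sites-available" "$t/sites-enabled"
    printf 'server {\n  listen 80;\n  server_name example.com www.example.com;\n}\n' \
        > "$t/sites-available/default"
    printf 'server {\n  listen 80 default_server;\n  # listen 443 ssl;\n  server_name _;\n}\n' \
        > "$t/sites-available/digitalocean"
    ln -s "$t/sites-available/digitalocean" "$t/sites-enabled/digitalocean"
    echo "$t"
)

tree=$(build_sample_tree)
audit_nginx_sites "$tree" example.com
rm -rf "$tree"
```

On a live server, call `audit_nginx_sites /etc/nginx example.com`; a file reporting `enabled=no server_name=yes` is the situation described in the answer. `sudo nginx -T` prints the full configuration nginx actually loads, for comparison.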