I can't figure out how to troubleshoot this. Whenever I try opening a website using HTTP, I get something like:

$ wget example.com
Connecting to example.com (example.com)|<IP_HERE>|:80... failed: No route to host.

Meanwhile, HTTPS works fine:

$ wget https://example.com
Connecting to example.com (example.com)|<IP_HERE>|:443... connected.

Of course, my first places to look were my firewall and nginx configs. However, ufw shows port 80 as an already open port:

$ ufw allow http
Skipping adding existing rule
Skipping adding existing rule (v6)

...and the logic behind redirecting to HTTPS in my nginx config seems rather good to me:

listen 80; # managed by Certbot

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

if ($scheme != "https") {
    return 301 https://$host$request_uri;
} # managed by Certbot

I have also tried nmap-ing the (Ubuntu 16.04) server both from the machine itself (nmap localhost) and from the external location (nmap <ip-here>). Surprisingly, HTTP seems to be closed from the external location. Disabling firewall also didn't help. netstat -lnp | grep "80" shows me that nginx is indeed listening on port 80:

tcp        0      0    *               LISTEN      8845/nginx -g daemo

There's nothing written in the nginx logs.

I'm not sure where else to look. I can't pinpoint this issue.

  • Check your firewall. – Michael Hampton Jan 16 '18 at 20:26
  • In addition to @MichaelHampton’s comment, I’d try to open the address in chrome browser and then inspecting the page then choosing Network, that will show you what happens in the background. Also, just to understand if it’s a firewall issue, I would stop the firewall service, retry wget and restart the firewall but that would tell me if it’s a firewall issue or not. – Itai Ganot Jan 16 '18 at 20:32
  • Did you enable a [firewall in Hetzner-Robot](https://i.stack.imgur.com/zekXr.png)? – Michael Hampton Jan 16 '18 at 20:34
  • Disabling firewall and trying `wget` again did nothing. Also something weird is that even `wget localhost` from the server gives me `...(localhost)||:80... failed: No route to host.`, which most definitely doesn't sound like a firewall problem. Firewall in Hetzner-Robot was enabled (by default I think, I don't remember turning it on), but disabling it also did nothing. – r3bl Jan 16 '18 at 21:07
  • what does `ip a s` and `ip r s` show you? and whats in `/etc/hosts` and `/etc/resolv.conf` (you may mask your public ip by xxx.xxx.xxx.xxx or similar) – Phillip -Zyan K Lee- Stockmann Jan 16 '18 at 21:40
  • just to make sure we won't work on a problem already solved: I can wget your blog via http and https without errors... – Phillip -Zyan K Lee- Stockmann Jan 16 '18 at 21:50

Upon a server re-start, I've discovered that there was something wrong with nginx (I couldn't start it).

I then looked at journalctl -xe and discovered that nginx was missing one of the dependencies for a separate nginx config (php7.0-mbstring), which was preventing it from starting. The weird thing here is that doing nginx -t and restarting nginx via systemd didn't discover that error before the restart.

After the restart, I've made sure to install that missing PHP dependency. That made nginx start properly and the HTTP traffic forwarded to HTTPS from that point on.

My assumption to the core of this problem is that some PHP process had to be restarted (perhaps php7.0-fpm, I'm really not familiar with the PHP ecosystem) for the nginx to notice the dependency change, and that a combo of those two problems caused some really unexpected consequences.

