
First, let me say that I am new to sysadmin stuff, and this is a site I am using to gain practice and experience.

I have an SSL through cloudflare, and I have uploaded it to /var/ssl/ssl.pem and /var/ssl/ssl.key. I changed the folder permissions to chmod 700 /var/ssl.

I can access my site via http://165.227.182.40/ and http://aaronstone.io/ but not https://aaronstone.io/

sudo ufw status returns:

WARN: / is group writable!
Status: active

To                         Action      From
--                         ------      ----
22                         LIMIT       Anywhere
443                        ALLOW       Anywhere
80                         ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22 (v6)                    LIMIT       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)

netstat -atpn shows

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1392/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6504/nginx -g daemo
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1621/sshd
tcp        0      0 127.0.0.1:60484         127.0.0.1:3306          ESTABLISHED 5338/sshd: root
tcp        0      0 165.227.182.40:22       63.131.219.239:58963    ESTABLISHED 5338/sshd: root
tcp        0      0 127.0.0.1:3306          127.0.0.1:60484         ESTABLISHED 1392/mysqld
tcp        0    332 165.227.182.40:22       63.131.219.239:58846    ESTABLISHED 2096/sshd: aaron [p
tcp        0      0 165.227.182.40:80       108.162.216.205:14411   TIME_WAIT   -
tcp        0      0 127.0.0.1:60486         127.0.0.1:3306          ESTABLISHED 5338/sshd: root
tcp        0      0 127.0.0.1:3306          127.0.0.1:60486         ESTABLISHED 1392/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      6504/nginx -g daemo
tcp6       0      0 :::22                   :::*                    LISTEN      1621/sshd

My NginX config is as follows:

server {
    listen 80;
    listen [::]:80;

    # SSL configuration
    #
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /var/ssl/ssl.pem;
    ssl_certificate_key /var/ssl/ssl.key;

    root /var/www/html/;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    server_name aaronstone.io www.aaronstone.io;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        #try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;

        # With php7.0-cgi alone:
        #fastcgi_pass 127.0.0.1:9000;
        # With php7.0-fpm:
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny all;
    }
    location ~ /.well-known {
        allow all;
    }
}

nginx status:

● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-02-07 19:22:19 UTC; 14min ago
  Process: 6492 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
  Process: 5588 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, stat
  Process: 6500 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCES
  Process: 6497 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status
 Main PID: 6504 (nginx)
    Tasks: 2
   Memory: 3.5M
      CPU: 505ms
   CGroup: /system.slice/nginx.service
           ├─6504 nginx: master process /usr/sbin/nginx -g daemon on; master_process on
           └─6505 nginx: worker process

Feb 07 19:22:19 aaronstone systemd[1]: Starting A high performance web server and a reverse proxy server
Feb 07 19:22:19 aaronstone systemd[1]: nginx.service: Failed to read PID from file /run/nginx.pid: Inval
Feb 07 19:22:19 aaronstone systemd[1]: Started A high performance web server and a reverse proxy server.
Aaron
  • nginx isn't listening on port 443, so it must have issued an error message about that part of the configuration. What does the nginx error log say? – Andrew Schulman Feb 07 '18 at 22:50

2 Answers


Nginx does not listen to port 443, as your netstat output shows. Your nginx config seems to be correct, in fact I tried it and it works for me. Do you have other webservers running? I suspect something running at port 80 (e.g. Apache/httpd) and nginx does not start up.

Does nginx start up without any error messages?

If you have nginx running as a service, what is the output of sudo service nginx status?

If you add the parameter p to the netstat command, e.g. sudo netstat -atpn, it shows the process name of the listening addresses (see man netstat for more information). Does the line tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN belong to nginx?

mlist
  • I updated my question to reflect. nginx seems to start fine, I don't have any issues editing my site. I just cannot access it via https. – Aaron Feb 07 '18 at 19:39
  • Glad you could resolve your problem. The absence of any error message but a starting nginx indicated that the config was not actually enabled. – mlist Feb 07 '18 at 20:09
  • That's a very good tip. I will remember that in the future as I was VERY confused. – Aaron Feb 07 '18 at 20:36

My issue was that I had no symlink from /sites-available to /sites-enabled

$ cd /etc/nginx/sites-enabled
$ sudo ln -sf ../sites-available/default .
$ sudo service nginx reload
Aaron
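The thread turns on three checks a practitioner would want to script rather than eyeball: whether anything is actually in LISTEN state on 443 (the evidence in the question's netstat output), whether the vhost in sites-available is really enabled through a sites-enabled symlink (the fix in the answer above), and whether the private key under /var/ssl is readable only by its owner. The shell helpers below are added here as an example; they are not from the question or either answer. The sample netstat text, the throwaway directories and the file names are constructed for the demo.

```sh
#!/bin/sh
# Added diagnostic helpers for this thread; not from the original question or answers.
# Sample data and temporary paths below are constructed for demonstration.

# listens_on PORT OUTPUT -> exit 0 if a socket is in LISTEN state on PORT.
# OUTPUT is the text of `netstat -atn` (state in column 6) or `ss -ltn` (state in column 1).
listens_on() {
    printf '%s\n' "$2" | awk -v p="$1" '
        (($1 ~ /^tcp/ && $6 == "LISTEN") || $1 == "LISTEN") && $4 ~ (":" p "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# site_enabled SITES_AVAILABLE SITES_ENABLED NAME
# -> exit 0 if SITES_ENABLED/NAME exists and refers to the same file as SITES_AVAILABLE/NAME.
#    A missing entry or a dangling symlink means nginx never loads that server block,
#    so its listen 443 directive has no effect even though nginx -t reports no error.
site_enabled() {
    [ -e "$2/$3" ] && [ "$2/$3" -ef "$1/$3" ]
}

# key_is_private FILE -> exit 0 if FILE has no group/other permission bits (0600, 0400, ...).
# Parses `ls -ld` so it works on both GNU and BSD userland. nginx's master process reads the
# key as root at startup, so owner-only access is sufficient.
key_is_private() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample modelled on the question's netstat output: 80 and 22 listen, 443 does not.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1392/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6504/nginx -g daemo
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1621/sshd
tcp        0      0 165.227.182.40:80       108.162.216.205:14411   TIME_WAIT   -
tcp6       0      0 :::80                   :::*                    LISTEN      6504/nginx -g daemo'

# Demo: run the checks against the sample and a throwaway sites-available/sites-enabled pair.
demo() {
    for port in 80 443; do
        if listens_on "$port" "$SAMPLE_NETSTAT"; then
            echo "port $port: LISTEN"
        else
            echo "port $port: nothing listening (server block not loaded, or listen directive missing)"
        fi
    done
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/sites-available" "$tmp/sites-enabled"
    : > "$tmp/sites-available/default"
    site_enabled "$tmp/sites-available" "$tmp/sites-enabled" default || echo "default: NOT enabled"
    ln -sf ../sites-available/default "$tmp/sites-enabled/default"   # the fix from the answer above
    site_enabled "$tmp/sites-available" "$tmp/sites-enabled" default && echo "default: enabled"
    : > "$tmp/ssl.key"
    chmod 600 "$tmp/ssl.key"
    key_is_private "$tmp/ssl.key" && echo "ssl.key: owner-only"
    rm -rf "$tmp"
}

demo

# On a live host, feed real output instead of the sample, for example:
#   listens_on 443 "$(sudo netstat -atn)"
#   site_enabled /etc/nginx/sites-available /etc/nginx/sites-enabled default
#   key_is_private /var/ssl/ssl.key
```

Two notes on what the checks do and do not tell you. A passing `nginx -t` only proves the files nginx includes are syntactically valid; if the server block is not included at all, as in this thread, 443 simply never appears in the LISTEN list, so `listens_on` after every reload is the cheapest regression check. The `chmod 700 /var/ssl` in the question is fine for nginx because the master process opens the certificate and key as root before dropping privileges; `key_is_private` catches the opposite mistake of a world-readable key. The `WARN: / is group writable!` line in the ufw output is unrelated to the 443 problem: it means the root directory's mode allows group write, which `sudo chmod g-w /` corrects.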