Let's Encrypt SSL issues


#1

Hello all,

I’ve just started using ee and I am very impressed so far. I just need a little help configuring Let’s Encrypt SSL please.

My config so far:

  1. Google Cloud Compute instance running Ubuntu 16.04 LTS
  2. ee installed WordPress with PHP7: ee site create example.com --wp --php7
  3. Manually activated multisite and installed this plugin
  4. Added three networks and tested the three sites in the different networks - all working on HTTP
  5. ee installed Let’s Encrypt using: ee site update example.com --letsencrypt
  6. Tested the primary site and it’s working with HTTPS and HTTP/2
  7. Added additional certificates for the two other sites: ./certbot-auto certonly --standalone -d devsite.com -d www.devsite.com --email systems@devsite.com --text --agree-tos
  8. Keys for all three sites are in: /etc/letsencrypt/live but I don’t know how to make nginx use them!

I’ve tried adding server blocks into sites-enabled and I’ve tried adding additional .conf files in /var/www/example.com/conf/nginx; when I do this nginx will not restart, so now I’m kinda stuck! Any help would be very much appreciated.

Thank you


#2

I figured it out - don’t use EasyEngine’s Let’s Encrypt!


#3

@JeffC Can you please share the nginx configuration you are using, so that we can have a look into it and, if possible, fix it in case of any issue.

p.s: You can use pastebin or a similar website to share long results.

Thank you.


#4

@ssalil

OK, so having got Let’s Encrypt working by using the version not provided by EE, I decided to persevere on a test server to get this working with EE. It’s a little hacky but it works, so here goes.

  1. ee installed Let’s Encrypt using: ee site update example.com --letsencrypt
  2. service nginx stop
  3. rm -r /etc/letsencrypt/live/ && rm -r /etc/letsencrypt/keys && rm -r /etc/letsencrypt/archive && rm -r /etc/letsencrypt/renewal
  4. cd /opt/letsencrypt
  5. ./certbot-auto certonly --standalone -d site1.com -d www.site1.com -d site2.co.uk -d www.site2.co.uk --email systems@site.com --text --agree-tos
  6. service nginx start

Then I edit my server block: `nano /etc/nginx/sites-available/site1`

```nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name site1.com www.site1.com site2.co.uk www.site2.co.uk;

    access_log /var/log/nginx/site1.access.log rt_cache;
    error_log /var/log/nginx/site1.error.log;

    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers On;
    ssl_trusted_certificate /etc/letsencrypt/live/site1/chain.pem;
    add_header Strict-Transport-Security 'max-age=31557600; includeSubDomains';
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Xss-Protection "1";
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
    ssl_stapling on;
    ssl_stapling_verify on;

    resolver 8.8.8.8;
    root /var/www/site1/htdocs;
    index index.php index.html index.htm;

    include common/php7.conf;
    include common/wpcommon-php7.conf;
    include common/locations-php7.conf;
    # ssl_certificate / ssl_certificate_key are not set here; they are assumed
    # to come from the EE-generated conf/nginx/ssl.conf pulled in below
    include /var/www/site1/conf/nginx/*.conf;
}

server {
    listen 80;
    listen [::]:80;
    server_name site1.com www.site1.com site2.co.uk www.site2.co.uk;
    return 301 https://$server_name$request_uri;
}
```

I then delete the force-ssl server block: `rm /etc/nginx/conf.d/force-ssl-site1.com.conf`

Hopefully this will help others who want to use EE in a multisite setup. Let me know what you think and if I’ve missed anything.

Thanks


#5

Interesting - I’ve just tested again this morning and a request to site2 over HTTP is being redirected to site1 HTTPS…

Guess the listen on port 80 isn’t catching site2.
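An added illustration, not from the thread, of why the port-80 redirect block in post #4 can send every site to site1: in nginx, `$server_name` always expands to the first name listed in the `server_name` directive, whatever host the client asked for, while `$host` carries the hostname from the request. The domain names are the placeholders used in post #4.

```nginx
# As written in post #4: $server_name is the FIRST name in the
# server_name list (site1.com), so http://site2.co.uk/ is answered with
# "301 https://site1.com/" regardless of which site was requested.
server {
    listen 80;
    listen [::]:80;
    server_name site1.com www.site1.com site2.co.uk www.site2.co.uk;
    return 301 https://$server_name$request_uri;
}

# Corrected: $host is the Host header of the request (it falls back to the
# primary server name only when the header is missing), so each site is
# redirected to its own HTTPS origin.
server {
    listen 80;
    listen [::]:80;
    server_name site1.com www.site1.com site2.co.uk www.site2.co.uk;
    return 301 https://$host$request_uri;
}

# Because $host echoes whatever Host header the client sent, keep a
# separate default server for names that are not listed above, so the
# redirect block above only ever issues redirects to its own names.
# (444 closes the connection without a response.)
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}
```

Note that the catch-all block only takes effect if no other port-80 server in the EE configuration already claims `default_server`.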


#6

Hi @JeffC,

Is your multisite setup with Let’s Encrypt SSL still working?

I have also tried something similar to what you have mentioned here, and though HTTPS is working on all my subdomains, mapped domains etc., when I open the same websites without HTTPS (like http://domain1.com), it gives a 400 BAD REQUEST error saying "The plain HTTP request was sent to HTTPS port".

Here is the link to my thread where I have explained all my set-up :slight_smile:

I think there is some issue with my SSL configuration. You said you have deleted the force-ssl.conf file. Right?

But then what about /var/www/domain.com/conf/nginx/ssl.conf? Don’t you use ssl.conf? If yes, what is its configuration? Mine is:

```nginx
listen 443 ssl http2;
ssl on;
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
```

Have you edited /etc/nginx/sites-enabled/domain.com or /etc/nginx/sites-available/domain.com ?

My config here is:

```nginx
server {
    # Uncomment the following line for domain mapping
    listen 80 default_server;

    server_name presspeace.com *.presspeace.com;

    # Uncomment the following line for domain mapping
    server_name_in_redirect off;

    access_log /var/log/nginx/presspeace.com.access.log rt_cache;
    error_log /var/log/nginx/presspeace.com.error.log;

    root /var/www/presspeace.com/htdocs;

    index index.php index.html index.htm;

    include common/wpfc.conf;
    include common/wpcommon.conf;
    include common/locations.conf;
    include /var/www/presspeace.com/conf/nginx/*.conf;
    subs_filter http:// https://;
}
```

Kindly give a look to my issues here: 400 Bad Request after installing LetsEncrypt SSL on WordPress Multisite installation and see if you can see any resolution.

Thank you.
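An added illustration, not from the thread, of what the `ssl on;` line in the ssl.conf quoted above does: that directive turns TLS on for every `listen` socket of the server block it is included in, and this ssl.conf is included into a site block that also has `listen 80 default_server;`, so a plain `http://` request arriving on port 80 hits a TLS-only socket and nginx answers 400 "The plain HTTP request was sent to HTTPS port". Selecting TLS with the `ssl` parameter of the 443 listen instead leaves port 80 as plain HTTP. Certificate paths are the ones quoted in the post.

```nginx
# ---- ssl.conf as quoted in the post ----
# "ssl on;" applies to ALL listen sockets of the enclosing server,
# including "listen 80 default_server;" from the site block, which is
# why plain HTTP on port 80 is rejected with 400. ("ssl on" is also
# deprecated since nginx 1.15.0 in favour of the listen parameter.)
listen 443 ssl http2;
ssl on;
ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;

# ---- corrected ssl.conf ----
# TLS is chosen per socket by the "ssl" parameter of listen, so the same
# server block can keep accepting plain HTTP on port 80 (to serve or to
# redirect) while terminating TLS only on 443.
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate     /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
# chain.pem from the same lineage lets ssl_stapling_verify check the
# OCSP response, as post #4 does with ssl_trusted_certificate
ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
```

After editing, `nginx -t` validates the change and `service nginx reload` applies it without the stop/start in post #4.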


#7