Letsencrypt & SSL Hell


#1

Hi, firstly thanks for the great tool. Let nothing that follows preclude the fact that I immensely appreciate your efforts. Getting back to the point -

I was trying to upgrade a simple html site to SSL. Upgraded the EE version to latest. Dropped in the commands and it says all done. However, when I try to open the website, Chrome says the server “Refused to connect”.

After breaking my head over it, getting rate limited by letsencrypt and whatnot, I realized the issue was in the conf file.

In /etc/nginx/sites-available the site’s conf file did not have any configuration for ssl / https.

On adding

listen 443 ssl;
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

it started working properly.

Another problem that caused significant delay in troubleshooting was that there was a redirect conf file that wasn't deleted when the letsencrypt option was switched off. So then the letsencrypt bot was trying to validate the domain using https, because nginx sent it there via the conf file which wasn't removed. It doesn't have https because letsencrypt is switched off, and the circle goes on. Eventually you get rate limited by letsencrypt for an hour because of multiple failed attempts (limit is 5).

Is there a way this can be solved?


#2

I am very new to EE, so this could be wrong. But, from what I recall and understand, the SSL directives are included into the Vhost conf via the various include files. From what I recall, in my case there is an ssl.conf file in the /var/www/mydomain.com/conf/nginx/ folder. This file is included by the following line in the vhost conf file (/etc/nginx/sites-enabled/mydomain.conf):

include /var/www/mydomain.com/conf/nginx/*.conf;

I have assumed this ssl.conf file was created in /var/www/mydomain.com/conf/nginx/ when I used the EE Let’s Encrypt installation process. So I am not sure why it’s not worked for you. The content of that file should be:

listen 443 ssl http2;
ssl on;
ssl_certificate     /etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key     /etc/letsencrypt/live/mydomain.com/privkey.pem;

I can’t help with the redirect.conf file issue. Sorry.
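An added example, not part of the thread and not EasyEngine code: a small check over a vhost file and the files it includes that flags the two states post #1 describes (no listener on 443, and an HTTPS redirect with nothing serving 443), plus the `ssl on;` directive, which nginx has deprecated since 1.15.0 in favour of `listen ... ssl`. The config texts and labels are constructed, and `include` lines are not followed, so each included file's text is passed in by the caller.

```python
import re

# Constructed inputs. STALE is the state post #1 describes: HTTP is redirected
# to HTTPS but nothing listens on 443. FIXED adds the ssl.conf from post #2.
STALE = {
    "vhost": "server {\n  listen 80;\n  server_name example.com;\n"
             "  include /var/www/example.com/conf/nginx/*.conf;\n}\n",
    "leftover-redirect": "return 301 https://$host$request_uri;\n",
}
FIXED = {
    "vhost": "server {\n  listen 80;\n  server_name mydomain.com;\n"
             "  include /var/www/mydomain.com/conf/nginx/*.conf;\n}\n",
    "ssl.conf": "listen 443 ssl http2;\nssl on;\n"
                "ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;\n"
                "ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;\n",
}

def directives(text):
    """Return (name, args) pairs for simple nginx directives, comments stripped."""
    text = re.sub(r"#[^\n]*", "", text)
    return [(m.group(1), m.group(2).split())
            for m in re.finditer(r"([a-z_]+)\s+([^;{}]+);", text)]

def audit(configs):
    """configs: {label: text} for a vhost file plus the files it includes."""
    found = [d for text in configs.values() for d in directives(text)]
    names = {name for name, _ in found}
    # A TLS listener is a listen directive on port 443 carrying the ssl flag.
    tls_listener = any(name == "listen" and "ssl" in args
                       and any(a.split(":")[-1] == "443" for a in args)
                       for name, args in found)
    https_redirect = any(name in ("return", "rewrite")
                         and any(a.startswith("https://") for a in args)
                         for name, args in found)
    findings = []
    if not tls_listener:
        findings.append("no-tls-listener")
        if https_redirect:
            # HTTP-01 validation follows the redirect to a port nobody serves.
            findings.append("redirect-without-tls")
    elif not {"ssl_certificate", "ssl_certificate_key"} <= names:
        findings.append("missing-cert-directive")
    if ("ssl", ["on"]) in found:
        findings.append("deprecated-ssl-on")  # deprecated since nginx 1.15.0
    return findings

if __name__ == "__main__":
    print(audit(STALE), audit(FIXED))
```

Running it against the real files before requesting a certificate shows the redirect loop without spending any of the failed-validation attempts the thread mentions.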