Are you getting any error messages in your browser? Is there anything unusual in your log files on the server? Where did you generate the CSR?
Problems with Forge + SSL + Digital Ocean
Followed this article: https://medium.com/laravel-4/forge-ssl-66b4252db7d8
My site was working fine but after installing and activating the SSL certificate, I restarted the server and now my site doesn't show up at all.
No URI combination works. http. https. www. non-www. Not sure what to do now. I'm using an SSL certificate from GoDaddy. Created my private key from there and also installed all of the Certs they gave me in a "bundle pack".
Should I have just installed only one certificate instead of all of them?
Any suggestions? Would really appreciate it
Need to know the error message. If it's a connection refused it means your server isn't listening on port 443
Yeah nothing to do with the certs. As of yet, they could be right or wrong.
For connection refused you need to check your Nginx config or settings via Forge as it's not got a virtual host that has listen 443 ssl; in. Is the site enabled in Nginx? /etc/nginx/sites-enabled should have a symlink to sites-available file.
Have you added a site for HTTPS? Not entirely sure how forge works as I don't use it. Here's an example of what they should look like https://bashy.im/blog/nginx-redirect-to-https-with-without-www-subdomain
If I post my nginx file here could that be useful to you?
And yes it is available in my sites-enabled.
I also notice when I type in mywebsite.com it tries to access http://www.mywebsite.com
However all versions of the URI give me the same error
server {
    listen 80;
    server_name mysite.com www.mysite.com;
    return 301 https://mysite.com$request_uri;
}
server {
    listen 443 ssl;
    server_name mysite.com www.mysite.com;
    root /home/forge/mysite.com/public;
    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/mysite.com/5772/server.crt;
    ssl_certificate_key /etc/nginx/ssl/mysite.com/5772/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    index index.html index.htm index.php;
    charset utf-8;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
@Djbethel Try replacing your config with
server {
    listen 80;
    server_name mysite.com www.mysite.com;
    #return 301 https://mysite.com$request_uri;
    root /home/forge/mysite.com/public;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    index index.html index.htm index.php;
    charset utf-8;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
server {
    listen 443 ssl;
    server_name mysite.com www.mysite.com;
    root /home/forge/mysite.com/public;
    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/mysite.com/5772/server.crt;
    ssl_certificate_key /etc/nginx/ssl/mysite.com/5772/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    index index.html index.htm index.php;
    charset utf-8;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
Restart nginx and try to access http://mysite.com (w/o ssl)
Also, check the Network tab of the server and be sure that both ports (80 and 443) are in Active Firewall rules enabled from Any IP.
Well for one, this has a syntax error (no closing curly bracket)
    location / {
        try_files $uri $uri/ /index.php?$query_string;
Should be
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
Tried the suggested config from @developeritsme and fixed the syntax error from @bashy. Still nothing. Sigh.
Any other ideas as to what it could be? @JeffreyWay Any clue?
@Djbethel And you've made sure the vhost above is enabled? Would you like me to take a look?
Sure. Email?
Can contact me at the bottom here: https://bashy.im/about
Do not send any passwords, if you want to allow me access, I have a public key you can add https://github.com/bbashy.keys
Could you use the cPanel on your server?
Y'all get this resolved?
@patton517, cPanel assumes CentOS (I believe only CentOS) as a distribution, while Forge uses Ubuntu explicitly, so I don't believe that's an option here.
@fideloper He didn't contact me so I don't know :P
I'm having the same issue: "This webpage is not available." "Reason: ERR_CONNECTION_REFUSED." New site installed on Forge, the non-HTTPS is working but the HTTPS is giving me an error. Funny thing is, the http should redirect to https.
I've also restarted the server, restarted nginx etc. I would like to note I do have HHVM installed, not sure if that would cause the issue but I don't think it should.
Current nginx configuration:
server {
    listen 80;
    server_name my-site.com www.my-site.com;
    return 301 https://my-site.com$request_uri;
}
server {
    listen 443 ssl;
    server_name my-site.com www.my-site.com;
    root /home/forge/my-site.com/public;
    # FORGE SSL (DO NOT REMOVE!)
    ssl_certificate /etc/nginx/ssl/my-site.com/6257/server.crt;
    ssl_certificate_key /etc/nginx/ssl/my-site.com/6257/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    index index.html index.htm index.php;
    charset utf-8;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }
    access_log off;
    error_log /var/log/nginx/my-site.com-error.log error;
    error_page 404 /index.php;
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root;
        include fastcgi_params;
    }
    location ~ /\.ht {
        deny all;
    }
}
@AnthonyC "ERR_CONNECTION_REFUSED" means the port isn't being listened on by anything. By the looks of it, those files aren't being executed.
Have a check in netstat for port 80 and 443. I normally just grep 'nginx' to check all.
sudo netstat -plnt | grep 'nginx'
K, so for some reason nginx stopped and won't restart. It's failing and throwing this error into error log:
SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/my-site.com/6258/server.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
@AnthonyC Looks like the versions or values in the keys don't match. Do some searching for that error and you will see a few things you can try.
Sorry, I was away on business for a few days. Back now.
I completed the contact form @bashy and added your key.
Did you get this resolved? I'm now having the same issue.
Same here
Dude, every time I try to do this it causes a redirect loop in my server.
I had problems with forge + digitalocean + ssl. I had to remove the passphrase from my server.key file.
    openssl rsa -in server.key -out server.key
Note that you will need the original passphrase, and once you're done you'll have to start nginx because it is most likely not even running.
Same problem! Is there a solution?
We fixed it by making a chained certificate as explained here: http://nginx.org/en/docs/http/configuring_https_servers.html
    $ cat www.example.com.crt bundle.crt > www.example.com.chained.crt
The resulting file should be used in the ssl_certificate directive:
    server {
        listen 443 ssl;
        server_name www.example.com;
        ssl_certificate www.example.com.chained.crt;
        ssl_certificate_key www.example.com.key;
        ...
    }
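Added example, not part of the thread or any poster's code: a pre-flight check for the two failures reported above, a passphrase-protected server.key and the "key values mismatch" error. The nginx documentation linked above notes that concatenating the bundle before the server certificate produces that same error, because nginx pairs the key with the first certificate in the file. The function names, file names and self-signed sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an nginx cert/key pair.
# All file names and sample certificates below are constructed.

# True when the FIRST certificate in PEM file $1 holds the public key of key $2.
# nginx pairs ssl_certificate_key with that first certificate only.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True when the key file is passphrase-protected (either PEM header style).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Writes constructed samples into directory $1: server cert/key, a stand-in bundle
# cert, both concatenation orders, and a passphrase-protected copy of the key.
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=www.example.com' \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Constructed CA' \
        -keyout "$d/ca.key" -out "$d/bundle.crt" 2>/dev/null
    cat "$d/server.crt" "$d/bundle.crt" > "$d/chained.crt"   # server cert first
    cat "$d/bundle.crt" "$d/server.crt" > "$d/reversed.crt"  # wrong order
    openssl rsa -in "$d/server.key" -aes128 -passout pass:constructed \
        -out "$d/encrypted.key" 2>/dev/null
}

# Reports on one pair; returns 0 only when nginx could load it unattended.
check_pair() {
    if key_is_encrypted "$2"; then echo "key has a passphrase: $2"; return 1; fi
    if cert_matches_key "$1" "$2"; then echo "ok: $1"; return 0; fi
    echo "first cert in $1 does not match $2 (key values mismatch)"; return 1
}

demo() {
    tmp=$(mktemp -d) && make_samples "$tmp" || return 1
    check_pair "$tmp/chained.crt" "$tmp/server.key" || :
    check_pair "$tmp/reversed.crt" "$tmp/server.key" || :
    check_pair "$tmp/chained.crt" "$tmp/encrypted.key" || :
    rm -rf "$tmp"
}

demo
```

On a server, check_pair takes the two paths named by ssl_certificate and ssl_certificate_key in the site's nginx config.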