SSL setup fails

Hello team I have following the documentation at System Administration Document for the configuration of ssl.

Having followed the documentation thoroughly yet unable to access the instance on https.

My setup

  1. Every setup is done. (Creation of user, postgresql, java, tomcat.). The tomcat is listening to port 80
  2. server.xml at /tomcat/conf/server.xml uses port 8080
  3. both port 80 and 8080 /apache full and nginx full are enabled in ufw
  4. Now nginx server also listening default port 80 with reserverProxy at http://localhost:8080

With either apache2 or nginx can start at a time since they are listening to port 80.
When either apache port or nginx port is changed, application port to default apache page

Page SSL confirmation

Please what am I doing wrong.
Could someone share note on apache and nginx as ssl proxy setup?

Thank you all for helping.

Could it be that you’re being redirected to this default page because you’ve configured it at localhost rather than http://localhost:8080/<instance-name>?

I’m asking this question because I read this before mentioned in the LetsEncrypt installation when using ng-tools:

Web proxy

By default you will have installed an apache2 reverse proxy server with an SSL/TLS certificate from letsencrypt. You will be able to browse to your DHIS2 instances with https://<server_name>/<instance_name>. You will also be able to browse to the system monitor at https://server_name>/munin. It should soon be also possible to use an nginx proxy, but the apache2 one is currently the best tested.

If you browse to home page at https//:<server_name> you will reach the apache2 default page.

@fosuhene , I’m not really sure, just guessing, but I think it might help other experts and community members with more experience to help you if you share configuration settings (without sensitive info)






@fosuhene, also please, did you go over these steps from the docs:

Now, lets configure Apache by enabling the SSL modules and creating a default site.

a2enmod ssl
a2ensite default-ssl

Now, we need to edit the default-ssl (located at /etc/apache2/sites-enabled/default-ssl) file in order to enable the SSL transfer functionality of Apache.

<VirtualHost *:443>
    ServerAdmin wemaster@mydomain.org
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    ...

Be sure that the *:80 section of this file is changed to port *:443, which is the default SSL port. Also, be sure to change the ServerAdmin to the webmaster’s email. Lastly, we need to be sure that the hostname is setup properly in /etc/hosts. Just under the “localhost” line, be sure to add the server’s IP address and domain name.

127.0.0.1 localhost
XXX.XX.XXX.XXX foo.mydomain.org

Now, just restart Apache and you should be able to view https://foo.mydomain.org/dhis.

/etc/init.d/apache2 restart

Good morning and thank you all for the swift response.
Here is what I am doing.

  1. I am not using apache as the reverse proxy instead I am using nginx according to the documentation.
    NB: I would be happy if a team member can share with me his apache proxy configuration.

  2. This implies that I am not using the /etc/apache2/sites-available/default-ssl.conf but /etc/nginx/nginx.conf and /etc/nginx/sites-available/default

NB: I getting a bit confuse as @Gassim suggesting I should use the apache instead of the nginx since the apache has been tested and tried whiles the documentation is stating otherwise. I need someone to share with me his notes.

I am attaching my configuration files.



Thank you for the assistance.

1 Like

Here is a proposed reference setup for Nginx (1.18.0) + SSL. We assume that you already have your SSL certificates (from Letsencrypt or any other provider) in place.

Your /etc/nginx/sites-enabled/YOUR.HOST.NAME should contain:

server {
    # Listen to the HTTP port both on IPv4 and IPv6
    # (comment out the 2nd line if you have IPv4 only)
    listen 80;
    listen [::]:80;

    # Listen to the HTTPS port both on IPv4 and IPv6
    # (comment out the 2nd line if you have IPv4 only)
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Paths to SSL certificate
    # (specific to Letsencrypt, can have different paths on other systems)
    ssl_certificate /etc/letsencrypt/live/YOUR.HOST.NAME/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/YOUR.HOST.NAME/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/YOUR.HOST.NAME/chain.pem;

    # Redirect all HTTP requests to HTTPS
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }

    # Your virtual host name and root directory
    # (should be empty, if you use a reverse proxy)
    server_name YOUR.HOST.NAME;
    root /var/www/YOUR.HOST.NAME;

    # Ensure that you have a reasonable log rotation policy in place
    # to avoid running out of disk space
    access_log  /var/log/nginx/YOUR.HOST.NAME.access.log;
    error_log  /var/log/nginx/YOUR.HOST.NAME.error.log;

    # Specific to Letsencrypt, may be not needed in your configuration
    location /.well-known/ {
        alias /var/www/html/.well-known/;
    }

    location / {
        # Pass all requests to our backend
        proxy_pass http://localhost:8080/;
    }
}

Tomcat with the DHIS2 backend application should run only as a non-privileged user on a port higher than 1024/tcp for security reasons. Requests are accepted on 80/tcp (redirected to HTTPS) and 443/tcp and then sent via reverse proxy (Nginx) to the backend.

Your /home/dhis/config/dhis.conf should contain the following lines:

# ----------------------------------------------------------------------
# Server
# ----------------------------------------------------------------------

# Enable secure settings if deployed on HTTPS, default 'off', can be 'on'
server.https = on

# Server base URL
server.base.url = https://YOUR.HOST.NAME

You can check if you have configured ports properly with the netstat command. In this example we assume that both Nginx and Tomcat are running on the same machine, and use only IPv4.

root@ubuntu:~# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address  Foreign Address   State   PID/Program name    
tcp   0      0    0.0.0.0:443      0.0.0.0:*         LISTEN  11082/nginx: master 
tcp   0      0    0.0.0.0:80       0.0.0.0:*         LISTEN  11082/nginx: master 
tcp   0      0    127.0.0.1:8005   0.0.0.0:*         LISTEN  1018/java           
tcp   0      0    127.0.0.1:8080   0.0.0.0:*         LISTEN  1018/java           
1 Like

Thank you all, community for your immersed responses on this issues. All has been good now. Apache has worked without nginx support.

1 Like

Dear @fosuhene,
Please mark this topic as solved and create a new topic post for the new issue:

Thank you! :pray: