I want traffic on my web server to be served securely. I'm running Ubuntu server 20.04 with Abyss Web Server, which has native support for using Let's Encrypt certificates.
I followed all the instructions found on their website exactly, but when trying to access it afterwards, it just gives a 403 error. When switching back to http, there are no problems - I can access the site perfectly fine. And the only thing I'm changing when switching from https to http is the dropdown box that says protocol (see the image below) then restarting the server.
443 is obviously open on my computer and router (otherwise I'd just be getting a timeout response)
No issues were encountered when generating the LE certificate. And the console is showing that everything is fine, when it's not.
All my web traffic goes through Cloudflare before reaching me - could that be what's causing the issue? If so, I'll just stick to http with Cloudflare, because of the extra security they provide, but this sounds like something that is wrong with my pc - something is not allowing https requests to actually access the website.
Cloudflare provides some encryption by themselves, however this is just between the user agent and the Cloudflare servers - there is none between Cloudflare and the origin server. I want end-to-end encryption.
So when you visit my site, it will say https, but this is only between the user and Cloudflare - the traffic between my server and Cloudflare is still plain old http on port 80.
To prove I followed the instructions correctly, here are what the main settings for my site in the main console look like (with my hostname):
Could it be some rule on my computer that I'm unaware of? It's a serverside issue I think, not anything to do with cloudflare. The documents path htdocs/ has never changed and is not in a position that requires elevated permissions to access on my computer. Like I said before - when I switch back to http on port 80, everything works fine. I don't change anything else.
For the time being, I have just switched my site back to http so it is accessible, until (hopefully) this issue can be solved.
Update:
Bypassing Cloudflare's proxying brought the same result - a 403 forbidden.
To provide some extra information which may help, here are my DNS records (with sensitive info crossed out):
My Let's Encrypt certificate has also now been fully verified, so it must be something like a permission or hostname issue.
Solved!
And it was the complete opposite of what I was expecting the solution to be.
The problem was not on my origin server's end, all the permissions and firewall rules were all set up correctly - this was an issue on Cloudflare's end.
Because I had configured the site to use https only, attempting to access the site via HTTP returned 403 forbidden because I didn''t allow HTTP traffic, only HTTPS.
As a result, Cloudflare, because of how I had set it up when I first put this site online, kept attempting to view my site via HTTP, and when getting that error, showed it to the user. Resetting all my Cloudflare settings and reconfiguring them so it would visit my site on HTTPS made it accessible, while still being proxied over Cloudflare.
It now also rewrites all HTTP requests to HTTPS, so no more 403 errors!