How to setup LetsEncrypt SSL in Piwik with NGINX and subdomain?

General questions
1

Hello,

I’ve set up my piwik on my VPS cloud on Ubuntu 14.04 as stats..com successfully. It works perfectly and I can see the analytics. The piwik root directory can be found in /var/www/piwik which is separated from my /var/www/mydomain.
Now, I would like to setup the https or SSL for my piwik platform only. I got the certificates by typing

./certbot-auto certonly --webroot -w /var/www/piwik/ -d stats.mydomain.com

based on the instruction from Certbot.

For the NGINX setup I read and followed the instruction from DO: How To Secure Nginx with Let's Encrypt on Ubuntu 14.04 | DigitalOcean

After I modify my Nginx config, at the end I have such a config:

server {
    listen 443 ssl;
    root /var/www/piwik;
    server_name stats.mydomain.com;
    ssl_certificate /etc/letsencrypt/live/stats.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/stats.mydomain.com/privkey.pem;
    
    # use the strong Diffie-Hellman from /etc/ssl/certs/dhparam.pem
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-R$
    ssl_session_timeout 1d;        
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;

    access_log /var/log/nginx/statsaccess.log;
    error_log /var/log/nginx/stats_error.log;

    location / {
        index  index.php;
    }
    location /config.ini.php {
        root /etc/webapps/nginx;
        index config.ini.php;
    }
    location ~* \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
        fastcgi_split_path_info ^(.+\.php)(.*)$;
        fastcgi_hide_header X-Powered-By;
        fastcgi_param HTTPS $https if_not_empty;  # additional config for SSL
    }
    location ~ /.well-known {
        allow all;
    }
}
server {
    listen 80;
    server_name stats.mydomain.com;
    return 301 https://$host$request_uri;
}

And then based on How do I force Piwik to use SSL (https) for improved security? - Analytics Platform - Matomo I added force_ssl = 1 the config.php.ini.

But I cannot access my stats.mydomain.com. My browser tries to connect until a connection timeout. I cannot find any log in /var/log/nginx for this connection.

Can someone help me?

Cheers,
Yogi

2

I’ve just found and fixed the issue.
Actually the configuration file above is correct. All the steps from certbot are done without issues.
The problem was that the firewall (of my server) blocks the port 443. Thus it explains that I could not see any NGINX logs access of https.
The command netstat shows me:

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -

However since I used ufw the port 443 is not open. I found it by test tho port with this command:

nmap -p 443 mydomain.com

and nmap shows me that the state of the port is filtered.