Website down

Someone told me my website was down. He was probably the only one using anything there: it isn't anything critical. That is why up to then I was unconcerned that it was running on an Always Free instance that was never updated since it was set up.

But now it is throwing connection refused errors. (PS this blog is a subdomain of that website, but is just a CNAME DNS-record pointing to, so that still works.)

I kind of guessed the Let's Encrypt certificate wasn't renewed for some reason. I can still connect with SSH etc. When I tried to force a refresh from the command line, there was some kind of message regarding an outdated version of OpenSSL (the python package). When I tried to update that, I noticed all of this was still using Python 2.7... That is when I decided to start a new webserver from scratch.

So, I stopped an instance that I wasn't really using and spun up a new one. Apparently, the Always free instances are Ampères these days? The 6GB of RAM won't hurt. I created some users (one in my name, one called webserver).

I installed NginX, according to Install the NginX webserver in Oracle Linux ( but diverted a bit to also apply the security settings described in NginX and PHP-FPM what my permission should be (

I added a separate /etc/nginx/conf.d/, setting up a separate server to handle requests for, and My DNS was already pointing and to the old server (the one that started refusing connections recently); I added a new A-record pointing to the public IP address of the newly created Ampère.

From the server itself, curl and curl 141.*.*.* (the public IP) both resulted in the default NginX page, as expected: the separate server only serves domain name-based requests. And, lo and behold, curl resulted in the separate little index.html that I set up. great!

On my laptop, I have WSL running an Ubuntu. Doing curl from there also resulted in the expected html. Nice, everything works! Joy, joy joy!

So eventually I opened a browser (Vivaldi in my case) to surf to and I got a connection refused error. Bummer.

At first, I thought it was a DNS problem. Doing an nslookup from both Ubuntu (under WSL) and a command prompt indeed showed my ISPs DNS being used from Ubuntu and Google.dns from Windows. But both returned the same correct IP address.

After calling out on Reddit (see this topic) it turned out to (probably) be SHTS, a browser (+webservder) security feature. The Network tab of the Developers Console in Chrome showed my HTTP request resulting in a 307 Internal Rederect to an HTTPS request...

And since nothing regarding HTTPS is set up on that NginX yet, it will be blocked.

Opening the chrome://net-internals/#hsts "page" and querying (the top-level domain) shows that SHTS is being applied, including for subdomains:

So, while the old server itself ( can't serve anything anymore, it is still capable of requiring the usage of HTTPS on all its subdomains, even on, which didn't exist when it was set up.

So, now I hope that when I set up Let's Encrypt it will take into account the other two domains as well. I guess/hope that changing the DNS-records for the existing domains (pointing them to the new server) should do the trick.