How to practice
- Read the starting clue.
- Choose the first command before opening the answer.
- Predict what output would prove the likely cause.
- Open the answer key and write the next fix in a project note.
Practice diagnosing a static site that is live on a VPS but not loading the way a maker expects.
A good answer names the layer being tested, the command that tests it, the output pattern that would confirm or reject the hypothesis, and the next safe action. Do not stop at “DNS problem” or “Nginx problem.” Say what evidence made you think that.
For example, if the domain returns the wrong IP, the answer should stay in DNS. If DNS is correct and HTTP reaches Nginx, the answer should move to server-block routing, file paths, or certificates depending on the visible symptom.
A perfect score is less important than the habit: separate layers, read output, and avoid broad fixes until the evidence narrows the problem.
Use the table to pick a failure mode, then open the scenario and choose the smallest command that separates that layer.
| # | Scenario | Likely layer |
|---|---|---|
| 1 | Domain still shows the registrar parking page | The request is not consistently reaching the intended VPS for that hostname. |
| 2 | www works but the root domain fails | The root and www hostnames are not configured as one intentional pair. |
| 3 | HTTPS fails after HTTP starts working | The web route exists, but certificate coverage or TLS routing is not correct yet. |
| 4 | Nginx default page appears | The request reaches Nginx but falls through to the wrong server block or document root. |
| 5 | 403 forbidden after deploy | Nginx found the path but cannot traverse or read the file as the service user. |
| 6 | 404 after a fresh deploy | The web server is responding, but the requested path does not map to a generated file in the active release. |
| 7 | Stale release is still live | The deploy artifact exists, but the live symlink, cache, or generated asset reference is stale. |
| 8 | Certificate renewal failed | Renewal cannot prove domain control or cannot run its configured renewal path. |
Starting clue: The domain loads, but it shows a parked or default registrar page instead of your static site.
dig +short example.com Adig +short @1.1.1.1 example.com Acurl -I http://example.comcurl -I -H 'Host: example.com' http://SERVER_IPExpected output pattern: DNS returns a registrar, parking, or old hosting IP, or the direct Host-header check reaches different content than the domain.
Diagnosis: The request is not consistently reaching the intended VPS for that hostname.
Start by proving this layer: The request is not consistently reaching the intended VPS for that hostname.
Use the expected output pattern above to decide whether the problem stays in this layer or moves to the next check. Do not apply the checklist until the output supports it.
Starting clue: https://www.example.com loads, but https://example.com does not, or the reverse happens.
dig +short www.example.com Adig +short example.com Acurl -I https://www.example.comcurl -I https://example.comExpected output pattern: One hostname resolves or redirects correctly while the other is missing, stale, or routed differently.
Diagnosis: The root and www hostnames are not configured as one intentional pair.
Start by proving this layer: The root and www hostnames are not configured as one intentional pair.
Use the expected output pattern above to decide whether the problem stays in this layer or moves to the next check. Do not apply the checklist until the output supports it.
Starting clue: http://example.com returns a response, but https://example.com shows a certificate or connection failure.
curl -I http://example.comcurl -I https://example.comcertbot certificatesopenssl s_client -connect example.com:443 -servername example.com </dev/nullExpected output pattern: HTTP reaches the server, but HTTPS shows a missing, wrong, expired, or unmatched certificate.
Diagnosis: The web route exists, but certificate coverage or TLS routing is not correct yet.
Start by proving this layer: The web route exists, but certificate coverage or TLS routing is not correct yet.
Use the expected output pattern above to decide whether the problem stays in this layer or moves to the next check. Do not apply the checklist until the output supports it.
Starting clue: The browser reaches Nginx, but it shows the default welcome page instead of your project.
sudo nginx -tsystemctl status nginx --no-pagergrep -RInE 'server_name|root|listen' /etc/nginx/sites-enabled /etc/nginx/conf.d 2>/dev/nullcurl -I -H 'Host: example.com' http://127.0.0.1Expected output pattern: Nginx is alive, but the matching server block or root path does not select your release.
Diagnosis: The request reaches Nginx but falls through to the wrong server block or document root.
Start by proving this layer: The request reaches Nginx but falls through to the wrong server block or document root.
Use the expected output pattern above to decide whether the problem stays in this layer or moves to the next check. Do not apply the checklist until the output supports it.
Starting clue: The route exists, but Nginx returns 403 when loading the static site.
namei -l /srv/www/example.com/current/index.htmlstat -c '%A %U:%G %n' /srv/www/example.com/current/index.htmlsudo tail -80 /var/log/nginx/error.logid www-dataExpected output pattern: A parent directory lacks execute permission, the file is unreadable, or Nginx logs name a permission issue.
Diagnosis: Nginx found the path but cannot traverse or read the file as the service user.
Start by proving this layer: Nginx found the path but cannot traverse or read the file as the service user.
Use the expected output pattern above to decide whether the problem stays in this layer or moves to the next check. Do not apply the checklist until the output supports it.
Starting clue: The domain loads but a page that should exist returns 404.
find /srv/www/example.com/current -maxdepth 2 -type f | sort | head -50readlink -f /srv/www/example.com/currentcurl -I https://example.com/missing-page/grep -RIn 'root' /etc/nginx/sites-enabled /etc/nginx/conf.d 2>/dev/nullExpected output pattern: The generated file is missing, the URL path differs, or Nginx points at a release without that file.
Diagnosis: The web server is responding, but the requested path does not map to a generated file in the active release.
Start by proving this layer: The web server is responding, but the requested path does not map to a generated file in the active release.
Use the expected output pattern above to decide whether the problem stays in this layer or moves to the next check. Do not apply the checklist until the output supports it.
Starting clue: You deployed new content, but the live page still shows old text or an old asset version.
readlink -f /srv/www/example.com/currentcurl -sS https://example.com/ | grep -n 'expected text'curl -I 'https://example.com/?v=check'ls -lah /srv/www/example.com/releases | tailExpected output pattern: The current symlink, page body, or asset version does not match the release you expected.
Diagnosis: The deploy artifact exists, but the live symlink, cache, or generated asset reference is stale.
Start by proving this layer: The deploy artifact exists, but the live symlink, cache, or generated asset reference is stale.
Use the expected output pattern above to decide whether the problem stays in this layer or moves to the next check. Do not apply the checklist until the output supports it.
Starting clue: The site worked before, but the browser now warns about an expired or invalid certificate.
certbot certificatessudo certbot renew --dry-runjournalctl -u certbot --since '7 days ago' --no-pagercurl -I http://example.com/.well-known/acme-challenge/testExpected output pattern: The certificate list, dry run, or logs name the failing domain, challenge route, or renewal hook.
Diagnosis: Renewal cannot prove domain control or cannot run its configured renewal path.
Start by proving this layer: Renewal cannot prove domain control or cannot run its configured renewal path.
Use the expected output pattern above to decide whether the problem stays in this layer or moves to the next check. Do not apply the checklist until the output supports it.
Use the same small template for every scenario: clue, layer tested, command, expected output, actual output, diagnosis, and next action. This makes the lab useful later when a real VPS issue happens.
Clue:
Layer tested:
Command:
Expected output:
Actual output:
Diagnosis:
Next action:
The answer key is not a script to paste. It is the evidence you should expect and the next safe fix direction. If your output differs, write down the difference before trying stronger commands.
When you use this lab with a real site, replace example domains and paths with your actual domain, server path, service name, and release folder. If the result is surprising, pause and inspect one layer closer instead of jumping to a larger edit.
TopicLadder is free to read. Support helps turn rough project paths into useful notes, cards, videos, and practice tasks.
Last reviewed: July 5, 2026. TopicLadder pages are curated for practical learning and may be updated as examples improve.