After certbot, my site is only a white page

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rumplenj.com

I ran this command: certbot --nginx

It produced this output: I do not have it, but it did say it got and installed 2 certs.

My web server is (include version): nginx/1.22.1

The operating system my web server runs on is (include version): Debian GNU/Linux 12 (bookworm)

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

I see things I think are wrong here: rumplenj.com - Make your website better - DNS, redirects, mixed content, certificates

But I have no idea how to read this.

I had a simple HTML Hello World page in before I ran certbot, and it worked, for what it was.

Thanks for any advice.

Hello @RumpleNJ, welcome to the Let's Encrypt community. :slightly_smiling_face:

You are filtering port 443, thus HTTPS connections cannot be successfully made from the Internet.

$ nmap -Pn -p80,443 rumplenj.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-26 01:20 UTC
Nmap scan report for rumplenj.com (69.125.208.53)
Host is up (0.092s latency).
rDNS record for 69.125.208.53: ool-457dd035.dyn.optonline.net

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.15 seconds

Also you are redirecting HTTP to HTTPS (this is a good thing)

$ curl -Ii http://rumplenj.com
HTTP/1.1 301 Moved Permanently
Server: nginx/1.22.1
Date: Mon, 26 Feb 2024 01:19:49 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://rumplenj.com/

2 Likes
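As an added example (not part of the thread or any poster's code): a Python sketch of the check behind the nmap output above, classifying ports 80 and 443 as open, closed or filtered and interpreting the combination seen here. The names `probe`, `diagnose` and `check_site` and the hint wording are assumptions of this example.

```python
import socket

def probe(host, port, timeout=3.0):
    """Classify one TCP port roughly the way a connect scan does."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed
    except ConnectionRefusedError:
        return "closed"          # RST came back: reachable, nothing listening
    except socket.gaierror:
        raise                    # DNS failure is not a port state
    except OSError:
        return "filtered"        # timeout or ICMP unreachable: packets dropped

def diagnose(states):
    """Turn {80: state, 443: state} into a hint (wording is this example's)."""
    http, https = states.get(80), states.get(443)
    if https == "open":
        return "443 reachable: look at the TLS/nginx response next"
    if https == "filtered":
        if http == "open":
            return ("80 open, 443 filtered: a router or firewall drops 443, "
                    "so the HTTP to HTTPS redirect leads to a dead end")
        return "443 filtered: packets are dropped before reaching the server"
    if https == "closed":
        return "443 closed: traffic arrives but nothing listens on 443"
    return "443 state unknown"

def check_site(host, ports=(80, 443), timeout=3.0):
    """Probe the web ports and return (states, hint)."""
    states = {p: probe(host, p, timeout) for p in ports}
    return states, diagnose(states)

if __name__ == "__main__":
    import sys
    # Default target is localhost; pass your own domain as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    result, hint = check_site(target)
    for p, s in sorted(result.items()):
        print(f"{p}/tcp {s}")
    print(hint)
```

Run it from a machine outside your own network (for example a phone hotspot or a remote server), since a check from inside the LAN does not pass through the router's port forwarding.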

Side notes:

Here is a list of issued certificates: crt.sh | rumplenj.com

Testing and debugging are best done using the Staging Environment.

Also see Rate Limits - Let's Encrypt and Failed Validation Limit - Let's Encrypt

1 Like

Okay, I added a new port forward for 443 to both routers (yes, it's complicated here, sorry.) And I think the certbot turned on the auto forward to HTTPS.

Although I added the new forwarding rules, the site still does not work.

Does that sort of thing take time to go out, like a DNS change?

Thanks

1 Like

I still see filtered

$ nmap -Pn -p80,443 rumplenj.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-26 01:31 UTC
Nmap scan report for rumplenj.com (69.125.208.53)
Host is up (0.092s latency).
rDNS record for 69.125.208.53: ool-457dd035.dyn.optonline.net

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.00 seconds

1 Like

Here is an online tool to check for open ports Open Port Check Tool - Test Port Forwarding on Your Router
This is what I see for your domain using that tool

2 Likes

Digging in now.

You might want to update that.
They're up to version: 2.9.0

Also, please show the entire nginx config, with:

nginx -T

2 Likes

Please show the output of:

certbot certificates

2 Likes
}
# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

root@d13659a46c68:/# certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: rumplenj.com
    Serial Number: 38434aaaf73b4d9fef5e9b7f934567e2a45
    Key Type: ECDSA
    Domains: rumplenj.com www.rumplenj.com
    Expiry Date: 2024-05-25 23:51:06+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/rumplenj.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/rumplenj.com/privkey.pem

root@d13659a46c68:/# apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

No updates here.

Check here for Certbot installation Certbot Instructions | Certbot

2 Likes

That's just the tail end of the nginx configuration.

1 Like

Don't use apt [to manage certbot].
Use the recommended installation instructions:

2 Likes

nginx.txt (11.1 KB)

Should I uninstall what's there first, or will this just replace it?

Read the instructions.
[uninstall first]

2 Likes

The nginx config looks good :+1:

1 Like

Cert looks good :+1:

1 Like