Cannot create a certificate using Let's Encrypt in Nginx Proxy Manager or SSH

Hello, I want to access my server from outside, but my ISP has CGNAT on IPv4, so IPv6
was the only option for me. So I tried to reverse to my domain prayagnet.tk with a CNAME record, adding minecraft in place of www, so my domain is minecraft.prayagnet.tk,
but when I try to create an SSL cert for it in Nginx Proxy Manager it gives me an "internal error".
Logs from Nginx Proxy Manager:

[1/31/2021] [2:58:13 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[1/31/2021] [3:00:48 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[1/31/2021] [3:00:48 AM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #19: minecraft.prayagnet.tk
[1/31/2021] [3:00:57 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[1/31/2021] [3:00:57 AM] [Express  ] › ⚠  warning   Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-19" --agree-tos --email "prayagprajapati.17@gmail.com" --preferred-challenges "dns,http" --domains "minecraft.prayagnet.tk"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for minecraft.prayagnet.tk
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain minecraft.prayagnet.tk
http-01 challenge for minecraft.prayagnet.tk
Cleaning up challenges
Some challenges have failed.

When I run the command manually it gives me this error (command included):

[root@docker-315a52f05d38:/app]# /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-19" --agree-tos --email "prayagprajapati.17@gmail.com" --preferred-challenges "dns,http" --domains "minecraft.prayagnet.tk" 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for minecraft.prayagnet.tk
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain minecraft.prayagnet.tk
http-01 challenge for minecraft.prayagnet.tk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: minecraft.prayagnet.tk
   Type:   connection
   Detail: Fetching
   http://minecraft.prayagnet.tk/.well-known/acme-challenge/CZBRW9KBLCGM7v_MYsp0P_u2wv5hIcM3mJ9OZoCZfsw:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My port 80 is open and I have allowed port 80 in my firewall (on my server as well as on my router). PS: I am running Minecraft in Docker.


The Internet seems to see otherwise:

curl -Iki http://minecraft.prayagnet.tk
curl: (7) Failed to connect to minecraft.prayagnet.tk port 80: Connection refused

Have you tested access to it from the Internet?

And why include DNS as the preferred challenge type?

 curl -Iki http://minecraft.prayagnet.tk
HTTP/1.1 521 Origin Down
Date: Sun, 31 Jan 2021 06:00:07 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=dabc279d9d9e562079a359fa435f565581612072807; expires=Tue, 02-Mar-21 06:00:07 GMT; path=/; domain=.prayagnet.tk; HttpOnly; SameSite=Lax
Cache-Control: no-store, no-cache
cf-request-id: 07f8a003f000004203dc8f1000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=1n6n4RT%2BpmYYbK2mWjU%2FfEFzVFpXgIQZCu8M8IzRP7ShczsRfX3S6uHN0elmh9C2syogpiSl1%2FZ0m6RaQUO%2FLkGwsWN38RiVe%2BTU6f7QShFsYQwVjJByBObnym%2FWCRamgI9h"}],"group":"cf-nel","max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 61a135e64af54203-MRS

Getting this output when I do:

 curl -Iki http://minecraft.prayagnet.tk

Port 80 isn't going to pass through CloudFlare.
You should switch to --webroot authentication.


Can you explain what webroot auth is?


Hi @prayag17

First, use the documentation.

#Webroot

https://certbot.eff.org/docs/using.html#webroot

PS: You use Cloudflare, but your server doesn't answer.

So webroot can't work.

Deactivate the Cloudflare proxy, so your A-record points to your server (not to Cloudflare), create a certificate, then activate Cloudflare.

PPS:

You already use webroot, so you know how the command works.


Deactivate the Cloudflare proxy, so your A-record points to your server (not to Cloudflare), create a certificate, then activate Cloudflare.

I use an AAAA record because I use an IPv6 address.

This still didn't work.

Now my error has changed to this when I run the command, but my AAAA record points to my server and I can connect to my server on prayagnet.tk. PS: I have changed my server's port to 82 to free up port 80:

/usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-24" --agree-tos --email "prayagprajapati.17@gmail.com" --preferred-challenges "dns,http" --domains "openmediavault.prayagnet.tk" 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for openmediavault.prayagnet.tk
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain openmediavault.prayagnet.tk
http-01 challenge for openmediavault.prayagnet.tk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: openmediavault.prayagnet.tk
   Type:   unauthorized
   Detail: Invalid response from
   http://openmediavault.prayagnet.tk/.well-known/acme-challenge/z_X9zbcfJxrZYtsgdCx06_Iif4g20iVMPOBPh50Ef_s
   [2606:4700:3032::ac43:812a]: "<!DOCTYPE html>\n<!--[if lt IE 7]>
   <html class=\"no-js ie6 oldie\" lang=\"en-US\">
   <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

It doesn't. 2606:4700:3032::ac43:812a is a Cloudflare IP, not your server.


That is not the IP I am pointing to in the AAAA record.

Wait, I know what you are trying to say: the IP which is shown is not mine. How can I fix it? I have disabled the proxy on both the AAAA record and the CNAME record.
By the way, I forgot to mention my ISP uses CGNAT on IPv4.
Edit:
My output changed again:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: openmediavault.prayagnet.tk
   Type:   connection
   Detail: Fetching
   http://openmediavault.prayagnet.tk/.well-known/acme-challenge/3G07Wp7K72h7F7BSvH8IN_NFo3hO9_HX2JrMiwnMdnM:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Looks like a blocking firewall.


But I have allowed all IPv6 connections through my network.


Please read some required basics:

and


I can't port forward, I am behind CGNAT :frowning:. Is there another way?
I am not a pro in networking and am trying to learn new things.


I don't know how to configure such a network.

But

http://openmediavault.prayagnet.tk/.well-known/acme-challenge/random-filename

via external port 80 must answer. Not a timeout, not a blocking firewall. A working external port 80 is required.

It may be a problem with your ISP, or a problem with your router configuration.


Have you confirmed this IP is on your device?:
2405:201:2002:8826:dea6:32ff:fe58:6c70

Please show the output of the following:
ifconfig | grep -Ei 'addr|inet'
curl -6 ifconfig.co

Something is explicitly refusing port 80 and 443 connections; other random ports will just time out:

curl -I6 -m10 minecraft.prayagnet.tk:80
curl: (7) Failed to connect to minecraft.prayagnet.tk port 80: Connection refused

curl -I6 -m10 minecraft.prayagnet.tk:443
curl: (7) Failed to connect to minecraft.prayagnet.tk port 443: Connection refused

curl -I6 -m10 minecraft.prayagnet.tk:1234
curl: (28) Connection timed out after 10001 milliseconds

curl -I6 -m10 minecraft.prayagnet.tk:12345
curl: (28) Connection timed out after 10001 milliseconds

[you should double check your firewall and routing configurations]


@prayag17, one thing to think about related to what @rg305 noticed: the reason you said you are using IPv6 and not IPv4 is that your ISP uses CGN for IPv4. But is it clear whether your ISP allows any inbound connections on IPv6 from the rest of the Internet? If your IPv6 address is globally unique, then the ISP could allow inbound connections from elsewhere to your devices—but it could still choose to block them, if the ISP operators believe that subscribers are not supposed to be allowed to run public servers, or something.

So you might need to confirm that the ISP doesn't intentionally stop you from running a publicly-accessible server in IPv6, or, as @rg305 pointed out, that your home router or similar device isn't configured to block incoming connections as a firewall.

Having a globally-unique, globally-routable IPv6 address is a good first start for receiving connections from elsewhere, but unfortunately it's not the only requirement—the devices in between also have to be willing to deliver the incoming connections' packets to you. :slight_smile:


Have you confirmed this IP is on your device?:
2405:201:2002:8826:dea6:32ff:fe58:6c70

Yes

But is it clear whether your ISP allows any inbound connections on IPv6 from the rest of the Internet?

Yes, it is clear; try connecting to [2405:201:2002:8826:dea6:32ff:fe58:6c70]:82 or prayagnet.tk:82

ifconfig | grep -Ei 'addr|inet'

Output:

    inet 172.19.0.1  netmask 255.255.0.0  broadcast 172.19.255.255
    inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
    inet6 fe80::42:e2ff:fee5:2c68  prefixlen 64  scopeid 0x20<link>
    inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
    inet6 fe80::42:17ff:fedc:63cd  prefixlen 64  scopeid 0x20<link>
    inet 192.168.29.60  netmask 255.255.255.0  broadcast 192.168.29.255
    inet6 fe80::dea6:32ff:fe58:6c70  prefixlen 64  scopeid 0x20<link>
    inet6 2405:201:2002:8826:dea6:32ff:fe58:6c70  prefixlen 64  scopeid 0x0<global>
    inet 127.0.0.1  netmask 255.0.0.0
    inet6 ::1  prefixlen 128  scopeid 0x10<host>
    inet6 fe80::1ca8:dfff:fe08:39e8  prefixlen 64  scopeid 0x20<link>
    inet6 fe80::4054:c0ff:feec:ec37  prefixlen 64  scopeid 0x20<link>
    inet6 fe80::3c7d:58ff:fed6:589d  prefixlen 64  scopeid 0x20<link>
    inet6 fe80::503e:94ff:fe53:deb0  prefixlen 64  scopeid 0x20<link>
    inet 10.147.17.232  netmask 255.255.255.0  broadcast 10.147.17.255
    inet6 fe80::a8d1:96ff:feb2:7a64  prefixlen 64  scopeid 0x20<link>
    inet6 fde5:cd7a:9e1c:6b19:5099:939c:f209:d737  prefixlen 88  scopeid 0x0<global>

curl -6 ifconfig.co

Output:

2405:201:2002:8826:dea6:32ff:fe58:6c70