Hello, I want to access my server from outside my network, but my ISP has CGNAT on IPv4, so IPv6
was the only option for me. So I tried to reverse to my domain prayagnet.tk with a CNAME record, adding minecraft in place of www, so my domain is minecraft.prayagnet.tk,
but when I try to create an SSL cert for it in Nginx Proxy Manager it gives me an "internal error".
Logs for Nginx Proxy Manager:
[1/31/2021] [2:58:13 AM] [Nginx ] › ℹ info Reloading Nginx
[1/31/2021] [3:00:48 AM] [Nginx ] › ℹ info Reloading Nginx
[1/31/2021] [3:00:48 AM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #19: minecraft.prayagnet.tk
[1/31/2021] [3:00:57 AM] [Nginx ] › ℹ info Reloading Nginx
[1/31/2021] [3:00:57 AM] [Express ] › ⚠ warning Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-19" --agree-tos --email "prayagprajapati.17@gmail.com" --preferred-challenges "dns,http" --domains "minecraft.prayagnet.tk"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for minecraft.prayagnet.tk
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain minecraft.prayagnet.tk
http-01 challenge for minecraft.prayagnet.tk
Cleaning up challenges
Some challenges have failed.
When I run the command directly it gives me this error (command included):
[root@docker-315a52f05d38:/app]# /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-19" --agree-tos --email "prayagprajapati.17@gmail.com" --preferred-challenges "dns,http" --domains "minecraft.prayagnet.tk"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for minecraft.prayagnet.tk
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain minecraft.prayagnet.tk
http-01 challenge for minecraft.prayagnet.tk
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: minecraft.prayagnet.tk
Type: connection
Detail: Fetching
http://minecraft.prayagnet.tk/.well-known/acme-challenge/CZBRW9KBLCGM7v_MYsp0P_u2wv5hIcM3mJ9OZoCZfsw:
Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My port 80 is open and I have allowed port 80 in my firewall (on my server as well as on my router). PS: I am running Minecraft in Docker.
Now my error has changed to this when I use the command, but my AAAA record points to my server and I can connect to my server on prayagnet.tk. PS: I have changed my server port to 82 to free up port 80:
/usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-24" --agree-tos --email "prayagprajapati.17@gmail.com" --preferred-challenges "dns,http" --domains "openmediavault.prayagnet.tk"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for openmediavault.prayagnet.tk
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain openmediavault.prayagnet.tk
http-01 challenge for openmediavault.prayagnet.tk
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: openmediavault.prayagnet.tk
Type: unauthorized
Detail: Invalid response from
http://openmediavault.prayagnet.tk/.well-known/acme-challenge/z_X9zbcfJxrZYtsgdCx06_Iif4g20iVMPOBPh50Ef_s
[2606:4700:3032::ac43:812a]: "<!DOCTYPE html>\n<!--[if lt IE 7]>
<html class=\"no-js ie6 oldie\" lang=\"en-US\">
<![endif]-->\n<!--[if IE 7]> <html class=\"no-js "
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
That is not the IP I am pointing to in the AAAA record.
Wait, I know what you are trying to say: the IP which is shown is not mine. How can I fix it? I have disabled proxy on both the AAAA record and the CNAME record.
Btw, forgot to mention my ISP uses CGNAT on IPv4.
Edit:
My output changed again:
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: openmediavault.prayagnet.tk
Type: connection
Detail: Fetching
http://openmediavault.prayagnet.tk/.well-known/acme-challenge/3G07Wp7K72h7F7BSvH8IN_NFo3hO9_HX2JrMiwnMdnM:
Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided
@prayag17, one thing to think about related to what @rg305 noticed: the reason you said you are using IPv6 and not IPv4 is that your ISP uses CGN for IPv4. But is it clear whether your ISP allows any inbound connections on IPv6 from the rest of the Internet? If your IPv6 address is globally unique, then the ISP could allow inbound connections from elsewhere to your devices—but it could still choose to block them, if the ISP operators believe that subscribers are not supposed to be allowed to run public servers, or something.
So you might need to confirm that the ISP doesn't intentionally stop you from running a publicly-accessible server in IPv6, or, as @rg305 pointed out, that your home router or similar device isn't configured to block incoming connections as a firewall.
Having a globally-unique, globally-routable IPv6 address is a good first start for receiving connections from elsewhere, but unfortunately it's not the only requirement—the devices in between also have to be willing to deliver the incoming connections' packets to you.
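The outputs in this thread show two of the three failure classes Let's Encrypt reports for http-01: "connection" (nothing answered on port 80 at the address the AAAA record gave) and "unauthorized" (a different host, 2606:4700:3032::ac43:812a, which is in Cloudflare's 2606:4700::/32 range, returned its own HTML instead of the challenge token). The reply above adds the third possibility: the record is right, but the ISP or router never delivers inbound IPv6 at all. The script below is an added example, not code from the thread, Nginx Proxy Manager or certbot. It reproduces what the validator does from the server's side: it checks that the AAAA answer is an address configured on the host, plants a random token where certbot's webroot plugin would (the /data/letsencrypt-acme-challenge path printed in the log, which is assumed to be what NPM's /.well-known/acme-challenge/ location serves), fetches it over IPv6 only, and maps the result onto the same dns/connection/unauthorized buckets. It assumes dig, ip and curl are installed and should be run on the host rather than inside the NPM container, so the local-address check sees the real interface.

```shell
#!/bin/sh
# Pre-flight check for an ACME http-01 challenge over IPv6.
# Added example, not NPM's or certbot's own code. Assumptions: dig, ip and curl
# are installed; NPM serves /.well-known/acme-challenge/ from the webroot that
# certbot printed (/data/letsencrypt-acme-challenge); run on the host, not inside
# the NPM container, so local_global_v6 sees the real NIC.

# Translate a curl exit status and the body it fetched into the buckets
# Let's Encrypt reports: dns, connection, unauthorized (plus ok).
# $1 = curl exit code, $2 = body received, $3 = token that was planted.
classify_fetch() {
    case "$1" in
        0)
            if [ "$2" = "$3" ]; then
                echo "ok: token served from the webroot"
            else
                echo "unauthorized: something else answered (proxy, other vhost, wrong webroot)"
            fi ;;
        6)  echo "dns: hostname did not resolve" ;;
        7)  echo "connection: refused, nothing listening on port 80 or a firewall sent a reset" ;;
        28) echo "connection: timed out, packets dropped by ISP, router or host firewall" ;;
        *)  echo "connection: curl failed with exit status $1" ;;
    esac
}

# Exit 0 when any address in $1 also appears in $2 (both whitespace-separated).
addr_overlap() {
    for a in $1; do
        for b in $2; do
            [ "$a" = "$b" ] && return 0
        done
    done
    return 1
}

# AAAA answers for $1. dig +short also prints CNAME targets, which have no ':',
# so keep only address lines; lower-case so they compare equal to ip(8) output.
resolve_aaaa() {
    dig +short AAAA "$1" | grep ':' | tr 'A-Z' 'a-z'
}

# Global-scope IPv6 addresses configured on this host, without prefix length.
local_global_v6() {
    ip -6 -o addr show scope global | awk '{print $4}' | cut -d/ -f1 | tr 'A-Z' 'a-z'
}

# Plant a token where the webroot plugin would, fetch it over IPv6 only
# (the path the validator takes when only an AAAA record exists), then clean up.
# $1 = hostname, $2 = webroot, $3 = token
probe_http01() {
    dir="$2/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$3" > "$dir/$3"
    code=0
    body=$(curl -6 -s --max-time 10 "http://$1/.well-known/acme-challenge/$3") || code=$?
    rm -f "$dir/$3"
    classify_fetch "$code" "$body" "$3"
}

main() {
    host="$1"
    webroot="${2:-/data/letsencrypt-acme-challenge}"
    answers=$(resolve_aaaa "$host")
    if [ -z "$answers" ]; then
        echo "dns: no AAAA record for $host"
        return 1
    fi
    if addr_overlap "$answers" "$(local_global_v6)"; then
        echo "dns: AAAA for $host matches an address on this host"
    else
        echo "dns: AAAA for $host resolves to $(echo $answers), not an address on this host (check the record, the CNAME target, or a DNS proxy)"
    fi
    # Random token so a cached or unrelated page cannot produce a false match.
    probe_http01 "$host" "$webroot" "$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
}

# Usage: sh acme-preflight.sh minecraft.prayagnet.tk [/data/letsencrypt-acme-challenge]
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

A "connection: refused" result with a matching AAAA record points at the listener or the host/router firewall; "connection: timed out" with a matching record is the case the last reply describes, where the ISP or an upstream device drops inbound IPv6; "unauthorized" with a non-matching record means the name still resolves to someone else's address, which is what the 2606:4700 answer in the thread looked like.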