Cannot get certificate using NGINX UI

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gymnasticsudj.com

I ran this command:

It produced this output:

Let's debug tells me there's no issue with the DNS-01 challenge:

I've also tried pointing DNS to an IPv4 VM on GCP but still no luck. What am I doing wrong? I googled to no avail but cannot get it to work.

Welcome @iPodClassic

I don't know much about Nginx UI. But, it is using lego as the ACME Client to get the Let's Encrypt cert.

I did not see any docs at Nginx UI about how to configure a DNS Challenge. There was only one small mention for an HTTP Challenge.

Can you describe in more detail how you configured lego?

Is there some reason you need Nginx UI rather than just configuring nginx yourself? I am just curious. Sometimes it is easier to use tools directly.

PS: The Let's Debug test site is excellent for checking HTTP Challenges but there is not much it can test for DNS Challenges. Testing an HTTP Challenge it alerts that the IP for your domain is not a publicly accessible one. That is fine if you are setting up a private site and your choice of DNS Challenge is the only way to get a cert in that case. Just thought you should know its limits in validating DNS Challenges.


Sort of. To get a cert from the Let's Encrypt ACME Server you must use an ACME Client. Certbot is one of those. So is lego. There are many. Nginx UI itself doesn't have its own but relies on lego. Lego's docs are here: Welcome :: Let’s Encrypt client and ACME library written in Go.

This error says there is a comms problem from that IPv6 address ending in 9f85 making a request to the Cloudflare DNS server (IPv6 ending in c31d).

That "from" IP is not Let's Encrypt but rather it belongs to Telecentro. Is that you?

It is likely lego doing a pre-check that the needed TXT record exists before sending the cert request to Let's Encrypt. If so, this is some sort of configuration problem on your system. Since Nginx UI did that configuration for you it might be worth asking them. Otherwise you are left with debugging multiple layers of software now (Nginx UI and lego).

To get you started, what happens with this command?

dig +norecur TXT _acme-challenge.redhorizonit.com. @elias.ns.cloudflare.com.

Right now you will get an NXDOMAIN as that record does not exist. But, the error was a timeout so this just checks comms.

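As an added example (not code from this thread, from Nginx UI or from lego), the small Go program below reproduces the kind of pre-check described in the reply above: it sends a TXT query for the `_acme-challenge` name straight to one authoritative nameserver, the way the `dig ... @elias.ns.cloudflare.com.` command does, and tells apart a timeout (the comms failure in the original error), an NXDOMAIN (the normal answer before the record is published) and the record actually being present. The function names and the `Outcome` values are my own; the expected record value follows RFC 8555 section 8.4 (unpadded base64url of the SHA-256 of the key authorization). The key authorization is normally only visible inside the ACME client, so when you do not have it, any outcome other than `timeout` or `error` still confirms the DNS path from this machine works.

```go
package main

import (
	"context"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// Outcome is what a single pre-check query at one nameserver saw.
type Outcome string

const (
	OutcomeFound    Outcome = "found"    // the expected TXT value is published
	OutcomeMismatch Outcome = "mismatch" // TXT records exist, but none carry the expected value
	OutcomeNXDOMAIN Outcome = "nxdomain" // authoritative "no such name", as in the dig output in this thread
	OutcomeTimeout  Outcome = "timeout"  // no reply at all: a comms problem, like the original error
	OutcomeError    Outcome = "error"    // any other lookup failure
)

// ExpectedTXT returns the value an ACME DNS-01 TXT record must carry for a
// key authorization (challenge token + "." + account-key thumbprint):
// the unpadded base64url encoding of its SHA-256 digest (RFC 8555, section 8.4).
func ExpectedTXT(keyAuthorization string) string {
	sum := sha256.Sum256([]byte(keyAuthorization))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Classify maps the result of a TXT lookup onto an Outcome. It is kept apart
// from the network code so the failure modes can be exercised offline.
func Classify(records []string, err error, want string) Outcome {
	if err != nil {
		var dnsErr *net.DNSError
		if errors.As(err, &dnsErr) {
			switch {
			case dnsErr.IsTimeout:
				return OutcomeTimeout
			case dnsErr.IsNotFound:
				return OutcomeNXDOMAIN
			}
		}
		return OutcomeError
	}
	for _, r := range records {
		if r == want {
			return OutcomeFound
		}
	}
	return OutcomeMismatch
}

// authoritativeResolver returns a resolver that sends every query straight
// to one nameserver ("host:53") instead of the system's recursive resolver,
// which is what `dig ... @elias.ns.cloudflare.com.` does on the command line.
func authoritativeResolver(nameserver string, timeout time.Duration) *net.Resolver {
	return &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: timeout}
			return d.DialContext(ctx, network, nameserver)
		},
	}
}

// Precheck asks the given authoritative nameserver for fqdn's TXT records
// and reports whether the expected challenge value is visible there.
func Precheck(ctx context.Context, fqdn, nameserver, want string) Outcome {
	records, err := authoritativeResolver(nameserver, 5*time.Second).LookupTXT(ctx, fqdn)
	return Classify(records, err, want)
}

func main() {
	if len(os.Args) != 4 {
		fmt.Fprintln(os.Stderr, "usage: precheck <_acme-challenge.fqdn> <nameserver:53> <key-authorization>")
		os.Exit(2)
	}
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	want := ExpectedTXT(os.Args[3])
	fmt.Printf("expected TXT value: %s\n", want)
	fmt.Printf("%s at %s: %s\n", os.Args[1], os.Args[2], Precheck(ctx, os.Args[1], os.Args[2], want))
}
```

Run it from the same VM or container the ACME client runs in, e.g. `go run . _acme-challenge.redhorizonit.com. elias.ns.cloudflare.com:53 sometoken.somethumbprint`; a `timeout` here, while `dig` from a shell on the host succeeds, points at the network context of that process (container networking, IPv6 reachability, a firewall) rather than at the DNS zone. Two differences from the real thing: Go's resolver always asks for recursion, unlike `dig +norecur`, which does not matter for a name the server is authoritative for, and this checks only the one nameserver you name rather than discovering every authoritative server for the zone.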

Thanks! I'm giving these docs a read, I'll see what I can find!

Yes that's me, it's a test VM with a Zabbix mockup.

:~# dig +norecur TXT _acme-challenge.redhorizonit.com. @elias.ns.cloudflare.com.

; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> +norecur TXT _acme-challenge.redhorizonit.com. @elias.ns.cloudflare.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16934
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.redhorizonit.com. IN TXT

;; AUTHORITY SECTION:
redhorizonit.com. 1800 IN SOA elias.ns.cloudflare.com. dns.cloudflare.com. 2348119782 10000 2400 604800 1800

;; Query time: 156 msec
;; SERVER: 162.159.44.29#53(elias.ns.cloudflare.com.) (UDP)
;; WHEN: Fri Aug 02 18:25:33 -03 2024
;; MSG SIZE rcvd: 121

That dig looks normal. Is that issued from the same "context" as when running Nginx UI?

What I mean is are you in the same VM and/or container or any other subsystem? Sometimes inside VMs or, say, docker containers the ports and access are different.

You will quickly exhaust my knowledge of Nginx UI :slight_smile: The above is just general knowledge. Might be worth asking them too.


Hello Mike! Yes, I ran it in the same Nginx UI VM with the Zabbix Mockup, all in the same VM.

It's a VMware Fusion VM pretending to be another computer in the LAN.

Haha yeah sorry for bringing such a hard nut to crack! :rofl: I will certainly take it to the Nginx UI people and then report back with more info.

By the way, is there any other way to issue a cert through LE from my VM? I tried Certbot but didn't have any luck. :smiling_face_with_tear:

What kind of problems did you have with Certbot? But, yes, there are many other ACME clients, so if it was something unique to it then maybe a different client would help.

I think there is an option to disable the pre-check from Lego so you could try doing that.

Acme.sh is a popular bash script


Success! I don't know really what happened tbh, but I tried again to gather logs to send to the people at Nginx UI Github and it worked:

2024/08/02 18:41:43 [INFO] [redhorizonit.com] acme: Waiting for DNS record propagation.
2024/08/02 18:41:45 [INFO] [redhorizonit.com] acme: Waiting for DNS record propagation.
2024/08/02 18:41:47 [INFO] [redhorizonit.com] acme: Waiting for DNS record propagation.
2024/08/02 18:41:55 [INFO] [redhorizonit.com] The server validated our request
2024/08/02 18:41:55 [INFO] [redhorizonit.com] acme: Cleaning DNS-01 challenge
2024/08/02 18:41:56 [INFO] [redhorizonit.com] acme: Validations succeeded; requesting certificates
2024/08/02 18:41:57 [INFO] [redhorizonit.com] Server responded with a certificate.
2024/08/02 18:41:57 [INFO] [Nginx UI] Writing certificate to disk
2024/08/02 18:41:57 [INFO] [Nginx UI] Writing certificate private key to disk
2024/08/02 18:41:57 [INFO] [Nginx UI] Reloading nginx
2024/08/02 18:41:57 [INFO] [Nginx UI] Finished
2024/08/02 18:41:59 [INFO] [Nginx UI] Environment variables cleaned

Issued certificate successfully

Certbot was pretty much doing the same, requesting the cert and simply returning an error. Unfortunately I don't have any logs on what failed, but it pretty much looked like the one I was getting from Nginx.

I will take a look into Acme.sh, thanks! I will definitely need alternatives in the future in case I run into any issues.

Thanks again Mike for sharing your knowledge and your patience! Wishing you a great weekend :slight_smile:


Sure, glad it's working. Certbot would not have had the same exact error because it does not do a precheck. But, if there were some DNS query issues on that system then Certbot would have failed on its various HTTPS requests.


Yes, I'm super interested in using Certbot because I believe it does auto renewal for you as well, if I'm not mistaken.

Which would be awesome for me. And since I managed to get the cert I needed for some testing, I have enough time to read through the links you sent me and test Certbot a little bit more.

Thanks as always!


Most, if not all, ACME clients can do autorenewals [including acme.sh].


Awesome! Thanks for the tip @rg305 !

