Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: nextcloud.portwenn.net
Type: unauthorized
Detail: 34.198.182.201: Invalid response from Portwenn NextCloud Server "\n\n\nPortw"
My web server is (include version): nginx version: nginx/1.22.0
The operating system my web server runs on is (include version):
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.29.0
Hello, first post and a noob at certificates and webhosting. I have a self hosted server. I have a no-ip DDNS service with a registered domain. I have it set for wildcards and I have nextcloud.portwenn.net redirected to portwenn.net.
The certificate is successfully created for portwenn.net and I can access from internet. All route trace tests are successful for domain and subdomains. I would like to add cert for subdomains so I can redirect to specific ports as I enable various services.
It is possible I am doing this all wrong as I am new to this. I cannot seem to find another post that addresses my issue in a way I can understand. Any help is appreciated.
It looks like you have set up this redirect using what's called an "iframe redirection". This is sometimes called URL Masking.
This isn't going to work for the purposes of SSL or getting an SSL certificate.
You need to point your subdomain at your main domain using DNS (with a DNS A or CNAME record in no-ip), and then set up a redirection on your nginx web server.
Ok thank you. When I have some time I will take a look and see if I can figure out how to change my records at no-ip.
However, I don't know how to set up a redirect on my nginx server. I can search around for that but if anyone has a "best practice" I would appreciate some advice.
The tricky part is I am setting up various services on a TrueNAS machine. What I am doing here is just for the NextCloud instance. I think once I get the no-ip records straight, I will want only the nextcloud.portwenn.net certificate for the NextCloud jail. Other services will have their own jail and probably each of those will have just one subdomain certificate.
Please let me know if I am on the right track or not. Thanks for the help.
I have figured out how to create CNAME records at no-ip. I think I had mistakenly thought that I could only have one CNAME record due to the updater client pointing to the root domain and the subdomains had to be redirects. So I have created CNAME records for my subdomains which should allow me to send services to various ports.
I tried to delete certs for the old domains and now my nginx server is broken. There is a section in the user guide on "safely deleting certificates" that I think I am going to have to go through. After I clear out all previous domains I will try to basically start over and I should only need one subdomain per server. Hopefully that will simplify the setup. This time I will keep track of changes with git so I can tag working commits and restore it if I break something.
If anyone has any advice on how to reset all certs I would appreciate some guidance. Thank you.
I tried to "safely delete certificates" according to the certbot docs and at this point my nginx server is totally broken. I cannot manage to restore a self signed cert and certbot certificates returns nothing because I removed everything manually.
I tried these steps and it seems I got it working again:
I tried to recreate the self signed certs with
openssl req -nodes -batch -x509 -newkey rsa:2048 -keyout /usr/local/etc/letsencrypt/self-signed-privkey.pem -out /usr/local/etc/letsencrypt/self-signed-cert.pem -days 356
Not sure what good this did as I could not find out where to refer to it. This step may be useless.
I cleared out the old /usr/local/etc/nginx/conf.d/nextcloud.conf by copying the nextcloud.self-signed.conf to nextcloud.conf. But that didn't help.
Having cleared out everything I decided to basically start over from here.
certbot --nginx --domain nextcloud.portwenn.net
Restart the NextCloud app from TrueNAS plugins page.
Now you will have too many redirects. For some reason the /usr/local/etc/nginx/conf.d/nextcloud.conf has too many server and listen lines. I made the following changes:
So in the end, my issue was not needing to add subdomains. I had my DDNS set up wrong, I needed to add CNAME record for the subdomain at no-ip and the updater client in my router takes care of the DDNS updating. Now I only need one domain and that simplifies my problem.
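The following nginx configuration is an added example, not the poster's actual nextcloud.conf or anything generated by certbot. It ties together the two points in this thread: the earlier reply's advice to make the subdomain a real DNS name (CNAME at no-ip) and then redirect on the web server instead of using iframe masking, and the "too many redirects" symptom from the last post. The certificate paths follow certbot's default live/ layout under the /usr/local/etc/letsencrypt directory the thread mentions; the webroot and the Nextcloud document root are assumed values.

```nginx
# Added example (not from the thread). Assumes the DNS side is already done:
#   nextcloud.portwenn.net.  CNAME  portwenn.net.
# so the subdomain resolves to the same public address as the main domain.

# BROKEN shape (commented out): one server block answering on both ports with a
# server-level redirect. The redirect fires for HTTPS requests too, so the
# browser is bounced to https://nextcloud.portwenn.net/ over and over
# ("too many redirects").
#
# server {
#     listen 80;
#     listen 443 ssl;
#     server_name nextcloud.portwenn.net;
#     ssl_certificate     /usr/local/etc/letsencrypt/live/nextcloud.portwenn.net/fullchain.pem;
#     ssl_certificate_key /usr/local/etc/letsencrypt/live/nextcloud.portwenn.net/privkey.pem;
#     return 301 https://$host$request_uri;   # unconditional: loops on port 443
# }

# FIXED shape: one block per port. Only the plain-HTTP block redirects.
server {
    listen 80;
    server_name nextcloud.portwenn.net;

    # Let's Encrypt HTTP-01 validation fetches
    # http://nextcloud.portwenn.net/.well-known/acme-challenge/<token>
    # and expects the plain token response, not an HTML page (an iframe
    # "redirect" returns HTML, which is why validation reported
    # "Invalid response ... Portw"). With certbot --webroot, serve the
    # challenge files from a plain directory; certbot --nginx manages this
    # path itself during validation.
    location ^~ /.well-known/acme-challenge/ {
        root /usr/local/www/acme;        # assumed webroot directory
        default_type text/plain;
    }

    # Redirect everything else to HTTPS. The redirect lives inside a location
    # block on purpose: a server-level "return" runs before location matching
    # and would also swallow the challenge path above. To send the subdomain
    # to the main site instead, use https://portwenn.net$request_uri here.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name nextcloud.portwenn.net;

    # certbot's default layout: /usr/local/etc/letsencrypt/live/<domain>/
    ssl_certificate     /usr/local/etc/letsencrypt/live/nextcloud.portwenn.net/fullchain.pem;
    ssl_certificate_key /usr/local/etc/letsencrypt/live/nextcloud.portwenn.net/privkey.pem;

    root /usr/local/www/nextcloud;       # assumed Nextcloud document root
    index index.php;

    location / {
        try_files $uri $uri/ /index.php$request_uri;
    }
    # PHP handling for Nextcloud goes here (fastcgi_pass to the jail's php-fpm).
}
```

Check the result with nginx -t before reloading, and confirm from outside the network that http://nextcloud.portwenn.net/ answers with a single 301 to the HTTPS URL rather than a chain of redirects; a subsequent certbot renew --dry-run then exercises the challenge path without touching the live certificate.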