Certbot: nginx plugin is not working

Okay, at least when visiting https://bitwarden.niggipi.duckdns.org/ I now get a message that the cert is invalid.

When running certbot again, I now get the following message:

nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem"
Failed authorization procedure. bitwarden.niggipi.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://niggipi.duckdns.org/.well-known/acme-challenge/iOTn7PnFvDQeSfZU7pHR2VZub0pxXnP6pVvsSIDHdSU: Connection refused

The point of that was to get nginx to stand up and walk (not run).
[at least it is no longer fallen and can't get up]
We still need to fix it so it can run (properly).
To that end, you now need to reissue new cert(s).
But that was hampered by:

It's now time to deal with that problem.

Please show outputs of:
curl -4 ifconfig.co
curl -6 ifconfig.co

Since bitwarden.niggipi.duckdns.org seems to be reachable, I think the problem with niggipi.duckdns.org is that nginx is not acting as a proxy for niggipi.duckdns.org but as a web server. The proxy for bitwarden.niggipi.duckdns.org seems to work fine. Does this make sense?

Maybe.
Please also show the file:
[to better understand you]

server {
  listen 80;
  server_name bitwarden.niggipi.duckdns.org;
  return 301 https://$host$request_uri;
}

# SSL configuration
server {
  listen 443 ssl default_server;
  listen [::]:443;
  server_name bitwarden.niggipi.duckdns.org;

  # Certs
  ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem; # only temporary
  ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key; # only temporary

  # Improve HTTPS performance with session resumption
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;

  # Enable server-side protection against BEAST attacks
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

  # Disable SSLv3
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  # Diffie-Hellman parameter for DHE ciphersuites
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  # Enable HSTS (https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security)
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";

  # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 5s;

  location / {
    proxy_pass http://192.168.0.254:7000;
    proxy_set_header Host $host;
    proxy_redirect http:// https://;
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
#    proxy_set_header Connection $connection_upgrade;
  }
}

OK so I see what you mean.
Is there supposed to be a proxy line within the other ssl enabled file?

We still have a port 80 problem to deal with.
Please show the outputs of:
netstat -pant | grep -Ei 'nginx|80|443'
and
grep -Ri listen /etc/nginx

And there is also an IPv4/IPv6 listening problem:

Name:      bitwarden.niggipi.duckdns.org
Addresses: 2a02:8071:2b4:a700:453a:29e2:7f2b:60d4
           82.165.242.73

But the server is not listening to both:

It is missing a line:
listen [::]:80;

netstat -pant | grep -Ei 'nginx|80|443' returns:

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      16513/nginx: master
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      2016/docker-proxy
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      16513/nginx: master
tcp        0      0 192.168.0.254:47314     165.254.191.194:443     VERBUNDEN   725/vncserver-x11-c
tcp6       0      0 :::443                  :::*                    LISTEN      16513/nginx: master
tcp6       0      0 :::8000                 :::*                    LISTEN      2027/docker-proxy

grep -Ri listen /etc/nginx returns:

/etc/nginx/sites-available/default:     listen 80 default_server;
/etc/nginx/sites-available/default:     listen [::]:80 default_server;
/etc/nginx/sites-available/default:     # listen 443 ssl default_server;
/etc/nginx/sites-available/default:     # listen [::]:443 ssl default_server;
/etc/nginx/sites-available/default:#    listen 80;
/etc/nginx/sites-available/default:#    listen [::]:80;
/etc/nginx/sites-available/files.niggipi.duckdns.org:   listen [::]:80;
/etc/nginx/sites-available/files.niggipi.duckdns.org:   listen 80;
/etc/nginx/sites-available/files.niggipi.duckdns.org:   listen 443 ssl http2;
/etc/nginx/sites-available/files.niggipi.duckdns.org:   listen [::]:443 ssl http2;
/etc/nginx/sites-available/bitwarden.niggipi.duckdns.org.conf:  listen 80;
/etc/nginx/sites-available/bitwarden.niggipi.duckdns.org.conf:  listen 443 ssl default_server;
/etc/nginx/sites-available/bitwarden.niggipi.duckdns.org.conf:  listen [::]:443;
/etc/nginx/sites-available/deck.niggipi.duckdns.org:    listen [::]:80;
/etc/nginx/sites-available/deck.niggipi.duckdns.org:    listen 80;
/etc/nginx/sites-available/deck.niggipi.duckdns.org:    listen 443 ssl http2;
/etc/nginx/sites-available/deck.niggipi.duckdns.org:    listen [::]:443 ssl http2;
/etc/nginx/sites-available/mail.niggipi.duckdns.org:    listen [::]:80;
/etc/nginx/sites-available/mail.niggipi.duckdns.org:    listen 80;
/etc/nginx/sites-available/mail.niggipi.duckdns.org:    listen 443 ssl http2;
/etc/nginx/sites-available/mail.niggipi.duckdns.org:    listen [::]:443 ssl http2;
/etc/nginx/sites-available/cospend.niggipi.duckdns.org: listen [::]:80;
/etc/nginx/sites-available/cospend.niggipi.duckdns.org: listen 80;
/etc/nginx/sites-available/cospend.niggipi.duckdns.org: listen 443 ssl http2;
/etc/nginx/sites-available/cospend.niggipi.duckdns.org: listen [::]:443 ssl http2;
/etc/nginx/sites-available/niggipi.duckdns.org:#    listen 80;
/etc/nginx/sites-available/niggipi.duckdns.org:#    listen [::]:80;
/etc/nginx/sites-available/niggipi.duckdns.org:#    listen 443 ssl http2;
/etc/nginx/sites-available/niggipi.duckdns.org:#    listen [::]:443 ssl http2;
/etc/nginx/sites-available/niggipi.duckdns.org:#    listen 443 ssl http2;
/etc/nginx/sites-available/niggipi.duckdns.org:#    listen [::]:443 ssl http2;
/etc/nginx/sites-available/niggipi.duckdns.org:#    listen 443 ssl http2;
/etc/nginx/sites-available/niggipi.duckdns.org:#    listen [::]:443 ssl http2;
/etc/nginx/sites-available/niggipi.duckdns.org:#    listen 443 ssl http2;
/etc/nginx/sites-available/niggipi.duckdns.org:#    listen [::]:443 ssl http2;
/etc/nginx/sites-available/niggipi.duckdns.org:#    listen 443 ssl http2;
/etc/nginx/sites-available/niggipi.duckdns.org:#    listen [::]:443 ssl http2;
/etc/nginx/sites-available/niggipi.duckdns.org:#    listen 443 ssl http2;
/etc/nginx/sites-available/niggipi.duckdns.org:#    listen [::]:443 ssl http2;
/etc/nginx/sites-available/niggipi.duckdns.org:    listen 443 ssl http2;
/etc/nginx/sites-available/niggipi.duckdns.org:    listen [::]:443 ssl http2;
/etc/nginx/sites-enabled/bitwarden.niggipi.duckdns.org.conf:  listen 80;
/etc/nginx/sites-enabled/bitwarden.niggipi.duckdns.org.conf:  listen 443 ssl default_server;
/etc/nginx/sites-enabled/bitwarden.niggipi.duckdns.org.conf:  listen [::]:443;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    listen 80;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    listen [::]:80;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    listen 443 ssl http2;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    listen [::]:443 ssl http2;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    listen 443 ssl http2;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    listen [::]:443 ssl http2;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    listen 443 ssl http2;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    listen [::]:443 ssl http2;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    listen 443 ssl http2;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    listen [::]:443 ssl http2;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    listen 443 ssl http2;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    listen [::]:443 ssl http2;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    listen 443 ssl http2;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    listen [::]:443 ssl http2;
/etc/nginx/sites-enabled/niggipi.duckdns.org:    listen 443 ssl http2;
/etc/nginx/sites-enabled/niggipi.duckdns.org:    listen [::]:443 ssl http2;
/etc/nginx/nginx.conf:#         listen     localhost:110;
/etc/nginx/nginx.conf:#         listen     localhost:143;

Reduced to /sites-enabled/ and NOT commented out and separated by file:

You can see that not all sites are being served on all ports and on both IPv4 & IPv6.
There are missing lines and vhost configs.
and other problems...
[one at a time]

Both names resolve to both IPs:

Name:      bitwarden.niggipi.duckdns.org
Addresses: 2a02:8071:2b4:a700:453a:29e2:7f2b:60d4
           82.165.242.73

Name:      niggipi.duckdns.org
Addresses: 2a02:8071:2b4:a700:453a:29e2:7f2b:60d4
           82.165.242.73

So they should be served by both IPs.
They are for 443:

But not for 80.

And nothing seems to be served on 80 at all right now; I only get:
curl: (56) Recv failure: Connection reset by peer

Is there a firewall or NAT device responsible to sending 82.165.242.73:80 to 192.168.0.254:80 ?
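The listen inventory from `grep -Ri listen /etc/nginx` can be checked mechanically instead of by eye. The script below is an added example, not code from this thread or from nginx/certbot. It takes that grep output (the sample embedded in it is reconstructed from the lines posted above), keeps only files under `sites-enabled/` and uncommented `listen` directives, and reports for each vhost file which of the four sockets (80 and 443, each on IPv4 and IPv6) are missing. It also flags a 443 socket declared without the `ssl` parameter: the bitwarden file has `listen [::]:443;` without `ssl`, and unless the deprecated `ssl on;` directive is set elsewhere, nginx serves plain HTTP on that IPv6 socket. Only wildcard addresses are classified (a specific address such as `localhost:110` is ignored); that simplification, and the `EXPECTED` set, are this example's assumptions. Separately from the port 80 problem, the posted server block still enables TLSv1/TLSv1.1 and a 3DES suite, which are worth dropping once certificates are issued.

```python
"""Check which enabled nginx vhost files listen on 80/443 over IPv4 and IPv6.

Added example, not code from the thread. Input is the output of
`grep -Ri listen /etc/nginx`; only files under sites-enabled/ and
uncommented `listen` directives count. Only wildcard sockets are
classified (a specific address such as localhost:110 is ignored).
"""
import re
import sys
from collections import defaultdict

# Constructed sample: a subset of the grep output posted in the thread.
SAMPLE_GREP = """\
/etc/nginx/sites-enabled/bitwarden.niggipi.duckdns.org.conf:  listen 80;
/etc/nginx/sites-enabled/bitwarden.niggipi.duckdns.org.conf:  listen 443 ssl default_server;
/etc/nginx/sites-enabled/bitwarden.niggipi.duckdns.org.conf:  listen [::]:443;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    listen 80;
/etc/nginx/sites-enabled/niggipi.duckdns.org:#    listen [::]:80;
/etc/nginx/sites-enabled/niggipi.duckdns.org:    listen 443 ssl http2;
/etc/nginx/sites-enabled/niggipi.duckdns.org:    listen [::]:443 ssl http2;
/etc/nginx/sites-available/default:     listen 80 default_server;
/etc/nginx/nginx.conf:#         listen     localhost:110;
"""

# "<file>:<rest of line>" as grep -R prints it (config paths contain no colon).
LINE_RE = re.compile(r"^(?P<file>[^:]+):(?P<body>.*)$")
# An uncommented listen directive: address/port token, then optional parameters.
LISTEN_RE = re.compile(r"^\s*listen\s+(?P<addr>\S+)\s*(?P<params>[^;]*);")

# Assumption of this example: every public vhost should have all four sockets.
EXPECTED = {("ipv4", 80), ("ipv6", 80), ("ipv4", 443), ("ipv6", 443)}


def parse_listen(addr):
    """Return (family, port) for a wildcard listen token, else None."""
    if addr.startswith("[::]:"):
        return ("ipv6", int(addr[5:]))
    if addr.isdigit():
        return ("ipv4", int(addr))
    m = re.match(r"^(?:\*|0\.0\.0\.0):(\d+)$", addr)
    if m:
        return ("ipv4", int(m.group(1)))
    return None


def listen_sockets(grep_output, only_enabled=True):
    """Map each file to the set of (family, port, params) it listens on."""
    sockets = defaultdict(set)
    for raw in grep_output.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        path, body = m.group("file"), m.group("body")
        if only_enabled and "/sites-enabled/" not in path:
            continue
        lm = LISTEN_RE.match(body)
        if not lm:          # commented out, or not a listen directive
            continue
        parsed = parse_listen(lm.group("addr"))
        if parsed is None:
            continue
        params = frozenset(lm.group("params").split())
        sockets[path].add((parsed[0], parsed[1], params))
    return dict(sockets)


def missing_sockets(grep_output):
    """Per file: expected sockets with no listen directive, and 443 sockets
    that lack the `ssl` parameter (those would serve plain HTTP on 443)."""
    report = {}
    for path, socks in listen_sockets(grep_output).items():
        present = {(fam, port) for fam, port, _ in socks}
        no_ssl = sorted((fam, port) for fam, port, params in socks
                        if port == 443 and "ssl" not in params)
        report[path] = {"missing": sorted(EXPECTED - present),
                        "443_without_ssl": no_ssl}
    return report


if __name__ == "__main__":
    # Usage: grep -Ri listen /etc/nginx | python3 check_listen.py
    text = SAMPLE_GREP if sys.stdin.isatty() else sys.stdin.read()
    for path, r in sorted(missing_sockets(text).items()):
        print(f"{path}\n  missing: {r['missing'] or 'none'}"
              f"\n  443 without ssl: {r['443_without_ssl'] or 'none'}")
```

Run against the sample, it reports the bitwarden file as missing `[::]:80` and carrying an IPv6 443 socket without `ssl`, and the niggipi.duckdns.org file as missing both port 80 sockets, which matches the missing-lines finding above.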

Yeah, forgot to mention: because my ISP uses DS-Lite, I use an external server (82.165.242.73), which tunnels all the traffic over SSH to my home server. I just checked the server, and it does indeed show only port 443 as open and port 80 as closed.

This, you say on post #30?
I'm really trying to help you - with what is obviously nothing to do with certbot nor LetsEncrypt.
You have to help me help you or this is really not worth the trouble for me.

Yeah, didn't think this could be the problem, haven't touched the external server for like a year.

You are going to need port 80 for HTTP authentication.
Which is what I suspect you were using to renew the certs.
We can check that with:
cat /etc/letsencrypt/renewal/*

Do you want to continue?
Or are we done for today?

Oh my...
cat /etc/letsencrypt/renewal/* returns

Datei oder Verzeichnis nicht gefunden (No such file or directory)

Man, I have the feeling this is getting too big for me. I don't want to waste your time any more :confused:

I think I will set everything up from scratch!

Reread my first post.
And your reply to it.

You need to fix the port 80 problem first.
Or you must switch away from HTTP-01 and do DNS-01 authentication.

Good night and best of luck to you.
Cheers from Miami :beers:

#FreeCUBA

Thank you for your help! I will give feedback when I have found a solution for the port 80 problem! :slight_smile:


Thank you so much!

The problem was a misconfigured crontab that established an SSH tunnel for port 443 only. Now it is working again. :slight_smile:

If anyone should have the same problem in the future: here is the crontab that I changed:

# Reverse tunnels from the external server (82.165.242.73) to the home server.
# Remote port 443 -> local 443
@reboot autossh -M 0 -f -o ConnectTimeout=10 -o ServerAliveInterval=60 -o ServerAliveCountMax=2 -p 39001 -N -R 443:localhost:443 root@82.165.242.73
# Remote port 80 -> local 80 (needed for HTTP-01 challenges)
@reboot autossh -M 0 -f -o ConnectTimeout=10 -o ServerAliveInterval=60 -o ServerAliveCountMax=2 -p 39001 -N -R 80:localhost:80 root@82.165.242.73
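Because the failure here was a tunnel that came up fine but forwarded only one of the two ports, it is worth checking the crontab itself before blaming nginx or certbot. The script below is an added example, not part of the thread; it parses `ssh`/`autossh` lines from a crontab, collects their `-R` remote forwards per target, and reports which of the ports HTTP-01 and the site need (80 and 443) are not forwarded. `CRONTAB_BEFORE` is constructed to reproduce the pre-fix state; `CRONTAB_AFTER` is the posted crontab. The `REQUIRED_PORTS` set, the option table and the `port_reachable` live check are this example's assumptions. Two caveats the page does not cover: an `-R` forward binds to the loopback interface on the remote host unless its `sshd_config` has `GatewayPorts` enabled (or a permitted bind address is given), so a tunnel that is up can still leave the public port closed, which is why the script also offers a connect test from outside; and logging in as `root` only to hold a tunnel is more privilege than needed, so a dedicated tunnel user restricted with `authorized_keys` options such as `restrict,port-forwarding,permitlisten` is the least-privilege alternative, though binding 80 and 443 as that user then needs a redirect or capability on the remote box.

```python
"""Check that an autossh/ssh reverse-tunnel crontab forwards every port that
HTTP-01 and the site need (80 and 443), and flag tunnels that log in as root.

Added example, not from the thread. CRONTAB_AFTER holds the crontab lines
posted above; CRONTAB_BEFORE is constructed to reproduce the pre-fix state.
Only OpenSSH's '-R [bind_address:]port:host:hostport' form is parsed.
"""
import shlex
import socket

CRONTAB_BEFORE = (
    "@reboot autossh -M 0 -f -o ConnectTimeout=10 -o ServerAliveInterval=60 "
    "-o ServerAliveCountMax=2 -p 39001 -N -R 443:localhost:443 root@82.165.242.73\n"
)
CRONTAB_AFTER = CRONTAB_BEFORE + (
    "@reboot autossh -M 0 -f -o ConnectTimeout=10 -o ServerAliveInterval=60 "
    "-o ServerAliveCountMax=2 -p 39001 -N -R 80:localhost:80 root@82.165.242.73\n"
)

REQUIRED_PORTS = {80, 443}      # 80 for HTTP-01 challenges, 443 for the site
# ssh/autossh options that consume the following argument (assumed subset).
OPTS_WITH_VALUE = {"-o", "-p", "-i", "-l", "-M", "-L", "-D", "-J", "-F",
                   "-b", "-e", "-m", "-c"}


def parse_remote_forward(spec):
    """'[bind_address:]port:host:hostport' -> (bind_address, port, host, hostport).
    An empty bind_address means sshd's default (loopback unless GatewayPorts)."""
    parts = spec.rsplit(":", 3)
    if len(parts) == 3:
        bind, port, host, hostport = "", *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"unrecognised -R spec: {spec!r}")
    return bind, int(port), host, int(hostport)


def tunnels_in_crontab(crontab_text):
    """[(target_user_host, [forwards...]), ...] for every ssh/autossh line."""
    tunnels = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        # Skip the schedule fields (@reboot or five time fields); find the command.
        idx = next((i for i, a in enumerate(argv)
                    if a.rsplit("/", 1)[-1] in ("ssh", "autossh")), None)
        if idx is None:
            continue
        args, forwards, target, i = argv[idx + 1:], [], None, 0
        while i < len(args):
            a = args[i]
            if a == "-R":
                forwards.append(parse_remote_forward(args[i + 1])); i += 2
            elif a.startswith("-R") and len(a) > 2:          # -R443:localhost:443
                forwards.append(parse_remote_forward(a[2:])); i += 1
            elif a in OPTS_WITH_VALUE:
                i += 2
            elif a.startswith("-"):                           # -N, -f, ...
                i += 1
            else:                                             # user@host
                target = a; i += 1
        tunnels.append((target, forwards))
    return tunnels


def missing_forwards(crontab_text, required=frozenset(REQUIRED_PORTS)):
    """Per remote target: required remote ports that no tunnel line forwards."""
    ports_by_target = {}
    for target, forwards in tunnels_in_crontab(crontab_text):
        ports_by_target.setdefault(target, set()).update(p for _, p, _, _ in forwards)
    return {t: sorted(required - ports) for t, ports in ports_by_target.items()}


def root_tunnels(crontab_text):
    """Targets that log in as root: candidates for a dedicated restricted user."""
    return sorted({t for t, _ in tunnels_in_crontab(crontab_text)
                   if t and t.startswith("root@")})


def port_reachable(host, port, family, timeout=5.0):
    """Live check from outside the tunnel: can host:port be reached over the
    given family (socket.AF_INET or socket.AF_INET6)? Mirrors curl -4 / curl -6."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return False
    for af, st, proto, _, addr in infos:
        with socket.socket(af, st, proto) as s:
            s.settimeout(timeout)
            if s.connect_ex(addr) == 0:
                return True
    return False


if __name__ == "__main__":
    for label, text in (("before", CRONTAB_BEFORE), ("after", CRONTAB_AFTER)):
        print(label, "missing forwards:", missing_forwards(text),
              "root logins:", root_tunnels(text))
    # Live check example (needs network):
    # port_reachable("bitwarden.niggipi.duckdns.org", 80, socket.AF_INET6)
```

On the pre-fix crontab the report is `{'root@82.165.242.73': [80]}`, which is exactly the "port 80 closed on the external server" symptom the thread chased for thirty posts; on the fixed crontab the list is empty. The root-login flag is informational, since the posted setup needs root on the remote host to bind ports below 1024.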

Thank you for the :beer:
I hope you are now able to get all new certs and as many as you need :slight_smile:
Cheers from Miami :beers:

#FreeCUBA

