HTTP-ALT is NOT port 80
I don't see any port 80 accept there
added now:
unifiadmin@unifi:~$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8880
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8843
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6789
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:3478
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:10001
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
Now I can reach nginx!
Bring UFW up - let's see if that blocks
unifiadmin@unifi:~ sudo systemctl start ufw
unifiadmin@unifi:~ sudo systemctl status ufw
● ufw.service - Uncomplicated firewall
Loaded: loaded (/lib/systemd/system/ufw.service; enabled; vendor preset: enabled)
Active: active (exited) since Tue 2020-11-03 15:09:00 CET; 5s ago
Docs: man:ufw(8)
Process: 8311 ExecStop=/lib/ufw/ufw-init stop (code=exited, status=0/SUCCESS)
Process: 8601 ExecStart=/lib/ufw/ufw-init start quiet (code=exited, status=0/SUCCESS)
Main PID: 8601 (code=exited, status=0/SUCCESS)
Nov 03 15:09:00 unifi.itvakta.no systemd[1]: Starting Uncomplicated firewall...
Nov 03 15:09:00 unifi.itvakta.no systemd[1]: Started Uncomplicated firewall.
unifiadmin@unifi:~$
I notice now that unifi.itvakta.no reports an unsafe site (cert problem)
We're still good:
curl -Iki unifi.itvakta.no
HTTP/1.1 400
Content-Type: text/html;charset=utf-8
Content-Language: en
Transfer-Encoding: chunked
Date: Tue, 03 Nov 2020 14:09:45 GMT
Connection: close
OK, now on to renewing the cert via HTTP
Try:
certbot renew -a nginx --dry-run
OR
certbot certonly -a nginx --dry-run
unifiadmin@unifi:~$ sudo certbot renew -a --nginx --dry-run
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument -a/--authenticator: expected one argument
unifiadmin@unifi:~$
unifiadmin@unifi:~$ sudo certbot renew --nginx --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/unifi.itvakta.no.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for unifi.itvakta.no
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (unifi.itvakta.no) from /etc/letsencrypt/renewal/unifi.itvakta.no.conf produced an unexpected error: Failed authorization procedure. unifi.itvakta.no (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://unifi.itvakta.no/.well-known/acme-challenge/GMqF-3PuCXvD6CDJPPl3uToObnIevmDf2pKk8ejQSEk [172.105.65.130]: "<!doctype html><html lang="en">HTTP Status 404 \u2013 Not Found<style type="text/css">body {font-family:Tahoma". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/unifi.itvakta.no/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/unifi.itvakta.no/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: unifi.itvakta.no
Type: unauthorized
Detail: Invalid response from
http://unifi.itvakta.no/.well-known/acme-challenge/GMqF-3PuCXvD6CDJPPl3uToObnIevmDf2pKk8ejQSEk
[172.105.65.130]: "<!doctype html><html
lang="en">HTTP Status 404 – Not Found<style
type="text/css">body {font-family:Tahoma"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
unifiadmin@unifi:~$
Try:
certbot renew -a nginx --dry-run
OR
certbot certonly -a nginx --dry-run
I am still not able to get past the 400 error, and I get the same error message when running the dry run.
To be able to proceed with this, should we remove nginx altogether? I feel I do not have time to get to know all there is to setting up nginx to support both Let's Encrypt renewal and the UniFi web server.
Nginx works now as a proxy, but I can set firewall rules to protect the server and allow only my own IPs to reach the UniFi web server.
What do you recommend?
If you leave nginx to redirect all to https, then there isn't much to configure there.
We would only need to get it to work with certbot.
We would need to modify the nginx config a bit.
Are you up for that?
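The kind of change being suggested, as an added example (not the thread's or the poster's own config): a hypothetical nginx site that answers the http-01 challenge from a local directory before anything is proxied to UniFi, so the challenge request no longer lands on the controller's Tomcat and gets the 404 seen in the dry run. The webroot path, the 127.0.0.1:8443 upstream and the switch to certbot's webroot authenticator are assumptions.

```nginx
# Added example, not the thread's own config. Assumes certbot is switched to
# the webroot authenticator and that the UniFi controller listens on 8443
# (hypothetical paths and upstream; adjust to the real host).
server {
    listen 80;
    server_name unifi.itvakta.no;

    # Serve ACME http-01 challenges from a local directory so that
    # /.well-known/acme-challenge/<token> never reaches the UniFi (Tomcat)
    # backend, which is what answered 404 in the failed dry run.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;      # hypothetical webroot
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name unifi.itvakta.no;

    # Standard certbot layout under /etc/letsencrypt/live/<domain>/
    ssl_certificate     /etc/letsencrypt/live/unifi.itvakta.no/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/unifi.itvakta.no/privkey.pem;

    location / {
        proxy_pass https://127.0.0.1:8443;   # assumed UniFi controller port
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Renew with the webroot authenticator instead of the nginx plugin:
#   sudo certbot renew --webroot -w /var/www/letsencrypt --dry-run
#
# Self-check before renewing (the token file is a constructed example; a
# 200 with body "test" means nginx serves the path, a Tomcat 404 page means
# the request is still being proxied):
#   sudo mkdir -p /var/www/letsencrypt/.well-known/acme-challenge
#   echo test | sudo tee /var/www/letsencrypt/.well-known/acme-challenge/test
#   curl -i http://unifi.itvakta.no/.well-known/acme-challenge/test
```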
Yes, I worked many hours yesterday to try to fix the nginx config.
I can send you the config I have made so far.
Yes, let's continue from there.