I have been going through a FrontEndMasters (“Full Stack for Front End Engineers”) tutorial that sets up an nginx, node stack via the terminal. At one point in the lesson, I’m instructed to request certificates.
I am consistently “timing out” and failing the challenges.
I would very much appreciate any help.
Best wishes to all,
Beau
PS
(This is my first post and I am having trouble getting my head around this.)
At the risk of sounding like an idiot, am I required to spin up a server in order to pass challenges in this cert authorization?
My domain is:
beau.haus
www.beau.haus
I ran this command:
sudo certbot --nginx
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): beau.haus, www.beau.haus
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for beau.haus
http-01 challenge for www.beau.haus
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.beau.haus (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.beau.haus/.well-known/acme-challenge/litdVlsN4EileF0OHrNh9RVaZTyV2OAuYNduH6nvCe0: Timeout, beau.haus (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://beau.haus/.well-known/acme-challenge/cFaubiNjh08DvAg7Z1RTtOUVoRzr5EVNM7DyC5TeEto: Timeout
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My web server is (include version):
node and nginx
The operating system my web server runs on is (include version):
ubuntu linux
Ubuntu 16.04.4 LTS
My hosting provider, if applicable, is:
registrar: porkbun
host: digitalocean
I can login to a root shell on my machine (yes or no, or I don’t know):
YES
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
I can’t connect to your site either. Are you sure nginx is started and listening on port 80? Are you sure there is a rule in your firewall allowing connections to port 80?
Error: listen EADDRINUSE :::3001
at Object.exports._errnoException (util.js:1020:11)
at exports._exceptionWithHostPort (util.js:1043:20)
at Server._listen2 (net.js:1277:14)
at listen (net.js:1313:10)
at Server.listen (net.js:1409:5)
at Object. (/var/www/fsfe2/app.js:94:8)
at Module._compile (module.js:577:32)
at Object.Module._extensions..js (module.js:586:10)
at Module.load (module.js:494:32)
at tryModuleLoad (module.js:453:12)
I will check about the firewall. I’m still feeling my way about, so that quite likely could be the culprit. Thx!
That error means there is something already listening on port 3001 and I suppose it is your own application. You should stop or kill it if you want to start it again. Also, are you using nginx as a proxy to your node.js app or...?
FWIW:
I’m instructed to proxy traffic to a node server (by the tutorial I’m following)
inside nginx/sites-available/default:
location / {
proxy_pass http://127.0.0.1:3001/;
}
I will double-check my steps.
/etc/nginx/sites-available$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Then, I start up my repo using forever:
beau@beauhaus:/var/www/fsfe2$ /home/beau/.npm-global/lib/node_modules/forever/bin/forever start app.js
warn: --minUptime not set. Defaulting to: 1000ms
warn: --spinSleepTime not set. Your script will exit if it does not stay up for at least 1000ms
info: Forever processing file: app.js
Then I would create a location in your server block to serve the HTTP challenge for Let’s Encrypt; if you post the output of nginx -T I could modify it for you.
(Very kind of you! Okay, just for documentation’s sake, I’ll print out the steps.)
root@beauhaus:~# ufw allow 80
Rule added
Rule added (v6)
root@beauhaus:~# nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-enabled/default:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
proxy_pass http://127.0.0.1:3001;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php7.0-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php7.0-fpm:
# fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
(I feel like I’m very close… Thx again…)
FWIW: at this point in the tutorial, the instructor has long had access to his example site, giving me the suspicion that I missed an important step somewhere.
There are some things that are given careful attention, others… less so.
Trying to follow this carefully…
I’m editing the sites-available/default
beau@beauhaus:/etc/nginx/sites-available$ pwd
/etc/nginx/sites-available
beau@beauhaus:/etc/nginx/sites-available$ cat default
##
# You should look at the following URL’s in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
listen 80 default_server;
listen [::]:80 default_server;
# SSL configuration
#
# listen 443 ssl default_server;
# listen [::]:443 ssl default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
server_name _;
location ~ /.well-known/acme-challenge/ {
allow all;
default_type "text/plain";
root /tmp;
}
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
proxy_pass http://127.0.0.1:3001;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# include snippets/fastcgi-php.conf;
#
# # With php7.0-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# # With php7.0-fpm:
# fastcgi_pass unix:/run/php/php7.0-fpm.sock;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
then, restart…
beau@beauhaus:/etc/nginx/sites-available$ sudo service nginx restart
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for beau.haus
Using the webroot path /tmp for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. beau.haus (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://beau.haus/.well-known/acme-challenge/Bic_f1qLhzr0tbyD6MKWjVQ6wo68nlEoYe-8tNbGqBk: Timeout
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: beau.haus
Type: connection
Detail: Fetching
http://beau.haus/.well-known/acme-challenge/Bic_f1qLhzr0tbyD6MKWjVQ6wo68nlEoYe-8tNbGqBk:
Timeout
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
A www.beau.haus directs to 198.211.109.116 3600
A beau.haus directs to 198.211.109.116 3600
NS beau.haus directs to ns2.digitalocean.com 1800
NS beau.haus directs to ns3.digitalocean.com 1800
NS beau.haus directs to ns1.digitalocean.com 1800
[edit: I’ll try disabling the firewall just to see if I can get a pulse…]
I see no problem in your firewall rules; indeed I’ve tested them on an Ubuntu Server and they are working fine. Your public IP is correct and nginx is listening on port 80. Maybe there is a firewall in front of your server; as far as I know DigitalOcean has cloud firewalls or something like that. You should take a look at your control panel in DigitalOcean to check whether there is some kind of firewall active for your droplet.
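A host-side pre-flight check for the http-01 path discussed in this thread, added here as an example (not from the original posts or from certbot): it writes a throwaway token under the same webroot certbot --webroot used (/tmp is assumed, as in the thread), fetches it through the public hostname over plain HTTP the way the CA's validator would, and classifies the result. The verdict texts in HINTS are this example's own reading of the thread's failure modes (timeout versus a 404 from the proxied node app), not certbot output.

```python
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

# What each verdict usually means for an nginx-in-front-of-node setup like this thread's.
HINTS = {
    "ok": "token served correctly; the CA should be able to validate this name",
    "unreachable": "no answer on port 80: check the A record, ufw, and any cloud firewall in front of the droplet",
    "not-served": "port 80 answered but the token was not found: the request was likely proxied to the app instead of the webroot",
    "wrong-content": "something else came back for the token path: wrong webroot or a catch-all location",
}

def write_token(webroot):
    """Create a random token file where certbot --webroot -w <webroot> would put one."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path

def fetch(url, timeout=10):
    """Fetch like the CA's validator would; (None, '') means timeout or refused connection."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except OSError:  # URLError, socket timeouts and refused connections all derive from OSError
        return None, ""

def diagnose(status, body, token):
    """Classify what came back for the token URL."""
    if status is None:
        return "unreachable"
    if status == 200 and body.strip() == token:
        return "ok"
    if status == 404:
        return "not-served"
    return "wrong-content"

def preflight(domain, webroot="/tmp"):
    """Write a token, fetch it via the public name, clean up, and return (verdict, hint)."""
    token, path = write_token(webroot)
    status, body = fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}")
    os.remove(path)  # never leave the throwaway token behind
    verdict = diagnose(status, body, token)
    return verdict, HINTS[verdict]
```

Run it on the box itself with preflight("beau.haus") after adding the acme-challenge location; an "unreachable" verdict from the host's own public name is the same symptom the CA reported above and points at DNS or a firewall rather than at nginx.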