Errors creating ssl certificate stuff for nginx

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: gateslink.au (has an 'A' record), public IP is 159.196.67.148 and works with http://gateslink.au:5000 (nginx is ok, router forwards port 80 to 5000), ufw has ssh, 80, 443 and https open

I ran this command: sudo certbot --nginx -d gateslink.au -d www.gateslink.au

It produced this output: certbot.errors.AuthorizationError: Some challenges have failed.
2025-11-29 12:58:10,092:ERROR:certbot._internal.log:Some challenges have failed.

My web server is (include version): nginx version: nginx/1.24.0 (Ubuntu)

The operating system my web server runs on is (include version): Linux Mint 22.3

My hosting provider, if applicable, is: I use ventra-IP for the 'A' record, NO-IP for the actual conversion from my private IP to public, ISP is aussie broadband

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot version 2.9.0

I do not know what specific detail from the log file you need ... please advise ... regards

Hi, get http working for your site (for external visitors, not just working on your own network) then go from there. You can't complete an HTTP challenge without allowing incoming TCP port 80 and having it reach your server.

2 Likes

Welcome @gatesey

The --nginx option makes temporary updates to your nginx config to handle the incoming HTTP Challenge. By default, it only updates a server block that listens on port 80.

Since you port forward to port 5000 you have a server block listening on port 5000.

So, you need to add --http-01-port 5000 to your command

See the website docs for more details: User Guide — Certbot 5.2.0.dev0 documentation

That said, I see a "Server: gunicorn" in the response headers for HTTP requests to that port. The --nginx option only updates nginx. Will nginx be handling those inbound requests?

2 Likes

Hi Christopher,

Thanks for your update, will be looking at that also after I have checked out what MikeMcQ wrote ... just looking at what he wrote now.

regards,

Hi Mike,

Thanks for the tip re: adding the extra http option.
As to the gunicorn setup, that is how python3-flask gets to deploy the app via nginx as a reverse front-end proxy server,
so I assume the certificate setup will advertise this fact to the web browser and thus regard gateslink.au:5000/
as a 'secure' nominated site, using the extra http option you stated.

It's all according to digital ocean as per this link I have used :- https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-20-04
Using the certbot SSL certificate install process from the above link is how I got the error message I sent you.
I set up the successful python3-flask-gunicorn-nginx app that uses http://gateslink.au:5000/vids ( to see my security videos remotely via rustdesk ) , which port forwards
port 80 to 5000 via nginx & in my router ... all successfully.

So this is where I am up to. thanks for the help on this.
regards,

No, using that option only makes sure your port 5000 server block can reply properly to the HTTP Challenge.

Certbot then will create a new server block to handle HTTPS on a different port. That port defaults to 443. You will need another setting to instruct Certbot to use a different port for that if you need that too. Please see the Certbot docs for that option.

You cannot use the same port for both HTTP and HTTPS. Well, sometimes you can but it is difficult to manage and best avoided.

Part of the problem is you are following instructions intended for a typical nginx install using port 80 and 443.

Using different ports like you are is not wrong or all that unusual. But, it does take special care to get setup initially. If you need help with that please show the URL you hope to use for HTTPS.

2 Likes

Hi MikeMcQ,

Thanks for the follow up note you sent, but I am confused though, so I think I should repeat what I am trying to achieve.

The URL that I currently use to connect remotely is :- http://gateslink.au:5000/vids ( sometimes for testing purposes I use http://159.196.67.148:5000/ids ) and this takes me to my videos capture
host on my home lan at 192.168.20.7 ... right now my 'challenge' login code is turned off at the python3-flask app end on that home LAN host meaning anyone can land directly on that host and
see the list of the 5 security camera videos that are stored on that host.
The current nginx server definition block is ( from /etc/nginx/conf.d/flask ) :-

server {
    #listen 80;
    server_name 192.168.20.7;
    location / {
        include proxy_params;
        proxy_pass http://127.0.0.1:5000;
    }
}

again, all from the digital ocean tutorial I used. All I did was place this in the sites-available definition according to what the digital ocean tutorial showed.
The netcomm NF18 router has the port forwarding rule shown in the attached screenshot png file.

What I was after is to replace the http://gateslink.au:5000/vids with the SSL certificate installed and registered
to allow me to use :- https://gateslink.au:5000/vids instead of the http:// insecure version. Happy to alter the port forwarding value as that is a simple change
in python3-flask and gunicorn.

So then as you wrote :-

Part of the problem is you are following instructions intended for a typical nginx install using port 80 and 443.

Using different ports like you are is not wrong or all that unusual. But, it does take special care to get setup initially. If you need help with that please show the URL you hope to use for HTTPS.

So can you please show me how I can properly specify the port arrangement to suit this https SSL certificate setup and install for nginx. Also , let me know if you need any more info.

(attachments)

port-forwarding-nf18.png

So am I :slight_smile: I'm not clear what you are trying to achieve.

You show an nginx server block with listen 80; commented out. That doesn't matter since port 80 is the default with no listen, so that is what port that server block listens on. HTTP requests to port 80 are currently timing out, so the proxy statement in your nginx isn't working. Or, you are blocking port 80 requests before they reach nginx. I don't think your router is forwarding 80 to 5000, or if it is, that isn't working right.

Now, on to port 5000. You show a URL using HTTP to port 5000. But, there is no server block in that nginx to handle port 5000. That request must go directly to your gunicorn server/app. Right? And, you must then have port 5000 open to the public internet otherwise requests wouldn't work (and they do).

Why can't you use port 80 for inbound requests to nginx?

A common setup is that nginx sees an HTTP(S) request on port 80(443) and then uses proxy statements to one or more other apps or servers on your LAN. It could even be the proxy statement you already have if the app currently handling port 5000 is on the same machine as nginx (127.0.0.1). In this setup nginx is the first "thing" to see all incoming requests and it proxies to other services as needed based on the URI.

If you want that you don't use your router to forward port 80 to port 5000. nginx will be doing that. You set your router to direct port 80 to the local IP for your nginx machine.

For HTTPS (certificates) you need to use a domain name (not an IP address) to reach that server. That domain name must be in the certificate. Note that you currently have a "micro_httpd" service replying to HTTPS requests on port 443. It uses a self-signed cert for "example.com" from "Denial". Looks like a firewall of some kind perhaps. Do you know what that is?

Once the overall plan is decided then we can sort out how to handle HTTPS. Ideally we'd want nginx to see all incoming HTTPS requests (on port 443 ideally) and proxy to the needed services based on the URI. The same concept as I described for port 80, just for HTTPS. This means nginx is the only place you need to get a cert (more on that later). And, once the HTTPS plan is working you change how nginx handles HTTP on port 80 to redirect those to HTTPS. We don't want HTTP traffic going directly to your other apps/services.

3 Likes

Hi MikeMcQ,

Thanks again, I see that I have misconfigured the nginx 'listen 80;' commented-out part, which cascaded the matter I think.

The reason for the gunicorn part of the solution is that python3 flask is fine for dev testing a deployed web app but is not recommended for a full-time
secure production-like environment, so gunicorn does that via running as a service defined in /etc/systemd/system, and the port suggested by digital ocean is 5000.
Which is all running fine as an http based web app.

Where I misconfigured ( as you kindly have pointed out thanks !! ) is that digitalocean used the nginx 'listen 80;' ( not commented out ) as per the default setup and
I chose to port forward with the intention that further down the track I could enforce nginx to avoid that port and go directly to 5000 via gunicorn ( as a service ), which works
ok despite what I was trying to achieve and was ok for http. Setting up for https brought out the issue.

Which I see ( the router port forwarding ) was not entirely necessary for this project ...it was a hangover from a previous project, looks like I never cleaned up.

Digitalocean then removes the ufw rule via 'delete allow 5000' and instead employs => sudo ufw allow 'Nginx Full' to tidy things up. I hadn't done this
previously and so I think this is where I complicated things, apparently because digitalocean had removed the earlier 'allow 5000' which I did not.

They show the execution of the certbot SSL build call :- sudo certbot --nginx -d your_domain -d www.your_domain as per default ( where I'll substitute with gateslink.au )
which I'll now do with the nginx changes you suggested re: listen 80 uncommented and tidy things up and get back to you with the results.

Thanks for your patience.

Hi MikeMcQ,

It seems I have to review the project since the gunicorn part of the python3 flask app combo is what is causing an issue for me in the socket definition.
I have to dig deeper to see how to satisfy the proxy params section in nginx site-available definitions to have it 'see' the socket that gets kicked off.
At this point the socket gets bound and supposedly the firewall and nginx are happy ( ? ) but there is no HTTP connection ( http://gateslink.au:5000/vids just hangs )
and no errors/issues appear in the nginx logs and no systemctl based faults to see either ... so I have to get this sorted out before tackling certbot.

Thanks again for the tips.

Looks like you've made some progress.

But, I think your goal should be to get this URL working

http://gateslink.au/vids

Once you have that we can work on https://gateslink.au/vids

With nginx acting as reverse proxy, port 5000 is not exposed to the public internet.

The only reason that wouldn't work is if port 80 and/or 443 are not available to you for inbound requests. Some residential ISPs block those, for example. Or, the ISP modem/router uses one of those ports for its own admin purposes and does not allow changes.

Given your gunicorn already works with HTTP requests the proxy statements from nginx to it should be straightforward.

2 Likes
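A worked nginx site definition for the layout MikeMcQ describes in the two replies above (nginx on 80/443 in front of gunicorn, which stays on 127.0.0.1:5000 and is never reachable from the internet). This is an added example, not configuration posted in the thread or taken from the DigitalOcean tutorial; it assumes the router now forwards ports 80 and 443 to the nginx host's LAN address, and it uses Certbot's default certificate paths for gateslink.au.

```nginx
# Example /etc/nginx/sites-available/flask (added example, not from the thread).
# Step 1: nginx answers plain HTTP on port 80 and proxies to gunicorn, which
# listens only on loopback. The router forwards 80 -> this host, not -> 5000,
# so the public URL becomes http://gateslink.au/vids with no port in it.
server {
    listen 80;
    server_name gateslink.au www.gateslink.au;

    # After "sudo certbot --nginx -d gateslink.au -d www.gateslink.au" succeeds,
    # replace this location block with:  return 301 https://$host$request_uri;
    # so browsers are sent to HTTPS instead of reaching the app over plain HTTP.
    location / {
        include proxy_params;              # Host / X-Forwarded-* headers for Flask
        proxy_pass http://127.0.0.1:5000;  # gunicorn on loopback only (note: one colon)
    }
}

# Step 2: the HTTPS server block. This is the shape the --nginx installer adds
# once the port 80 block works; certificate paths are Certbot's defaults
# (assumed here for the domain gateslink.au).
server {
    listen 443 ssl;
    server_name gateslink.au www.gateslink.au;

    ssl_certificate     /etc/letsencrypt/live/gateslink.au/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/gateslink.au/privkey.pem;

    location / {
        include proxy_params;
        proxy_pass http://127.0.0.1:5000;
    }
}
```

Check the file with `sudo nginx -t` before `sudo systemctl reload nginx`; with this layout the ufw rule to keep is `sudo ufw allow 'Nginx Full'`, and the old `allow 5000` rule is no longer needed.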

Hi MikeMcQ

I agree that I don't need and shouldn't use the port value in the url and it should be hidden at the very least internally.
I'll get back to you today sometime ( my time ) and thanks :blush:
