Fail to get certificate for my server

Hello,

I ran the command below to install BigBlueButton, which is a web conferencing system, on my machine. The Let's Encrypt certificate generation is included in the script. Unfortunately I got the error shown below.
Can you please help me to fix this problem?

The command executed:

wget -qO- https://raw.githubusercontent.com/bigbluebutton/bbb-install/v2.7.x-release/bbb-install.sh | bash -s -- -w -v focal-270 -s bbb.univ-bejaia.dz -e info@example.com

My domain is: bbb.univ-bejaia.dz

I ran this command:

wget -qO- https://raw.githubusercontent.com/bigbluebutton/bbb-install/v2.7.x-release/bbb-install.sh | bash -s -- -w -v focal-270 -s bbb.univ-bejaia.dz -e info@example.com -g

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bbb.univ-bejaia.dz
Using the webroot path /var/www/bigbluebutton-default/assets for all unmatched domains.
Waiting for verification...
Challenge failed for domain bbb.univ-bejaia.dz
http-01 challenge for bbb.univ-bejaia.dz
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: bbb.univ-bejaia.dz
   Type:   connection
   Detail: 41.111.207.110: Fetching
   https://bbb.univ-bejaia.dz:443/.well-known/acme-challenge/GUDDGp3cWuDP0cSbKg5BnEtpFXR0UCSttzic-oKzOmU:
   Error getting validation data
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
bbb-install: Let's Encrypt SSL request for bbb.univ-bejaia.dz did not succeed - exiting

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version): ubuntu 20.04

My hosting provider, if applicable, is: we host our server

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I don't know

1 Like

Did you configure nginx yourself? Or did it come from the BBB package?

Because HTTP requests to your domain are being redirected to HTTPS. Which is fine. But, your nginx HTTPS server block is not set up properly. Or, perhaps your Fortinet firewall is blocking the incoming requests. Could be either.

Ideally you would not redirect the HTTP request for the ACME HTTP Challenge and just do all the rest. If you configured your nginx could you show the server block for port 80? We could instruct how to modify it.

Otherwise you are probably better off asking your Fortinet support and/or BBB for help on setting up your system. This problem is affecting any requests not just the Let's Encrypt challenge.

# HTTP request to home page redirected (so are LE HTTP challenges)
curl -i http://bbb.univ-bejaia.dz/
HTTP/1.1 302 Object moved
Location: https://bbb.univ-bejaia.dz:443/

# But HTTPS request fails (even ignoring self-signed Fortinet cert)
curl -ik https://bbb.univ-bejaia.dz/
curl: (56) OpenSSL SSL_read: error:0A000126:SSL routines::
unexpected eof while reading, errno 0
3 Likes
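As an added example (not from this thread and not part of bbb-install), the following POSIX shell script reproduces the check the Let's Encrypt validator makes: it plants a token under the webroot shown in the certbot log, fetches it over plain HTTP without following redirects, and classifies the result the way the reply above does (no reply at all vs. a redirect to HTTPS vs. the token being served). The webroot path and domain are taken from the log; RUN_PROBE=1 is an assumed switch that triggers the live probe.

```shell
#!/bin/sh
# Reproduce the HTTP-01 reachability check the Let's Encrypt validator performs.
# Added example, not part of bbb-install. Assumptions: WEBROOT is the webroot
# path from the certbot log above, DOMAIN is the host being validated.
WEBROOT="${WEBROOT:-/var/www/bigbluebutton-default/assets}"
DOMAIN="${DOMAIN:-bbb.univ-bejaia.dz}"

# Plant a throwaway token where certbot's webroot plugin would; print its name.
place_token() {
  webroot="$1"; token="probe-$(date +%s)-$$"
  mkdir -p "$webroot/.well-known/acme-challenge"
  printf '%s' "$token" > "$webroot/.well-known/acme-challenge/$token"
  printf '%s' "$token"
}

# Classify a curl result (HTTP code, redirect target, body) against the planted
# token. curl reports code 000 when no HTTP response arrives ("Empty reply").
classify() {
  code="$1"; redirect="$2"; body="$3"; expected="$4"
  case "$code" in
    000) echo "UNREACHABLE: no HTTP reply on port 80 (firewall or nothing listening)" ;;
    200) if [ "$body" = "$expected" ]; then echo "OK: token served from webroot"
         else echo "WRONG_CONTENT: 200 but body is not the token (wrong webroot?)"; fi ;;
    301|302|307|308)
         case "$redirect" in
           https://*) echo "REDIRECT_HTTPS: fine only if port 443 then serves the token" ;;
           *) echo "REDIRECT_OTHER: validator would follow $redirect" ;;
         esac ;;
    404) echo "NOT_FOUND: port 80 answers but not from $WEBROOT" ;;
    *)   echo "HTTP_$code: unexpected status" ;;
  esac
}

# Fetch the token from the public side without following redirects, then classify.
probe() {
  token="$1"; url="http://$DOMAIN/.well-known/acme-challenge/$token"
  tmp=$(mktemp)
  meta=$(curl -s --max-time 10 -o "$tmp" -w '%{http_code} %{redirect_url}' "$url")
  classify "${meta%% *}" "${meta#* }" "$(cat "$tmp")" "$token"
  rm -f "$tmp"
}

# Live run (needs write access to WEBROOT): RUN_PROBE=1 sh ./acme-probe.sh
if [ "${RUN_PROBE:-0}" = 1 ]; then
  t=$(place_token "$WEBROOT")
  probe "$t"
  rm -f "$WEBROOT/.well-known/acme-challenge/$t"
fi
```

Run it from a machine outside the FortiWeb perimeter as well as from the server itself: if the local run says OK and the external one says UNREACHABLE, the firewall or proxy in front of nginx is what the validator is hitting.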

First, thank you for your answer.

It comes from the BBB package (The script bbb-install.sh installs and configures nginx).

I asked the Fortinet firewall manager to open ports 80 and 443, so I don't think the problem comes from the firewall. However, in the /etc/nginx/sites-enabled directory I didn't find a block for HTTPS; I only found two files, default and bigbluebutton, and the latter is configured as follows:
server_tokens off;
server {
    listen 80;
    listen [::]:80;
    server_name bbb.univ-bejaia.dz;
    access_log /var/log/nginx/bigbluebutton.access.log;
    location / {
        root /var/www/bigbluebutton-default/assets;
        try_files $uri @bbb-fe;
    }
}

Also, to test if port 443 is open, I ran several commands as you can see in the attached screenshots:

When I run the command ufw status it shows me as if ports 443 and 80 are both open. On the other hand, when I run the two commands nc -zv localhost 443 and ss -tuln | grep :443 it shows me as if port 443 is not open. Can you please tell me the difference between these two displays, and also how to open port 443 if it is closed?

1 Like

Is there any Geo-Location blocking?

1 Like

Someone is redirecting HTTP to HTTPS but that server block does not have any redirect. So, it must be getting redirected before reaching your nginx server. Does your Fortinet do that?

The full reply looks like below. Does that help identify what is doing the redirect?

curl -i http://bbb.univ-bejaia.dz/
HTTP/1.1 302 Object moved
Location: https://bbb.univ-bejaia.dz:443/
Content-Length: 74
Content-Type: text/html

<head><title>Object moved</title></head><body><h1>Object Moved</h1></body>
3 Likes

Indeed, the redirection is done by me in FortiWeb. I just removed this redirection but the problem persists. Can you please test again?

1 Like
curl http://bbb.univ-bejaia.dz/
curl: (52) Empty reply from server

curl http://bbb.univ-bejaia.dz/.well-known/acme-challenge/Test_File-1234
curl: (52) Empty reply from server
2 Likes

Here is what I see

$ curl -vi http://bbb.univ-bejaia.dz/
*   Trying 41.111.207.110:80...
* Connected to bbb.univ-bejaia.dz (41.111.207.110) port 80 (#0)
> GET / HTTP/1.1
> Host: bbb.univ-bejaia.dz
> User-Agent: curl/7.81.0
> Accept: */*
>
* Empty reply from server
* Closing connection 0
curl: (52) Empty reply from server
2 Likes

For port 443 (HTTPS), https://decoder.link/sslchecker/bbb.univ-bejaia.dz/443 shows that a self-signed certificate is being served.

Is Port 80 being handled differently than Port 443?

I don't know; this is the first time I have installed BBB, so I'm a little lost. I usually generate Let's Encrypt certificates for three sites that run under Debian, with Apache as the web server, and I installed certbot myself. When the certificates are generated, I manually import them into FortiWeb and it works. But in this case the bbb script does everything itself and I don't know exactly what it does; in addition, the system and the web server have changed (Ubuntu and nginx). Until now I don't know why the certificate was not generated.

I probably should have given more context for my question about the handling of port 80 as compared to port 443.

From the perspective of Fortinet redirecting the URLs.

1 Like