Generate ssl certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: usdzradio.live

nslookup www.usdzradio.live

Server: 169.254.169.254
Address: 169.254.169.254#53

Non-authoritative answer:
www.usdzradio.live canonical name = usdzradio.live.
Name: usdzradio.live
Address: 34.148.79.147

I ran this command:
/opt/bitnami/letsencrypt/lego --tls --email="XXXX.athXXX@gmail.com" --domains="usdzradio.live" --domains="www.usdzradio.live" --path="/opt/bitnami/letsencrypt" run

It produced this output:
2022/03/15 21:38:35 [INFO] [usdzradio.live, www.usdzradio.live] acme: Obtaining bundled SAN certificate
2022/03/15 21:38:35 [INFO] [usdzradio.live] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/88006927300
2022/03/15 21:38:35 [INFO] [www.usdzradio.live] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/88006927310
2022/03/15 21:38:35 [INFO] [usdzradio.live] acme: use tls-alpn-01 solver
2022/03/15 21:38:35 [INFO] [www.usdzradio.live] acme: use tls-alpn-01 solver
2022/03/15 21:38:35 [INFO] [usdzradio.live] acme: Trying to solve TLS-ALPN-01
2022/03/15 21:38:48 [INFO] [www.usdzradio.live] acme: Trying to solve TLS-ALPN-01
2022/03/15 21:38:55 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/88006927300
2022/03/15 21:38:55 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/88006927310
2022/03/15 21:38:55 Could not obtain certificates:
error: one or more domains had a problem:
[usdzradio.live] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for usdzradio.live - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for usdzradio.live - the domain's nameservers may be malfunctioning
[www.usdzradio.live] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: SERVFAIL looking up A for www.usdzradio.live - the domain's nameservers may be malfunctioning; DNS problem: SERVFAIL looking up AAAA for www.usdzradio.live - the domain's nameservers may be malfunctioning

My web server is (include version):
I'm using WordPress with NGINX and SSL Certified by Bitnami and Automattic

nginx version: nginx/1.21.6
with WordPress

The operating system my web server runs on is (include version):
lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No (WordPress)
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Your DNSSEC is broken. usdzradio.live | DNSViz

Did you add the proper DS record at your registrar?

Google should've given it to you when you enabled DNSSEC on their side. (something is very broken considering that Google is both your registrar and your DNS provider. Try waiting a bit.)

3 Likes

You'll have to login to Google Domains and disable DNSSEC on your domain, because it's currently misconfigured. This prevents your domain from functioning at all.

You can set it up again, later if you want.

4 Likes

Thanks it worked by disabling DNSSEC

2 Likes

Thanks it worked

1 Like

Thanks, the certificate problem is solved, but now I have to figure out how I make a reverse proxy out of my nginx.

nginx is pretty much useless as a forward proxy....
So, you shouldn't have too much trouble finding information on "how to" use it for what it was meant for.

1 Like

Thanks for the answer,
but I need to let this http://usdzradio.live:8000/mount pass under HTTPS, otherwise I can't listen to my radio.

nginx supports "streams"
But if you want the client to connect via TLS[HTTPS] and the service isn't doing TLS, then nginx will have to proxy (not stream) the HTTPS requests to the HTTP service.

1 Like

I tried many combinations:
proxy_pass http://localhost:8000;
proxy_pass http://usdzradio.live:8000;

None did work.
I'm doing something wrong most probably; worst case I will revert to HTTP and stop this SSL certificate.

inside your (https, and http) server block that serves the blog:


location /mount {
   proxy_pass http://127.0.0.1:8000/mount;
}

(and you probably need more options, which are in the manual and the documentation)

(and after you've seen that it works, make the icecast server only listen on localhost)

1 Like

Thanks,
it's not working.

My icecast is listening on ports 8000 and 8443.
I can listen to the music if I go directly using the URL http://hooggar.com:8443/mount,
however I can't listen to the music from https://hooggar.com.

This is my 3rd VM this week I install to get it done lol, I will stop.

ss -tlpn | grep 443
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1344,fd=6),("nginx",pid=1342,fd=6))
LISTEN 0 5 0.0.0.0:8443 0.0.0.0:* users:(("icecast2",pid=462,fd=4))

ss -tlpn | grep 8000

LISTEN 0 5 0.0.0.0:8000 0.0.0.0:* users:(("icecast2",pid=462,fd=5))
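An added check, not something posted in the thread, for the earlier advice to make icecast listen only on localhost once nginx is proxying it: it parses `ss -tlpn` output in the layout shown above (sample lines constructed from that output, plus one localhost-only listener) and lists every service bound to all interfaces that is not the TLS-terminating front door.

```python
import re

# One listening socket per line of `ss -tlpn`; the users:(...) part is absent when not run as root.
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

# Local addresses that mean "every interface", IPv4 and IPv6.
WILDCARDS = {"0.0.0.0", "[::]", "*"}

def parse_ss(output):
    """Return (process, address, port) per LISTEN line; process is '?' without users:()."""
    rows = []
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            rows.append((m.group("proc") or "?", m.group("addr"), int(m.group("port"))))
    return rows

def exposed_listeners(output, front_door=("nginx",)):
    """Listeners on all interfaces that are not the reverse proxy doing TLS (nginx here)."""
    return [(proc, addr, port) for proc, addr, port in parse_ss(output)
            if addr in WILDCARDS and proc not in front_door]

def fix_hints(rows):
    """One remediation line per exposed listener; icecast gets its config-file fix."""
    hints = []
    for proc, addr, port in rows:
        if proc == "icecast2":
            hints.append("icecast port %d: add <bind-address>127.0.0.1</bind-address> "
                         "to its <listen-socket>" % port)
        else:
            hints.append("%s port %d bound to %s: bind it to 127.0.0.1 or firewall it"
                         % (proc, port, addr))
    return hints

# Constructed sample: the three lines from the thread plus a localhost-only database socket.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1344,fd=6),("nginx",pid=1342,fd=6))
LISTEN 0 5 0.0.0.0:8443 0.0.0.0:* users:(("icecast2",pid=462,fd=4))
LISTEN 0 5 0.0.0.0:8000 0.0.0.0:* users:(("icecast2",pid=462,fd=5))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mariadbd",pid=700,fd=20))
"""

if __name__ == "__main__":
    for hint in fix_hints(exposed_listeners(SAMPLE_SS)):
        print(hint)
```

Run it on the output of `ss -tlpn` from the server; once nginx proxies /mount, both icecast ports should drop out of the list.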

I don't know how much you know about icecast but many people have struggled with it. One key issue is that the cert file it needs must have both the fullchain and private key in the bundle file. I did not see this mentioned yet in this thread.

Here is another thread with an icecast person from earlier that talks about this and has links to docs.

2 Likes

It looks like icecast and nginx might not play too nice together. There are several example configs online, you might try those.

1 Like

Yes, I did it as it is in the procedure:

cat /opt/bitnami/letsencrypt/certificates/hooggar.com.crt /opt/bitnami/letsencrypt/certificates/hooggar.com.key > /usr/share/icecast2/bundle.pem

My icecast XML file has these values:

<listen-socket>
    <port>8000</port>
    <!-- <bind-address>127.0.0.1</bind-address> -->
    <!-- <shoutcast-mount>/stream</shoutcast-mount> -->
</listen-socket>
<!--
<listen-socket>
    <port>8080</port>
</listen-socket>
-->  
<listen-socket>
    <port>8443</port>
    <ssl>1</ssl>
</listen-socket>

/usr/share/icecast2/bundle.pem

I can see the HTTPS ports listening on

ss -tlpn | grep 443

LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1746,fd=6),("nginx",pid=1744,fd=6))
LISTEN 0 5 0.0.0.0:8443 0.0.0.0:* users:(("icecast2",pid=462,fd=4))

and the HTTP on 🙂

ss -tlpn | grep 8000

LISTEN 0 5 0.0.0.0:8000 0.0.0.0:* users:(("icecast2",pid=462,fd=5))

I don't know if it's the nginx Bitnami version or the icecast, but it's definitely not working.
The ports are listening but the output with HTTPS is not coming.
Thanks for your support.

Your port 8443 is an http one: http://hooggar.com:8443/mount

I don't know why it's ignoring this. Did you reload/restart icecast after adding that?

https://icecast.org/docs/icecast-2.4.1/config-file.html#ports

1 Like

Yes, I did reboot the server.

It's pretty strange.

did you see this?

    <ssl-certificate>/path/to/certificate.pem</ssl-certificate>

https://icecast.org/docs/icecast-2.4.1/config-file.html#path

1 Like

(( /usr/share/icecast2/bundle.pem ))

Yes, the file is there:

ls -l /usr/share/icecast2/

total 24
drwxr-xr-x 2 root root 4096 Mar 17 14:48 admin
-rw-r--r-- 1 root root 5560 Mar 19 18:05 bundle.pem
-rw-r--r-- 1 root root 5560 Mar 17 15:02 icecast.pem.old
drwxr-xr-x 2 root root 4096 Mar 17 14:51 web
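An added checker, not from the thread or the icecast project, for the two bundle points raised here: the PEM icecast loads must contain the certificate chain followed by the private key (the fullchain-plus-key point made earlier), and because that file holds the private key, a bundle.pem that is -rw-r--r-- as in the listing above is flagged as world-readable. The sample bundle is constructed with fake base64 bodies; the chmod 640 advice assumes the icecast2 service user can be given group read access.

```python
import os
import re
import stat

# One PEM block; the END label must match the BEGIN label (CERTIFICATE, PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)

def check_bundle_text(text):
    """Return a list of problems with the bundle content; empty means icecast can load it."""
    types = [m.group(1) for m in PEM_BLOCK.finditer(text)]  # labels in file order
    certs = [i for i, t in enumerate(types) if t == "CERTIFICATE"]
    keys = [i for i, t in enumerate(types) if t.endswith("PRIVATE KEY")]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE block: the .crt was not concatenated in")
    if len(keys) != 1:
        problems.append("expected exactly one PRIVATE KEY block, found %d" % len(keys))
    if certs and keys and keys[0] < certs[0]:
        problems.append("private key comes before the certificate: cat the .crt first")
    return problems

def permission_problem(mode):
    """The bundle holds the private key, so it must not be world-readable (-rw-r--r--)."""
    if mode & stat.S_IROTH:
        return ("mode %o is world-readable: chmod 640 and chown it to a group "
                "the icecast2 user is in" % stat.S_IMODE(mode))
    return None

def check_bundle_file(path):
    """Run the content and permission checks on a real file, e.g. /usr/share/icecast2/bundle.pem."""
    with open(path) as f:
        problems = check_bundle_text(f.read())
    perm = permission_problem(os.stat(path).st_mode)
    if perm:
        problems.append(perm)
    return problems

# Constructed sample with fake base64 bodies, laid out as `cat site.crt site.key` produces.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIConstructedLeafCertBodyNotReal==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIConstructedIntermediateBodyNotReal==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEConstructedPrivateKeyBodyNotReal==
-----END PRIVATE KEY-----
"""
```

For the server in the thread, `check_bundle_file("/usr/share/icecast2/bundle.pem")` should return only the permission problem if the concatenation was done as shown.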