Getting SSL certificates for a secure namespace

My domain is: nextcloud.jamesaylward.dev

I ran this command: sudo ./init-letsencrypt.sh

It produced this output:
Fetching http://nextcloud.jamesaylward.dev/.well-known/acme-challenge/RG7tGnHhTqkK-VDYpB37wwiX0aGuP3SfJLOS1HpVAgQ: Connection refused

My web server is (include version):
Based on this guide: Nginx and Let's Encrypt with Docker in Less Than 5 Minutes | by Philipp | Medium
Changed all references of port 443 to 8443

The operating system my web server runs on is (include version):
Debian 12

I can login to a root shell on my machine (yes or no, or I don't know): Yes

The version of my client is: certbot 2.1.0

I have been struggling to get SSL certificates for my domain. I am unsure if I can even authenticate it since I am using a secure namespace (forgive me, I'm not very familiar with web technologies). Is anybody able to point me in the right direction?

While browsers will use HTTPS on that domain because of the HSTS preload of the .dev zone, per RFC 8555 the http-01 challenge starts from port 80, so you need to spin up an HTTP server on port 80.

5 Likes
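To make the point above concrete, here is an added example (not code from the original thread, certbot, or the init-letsencrypt.sh script) that models the CA-side http-01 check from RFC 8555 section 8.3 with only the Python standard library: it builds the URL the CA fetches (always plain http://, so TCP port 80, whatever HSTS says), derives the key authorization the CA expects in the response body (token, a dot, and the RFC 7638 thumbprint of the account key), and replays the checks against captured responses. The account JWK and the hostnames are constructed for illustration; the token is the one from the error output in the question.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

# RFC 8555 section 8.3: the CA fetches http://{domain}/.well-known/acme-challenge/{token}
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required public members,
    lexicographically ordered, with no whitespace in the JSON."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact body that must be served at the challenge URL."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_url(domain: str, token: str) -> str:
    """The URL the CA dereferences. The scheme is fixed to http, which is
    why the first connection always lands on port 80, not 443 or 8443."""
    return f"http://{domain}{CHALLENGE_PREFIX}{token}"


def validate_http01(url: str, status: int, body: str,
                    token: str, account_jwk: dict) -> tuple[bool, str]:
    """Replay the CA's checks on a captured (url, status, body).
    Models only the initial hop; a real CA may follow redirects
    (including to https) after that first port-80 request."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return False, f"http-01 starts over plain http, not {parts.scheme}"
    if (parts.port or 80) != 80:
        return False, f"http-01 is fetched on port 80, not {parts.port}"
    if parts.path != CHALLENGE_PREFIX + token:
        return False, f"unexpected path {parts.path}"
    if status != 200:
        return False, f"expected HTTP 200, got {status}"
    # RFC 8555 allows the CA to ignore trailing whitespace after the body.
    if body.rstrip() != key_authorization(token, account_jwk):
        return False, "body is not the key authorization for this token and account key"
    return True, "ok"


# Constructed inputs: this is NOT a real account key, just a valid JWK shape.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z",
}
# Token taken from the certbot output quoted in the question.
TOKEN = "RG7tGnHhTqkK-VDYpB37wwiX0aGuP3SfJLOS1HpVAgQ"


def demo() -> list[tuple[bool, str]]:
    """Four captured responses: the one the CA wants, then three ways to fail."""
    host = "nextcloud.jamesaylward.dev"
    url = challenge_url(host, TOKEN)
    good = key_authorization(TOKEN, ACCOUNT_JWK)
    return [
        validate_http01(url, 200, good + "\n", TOKEN, ACCOUNT_JWK),
        # Serving the challenge only on the custom TLS port does not help:
        validate_http01(f"https://{host}:8443{CHALLENGE_PREFIX}{TOKEN}", 200, good,
                        TOKEN, ACCOUNT_JWK),
        # Plain http but on the wrong port is rejected as well:
        validate_http01(f"http://{host}:8443{CHALLENGE_PREFIX}{TOKEN}", 200, good,
                        TOKEN, ACCOUNT_JWK),
        # Port 80 answered, but by the application instead of the webroot:
        validate_http01(url, 404, "<html>Not Found</html>", TOKEN, ACCOUNT_JWK),
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print("PASS" if ok else "FAIL", reason)
```

The first entry of `demo()` is the only one that passes; the others show why moving the TLS listener to 8443 is irrelevant to the challenge and why the port-80 listener has to hand the acme-challenge path to the file certbot writes rather than to the application.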

Hi @Mavo12,

Using the online tool Let's Debug yields a result of OK: https://letsdebug.net/nextcloud.jamesaylward.dev/1852982

Port 80 is open and accessible (port 443 is filtered).

$ nmap -Pn -p80,443 nextcloud.jamesaylward.dev
Starting Nmap 7.80 ( https://nmap.org ) at 2024-03-31 20:01 UTC
Nmap scan report for nextcloud.jamesaylward.dev (139.216.33.198)
Host is up (0.20s latency).
rDNS record for 139.216.33.198: 139-216-33-198.sta.dodo.net.au

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.68 seconds

$ curl -Ii http://nextcloud.jamesaylward.dev/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx/1.25.4
Date: Sun, 31 Mar 2024 20:03:06 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4604
Connection: keep-alive
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Permitted-Cross-Domain-Policies: none
X-Robots-Tag: noindex, nofollow
X-XSS-Protection: 1; mode=block
X-Powered-By: PHP/8.2.16
Set-Cookie: ocecq24gw793=638653576b23c1448bbd15ade0dcc03d; path=/; secure; HttpOnly; SameSite=Lax
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=jsGOKdaZuI5Eo0y6MA3GzxNzRcWN6zyEPrmHtD9QUxajpJNXkv4J2O1iPXpJmamthbLi8r%2FzPCs%2Fz50Om79P6GhjD3Z72iVQVCasqiRXZgq8csC74C%2F0YWDPW9T2GGig; path=/; secure; HttpOnly; SameSite=Lax
Set-Cookie: ocecq24gw793=638653576b23c1448bbd15ade0dcc03d; path=/; secure; HttpOnly; SameSite=Lax
Content-Security-Policy: default-src 'none';base-uri 'none';manifest-src 'self';script-src 'self';style-src 'self' 'unsafe-inline';img-src 'self' data: blob: https://*.tile.openstreetmap.org;font-src 'self' data:;connect-src 'self';media-src 'self';frame-src 'self';frame-ancestors 'self';form-action 'self'
Set-Cookie: __Host-nc_sameSiteCookielax=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=lax
Set-Cookie: __Host-nc_sameSiteCookiestrict=true; path=/; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict
Set-Cookie: ocecq24gw793=638653576b23c1448bbd15ade0dcc03d; path=/; secure; HttpOnly; SameSite=Lax
X-Request-Id: MbfD493XCwtvhXZ16XiJ
Feature-Policy: autoplay 'self';camera 'none';fullscreen 'self';geolocation 'none';microphone 'none';payment 'none'

2 Likes

Port 8443 is working well.

2 Likes