My domain is: foundry.dyoung.page
I ran this command: certbot (ran successfully and Let's Debug passes)
My web server is (include version): nginx Version: 1.18.0-0ubuntu1
The operating system my web server runs on is (include version): Linux Mint 20.1 (Ulyssa)
My hosting provider, if applicable, is: None - self hosting
I can login to a root shell on my machine (yes or no, or I don't know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0
My nginx config file in sites-available reads as follows:
server {
# Adjust this to the FQDN you chose!
server_name foundry.dyoung.page;
access_log /var/log/nginx/foundry/access.log;
error_log /var/log/nginx/foundry/error.log;
location ^~ /.well-known/acme-challenge {
allow all;
root /var/www/letsencrypt;
auth_basic off;
}
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Adjust the port number you chose!
proxy_pass http://127.0.0.1:30000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 90;
# Again, adjust both your FQDN and your port number here!
proxy_redirect http://127.0.0.1:30000 http://foundry.dyoung.page;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/foundry.dyoung.page/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/foundry.dyoung.page/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = foundry.dyoung.page) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name foundry.dyoung.page;
return 404; # managed by Certbot
}
Thank you for your help @_az. I can't get a screenshot of the error message in Chrome, but here is the text:
Your connection is not private
Attackers might be trying to steal your information from foundry.dyoung.page (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID
To get Chrome’s highest level of security, turn on enhanced protection
foundry.dyoung.page normally uses encryption to protect your information. When Google Chrome tried to connect to foundry.dyoung.page this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be foundry.dyoung.page, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.
You cannot visit foundry.dyoung.page right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.
Are you connecting to https://foundry.dyoung.page at the default port? Or perhaps on a different port than 443? Because your regular HTTPS port 443 is fine.
It's strange because usually when there is a certificate error, you can click advanced and ignore the warning and go forward anyway, but this error message is different and doesn't give me that option. Here is a picture of the screen I'm getting (sorry, my screen capture extension isn't working for this page either...)
Wait, there is a complicating factor I've been forgetting. The server is running as a virtual machine on a proxmox server. This is my first time using proxmox and I am realizing I haven't looked into network routing for that. If any of you happen to know what is needed there, I'd appreciate a pointer, but otherwise, I'll do some digging in that direction and get back.
OK, I think the NAT theory is probably correct then!
If you can, try re-assigning the web admin port on your Comcast Router from port 443, to something else. If this is possible, it should be somewhere with the settings.
I don't know how locked-down Comcast routers are so I can't tell you whether it's possible, but I hope it is.
My network is set up with a Comcast cable modem/router hooked to only one device: which is my Nest/Google wifi router.
I was getting tired of doing port configuration in both the comcast router and in the Nest router, so I tried setting the comcast to use a DMZ which points to the Nest/Google router and then I do all the port forwarding only on the Nest router (in this case, 443 and 80 to my internal foundry.dyoung.page server). Is that a broken setup?
Can you add an entry into the client hosts file?
[for Windows: c:\windows\system32\drivers\etc\hosts]
[for Linux: /etc/hosts]
If so, try adding something like: 192.168.1.100 foundry.dyoung.page
[replacing "192.168.1.100" with the actual internal IP of the foundry server]
Are you able to access that IP directly?
Like are you on the same network with it?
Or do you have to cross a router/firewall?
[pardon my lack of understanding (your setup)]
Some simple tests:
ping IP.IP.IP.IP
traceroute IP.IP.IP.IP
http://IP.IP.IP.IP/
https://IP.IP.IP.IP/
[replace IP.IP.IP.IP with actual local IP of server]
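The checks suggested above, gathered into one script as an added example (this is not code posted by anyone in the thread). It connects to the server's LAN IP and to the public IP while sending the FQDN as the TLS server name, which has the same effect as the hosts-file entry without editing the hosts file, then compares which certificate each path actually serves. It assumes openssl is installed and takes the addresses from the hypothetical environment variables LAN_IP, PUBLIC_IP and FQDN; the classify_cert and verdict functions work on pasted openssl output and need no network.

```shell
#!/bin/sh
# Added example for this thread (not code posted by anyone in it): run the
# suggested checks against the server's LAN IP and the public IP and compare
# which certificate each one hands out for the FQDN.
# Assumptions: openssl is installed; the addresses come from the environment
# variables LAN_IP, PUBLIC_IP and FQDN (hypothetical names chosen here).
set -u

# probe_cert IP FQDN [PORT]: fetch the leaf certificate that IP:PORT serves
# when asked (via SNI) for FQDN. Connecting to the raw IP but sending the FQDN
# as server name is the hosts-file trick without touching the hosts file.
probe_cert() {
  ip=$1; sni=$2; port=${3:-443}
  cert=$(openssl s_client -connect "$ip:$port" -servername "$sni" </dev/null 2>/dev/null \
         | openssl x509 2>/dev/null)
  [ -n "$cert" ] || return 0
  printf '%s\n' "$cert" | openssl x509 -noout -subject -issuer
  # subjectAltName listing needs OpenSSL 1.1.1+; skip quietly on older builds
  printf '%s\n' "$cert" | openssl x509 -noout -ext subjectAltName 2>/dev/null || true
}

# classify_cert TEXT: TEXT is probe_cert output. Prints one of:
#   no-cert      nothing answered TLS on that port
#   self-signed  issuer equals subject (typical for a router/admin UI)
#   letsencrypt  issued by Let's Encrypt (what certbot installed in nginx)
#   other-ca     some other issuer
classify_cert() {
  subject=$(printf '%s\n' "$1" | sed -n 's/^subject= *//p')
  issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer= *//p')
  if [ -z "$subject" ]; then
    echo no-cert
  elif [ "$subject" = "$issuer" ]; then
    echo self-signed
  else
    case $issuer in
      *"Let's Encrypt"*) echo letsencrypt ;;
      *) echo other-ca ;;
    esac
  fi
}

# verdict LAN_CLASS PUBLIC_CLASS: what the pair of classifications implies.
verdict() {
  if [ "$1" = letsencrypt ] && [ "$2" = letsencrypt ]; then
    echo ok            # both paths reach the certbot-managed nginx
  elif [ "$1" = letsencrypt ]; then
    echo nat-mismatch  # public :443 is answered by another device (router admin UI?)
  elif [ "$1" = no-cert ]; then
    echo nginx-down    # nothing on 443 at the LAN IP: check nginx before the routers
  else
    echo unclear
  fi
}

# Only touch the network when all three addresses are supplied.
if [ -n "${LAN_IP:-}" ] && [ -n "${PUBLIC_IP:-}" ] && [ -n "${FQDN:-}" ]; then
  lan=$(probe_cert "$LAN_IP" "$FQDN")
  pub=$(probe_cert "$PUBLIC_IP" "$FQDN")
  printf -- '--- %s ---\n%s\n' "$LAN_IP" "$lan"
  printf -- '--- %s ---\n%s\n' "$PUBLIC_IP" "$pub"
  echo "verdict: $(verdict "$(classify_cert "$lan")" "$(classify_cert "$pub")")"
fi
```

Run it as `LAN_IP=192.168.86.86 PUBLIC_IP=<your public IP> FQDN=foundry.dyoung.page sh check.sh` from a machine on the LAN. A "nat-mismatch" verdict with a self-signed public certificate means port 443 on the public address is being answered by something other than the nginx VM, which is exactly what the NAT/router-admin theory in this thread predicts.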
My LAN (I have full access)
1a. PC on LAN running Proxmox (a linux distro that runs VMs) (at 192.168.86.100)
1a1. A VM running the foundry server I'm trying to reach (VM is given ip of 192.168.86.86 on local LAN)
1b. A laptop from which I'll run the commands you gave me (using the local LAN IP of 1a1)
RESULTS
> traceroute 192.168.86.86
traceroute to 192.168.86.86 (192.168.86.86), 64 hops max
1 192.168.86.86 9.072ms 7.142ms 8.325ms
> ping 192.168.86.86
PING 192.168.86.86 (192.168.86.86) 56(84) bytes of data.
64 bytes from 192.168.86.86: icmp_seq=1 ttl=64 time=6.50 ms
64 bytes from 192.168.86.86: icmp_seq=2 ttl=64 time=6.48 ms
^C
--- 192.168.86.86 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 6.478/6.487/6.496/0.009 ms
http://IP.IP.IP.IP/ gets me a 404 error. https://IP.IP.IP.IP/ gets me an error page ("Your connection not private") from Chrome, but unlike when I try to do this from outside the LAN, it lets me override and connect to the site instead of making me type "thisisunsafe". I then get my server app successfully.
When I do https://publicIPaddress, I get a "Your connection not private", but because the .page domain is HSTS, it doesn't include an (obvious) option for overriding and connecting anyway. If I type "thisisunsafe", I get my router config screen instead of the server.
I should mention that I have both 80 and 443 port forwarded on both my Comcast router (which faces the internet and has only one internal connection to my Google router) and my Google router (which provides my local LAN with the systems above and assigns fixed IP addresses for the systems on my LAN)