I cannot make a correct configuration for nginx with Magento 2


#1

My server: Ubuntu 16.04, Nginx 1.10, PHP 7, MySQL 5.7.
The site runs on Magento 2. I am trying to add a Let’s Encrypt SSL certificate.
I have read “How To Secure Nginx with Let’s Encrypt on Ubuntu 16.04” many times.
My domains are: agestor.ru www.agestor.ru agestor.com www.agestor.com

I ran this command: sudo letsencrypt certonly -a webroot --webroot-path=/var/www/agestor.ru/html -d agestor.ru -d www.agestor.ru -d agestor.com -d www.agestor.com
Or:
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/agestor.ru/html -d agestor.ru -d www.agestor.ru

It produced this output:

sudo letsencrypt certonly -a webroot --webroot-path=/var/www/agestor.ru/html -d agestor.ru -d www.agestor.ru -d agestor.com -d www.agestor.com
Failed authorization procedure. agestor.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://agestor.com/.well-known/acme-challenge/TsAoW3va_kj5gSu05huAikPmpROy_d1fA8wBZwmA8ZY: "<!doctype html>
<html lang="ru-RU">
<head >
    <script>
var require = {
    "baseUrl": "http://agestor.ru/stati", agestor.ru (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://agestor.ru/.well-known/acme-challenge/wvuw-yd-MKzpUt_E_I9wZ2AhtwrbZJIH_cOm2JANKrE: "<!doctype html>
<html lang="ru-RU">
<head >
    <script>
var require = {
    "baseUrl": "http://agestor.ru/stati", www.agestor.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.agestor.com/.well-known/acme-challenge/wM5zgGm6puRGXz6cRAqcLWfN6ODLl-evVwuHjx7h31U: "<!doctype html>
<html lang="ru-RU">
<head >
    <script>
var require = {
    "baseUrl": "http://agestor.ru/stati", www.agestor.ru (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.agestor.ru/.well-known/acme-challenge/4H0s6Czl-cAzTQIdo8KUArdACh427S9pazw1bvFKjUM: "<!doctype html>
<html lang="ru-RU">
<head >
    <script>
var require = {
    "baseUrl": "http://agestor.ru/stati"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: agestor.com
   Type:   unauthorized
   Detail: Invalid response from http://agestor.com/.well-known/acme-
   challenge/TsAoW3va_kj5gSu05huAikPmpROy_d1fA8wBZwmA8ZY: "<!doctype
   html>
   <html lang="ru-RU">
   <head >
       <script>
   var require = {
       "baseUrl": "http://agestor.ru/stati"

   Domain: agestor.ru
   Type:   unauthorized
   Detail: Invalid response from http://agestor.ru/.well-known/acme-
   challenge/wvuw-yd-MKzpUt_E_I9wZ2AhtwrbZJIH_cOm2JANKrE: "<!doctype
   html>
   <html lang="ru-RU">
   <head >
       <script>
   var require = {
       "baseUrl": "http://agestor.ru/stati"

   Domain: www.agestor.com
   Type:   unauthorized
   Detail: Invalid response from http://www.agestor.com/.well-known
   /acme-challenge/wM5zgGm6puRGXz6cRAqcLWfN6ODLl-evVwuHjx7h31U:
   "<!doctype html>
   <html lang="ru-RU">
   <head >
       <script>
   var require = {
       "baseUrl": "http://agestor.ru/stati"

   Domain: www.agestor.ru
   Type:   unauthorized
   Detail: Invalid response from http://www.agestor.ru/.well-known
   /acme-challenge/4H0s6Czl-cAzTQIdo8KUArdACh427S9pazw1bvFKjUM:
   "<!doctype html>
   <html lang="ru-RU">
   <head >
       <script>
   var require = {
       "baseUrl": "http://agestor.ru/stati"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

I tried other configurations, but I have no experience to understand what I need to do with this configuration. It works well for http:

upstream fastcgi_backend {
    server unix:/var/run/php/php7.0-fpm.sock;
}

server {
    listen 80;
    server_name www.agestor.ru www.agestor.com agestor.com;
    return 301 $scheme://agestor.ru$request_uri;
}

server {
    listen 80 default_server;
    server_name agestor.ru;

    set $MAGE_ROOT /var/www/agestor.ru/html;
    set $MAGE_MODE default;

    location ~ /.well-known {
        allow all;
    }

    location = /robots.txt {
        alias /var/www/agestor.ru/html/robots.txt;
    }
    
    location = /sitemap.xml {
        alias /var/www/agestor.ru/html/sitemap.xml;
    }

    include /var/www/agestor.ru/html/nginx.conf.sample;
}

#2

Your site/domain has an AAAA record with an IPv6 address, but there’s nothing listening behind it. If I try to connect to the IPv4 address, I can connect, but with IPv6: timeout.


#3

Do I need to write the host name for IPv6?


#4

Either enable connectivity through IPv6 to your server or remove the AAAA record from your hostnames.


#5

I connected IPv6. Now it will work. But my config is wrong for the command:
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/agestor.ru/html -d agestor.ru -d www.agestor.ru
And the configuration:
location ~ /.well-known {
    allow all;
}


#6

No it doesn’t:

osiris@desktop ~ $ telnet agestor.ru 80
Trying 2a03:6f00:4::bce1:224d...
telnet: connect to address 2a03:6f00:4::bce1:224d: No route to host
Trying 188.225.32.215...
Connected to agestor.ru.
Escape character is '^]'.
^CConnection closed by foreign host.
osiris@desktop ~ $ 

But perhaps that needs some time to propagate or something.

I don’t understand. Which ‘ssl comand’?


#7

Changed my reply. Is IPv6 needed for the site and for the SSL certificate?


#8

IPv6 isn’t 100% required, but:

Now you’re saying on the DNS level: “Look! I’ve got IPv6!!! You can connect to IP address 2a03:6f00:4::bce1:224d for my site!”, but…: it’s not possible to connect to that IP address… So you’re advertising (through the AAAA record in your DNS) something which isn’t possible.

So either: fix IPv6 connectivity or don’t advertise it.

With regards to your command: the = after the webroot-path isn’t necessary, perhaps even generating trouble, but I’m not sure about that. And you forgot agestor.com and www.agestor.com :wink:


#9

Okay, I understand, I need to remove AAAA. I didn’t forget, I tried the command with 1 and 2 domain names and with www. I think my problem is in the nginx configuration. My config is not usual, it is for Magento 2.


#10

Your redirect is fine (when connected through IPv4 that is ;)):

osiris@desktop ~ $ telnet agestor.ru 80
Trying 2a03:6f00:4::bce1:224d...
telnet: connect to address 2a03:6f00:4::bce1:224d: No route to host
Trying 188.225.32.215...
Connected to agestor.ru.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.agestor.ru

HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.0 (Ubuntu)
Date: Sun, 22 Jan 2017 13:11:45 GMT
Content-Type: text/html
Content-Length: 194
Connection: keep-alive
Location: http://agestor.ru/

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.10.0 (Ubuntu)</center>
</body>
</html>
^CConnection closed by foreign host.
osiris@desktop ~ $ 

See? Fine redirect to the host without the www. So that’s fine.

And also when connecting to agestor.ru and requesting something from /.well-known/acme-challenge/ “works”. It gives a 404 file not found obviously, but there’s no “Connection error”.

So my guess is the Could not connect to domain.ru you’re getting is related to the IPv6 record which is advertised in DNS.

By the way: if possible, I would opt to fix IPv6 connectivity and not delete the AAAA record, because the former (good IPv6 connectivity) is the future of the web and the latter is just an easy fix. But I can understand you choose the “easy fix” for now :wink:


#11

I am not looking for easy ways. :wink: But then I need a lot of work installing an IPv6 server before I can start to get a certificate. Do you think the problem is that the request goes over IPv6? I think the problem is in /.well-known/acme-challenge.


#12

Installing? “Ipv6 server”? It is just a network thing, you don’t need a brand new server for that… But I recommend, guessing your know-how of IPv6, it’s better for now to go for the easy fix :wink:

Yes I do, because with IPv4, everything looks OK from my end.

Why do you think that?


#13

“If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.” The webroot plugin uses /.well-known.
I need to find information about IPv6 for my VDS…


#14

Well, that’s one step of the whole troubleshooting thing… But first, you should look at the error the client is giving you: a connection problem.

The path, e.g., /.well-known/blahblahblah is something that’s relevant after connecting to your server. This can be a problem with redirecting. For example, we’ve seen users redirecting hosts or directories (the latter is possible too) to a non-existing hostname, because of a typo.

But we’ve already seen that the redirects in place are fine. And trying to request something from http://agestor.ru/.well-known/acme-challenge/, e.g. http://agestor.ru/.well-known/acme-challenge/test results in a 404 error. A file not found error, not a “connection error”.

So we’re back to the connecting part, which probably is due to lacking IPv6 support while announcing an AAAA record, I still believe.


#16

I’ve updated the question. AAAA cannot be deleted. I cannot find information about IPv6 for Ubuntu 16 and Nginx. Maybe .well-known is wrong.


#17

Although I’m not sure I follow your English, I can see you’ve deleted the AAAA-record somehow. Therefore, no connection troubles any more, but now the 404 error surfaces.

If you put a test file in your webroot, like so:

echo "Hello world" > /var/www/agestor.ru/html/.well-known/acme-challenge/test

Can you access it through http://agestor.ru/.well-known/acme-challenge/test ?
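
Read together, the first post’s error output and the test-file check just above point at one specific thing to verify: the webroot-path given to letsencrypt (/var/www/agestor.ru/html) is not the directory nginx serves from once Magento 2’s nginx.conf.sample is included. That sample file sets `root $MAGE_ROOT/pub` (stated here as an assumption about the sample shipped with the Magento version in use), and the `location ~ /.well-known { allow all; }` block in the first post sets no root of its own, so a challenge request is looked up under pub/, misses, and falls through to Magento’s error page, which is the HTML the validation server quoted back. The script below is an added example, not code from the thread or from any of its participants. It emits an nginx location that pins the challenge path to the webroot, and it performs the test-file check over IPv4 and IPv6 separately, classifying the reply so that “served by the application” is distinguishable from a plain 404 and from a connection failure. The domain names and the webroot path are taken from the thread; the probe token, the snippet path and the `classify_response`, `write_acme_location` and `probe` function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an ACME http-01 token placed in the
# Let's Encrypt webroot is the file nginx actually serves, per domain and per address
# family, and emit an nginx location that pins the challenge path to that webroot.
# Assumptions (constructed for the example): the webroot and domains come from the
# thread; curl is installed; the live probe runs on the host that owns the webroot.

WEBROOT="${WEBROOT:-/var/www/agestor.ru/html}"   # same value as --webroot-path
TOKEN="acme-webroot-probe-$$"                       # constructed probe token, not a real one

# classify_response EXPECTED HTTP_CODE BODY
# Prints one word describing what came back for the probe token:
#   ok        : the exact token body with status 200, so the webroot is served correctly
#   app-page  : an HTML document, i.e. the request fell through to Magento's front
#               controller or error page (what the thread's first post shows)
#   not-found : a plain 404, i.e. nginx looked in a directory other than the webroot
#   other     : anything else (redirect, 403, proxy page, ...)
classify_response() {
    expected="$1"; code="$2"; body="$3"
    case "$body" in
        *"<!doctype"*|*"<!DOCTYPE"*|*"<html"*) echo app-page; return ;;
    esac
    if [ "$code" = "200" ] && [ "$body" = "$expected" ]; then
        echo ok
    elif [ "$code" = "404" ]; then
        echo not-found
    else
        echo other
    fi
}

# write_acme_location FILE WEBROOT
# Writes an nginx snippet to include inside the server block, before the Magento
# include. Magento 2's nginx.conf.sample sets "root $MAGE_ROOT/pub" (assumption about
# the sample file in use), so without an explicit root here the challenge directory
# is looked up under pub/, not under the --webroot-path.
write_acme_location() {
    cat > "$1" <<EOF
# Serve ACME http-01 challenges straight from the Let's Encrypt webroot.
# "^~" is a prefix match that takes precedence over the regex locations in
# nginx.conf.sample, so the request never reaches Magento's try_files/index.php.
location ^~ /.well-known/acme-challenge/ {
    root $2;
    default_type "text/plain";
    try_files \$uri =404;
}
EOF
}

# probe DOMAIN FAMILY
# Fetches the token over one address family only (-4 or -6), so an AAAA record with
# nothing listening behind it shows as connect-failed on IPv6 while IPv4 still works.
probe() {
    domain="$1"; family="$2"
    out=$(curl -s "$family" --max-time 10 -w '\n%{http_code}' \
        "http://$domain/.well-known/acme-challenge/$TOKEN") || { echo connect-failed; return; }
    code=$(printf '%s\n' "$out" | tail -n 1)   # last line is the status code from -w
    body=$(printf '%s\n' "$out" | sed '$d')    # everything before it is the body
    classify_response "$TOKEN" "$code" "$body"
}

# main DOMAIN...: drop the token into the webroot, probe every domain both ways, clean up.
main() {
    mkdir -p "$WEBROOT/.well-known/acme-challenge"
    printf '%s' "$TOKEN" > "$WEBROOT/.well-known/acme-challenge/$TOKEN"
    for d in "$@"; do
        printf '%-20s IPv4: %-15s IPv6: %s\n' "$d" "$(probe "$d" -4)" "$(probe "$d" -6)"
    done
    rm -f "$WEBROOT/.well-known/acme-challenge/$TOKEN"
}

# Usage: sh acme-probe.sh agestor.ru www.agestor.ru agestor.com www.agestor.com
# Nothing runs when the file is sourced without arguments.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

To apply the snippet, write it with `write_acme_location /etc/nginx/snippets/acme-challenge.conf /var/www/agestor.ru/html` (path is an example), add `include /etc/nginx/snippets/acme-challenge.conf;` to the `server` block above the `include .../nginx.conf.sample;` line, and reload after `nginx -t` passes. The equivalent alternative is to leave the config alone and pass `--webroot-path=/var/www/agestor.ru/html/pub` to letsencrypt instead, since pub/ is the directory nginx already serves. Whichever is chosen, the `listen 443 ssl` server block added after issuance needs the same location, or the next renewal fails the same way; and a probe that reports `ok` on IPv4 but `connect-failed` on IPv6 is the separate AAAA problem discussed earlier in the thread, not a webroot problem.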


#18

I can’t delete AAAA. I created a file in /var/www/agestor.ru/html/.well-known. I can’t open this file…


#19

Well, it’s gone anyway:

osiris@desktop ~ $ dig +norecurse @ns1.timeweb.ru agestor.ru AAAA

; <<>> DiG 9.10.3-P4 <<>> +norecurse @ns1.timeweb.ru agestor.ru AAAA
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40422
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;agestor.ru. IN AAAA

;; AUTHORITY SECTION:
agestor.ru. 600 IN SOA ns1.timeweb.ru. dns.timeweb.ru. 10062053 28800 7200 604800 600

;; Query time: 49 msec
;; SERVER: 2a03:6f00:1::10#53(2a03:6f00:1::10)
;; WHEN: Sun Jan 22 17:48:09 CET 2017
;; MSG SIZE rcvd: 91

osiris@desktop ~ $

If you keep providing so little information, I’m inclined to give up helping you, sorry… It’s taking sooo much effort, that shouldn’t be necessary… What file did you create… What URL did you try. What was the error… What did your nginx error log say…


#20

Thank you! It’s just the first time I try to install the certificate. I thought there would be some kind of universal options. I just do not know what kind of information I need to provide. I wrote about a configuration error.


#21

For example, this information:

And not something like “a file”, no, exactly which file. And not “some configuration error”, no, exactly which error. Et cetera.