I cannot get a certification

I tried using the subdomain that is actually connected to Immich; I got this:

sudo certbot -a webroot -i nginx -w /var/www/html -d immich.harryisback.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for immich.harryisback.org

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: immich.harryisback.org
  Type:   unauthorized
  Detail: 155.4.61.251: Invalid response from https://immich.harryisback.org/.well-known/acme-challenge/x1tJZQzxwdDmr7j6ejOT1BE_ZEd_sM2iEGwfyeLRrSw: "<!doctype html>\n<html>\n  <head>\n    <!-- (used for SSR) -->\n    <!-- metadata:tags -->\n\n    <meta charset=\"utf-8\" />\n    <meta n"

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.


The HTTP challenge files should be served by that root [not redirected to HTTPS].

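An added example, not from the thread or from the Immich project, of an nginx configuration that makes the webroot challenge above succeed. The error output shows the CA's request ending up at an `https://` URL and receiving Immich's HTML, so the plain-HTTP request for `/.well-known/acme-challenge/` was redirected and then answered by the app. Here that path is served from `/var/www/html` (the `-w` directory used in the command) and is declared before the redirect, so the CA gets the token file. The upstream address `127.0.0.1:2283` is an assumption (Immich's usual port), and the certificate paths are the defaults Certbot writes under `/etc/letsencrypt/live/`, which exist only after a certificate has been issued.

```nginx
# Added example (not from the thread): HTTP server block for the ACME webroot challenge.
server {
    listen 80;
    listen [::]:80;
    server_name immich.harryisback.org;

    # Serve ACME tokens from the directory given to certbot with -w.
    # This location must be matched before the redirect below, so the CA
    # receives the plain token file rather than a 301 or the Immich page.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name immich.harryisback.org;

    # Default Certbot paths; present only after the first successful issuance.
    ssl_certificate     /etc/letsencrypt/live/immich.harryisback.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/immich.harryisback.org/privkey.pem;

    location / {
        # Assumed upstream: Immich listening locally on port 2283.
        proxy_pass http://127.0.0.1:2283;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

To check the path before asking the CA again: run `sudo nginx -t && sudo systemctl reload nginx`, create a file such as `/var/www/html/.well-known/acme-challenge/test` containing a known string, and fetch `http://immich.harryisback.org/.well-known/acme-challenge/test` with `curl -i` from outside the network. A `200` whose body is exactly that string means the challenge will be served; a `301` or an HTML body means the redirect or the proxy is still in front of the location.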

You do not need to use the "proxy" setting at Cloudflare. That sets up their CDN and your server as the Origin Server. Without this proxy you just use their DNS service.

And, for that you can use Certbot as:
https://certbot-dns-cloudflare.readthedocs.io/en/stable/

It is possible to use Cloudflare "proxy" but your Origin Server would still be nginx - not your immich system. Then your local nginx server proxies to your local immich system. You could maybe use the Cloudflare Origin CA cert on your nginx system. This would avoid needing to use Certbot to get a cert for your nginx. But, evaluating all this is more complex and maybe best avoided given your difficulties so far.


Does this work? It is just a test. Just let us know the result. Do not issue any other Certbot command yet.

sudo certbot certonly --dry-run --nginx -d immich.harryisback.org

What does this mean?

"Dry run was successful" - that's the best news I've ever heard!


Great. Now try
sudo certbot --nginx -d immich.harryisback.org


It worked, great. Do I have to do anything more now? Or is my site secure for logins and entering passwords?


HTTPS requests to your domain see a valid cert. So that's great. As for whether your site behaves as you wish, that is for you to determine :)

You can check your cert with a site like below. As for the rest you know your app better than we do


Thank you all for the support, and thank you for being so patient with me. Everything seems to be working, but I do wonder, what happens when my certificate runs out (according to your link it runs out in 90 days)?


And! If I want to create more sites to show, how would I do that? Can I just add more blocks?

Depending on how you installed, most likely a cronjob or systemd timer was installed. This cronjob or timer will run Certbot twice a day and ask it to renew any certificate due for renewal (which is when the cert expires within 30 days).

You claim to have installed Certbot 1.21.0 on Debian Bookworm, but when I look at Debian -- Details of package certbot in bookworm, Debian Bookworm should ship Certbot 2.1.0? So I'm curious how you installed it. When installed using Debian's apt package, a cronjob should automatically have been installed (AFAIK it's a cronjob).

Yes, and then run the Certbot command again (but with a different -d ...). But please note that this is not the generic "nginx configuration Community". We've helped you so far that you can install a certificate, but the whole "fixing nginx" was to be honest not really our scope to begin with.


I think I installed Certbot with this command (that ChatGPT gave me):

sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx

Okay, yeah, I do understand that you helped me with things not directly related to the certification, and thanks much for that.


Would you show output of this?

sudo certbot --version

Because bookworm most definitely includes v2.1 and bullseye was 1.12. So, something is slightly amiss.

Also show this

cat /etc/crontab | grep -i certbot
harrykotten@pi:~ $ sudo certbot --version
certbot 2.1.0
harrykotten@pi:~ $ cat /etc/crontab | grep -i certbot
harrykotten@pi:~ $ 

Well, that sorts the version anyway.

I thought Debian 12 used crontab but maybe it is one of these. Please show output of both

cat /etc/cron.*/* | grep -i certbot

sudo systemctl list-timers | grep -Ei "certbot|renew"
harrykotten@pi:~ $ cat /etc/cron.*/* | grep -i certbot
# /etc/cron.d/certbot: crontab entries for the certbot package
# certbot.timer.
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --no-random-sleep-on-renew
harrykotten@pi:~ $ sudo systemctl list-timers | grep -Ei "certbot|renew"
Thu 2024-11-07 09:18:57 CET 14h left     Wed 2024-11-06 13:03:01 CET 5h 51min ago certbot.timer                certbot.service
harrykotten@pi:~ $ 

hmm...

Looks like you have two jobs [doing the same thing].

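As an added example (not from the thread or from the Debian package), a small POSIX shell script that reproduces the decision the `/etc/cron.d/certbot` entry shown above makes. That cron line only reaches `certbot -q renew` when `test -x /usr/bin/certbot -a \! -d /run/systemd/system` succeeds, that is, when the Certbot binary is executable and the `/run/systemd/system` directory does not exist; the paths are parameters here so the logic can be exercised against constructed directories. The cron line embedded below is copied from the output in the thread.

```sh
#!/bin/sh
# Added example, not part of the thread. Emulates the guard in Debian's
# /etc/cron.d/certbot entry and reports which renewal runner is active.

# Copy of the cron line shown in the thread output (constructed constant).
CERTBOT_CRON_LINE="0 */12 * * * root test -x /usr/bin/certbot -a \\! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew --no-random-sleep-on-renew"

# cron_guard_allows_run CERTBOT_PATH SYSTEMD_RUN_DIR
# Returns 0 when the cron job would actually invoke certbot, 1 otherwise.
# Mirrors: test -x /usr/bin/certbot -a \! -d /run/systemd/system
cron_guard_allows_run() {
    [ -x "$1" ] && [ ! -d "$2" ]
}

# cron_line_has_systemd_guard LINE
# Returns 0 if a crontab line contains the "yield to systemd" guard.
cron_line_has_systemd_guard() {
    case "$1" in
        *'-d /run/systemd/system'*) return 0 ;;
        *) return 1 ;;
    esac
}

# renewal_runner CERTBOT_PATH SYSTEMD_RUN_DIR
# Prints which mechanism will drive "certbot renew" on this host:
#   systemd-timer  systemd is running, so the cron entry exits early and
#                  certbot.timer is the one that renews
#   cron           no systemd run directory, so the cron entry runs certbot
#   none           certbot binary missing or not executable
renewal_runner() {
    if [ ! -x "$1" ]; then
        echo none
    elif [ -d "$2" ]; then
        echo systemd-timer
    else
        echo cron
    fi
}

# Report for the current host using the real paths (harmless if certbot is absent).
echo "renewal runner on this host: $(renewal_runner /usr/bin/certbot /run/systemd/system)"
if cron_line_has_systemd_guard "$CERTBOT_CRON_LINE"; then
    echo "cron entry is guarded: it exits before certbot when /run/systemd/system exists"
fi
```

On a Debian system booted with systemd, `/run/systemd/system` exists, so the script prints `systemd-timer`; the cron entry and the timer listed by `systemctl list-timers` are therefore not both running `certbot renew`. The `perl -e 'sleep int(rand(43200))'` part of the cron line spreads the cron-driven run randomly across its 12-hour window, which is why it passes `--no-random-sleep-on-renew` to Certbot itself.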