Installing Let's Encrypt on a DNS to use with a Jellyfin server

I'm trying to install Let's Encrypt on a DNS I just now bought to use with my Jellyfin server. This is my first time setting up a DNS, so it's entirely possible I missed a step somewhere in that process. Below is the error message I keep getting. Any idea of how to fix this?

Sam

My domain is: sbljellyfin.com

I ran this command: sudo certbot --nginx -d sbljellyfin.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for sbljellyfin.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: jellyfin.sbljellyfin.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for sbljellyfin.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for jellyfin.sbljellyfin.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: nearlyfreespeech.net

I can login to a root shell on my machine (yes or no, or I don't know): IDK

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

Welcome to the community @samlane86

I am a little puzzled why when you only used your apex domain sbljellyfin.com in your certbot request the error message also showed your jellyfin subdomain.

Ignoring that for now ... the problem is as the message says. You do not have any A (or AAAA if IPv6) record in your DNS for either domain name. This is required for the http challenge used by the nginx plug-in. And, for people on the public internet to reach you, as those records convert the domain name into the needed IP address.

The Let's Debug test site is often helpful when setting up new sites.


Hey Mike,

Thank you very much for the quick response! I tried running the command with both the domain and subdomain. When I realized, I’d pasted the one with the subdomain to simplify things. Evidently I failed at that. Apologies for the confusion!
I saw the explanation about the A records, but I wasn’t sure what it meant. So I guess I just need to figure out how to add one on my domain registrar?

Sam


Yes :)


Hey Mike,

So I've been trying to set this up, but I'm unsure if I did everything right. Now when I try using the letsdebug, it gives the following error:

A private, inaccessible, IANA/IETF-reserved IP address was found for sbljellyfin.com. Let's Encrypt will always fail HTTP validation for any domain that is pointing to an address that is not routable on the internet. You should either remove this address and replace it with a public one or use the DNS validation method instead.

When adding the A record, what IP address should I be using? I've tried both the one for my wifi network and the one for my Jellyfin server and both produce this error.

Thanks!

Sam


The public IP address of your internet connection.

Note that you should also take care of any NAT portmap and/or firewalls, if applicable.


Hey Osiris!

Thanks for your response! So I tried this and got this error message:

ANotWorking

Error

sbljellyfin.com has an A (IPv4) record (85.229.107.228) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

A timeout was experienced while communicating with sbljellyfin.com/85.229.107.228: Get "http://sbljellyfin.com/.well-known/acme-challenge/letsdebug-test": dial tcp 85.229.107.228:80: i/o timeout

Trace:
@0ms: Making a request to http://sbljellyfin.com/.well-known/acme-challenge/letsdebug-test (using initial IP 85.229.107.228)
@0ms: Dialing 85.229.107.228
@10001ms: Experienced error: dial tcp 85.229.107.228:80: i/o timeout


Your webserver needs to be reachable on TCP port 80 from the internet. Hence my note regarding NAT portmaps and/or firewall(s).


Hey Osiris,

Sorry, a lot of this is new to me. I did attempt to forward port 80, but perhaps I didn't do it properly. Does it also need to be forwarded to the public IP?

No, from the public IP (although not all routers show that) to the private IP address of the webserver.


Is this a residential ISP account? Because some ISPs do not allow port 80 inbound to you (or port 443 sometimes too).

So, it's possible you have it set up right now but I still time out trying to reach your site and the Let's Debug test site (from the earlier link) can't either.


Hey Mike,

It is indeed a residential ISP. It seemed to be working for a while, at least based on Let's Debug. But now it seems to have stopped working again:

ANotWorking

Error

jellyfin.sbljellyfin.com has an A (IPv4) record (85.229.107.228) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

A timeout was experienced while communicating with jellyfin.sbljellyfin.com/85.229.107.228: Get "http://jellyfin.sbljellyfin.com/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://jellyfin.sbljellyfin.com/.well-known/acme-challenge/letsdebug-test (using initial IP 85.229.107.228)
@0ms: Dialing 85.229.107.228
@10000ms: Experienced error: context deadline exceeded

I did notice when logging into my router that it says: WARNING: Ports 22 and 443 are reserved by the service provider, use with caution! If needed, use these port numbers behind the router and arbitrary port numbers on the outside of the router.

So I'm not sure if that could be having some sort of impact.

Sam

Never mind, it is still working. I just got that error because I was connected to a VPN. Now I just need to figure out how to get my Jellyfin server to show up on my domain.

Your two domain names behave differently. That's fine ... they are yours to use as you wish. But, it is unusual and often points to a problem.

A request to http://sbljellyfin.com directs to HTTPS and that request times out.
A request to http://jellyfin.sbljellyfin.com redirects to HTTP for a home page and succeeds.

Port 443 (https) is not open to you and may not work given your router says your ISP reserves it. You may need to use a non-standard port to reach your site. Be careful though as Let's Encrypt only allows standard ports 80 and 443 when requesting certs, so be sure not to redirect the http challenge to a non-standard port.

curl -I -m10 http://sbljellyfin.com
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Location: https://sbljellyfin.com/

curl -I -m10 https://sbljellyfin.com
curl: (28) Connection timed out after 10000 milliseconds


curl -I -m10 http://jellyfin.sbljellyfin.com
HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Location: /jellyfin/web/index.html

curl -I -m10 http://jellyfin.sbljellyfin.com/jellyfin/web/index.html
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
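The checks this thread has worked through by hand (an A/AAAA record whose value is actually routable, TCP port 80 answering through the NAT, and a challenge request that is not redirected somewhere the CA cannot follow) can be scripted. The following is an added example, not code from the thread, from certbot or from Let's Debug: the hostnames and the :8096 port are taken from the thread, while the probe token, the FAIL/WARN wording and the five-hop redirect limit are my own choices.

```python
"""Pre-flight checks for a Let's Encrypt HTTP-01 challenge (added example)."""
import http.client
import ipaddress
import socket
import urllib.parse

ACME_PATH = "/.well-known/acme-challenge/"
ALLOWED_PORTS = {80, 443}  # Let's Encrypt only follows redirects to these ports
REDIRECTS = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # redirects we are willing to follow before giving up (my choice)


def ip_problem(addr):
    """Why an A/AAAA value cannot pass HTTP-01, or None if it looks routable.

    This is the 'private, inaccessible, IANA/IETF-reserved' check Let's Debug
    reported when the record pointed at the LAN address of the Jellyfin box.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return f"{addr} is a loopback address"
    if ip.is_link_local:
        return f"{addr} is link-local"
    if ip.is_private:
        return f"{addr} is private (RFC 1918 / RFC 4193), not routable on the internet"
    if not ip.is_global:  # e.g. 100.64.0.0/10 carrier-grade NAT
        return f"{addr} is reserved or carrier-grade NAT space, not routable"
    return None


def resolve(hostname):
    """Distinct A/AAAA values for hostname; empty list on NXDOMAIN (network call)."""
    try:
        infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe(hostname, timeout=10):
    """Request the challenge path and follow redirects by hand, as the CA does.

    Returns the hop list [(status, url), ...]; status 0 marks a connection
    failure (timeout or refused), which is what a missing NAT port forward,
    a host firewall or an ISP port block looks like. Network call.
    """
    url = f"http://{hostname}{ACME_PATH}preflight-test"  # token is made up
    hops = []
    for _ in range(MAX_HOPS + 1):
        u = urllib.parse.urlsplit(url)
        conn_cls = (http.client.HTTPSConnection if u.scheme == "https"
                    else http.client.HTTPConnection)
        conn = conn_cls(u.hostname, u.port, timeout=timeout)
        try:
            conn.request("GET", u.path or "/")
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
        except OSError:  # timeout, refused, or a TLS failure on an https hop
            hops.append((0, url))
            return hops
        finally:
            conn.close()
        hops.append((status, url))
        if status not in REDIRECTS or not location:
            break
        url = urllib.parse.urljoin(url, location)
    return hops


def redirect_problems(hops):
    """Turn a hop list into FAIL/WARN findings; empty means HTTP-01 should work."""
    findings = []
    for status, url in hops:
        u = urllib.parse.urlsplit(url)
        port = u.port or (443 if u.scheme == "https" else 80)
        if port not in ALLOWED_PORTS:
            findings.append(f"FAIL: hop to port {port} ({url}); the CA only follows "
                            "redirects to ports 80 and 443")
        if not u.path.startswith(ACME_PATH):
            findings.append(f"FAIL: challenge path rewritten to {u.path} ({url}); "
                            "the CA will not find its token there")
        if u.scheme == "https":
            findings.append(f"WARN: redirected to HTTPS ({url}); TCP 443 must then "
                            "be reachable from the internet as well")
    last_status, last_url = hops[-1]
    if last_status == 0:
        findings.append(f"FAIL: no answer from {last_url}; check the NAT port forward, "
                        "the host firewall and whether the ISP blocks the port")
    elif last_status in REDIRECTS:
        findings.append(f"FAIL: still redirecting after {MAX_HOPS} hops ({last_url})")
    elif last_status not in (200, 404):  # 404 is fine: the server answered on the path
        findings.append(f"FAIL: final response was {last_status} from {last_url}")
    return findings


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["sbljellyfin.com", "jellyfin.sbljellyfin.com"]:
        addrs = resolve(host)
        if not addrs:
            print(f"{host}: NXDOMAIN, no A/AAAA record; add one at the registrar")
            continue
        for addr in addrs:
            print(f"{host} -> {addr}: {ip_problem(addr) or 'routable'}")
        findings = redirect_problems(probe(host))
        print(f"{host}: " + ("\n".join(findings) if findings else "HTTP-01 should work"))
```

Run it from outside the home network (or from a VPS), not from behind the same router, because many consumer routers do not hairpin a connection to their own public address; the earlier false alarm in this thread came from testing while on a VPN, which is the same class of problem. A 404 on the made-up token is the expected good result: it proves nginx answered on port 80 at the challenge path, and certbot will serve the real token itself.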

I can't connect to that IP :(

What happens with?:

curl -I -m10 http://jellyfin.sbljellyfin.com/.well-known/acme-challenge/Test_File-1234

Hey Mike,
Apologies for the delayed response. To be honest, as this was my first time setting up a domain and I went through so much trial and error, I couldn't say why the two domains are set up differently. I didn't even intend to end up with two. The latter has been working okay for me now. The only thing I can't get working now is HTTPS. I'm not sure if that's something with Let's Encrypt, JellyFin or both.
Sam


Hey rg305,

It seems to be working okay on my end no matter what network I'm connected to. As I mentioned in my response to Mike, the only thing I can't get working right now is HTTPS. It could be something specific to the way JellyFin is set up. I always have to include the port number I forwarded as well. Try adding :8096 to the end of the url. In any case, I tried running the command you sent and it produces:

HTTP/1.1 404 Not Found
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 02 Sep 2022 21:02:16 GMT
Connection: keep-alive
X-Response-Time-ms: 0

Thanks!
Sam


I see port 443 blocked. Check your router to ensure you have port 443 open and routed to your server similarly to how you did port 80.


I just double checked that I do have it forwarded along with 80. But, as you suggested earlier, I wonder if my ISP is preventing me from using the port. Is it impossible to use Let's Encrypt if I don't have access to 443?

Sam

LE only uses port 80 for an HTTP challenge (*). Once you get the cert you can use it as you like. By default HTTPS uses port 443 but you could setup your router and server for a different port and use that. Just be sure the server has the proper SSL / TLS config. It would be odd for your ISP to block that and not port 80 though.

(*) Unless you explicitly redirect an http challenge to https. And, if port 80 is not available the DNS challenge is possible.

PS: Right now I don't see port 80 open anymore either

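An nginx configuration that puts the last two posts into practice, as an added example and not the thread's own config: the challenge path stays on plain HTTP port 80 and is never redirected, the site's TLS listener moves to a port the ISP does not reserve, and Jellyfin stays on 127.0.0.1:8096 behind the proxy so it no longer needs its own port forward. The hostnames and the :8096 port come from the thread; the webroot path, the choice of 8443 and the certificate lineage name are assumptions. The commented-out block at the top is the shape of the problem Mike observed on the apex domain.

```nginx
# Weak version (what sbljellyfin.com did in the thread): a blanket redirect
# sends the challenge request for /.well-known/acme-challenge/ to port 443
# too, and 443 is reserved by the ISP, so the CA times out.
#
#   server {
#       listen 80;
#       server_name sbljellyfin.com jellyfin.sbljellyfin.com;
#       return 301 https://$host$request_uri;
#   }
#
# Obtain the certificate without certbot's installer, which would add that
# blanket redirect back (webroot path is an assumption; make sure nginx
# can read it):
#   sudo certbot certonly --webroot -w /var/www/letsencrypt \
#        -d sbljellyfin.com -d jellyfin.sbljellyfin.com \
#        --deploy-hook 'systemctl reload nginx'
# If port 80 ever stops being reachable, the DNS-01 challenge is the
# fallback:  sudo certbot certonly --manual --preferred-challenges dns ...

# Corrected version: challenge on port 80, everything else to the TLS port.
server {
    listen 80;
    listen [::]:80;
    server_name sbljellyfin.com jellyfin.sbljellyfin.com;

    # Answered here, never redirected: Let's Encrypt follows redirects only
    # to ports 80 and 443, and 443 does not answer on this connection.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumption: the -w path given to certbot
        default_type text/plain;
    }

    # 8443 is an arbitrary choice; forward it (or any free outside port,
    # per the router's warning) to this host on the router.
    location / {
        return 301 https://$host:8443$request_uri;
    }
}

server {
    listen 8443 ssl http2;
    listen [::]:8443 ssl http2;
    server_name sbljellyfin.com jellyfin.sbljellyfin.com;

    # certbot's default layout; the lineage name is the first -d given above.
    ssl_certificate     /etc/letsencrypt/live/sbljellyfin.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sbljellyfin.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # No HSTS header here on purpose: a browser would then upgrade
    # http://host to https://host on port 443, which the ISP blocks.

    location / {
        proxy_pass http://127.0.0.1:8096;   # Jellyfin's listener (thread uses :8096)
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Jellyfin's web client uses websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

With this in place the site is reached as https://jellyfin.sbljellyfin.com:8443/, port 80 carries nothing but the challenge and a redirect, and the 8096 forward on the router can be removed so Jellyfin is only exposed through TLS. Check the result with nginx -t before reloading, and re-run the Let's Debug test afterwards to confirm the challenge path still answers on port 80.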