Internal error (nginx proxy manager)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ofplayers.net

I ran this command: I ran it through a docker container of Nginx proxy manager

It produced this output:

[3/24/2024] [2:53:31 AM] [Global ] › ⬤ debug CMD: /usr/sbin/nginx -t -g "error_log off;"
[3/24/2024] [2:53:31 AM] [Nginx ] › :information_source: info Reloading Nginx
[3/24/2024] [2:53:31 AM] [Global ] › ⬤ debug CMD: /usr/sbin/nginx -s reload
[3/24/2024] [2:53:36 AM] [SSL ] › :information_source: info Requesting Let'sEncrypt certificates for Cert #11: blog.ofplayers.net
[3/24/2024] [2:53:36 AM] [SSL ] › :information_source: info Command: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-11" --agree-tos --authenticator webroot --email "ofplayers@proton.me" --preferred-challenges "dns,http" --domains "blog.ofplayers.net"
[3/24/2024] [2:53:36 AM] [Global ] › ⬤ debug CMD: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-11" --agree-tos --authenticator webroot --email "ofplayers@proton.me" --preferred-challenges "dns,http" --domains "blog.ofplayers.net"
[3/24/2024] [2:53:38 AM] [Nginx ] › ⬤ debug Deleting file: /data/nginx/temp/letsencrypt_11.conf
[3/24/2024] [2:53:38 AM] [Global ] › ⬤ debug CMD: /usr/sbin/nginx -t -g "error_log off;"
[3/24/2024] [2:53:38 AM] [Nginx ] › :information_source: info Reloading Nginx
[3/24/2024] [2:53:38 AM] [Global ] › ⬤ debug CMD: /usr/sbin/nginx -s reload
[3/24/2024] [2:53:38 AM] [Express ] › :warning: warning Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Linode VPS (least expensive option)
The operating system my web server runs on is (include version): Ubuntu 23.10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Nginx proxy manager 2.11.1

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.9.0

This worked on my base domain and I can’t get the log file for some reason

Your base domain has both A and AAAA records in your DNS but the blog subdomain does not have either one. You have requested to use the --webroot method to authenticate and you need at least one of these records so the Let's Encrypt servers can find your IP to make the HTTP challenge request.

2 Likes

I added both and it gives the same error, I’ll wait like 20 minutes and update if it happens again or not

Do the authoritative DNS servers show the added IPs?

If so, then you can start testing.
Note: Testing is best performed on the LE staging environment [not the LE production environment].

If not, then where did you add those IPs?

2 Likes

Do you mean Linode’s domain page?

I wouldn't know where you need to go to add DNS entries into your domain.

I do see that Porkbun DNS servers are being used by your domain:

nslookup -q=ns ofplayers.net
ofplayers.net nameserver = fortaleza.ns.porkbun.com
ofplayers.net nameserver = maceio.ns.porkbun.com
ofplayers.net nameserver = salvador.ns.porkbun.com
ofplayers.net nameserver = curitiba.ns.porkbun.com

But none of those servers know anything about the blog subdomain.
Nor do they know anything about your base domain either.

try:
nslookup www.ofplayers.net salvador.ns.porkbun.com
nslookup ofplayers.net salvador.ns.porkbun.com

2 Likes

I added Linode nameservers like an hour or 2 ago, I’m guessing it may take time to register everywhere else but I’ll try adding it in Porkbun too if it lets me

That would be very strange.
A long time ago it used to be that way [up to 24 hours, etc.] - but not in 2024.

1 Like

I think that worked, I have it up there now

I think I see the "problem" now...

Even though the registrar now has all these nameservers:

The two systems know nothing about each other:
System #1 only knows about itself:

nslookup -q=ns ofplayers.net salvador.ns.porkbun.com
ofplayers.net nameserver = curitiba.ns.porkbun.com
ofplayers.net nameserver = fortaleza.ns.porkbun.com
ofplayers.net nameserver = maceio.ns.porkbun.com
ofplayers.net nameserver = salvador.ns.porkbun.com

System #2 only knows about itself:

nslookup -q=ns ofplayers.net ns1.linode.com
ofplayers.net nameserver = ns2.linode.com
ofplayers.net nameserver = ns4.linode.com
ofplayers.net nameserver = ns1.linode.com
ofplayers.net nameserver = ns3.linode.com
ofplayers.net nameserver = ns5.linode.com

So, I have to ask: Do you know how to configure DNS across two providers?

3 Likes

No, I just added the A/AAAA records manually on both of them

That is far from ideal.
You really should delegate that to someone familiar with the whole DNS process.

That said, it should no longer stand in the way of you getting a cert.

Unless...

Both systems don't resolve the names equally.
I now see one system does [Linode]:

nslookup ofplayers.net ns1.linode.com
Name:      ofplayers.net
Addresses: 2600:3c03::f03c:94ff:fe15:bc82
           97.107.131.38

nslookup www.ofplayers.net ns1.linode.com
Name:      www.ofplayers.net
Addresses: 2600:3c03::f03c:94ff:fe15:bc82
           97.107.131.38

But the other still does not [Porkbun]:

nslookup ofplayers.net maceio.ns.porkbun.com
Server:  UnKnown
Address:  162.159.11.180
Name:    ofplayers.net

nslookup www.ofplayers.net maceio.ns.porkbun.com
Server:  UnKnown
Address:  162.159.11.180
*** UnKnown can't find www.ofplayers.net: Non-existent domain
3 Likes
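
Added example, not part of any post in this thread: the per-nameserver comparison done by hand above with nslookup, written as a script that uses dig instead. The function names are hypothetical, dig is assumed to be installed, and the caller passes in the nameservers listed at the registrar.

```sh
#!/bin/sh
# Added example (not from the thread): compare what each listed nameserver
# answers for a hostname before asking Let's Encrypt for an HTTP-01 challenge.
# Assumes dig is installed; function names are hypothetical.

# lookup SERVER NAME TYPE: print address records, one per line, sorted.
# +norecurse makes the server answer only from zone data it actually holds.
lookup() {
    dig +short +norecurse +time=3 +tries=1 "@$1" "$2" "$3" 2>/dev/null |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9a-fA-F:]+$' | sort
}

# check_ns NAME SERVER...: print "<server> <status> <addresses>" per server.
# Status is OK, MISSING (no A/AAAA at all) or MISMATCH (differs from the
# first server that answered). Returns 0 only when every server is OK.
check_ns() {
    cn_name=$1; shift
    cn_ref=""; cn_rc=0
    for cn_ns in "$@"; do
        cn_ans=$( { lookup "$cn_ns" "$cn_name" A
                    lookup "$cn_ns" "$cn_name" AAAA; } | tr '\n' ' ')
        cn_ans=${cn_ans% }
        if [ -z "$cn_ans" ]; then
            echo "$cn_ns MISSING -"; cn_rc=1
        elif [ -z "$cn_ref" ] || [ "$cn_ans" = "$cn_ref" ]; then
            cn_ref=$cn_ans; echo "$cn_ns OK $cn_ans"
        else
            echo "$cn_ns MISMATCH $cn_ans"; cn_rc=1
        fi
    done
    return "$cn_rc"
}

# Usage: ./check_ns.sh www.example.com ns1.example.net ns2.example.org
if [ "$#" -gt 0 ]; then
    check_ns "$@"
fi
```

A non-zero exit means at least one listed nameserver would give the validation servers no address or a different one, so the HTTP challenge can fail depending on which server gets asked.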

According to Porkbun’s web UI I have to remove the Linode name servers to be able to add DNS records on Porkbun, that’s probably why it’s like that

OR
You could remove the Porkbun nameservers from your registrar.

There are many solutions to this problem.
You need to find one that works for you - all the time - not just part of the time OR only when I do this but, immediately afterwards, I need to do these two other things...

DNS is a set it and forget it thing - when designed and implemented correctly.

4 Likes

I removed the Porkbun nameservers

This is unrelated but now I can’t use the base ofplayers.net page, I think this is because I used the same gateway IP on both of the proxy hosts (same Docker network) but I don’t know how I’d fix that

Since I’m not really active on the blog (I’ve posted 4 times on it over a year) I’ll probably just close the Ghost container and work on using some static site generator thing instead

Edit: I removed the blog’s DNS records, cert and proxy entry, the main page still isn’t working

Edit 2: I restarted the server and the main page works now (www still leads to an error though)
