Internal error NGINX Proxy

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: google.de

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): rasp pi

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi there,
maybe someone here is able to solve my problem...

NGINX Proxy Manager is installed on a Raspberry Pi 4 (OS Lite 64-bit) in Docker with Portainer.

Google DNS is used: bitwarden.xxx.de

NGINX is up and running. Port forwarding is ok in a unifi dream machine. Port 80 is directed to the raspberry and is working. I can reach bitwarden via http.

Now I try to get a SSL and always get an internal error.

The result of Let's Debug is attached.

I can't find the error... I have no idea...

maybe you guys?

Thank you

ANotWorking

ERROR

bitwarden.xxx.de has an A (IPv4) record (91.248.xx.xx) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

A timeout was experienced while communicating with bitwarden.skypio.de/91.248.xx.xx: Get "http://bitwarden.xxx.de/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://bitwarden.xxx.de/.well-known/acme-challenge/letsdebug-test (using initial IP 91.248.xx.xx)
@0ms: Dialing 91.248.xx.xx
@10000ms: Experienced error: context deadline exceeded

IssueFromLetsEncrypt

ERROR

A test authorization for bitwarden.skypio.de to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

91.248.xx.xx: Fetching http://bitwarden.xxx.de/.well-known/acme-challenge/Ph5VEQwjPFukZ6DEc-E4Ns_r-AXTqA3jP_eB0mgDj_0: Timeout during connect (likely firewall problem)

We have the same issues today.
Timeout during connect (likely firewall problem)

https://letsencrypt.status.io/ says: "Planned Maintenance In Progress".

It also says any interruptions would be temporary and brief. If your timeout problem persists it is not likely related. I cannot reach the bitwarden domain in the first post even from my test server. Not LE related.

And, @iHeadRu if you want to pursue a problem please open a new Help thread


I'm not aware that outgoing validation attempts from the Let's Encrypt validation servers would be affected to this degree.

Most likely both of your errors come from a firewall or NAT device blocking incoming access to port 80.

Also, @pio007, please don't obfuscate your actual hostname. As the questionnaire states, it's mandatory to state the domain to get help. Never mind, it's not obfuscated everywhere :stuck_out_tongue: Your host is indeed not reachable from the public internet, which is a prerequisite for the http-01 challenge to work.


not reachable?
bitwarden.skypio.de points me directly to the http page of Bitwarden on my local Raspberry? I tested this with several browsers....

???

"local raspberry" probably being key here. It might be reachable from within your own network, but from my location at least it is not. Which corresponds with the timeout seen by Let's Encrypt too.


@pio007 The Let's Debug test site is often helpful when setting up new systems. (and which shows the timeout right now)

If you have a mobile phone, disable wifi and try accessing your domain. This will have you using the public internet. You will likely get the same comms timeout.


OK, checked it. Unfortunately you are right...

So: the problem is the firewall of my UDM, right? Google DNS is fine and not the problem, and Let's Encrypt too?

A firewall is one candidate and should be checked. You are using an HTTP Challenge so Let's Encrypt servers must be able to make an http request to verify your domain. The Let's Debug site uses the LE test (staging) system for one test and that test times out.

Your DNS for that domain is a CNAME to skypio.de which has an A record for your IP. You should check that your public IP still matches that DNS A value. The IP that LE finds from the DNS lookup is shown in the error message. One way to check your (IPv4) IP is to run this command

curl -4 https://ifconfig.co
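The three checks suggested in this thread (does the name resolve, does the resolved address match your public IP, can the acme-challenge path be fetched over plain HTTP within the 10 s the Let's Debug trace shows) as one script. This is an added example, not something posted in the thread or part of Let's Debug; it assumes https://ifconfig.co/ip returns the caller's IPv4 as plain text, and the network calls are injectable so the diagnosis logic can be exercised with constructed results.

```python
"""Reproduce the http-01 precondition checks from the thread, offline-testable."""
import socket
import urllib.request
from urllib.error import HTTPError, URLError

TIMEOUT = 10  # seconds; matches the @10000ms deadline in the Let's Debug trace


def resolve_a(host):
    """IPv4 addresses the name resolves to (a CNAME to skypio.de is followed)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80, socket.AF_INET)})


def public_ipv4():
    """Equivalent of `curl -4 https://ifconfig.co`; /ip endpoint is an assumption."""
    with urllib.request.urlopen("https://ifconfig.co/ip", timeout=TIMEOUT) as r:
        return r.read().decode().strip()


def fetch_challenge(host, token="letsdebug-test"):
    """Plain-HTTP GET of the challenge path; returns the status or raises."""
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    with urllib.request.urlopen(url, timeout=TIMEOUT) as r:
        return r.status


def diagnose(host, resolve=resolve_a, my_ip=public_ipv4, fetch=fetch_challenge):
    """Classify why an http-01 validation would fail, in the order the thread checks."""
    ips = resolve(host)
    if not ips:
        return "no-a-record"
    if my_ip() not in ips:
        return "dns-ip-mismatch"   # DNS still points at an old public IP
    try:
        fetch(host)
    except HTTPError:
        return "reachable"         # 404 for a random token is fine: port 80 answers
    except (TimeoutError, socket.timeout):
        return "timeout"           # nothing answers on :80 -> firewall, NAT or geo-block
    except URLError as e:
        if isinstance(e.reason, (TimeoutError, socket.timeout)):
            return "timeout"
        return "refused-or-unreachable"
    return "reachable"


if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1]))  # usage: python3 check_http01.py your.host.example
```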

the result of curl -4 https://ifconfig.co is equal to my IP of the provider....

If the IP is fine then check all your "pieces":

  • Unifi
  • this: NPM on pi in docker w/portainer
  • other router?

Something is not allowing http requests. Once you find that try the cert request again and it should be fine.

I see you got some certs in Aug. You should focus on changes to your systems since then (see here)


ok, thanks a lot.

I try to find out, although I didn't change my setup since month...

regards marc


Has your ISP changed its policy about allowing http (port 80) requests? Some residential services do not allow it.


I will ask the ISP. A quick check shows: EWE and port 80 is trouble.... maybe that is the fault...


I found the error: there was a country restriction for America in my Unifi UDM.... This blocked the certs. Now it's working!
Thank you all, guys....

Regards, Marc

