Issue generating cert on Debian 10 Linode nginx server

My domain is:
mjr-stock.xyz

I ran this command:
sudo certbot certonly --nginx

It produced this output:

Requesting a certificate for mjr-stock.xyz
Performing the following challenges:
http-01 challenge for mjr-stock.xyz
Waiting for verification...
Challenge failed for domain mjr-stock.xyz
http-01 challenge for mjr-stock.xyz

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: mjr-stock.xyz
Type: connection
Detail: Fetching http://www.mjr-stock.xyz/.well-known/acme-challenge/dTQP5ZiCU6ibB7Z9n2bZv-EKLurQpEVK28JDoJwXwKI: Connection reset by peer

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.

My web server is (include version):
nginx/1.14.2

The operating system my web server runs on is (include version):
Debian 10

My hosting provider, if applicable, is:
Linode

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.22.0

Hello all. I bought a domain since my last help topic; I think I'm still missing a few things.

I'm following the guide here: An ASP.NET Core on Linux Tutorial | Linode

At first I got this error:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: mjr-stock.xyz
  Type:   connection
  Detail: Fetching http://mjr-stock.xyz/.well-known/acme-challenge/Z_x2hpRYjyDQaxVwdom8UD63-IMwyXlOMkAksS6RQpI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.

After troubleshooting, allowing HTTP via UFW and creating a service file for my application, I got the error described in the main post.

I think I'm either missing a step (should my app be running and working on HTTP before doing this step?),

or else the issue might be the proxy_pass value in /etc/nginx/nginx.conf.
I wasn't 100% sure what to put here; I tried just my domain at first and got an error, then changed it to the server name I set for the server using hostnamectl set-hostname example-hostname.

Thanks for any help

1 Like

It doesn't need to be up, but nginx needs to be running and listening on port 80 if you want to use --nginx. Also, don't use certonly if you want certbot to also install the certificate, as opposed to just obtaining it.

2 Likes

Hmm, I've just thought: do I need to add my new domain URL to the /etc/hosts file?

No, it doesn't need to be in /etc/hosts, but it needs to be in the public DNS system. (An A and/or AAAA record)

2 Likes

Thanks, it seems it has an A record but no AAAA record according to

1 Like

Either or both is fine. If you use both, make sure they point to the same machine.

2 Likes

Your Namecheap DNS records look to be pointing at the Namecheap landing page and using their URL redirect. You need to have an A record pointing to your server for each of the names you use (mjr-stock.xyz, www.mjr-stock.xyz, for example).

The guide you reference looks wrong. It does not show any server for port 80 which is required for Let's Encrypt. And, it shows a port 443 server setup without any SSL certs which cannot work.

4 Likes
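A preflight check that does what the CA does before you run certbot: resolves the A records for the bare and www names, compares them with the server's address (a registrar landing page fails this), and fetches the http-01 path over port 80, classifying the two failures seen in this thread (timeout and connection reset). This is an added example, not code from the thread, certbot or the Linode guide; DOMAIN, SERVER_IP and the probe token are constructed placeholders.

```python
import http.client
import socket

# Constructed placeholders: substitute your own domain and your Linode's public IPv4.
DOMAIN = "example.invalid"
SERVER_IP = "203.0.113.10"
# Dummy token: a 404 here still proves port 80 is reachable and served by nginx.
CHALLENGE_PATH = "/.well-known/acme-challenge/probe-token"

def resolve_a(domain):
    """IPv4 addresses the resolver returns for domain (empty set if it does not resolve)."""
    try:
        infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def dns_points_here(resolved, server_ip):
    """True only when every A record points at this server; a registrar landing page fails."""
    return bool(resolved) and resolved == {server_ip}

def classify(exc):
    """Map a connect failure to the kind of hint the CA reports in certbot's output."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout: port 80 is filtered (check UFW) or the A record points at a dead host"
    if isinstance(exc, ConnectionRefusedError):
        return "refused: host reachable but nothing listens on :80 (nginx only on 443?)"
    if isinstance(exc, ConnectionResetError):
        return "reset: something on :80 dropped the connection (redirect service or wrong host)"
    return "other: %r" % (exc,)

def probe_http01(domain, host_ip=None, timeout=5.0):
    """GET the challenge URL the way the CA would; any HTTP status means port 80 is served."""
    conn = http.client.HTTPConnection(host_ip or domain, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH, headers={"Host": domain})
        return "reachable: HTTP %d for http://%s%s" % (conn.getresponse().status, domain, CHALLENGE_PATH)
    except OSError as exc:
        return classify(exc)
    finally:
        conn.close()

if __name__ == "__main__":
    for name in (DOMAIN, "www." + DOMAIN):
        ips = resolve_a(name)
        print(name, "A records:", sorted(ips), "-> ok" if dns_points_here(ips, SERVER_IP) else "-> NOT this server")
        print(name, probe_http01(name))
```

Run it from a machine outside your Linode, since the CA connects from the public internet and a check from the server itself will not see the firewall.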

It looks like nginx is only running on port 443. I think this is because I replaced the /etc/nginx/nginx.conf file as per the instructions on An ASP.NET Core on Linux Tutorial | Linode,
so it now contains:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {
    include        /etc/nginx/proxy.conf;
    limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;
    server_tokens  off;

    sendfile on;
    keepalive_timeout   29;
    client_body_timeout 10; client_header_timeout 10; send_timeout 10;

    upstream example-app{
        server localhost:5000;
    }

    server {
        listen                    443 ssl http2;
        listen                    [::]:443 ssl http2;
        server_name               mjr-stock.xyz;

        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;

        location / {
            proxy_pass http://hostname;
            limit_req  zone=one burst=10 nodelay;
        }
    }
}

Oh, please, no. Do you still have the previous version?

2 Likes

Yes, I backed it up :slight_smile: Sounds like the guide I am following is not very good.
I also haven't pointed my A records to my server, as @MikeMcQ pointed out, so I will replace the conf file and update the A records and see where I'm at then.

OK. Once you've done that, create a file /etc/nginx/sites-available/yourapp.conf and put this inside:

server {
  listen 80;
  listen [::]:80;

  server_name yourdomainname www.yourdomainname and all other combos you want;
}

Then run ln -s /etc/nginx/sites-available/yourapp.conf /etc/nginx/sites-enabled/
and then reload nginx: service nginx reload

This should be enough for certbot to create your https server block when it installs your certificate, and enough for --nginx to work.

After, you can add all the proxy stuff to the https block.

2 Likes

To confirm, is server name the name I set using 'hostnamectl set-hostname example-hostname'?

Looks like it isn't, as I'm getting an error using that when reloading nginx.

It's probably missing some semicolon. Check the logs. :slight_smile:

2 Likes

Oh, doh, sorry, I'm being stupid: that should literally be 'server_name'. I tried replacing it with my host name. It's reloaded now.

1 Like

Ok, take a moment and realize that you are serving a webpage: http://mjr-stock.xyz/

Now you can run certbot. Use --dry-run at first.

2 Likes

Amazing, it ran without error now and it looks like the HTTPS URL is working :slight_smile: When you said before that afterwards I can add the proxy stuff to the https block, what would this be required for now that HTTPS is working?

If what you have is enough, you don't have to do anything else.

If you need to use nginx as a reverse proxy, there is a lot of documentation, depending on what you are proxying.

Also, I assumed you'd redirect HTTP to HTTPS (you should: certbot enhance --redirect); if you don't want to do that, then you should add that stuff to both blocks.

2 Likes

Thanks, the redirect is now working for www.mjr-stock.xyz, but it doesn't redirect from just mjr-stock.xyz. To fix this, should I edit /etc/nginx/sites-available/mjr-stock.conf again to add mjr-stock.xyz to the server_name field, then run certbot enhance --redirect again? I see it has added a section to that file from the first run:

    if ($host = www.mjr-stock.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

Would manually adding another block like this with mjr-stock.xyz work?

1 Like