Nginx on Centos Reverse proxy can't get certificate

My domain is:

mail.foodcity.ru

I ran this command:

sudo /usr/local/bin/certbot-auto --nginx

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


1: mail.foodcity.ru


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.foodcity.ru
Waiting for verification…
Challenge failed for domain mail.foodcity.ru
http-01 challenge for mail.foodcity.ru
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.foodcity.ru
    Type: connection
    Detail: Fetching
    http://mail.foodcity.ru/.well-known/acme-challenge/eQft3oh2d-eJMKOu_mRYgc2q864G5mHYTBRMIy12ag8:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):

nginx/1.14.1

The operating system my web server runs on is (include version):

CentOS Linux release 8.0.1905 (Core)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 1.0.0

What could be the problem?

nslookup mail.foodcity.ru 8.8.8.8

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: mail.foodcity.ru
Address: 85.140.48.11

85.140.48.11 - right IP

firewall-cmd --state

not running

Hi @akhaleta

Checking your domain, there is no answer - https://check-your-website.server-daten.de/?q=mail.foodcity.ru

Domainname Http-Status redirect Sec. G
http://mail.foodcity.ru/
85.140.48.11 -14 10.000 T
Timeout - The operation has timed out
https://mail.foodcity.ru/
85.140.48.11 -14 10.047 T
Timeout - The operation has timed out
http://mail.foodcity.ru/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
85.140.48.11 -14 10.053 T
Timeout - The operation has timed out

Only timeouts. A working port 80 is required if you want to use http validation.

Does your domain work internally?

curl http://mail.foodcity.ru/
curl http://mail.foodcity.ru/.well-known/acme-challenge/1234

What does nginx -T say?

fixed

curl http://mail.foodcity.ru

301 Moved Permanently
301 Moved Permanently
nginx/1.14.1

curl http://mail.foodcity.ru/.well-known/acme-challenge/1234

301 Moved Permanently
301 Moved Permanently
nginx/1.14.1

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Nothing is fixed. Again timeouts. Online tools like "check your website" or other tools must be able to see your domain.

Why do you use a redirect if you don't have a working https configuration? That can't work

-T, not -t.

I want to use this server to access the Exchange mail server from the outside. I only need port 443 for this.

I do not understand; I see that everything is fine.

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# configuration file /etc/nginx/nginx.conf:
# For more information on configuration, see:
#   * Official English Documentation: nginx documentation
#   * Official Russian Documentation: nginx: documentation

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

# Settings for a TLS enabled server.
#
#    server {
#        listen       443 ssl http2 default_server;
#        listen       [::]:443 ssl http2 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers PROFILE=SYSTEM;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }

}

# configuration file /usr/share/nginx/modules/mod-http-image-filter.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_image_filter_module.so";

# configuration file /usr/share/nginx/modules/mod-http-perl.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_perl_module.so";

# configuration file /usr/share/nginx/modules/mod-http-xslt-filter.conf:
load_module "/usr/lib64/nginx/modules/ngx_http_xslt_filter_module.so";

# configuration file /usr/share/nginx/modules/mod-mail.conf:
load_module "/usr/lib64/nginx/modules/ngx_mail_module.so";

# configuration file /usr/share/nginx/modules/mod-stream.conf:
load_module "/usr/lib64/nginx/modules/ngx_stream_module.so";

# configuration file /etc/nginx/mime.types:

types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;

text/mathml                                      mml;
text/plain                                       txt;
text/vnd.sun.j2me.app-descriptor                 jad;
text/vnd.wap.wml                                 wml;
text/x-component                                 htc;

image/png                                        png;
image/svg+xml                                    svg svgz;
image/tiff                                       tif tiff;
image/vnd.wap.wbmp                               wbmp;
image/webp                                       webp;
image/x-icon                                     ico;
image/x-jng                                      jng;
image/x-ms-bmp                                   bmp;

application/font-woff                            woff;
application/java-archive                         jar war ear;
application/json                                 json;
application/mac-binhex40                         hqx;
application/msword                               doc;
application/pdf                                  pdf;
application/postscript                           ps eps ai;
application/rtf                                  rtf;
application/vnd.apple.mpegurl                    m3u8;
application/vnd.google-earth.kml+xml             kml;
application/vnd.google-earth.kmz                 kmz;
application/vnd.ms-excel                         xls;
application/vnd.ms-fontobject                    eot;
application/vnd.ms-powerpoint                    ppt;
application/vnd.oasis.opendocument.graphics      odg;
application/vnd.oasis.opendocument.presentation  odp;
application/vnd.oasis.opendocument.spreadsheet   ods;
application/vnd.oasis.opendocument.text          odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                 pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                 xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                 docx;
application/vnd.wap.wmlc                         wmlc;
application/x-7z-compressed                      7z;
application/x-cocoa                              cco;
application/x-java-archive-diff                  jardiff;
application/x-java-jnlp-file                     jnlp;
application/x-makeself                           run;
application/x-perl                               pl pm;
application/x-pilot                              prc pdb;
application/x-rar-compressed                     rar;
application/x-redhat-package-manager             rpm;
application/x-sea                                sea;
application/x-shockwave-flash                    swf;
application/x-stuffit                            sit;
application/x-tcl                                tcl tk;
application/x-x509-ca-cert                       der pem crt;
application/x-xpinstall                          xpi;
application/xhtml+xml                            xhtml;
application/xspf+xml                             xspf;
application/zip                                  zip;

application/octet-stream                         bin exe dll;
application/octet-stream                         deb;
application/octet-stream                         dmg;
application/octet-stream                         iso img;
application/octet-stream                         msi msp msm;

audio/midi                                       mid midi kar;
audio/mpeg                                       mp3;
audio/ogg                                        ogg;
audio/x-m4a                                      m4a;
audio/x-realaudio                                ra;

video/3gpp                                       3gpp 3gp;
video/mp2t                                       ts;
video/mp4                                        mp4;
video/mpeg                                       mpeg mpg;
video/quicktime                                  mov;
video/webm                                       webm;
video/x-flv                                      flv;
video/x-m4v                                      m4v;
video/x-mng                                      mng;
video/x-ms-asf                                   asx asf;
video/x-ms-wmv                                   wmv;
video/x-msvideo                                  avi;

}

# configuration file /etc/nginx/conf.d/proxy.conf:
server
{
    listen 80;
    server_name mail.foodcity.ru;
    return 301 https://$host$request_uri;
}

server
{
    tcp_nodelay on;
    listen 443 ssl;

    # SSL must be enabled
    ssl on;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_session_timeout 5m;
    server_name mail.foodcity.ru;
    location / {
            return 301 https://mail.lotos.local/owa;
    }

    proxy_http_version 1.1;

    proxy_read_timeout      360;
    proxy_pass_header       Date;
    proxy_pass_header       Server;
    proxy_pass_header       Authorization;
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_request_headers on;

    more_set_input_headers 'Authorization: $http_authorization';

    proxy_set_header Accept-Encoding "";

    more_set_headers -s 401 'WWW-Authenticate: Basic realm="Local_Address"';

    proxy_buffering off;
    proxy_set_header Connection "Keep-Alive";

    location ~* ^/owa { proxy_pass https://mail.lotos.local; }
    location ~* ^/Microsoft-Server-ActiveSync { proxy_pass https://mail.lotos.local; }
    location ~* ^/ecp { proxy_pass https://mail.lotos.local; }
    location ~* ^/rpc { proxy_pass https://mail.lotos.local; }

}
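Added example, not part of this thread and not the poster's own config: a port-80 server block for mail.foodcity.ru that answers the http-01 challenge path itself, over plain HTTP, and only redirects everything else to HTTPS. With this layout the validation never depends on the HTTPS side (self-signed certificate, internal redirect to mail.lotos.local), and nothing but the challenge directory is exposed on port 80. The webroot /var/www/letsencrypt is an assumption made for the example; it has to exist and be readable by the nginx user. Note what this cannot do: the timeouts reported by certbot and by check-your-website mean the validation request never reaches nginx at all, and with firewalld not running locally the block is somewhere upstream (provider firewall, NAT, or a filtered port 80); that has to be opened first, and this config only makes the validation robust once it is.

```nginx
# /etc/nginx/conf.d/proxy.conf, port-80 server only (added example).
# Assumed: /var/www/letsencrypt is a dedicated webroot used for nothing else.
server {
    listen 80;
    listen [::]:80;
    server_name mail.foodcity.ru;

    # Serve http-01 challenge files directly over plain HTTP.
    # ^~ is a prefix match that wins over any regex location, so a later
    # "location ~* ..." cannot capture the challenge path by accident.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot; nginx reads
                                     # $root/.well-known/acme-challenge/<token>
        default_type text/plain;
        try_files $uri =404;         # serve the token file or 404, never redirect
    }

    # Everything else still goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Local check before touching certbot: `sudo nginx -t && sudo systemctl reload nginx`, then create a throwaway file under /var/www/letsencrypt/.well-known/acme-challenge/ and fetch it with `curl -i http://mail.foodcity.ru/.well-known/acme-challenge/<file>`; the answer must be 200 with the file contents, not a 301. Once an outside tool also gets that 200, `sudo /usr/local/bin/certbot-auto certonly --webroot -w /var/www/letsencrypt -d mail.foodcity.ru` issues the certificate without certbot having to edit the proxy config, and the resulting paths can then replace the self-signed pair in the 443 block.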

Please. These are only your name servers.

T, T, T, three timeouts.

Please start with some basics:

Then

Port 80 must answer.

PS:

That's a running job. If the job is ready -> Global Grade T = Timeout. Compare it with other results.

Thanks for your answer, I will study this

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.