Nginx proxy manager SSL

I can read responses in English: yes

My domain name is: hocishome.duckdns.org

Hello! Glad to be part of the community! I've been searching for hours through lots of topics and nothing works... I'm a beginner. I ran this command: Hello, I'm trying to make Home Assistant accessible from the outside so I can then expose my devices to Alexa, using DuckDNS in Docker via Portainer. I can't manage to get the certificates issued and make https://hocishome.duckdns.org work.

It produced this output:

❯ Starting backend ...
[8/25/2023] [1:12:45 PM] [Global ] › :information_source: info Using MySQL configuration
[8/25/2023] [1:12:47 PM] [Migrate ] › :information_source: info Current database version: 20211108145214
[8/25/2023] [1:12:47 PM] [Setup ] › :information_source: info Logrotate Timer initialized
[8/25/2023] [1:12:47 PM] [Setup ] › :information_source: info Logrotate completed.
[8/25/2023] [1:12:47 PM] [IP Ranges] › :information_source: info Fetching IP Ranges from online services...
[8/25/2023] [1:12:47 PM] [IP Ranges] › :information_source: info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[8/25/2023] [1:12:48 PM] [IP Ranges] › :information_source: info Fetching https://www.cloudflare.com/ips-v4
[8/25/2023] [1:12:48 PM] [IP Ranges] › :information_source: info Fetching https://www.cloudflare.com/ips-v6
[8/25/2023] [1:12:48 PM] [SSL ] › :information_source: info Let's Encrypt Renewal Timer initialized
[8/25/2023] [1:12:48 PM] [SSL ] › :information_source: info Renewing SSL certs close to expiry...
[8/25/2023] [1:12:48 PM] [IP Ranges] › :information_source: info IP Ranges Renewal Timer initialized
[8/25/2023] [1:12:48 PM] [Global ] › :information_source: info Backend PID 277 listening on port 3000 ...
[8/25/2023] [1:12:49 PM] [Nginx ] › :information_source: info Reloading Nginx
[8/25/2023] [1:12:50 PM] [SSL ] › :information_source: info Renew Complete
[8/25/2023] [1:13:09 PM] [Nginx ] › ⬤ debug Deleting file: /data/nginx/proxy_host/1.conf
[8/25/2023] [1:13:09 PM] [Nginx ] › ⬤ debug Deleting file: /data/nginx/proxy_host/1.conf.err
[8/25/2023] [1:13:09 PM] [Nginx ] › ⬤ debug Could not delete file: {
"errno": -2,
"syscall": "unlink",
"code": "ENOENT",
"path": "/data/nginx/proxy_host/1.conf.err"
}
[8/25/2023] [1:13:09 PM] [Nginx ] › :information_source: info Reloading Nginx
[8/25/2023] [1:13:09 PM] [SSL ] › :information_source: info Requesting Let'sEncrypt certificates via Cloudflare for Cert #21: hocishome.duckdns.org
[8/25/2023] [1:13:09 PM] [SSL ] › :information_source: info Command: mkdir -p /etc/letsencrypt/credentials 2> /dev/null; echo '# Cloudflare API token
dns_cloudflare_api_token = g7DvNms0R54ygj05Xrs1xcPFsMSTy_BwLzFdiTIb' > '/etc/letsencrypt/credentials/credentials-21' && chmod 600 '/etc/letsencrypt/credentials/credentials-21' && . /opt/certbot/bin/activate && pip install --no-cache-dir certbot-dns-cloudflare==$(certbot --version | grep -Eo '0-9+') cloudflare && deactivate && certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-21" --agree-tos --email "admin@hocishome.duckdns.org" --domains "hocishome.duckdns.org" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials/credentials-21"
[8/25/2023] [1:13:17 PM] [Nginx ] › :information_source: info Reloading Nginx
[8/25/2023] [1:13:17 PM] [Express ] › :warning: warning Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-21" --agree-tos --email "admin@hocishome.duckdns.org" --domains "hocishome.duckdns.org" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials/credentials-21"
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log

The operating system my web server runs on is (including version): debian raspberry pi 4B

My hosting provider, if applicable, is: duckdns

I can log in to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): nginx proxy manager front works fine

It seems your Nginx Proxy Manager (NPM) is trying to do the dns-01 challenge (and thus not the http-01 challenge you're testing using Let's Debug) using the Cloudflare DNS plugin while your DNS provider is DuckDNS. That doesn't make much sense.

That said: I don't have any experience with NPM and I do not want to have any experience with that software (I don't like it at all), so I cannot help you with changing the findings I mentioned above.


OK, I disabled the DNS challenge option so there's no mismatch between DNS and HTTP in my requests, but it still doesn't work ^^.


If you disabled the DNS challenge, you should have gotten a different error message. Please provide that new error message, as my crystal ball unfortunately is broken and still needs to be repaired.

This happened :slight_smile:

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-23" --agree-tos --authenticator webroot --email "admin@hocishome.duckdns.org" --preferred-challenges "dns,http" --domains "hocishome.duckdns.org"
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

at ChildProcess.exithandler (node:child_process:402:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Socket. (node:internal/child_process:458:11)
at Socket.emit (node:events:513:28)
at Pipe. (node:net:301:12)

in portainer log of [nginxproxymanager_app_1] :

Starting backend ...
[8/25/2023] [1:30:39 PM] [Global ] › :information_source: info Using MySQL configuration
[8/25/2023] [1:30:42 PM] [Migrate ] › :information_source: info Current database version: 20211108145214
[8/25/2023] [1:30:42 PM] [Setup ] › :information_source: info Logrotate Timer initialized
[8/25/2023] [1:30:42 PM] [Setup ] › :information_source: info Logrotate completed.
[8/25/2023] [1:30:42 PM] [IP Ranges] › :information_source: info Fetching IP Ranges from online services...
[8/25/2023] [1:30:42 PM] [IP Ranges] › :information_source: info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[8/25/2023] [1:30:42 PM] [IP Ranges] › :information_source: info Fetching https://www.cloudflare.com/ips-v4
[8/25/2023] [1:30:42 PM] [IP Ranges] › :information_source: info Fetching https://www.cloudflare.com/ips-v6
[8/25/2023] [1:30:42 PM] [SSL ] › :information_source: info Let's Encrypt Renewal Timer initialized
[8/25/2023] [1:30:42 PM] [SSL ] › :information_source: info Renewing SSL certs close to expiry...
[8/25/2023] [1:30:42 PM] [IP Ranges] › :information_source: info IP Ranges Renewal Timer initialized
[8/25/2023] [1:30:42 PM] [Global ] › :information_source: info Backend PID 200 listening on port 3000 ...
[8/25/2023] [1:30:43 PM] [Nginx ] › ⬤ debug Deleting file: /data/nginx/proxy_host/1.conf
[8/25/2023] [1:30:43 PM] [Nginx ] › ⬤ debug Deleting file: /data/nginx/proxy_host/1.conf.err
[8/25/2023] [1:30:43 PM] [Nginx ] › ⬤ debug Could not delete file: {
"errno": -2,
"syscall": "unlink",
"code": "ENOENT",
"path": "/data/nginx/proxy_host/1.conf.err"
}
[8/25/2023] [1:30:43 PM] [Nginx ] › :information_source: info Reloading Nginx
[8/25/2023] [1:30:44 PM] [Nginx ] › :information_source: info Reloading Nginx
[8/25/2023] [1:30:44 PM] [SSL ] › :information_source: info Renew Complete
[8/25/2023] [1:30:44 PM] [SSL ] › :heavy_multiplication_x: error Certificate is not valid (Command failed: openssl x509 -in /etc/letsencrypt/live/npm-23/fullchain.pem -subject -noout
Can't open /etc/letsencrypt/live/npm-23/fullchain.pem for reading, No such file or directory
547769563008:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('/etc/letsencrypt/live/npm-23/fullchain.pem','r')
547769563008:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
unable to load certificate
)
[8/25/2023] [1:30:48 PM] [SSL ] › :information_source: info Requesting Let'sEncrypt certificates for Cert #23: hocishome.duckdns.org
[8/25/2023] [1:30:48 PM] [SSL ] › :information_source: info Command: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-23" --agree-tos --authenticator webroot --email "admin@hocishome.duckdns.org" --preferred-challenges "dns,http" --domains "hocishome.duckdns.org"
[8/25/2023] [1:31:11 PM] [Nginx ] › ⬤ debug Deleting file: /data/nginx/temp/letsencrypt_23.conf
[8/25/2023] [1:31:12 PM] [Nginx ] › :information_source: info Reloading Nginx
[8/25/2023] [1:31:12 PM] [Express ] › :warning: warning Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-23" --agree-tos --authenticator webroot --email "admin@hocishome.duckdns.org" --preferred-challenges "dns,http" --domains "hocishome.duckdns.org"
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

I have no clue what Certbot returned as error message, as for some reason NPM decided it would be a good idea to NOT inform the user what went wrong. (You might find more info in the Certbot log file.)

That said, it seems your website is not available on HTTP port 80, neither over IPv4 nor over IPv6, which is a requirement for the http-01 challenge.


I'm not really sure how to check that... I put my associated DuckDNS token into the DuckDNS Docker container, but after that I don't know how to link the two.

I don't even know where the certbot log file is.

The DuckDNS token is only required for the dns-01 challenge, not for the http-01 challenge. For the http-01 challenge you "only" need a working website using HTTP.

The location of the log is mentioned in the NPM output.


You may need to visit an NPM forum for help setting this up


I don't have any letsencrypt-log folder in /tmp.

Letsencrypt is in the opt folder, but there's no letsencrypt-log folder in it.

The log is probably in one of the systemd private folders. That's something that NPM is configuring


In all 3 systemd-private folders there is only a tmp folder with nothing in it.

I am not able to fix my problem :confused:

I can go to HA with :

[image]

So a link has been set, but I'm not able to generate SSL to reach it from outside with https... I only have the log.

Your website isn't reachable from my location at all. That's an issue separate from getting a certificate if you actually would like visitors from the public internet. And also a requirement for getting a cert using the http-01 challenge.

If you don't want your website accessible from the public internet, you can't use the http-01 challenge and you should continue your efforts with NPM to make it actually use the DuckDNS DNS plugin. How? I don't know.


I'd like to access the site from outside with https://domain.duckdns.org

The HTTP Challenge requires something listening on port 80. You can redirect that once it arrives to a different port. But, it starts there and your server is not available on that port.

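A pre-flight check for the port-80 requirement described above, added here as an example (not code from the thread or from NPM): it resolves the hostname, tests every IPv4/IPv6 address for a TCP connection on port 80, and sends an HTTP GET for a constructed token under /.well-known/acme-challenge/ the way the validation server would. The default hostname and the 5-second timeout are assumptions.

```python
"""Added example: http-01 pre-flight. A 404 for the unknown token is fine;
the request only has to reach your server (a redirect to 443 or to another
name is allowed). No HTTP answer at all on port 80 is what fails the challenge."""
import http.client
import socket
ACME_PATH = "/.well-known/acme-challenge/preflight-check"  # constructed token

def resolve(host):
    """Return de-duplicated (family, ip) pairs for host, IPv4 and IPv6."""
    seen, out = set(), []
    for fam, _, _, _, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        if sockaddr[0] not in seen:
            seen.add(sockaddr[0])
            out.append((fam, sockaddr[0]))
    return out

def probe(host, fam, ip, timeout=5.0):
    """Return (tcp_ok, http_status); http_status is None if no HTTP reply came back."""
    try:
        with socket.socket(fam, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, 80))
    except OSError:
        return (False, None)
    try:
        conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
        conn.request("GET", ACME_PATH, headers={"Host": host})  # real name in Host
        status = conn.getresponse().status
        conn.close()
        return (True, status)
    except (OSError, http.client.HTTPException):
        return (True, None)

def verdict(results):
    """Classify {ip: (tcp_ok, status)}; conservatively, every published address must answer."""
    if not results:
        return "FAIL: hostname has no A/AAAA records"
    bad = [ip for ip, (ok, st) in results.items() if not ok or st is None]
    if bad:
        return "FAIL: no HTTP answer on port 80 from " + ", ".join(bad)
    return "OK: port 80 answers on every address"

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "hocishome.duckdns.org"  # assumed default
    res = {ip: probe(host, fam, ip) for fam, ip in resolve(host)}
    for ip, (ok, st) in res.items():
        print(f"{ip}: tcp={'open' if ok else 'closed'} http={st}")
    print(verdict(res))
```

Run it from a network outside your LAN (or a phone hotspot); a check from inside the house can pass through NAT loopback while the router's port forward is still missing.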

How do I do it? ^^'

The port is being listened on by nginx in Docker:


I have this on my internet box:

80 or 443 only, if it's for http-01. (It follows redirects to other FQDNs.)

You need to enable that function for (external) ports 80 and 443, each to the appropriate internal port (this depends on how you configured your nginx proxy manager -- you should look at its docker-compose.yml).


Here is my docker compose