My domain is:
matrix.corkboard.wtf
I ran this command:
sudo certbot --nginx
It produced this output:
ubuntu@ubuntu:~/matrix$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
1: matrix.corkboard.wtf
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for matrix.corkboard.wtf
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: matrix.corkboard.wtf
Type: connection
Detail: 184.60.27.164: Fetching http://matrix.corkboard.wtf/.well-known/acme-challenge/VcsPOTbLQZaVhew0HRrkph7X-J-4mPlYYr9nh0X8Y1A: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org . See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version):
nginx latest
The operating system my web server runs on is (include version):
Ubuntu 22.04
My hosting provider, if applicable, is:
n/a
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0
_az
April 26, 2022, 1:12am
2
The port isn't open to the internet, I can't connect to it either.
Check that you have port forwarding correctly set up.
The ports are open in my router settings, would this be an issue with their software?
_az
April 26, 2022, 1:28am
4
Ah, I see. The port is open but the connection hangs forever after a request is sent:
$ curl -vvv -m10 184.60.27.164
* Trying 184.60.27.164:80...
* Connected to 184.60.27.164 (184.60.27.164) port 80 (#0)
> GET / HTTP/1.1
> Host: 184.60.27.164
> User-Agent: curl/7.79.1
> Accept: */*
>
* Operation timed out after 10003 milliseconds with 0 bytes received
* Closing connection 0
curl: (28) Operation timed out after 10003 milliseconds with 0 bytes received
Could be that the internal address and port for the port forwarding is not right.
Could be that nginx is not listening on the address that the port forward expects.
Could be that it will start working after a router reboot (happens from time to time sadly).
Do you see any connection attempts in the nginx access or error logs?
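An added example, not part of the thread: a small POSIX shell helper that repeats the curl probe _az ran, aimed at the ACME challenge path the CA fetches, and classifies the transcript (connected but hung, connect timeout, refused, answered) so the same probe can be run from localhost, the LAN address and the public IP and the results compared. The function names classify_probe and probe_acme_path, the placeholder token and the IPs in the sample transcripts are my own constructions.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical helper names.

# Read a curl -v transcript on stdin and print one label:
#   connected_hung  - TCP connect succeeded but 0 bytes came back: the port
#                     is forwarded to something that never answers (the
#                     situation shown in the thread)
#   connect_timeout - no TCP connect at all: firewall, missing forward, wrong IP
#   refused         - RST on connect: nothing listens on the forward target
#   answered        - an HTTP status line came back (even a 404 proves the
#                     path reaches nginx)
#   unknown         - anything else
classify_probe() {
    t=$(cat)
    if printf '%s\n' "$t" | grep -q '^< HTTP/'; then
        echo answered
    elif printf '%s\n' "$t" | grep -q 'Connection refused'; then
        echo refused
    elif printf '%s\n' "$t" | grep -q '^\* Connected to' &&
         printf '%s\n' "$t" | grep -qiE 'timed out|timeout'; then
        echo connected_hung
    elif printf '%s\n' "$t" | grep -qiE 'timed out|timeout'; then
        echo connect_timeout
    else
        echo unknown
    fi
}

# Probe the challenge path the way the CA does: plain HTTP on port 80, by
# hostname, with a short timeout. An optional second argument pins the
# hostname to a given IP via --resolve, so "public IP" and "127.0.0.1"
# answers can be compared without touching DNS or /etc/hosts.
#   probe_acme_path matrix.corkboard.wtf               # via DNS
#   probe_acme_path matrix.corkboard.wtf 127.0.0.1     # nginx locally?
probe_acme_path() {
    host=$1
    ip=${2:-}
    token=${3:-probe-token}   # constructed placeholder, not a real challenge
    url="http://$host/.well-known/acme-challenge/$token"
    if [ -n "$ip" ]; then
        curl -sv -m 10 -o /dev/null --resolve "$host:80:$ip" "$url" 2>&1 \
            | classify_probe
    else
        curl -sv -m 10 -o /dev/null "$url" 2>&1 | classify_probe
    fi
}
```

If localhost answers but the public IP reports connected_hung, the port forward reaches a host that accepts the TCP handshake but never hands the request to nginx, which is what the thread's curl output shows.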
I see connection attempts from "check your website", but that is all.
rg305
April 26, 2022, 2:04am
6
Has the web site ever worked?
No, I am also not running a website but a matrix instance.
rg305
April 26, 2022, 2:07am
8
Hmm...
Then this doesn't make sense:
coolperson:
sudo certbot --nginx
which expects a running nginx web server.
I am indeed running an nginx webserver, but I am not hosting a website. I am running an instance of matrix.
rg305
April 26, 2022, 2:13am
10
You may have failed to grasp the requirements around "sudo certbot --nginx".
Let's have a closer look at what is actually running, with:
{sudo} netstat -pant | grep -i listen
[use sudo if needed]
and also:
nginx -T
2 :::* LISTEN 761/sshd: /usr/sbin
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;
# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;
# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;
# configuration file /etc/nginx/mime.types:
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
# configuration file /etc/nginx/sites-enabled/matrix.corkboard.wtf:
server {
server_name matrix.corkboard.wtf;
location / {
proxy_pass http://localhost:8008;
}
}
rg305
April 26, 2022, 2:22am
13
Seems like you don't really need the nginx server:
"Instead, you can proxy access to Synapse's HTTP listener on port 8008 via an existing HTTPS proxy with a valid certificate (e.g. an nginx listening on port 443), or you can point Synapse at a valid X.509 signed TLS certificate ."
from: FAQ | Matrix.org
rg305
April 26, 2022, 2:26am
14
Sorry, discourse ate your post [after I edited it - to add ```s (for better formatting)]
It should show up soon.
From what I saw, the netstat output was very short.
It didn't show nginx nor the "matrix" software running/listening.
Ah, when I run lsof -i tcp:80 it returns:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 786 root 6u IPv4 15232 0t0 TCP *:http (LISTEN)
nginx 1700 www-data 6u IPv4 15232 0t0 TCP *:http (LISTEN)
nginx 1701 www-data 6u IPv4 15232 0t0 TCP *:http (LISTEN)
nginx 1702 www-data 6u IPv4 15232 0t0 TCP *:http (LISTEN)
nginx 1703 www-data 6u IPv4 15232 0t0 TCP *:http (LISTEN)
rg305
April 26, 2022, 2:28am
16
While we wait...
"In future, Synapse will probably use letsencrypt to autogenerate valid certificates rather than self-signed ones during installation, simplifying this process enormously."
"The future" sounds wonderful!
rg305
April 26, 2022, 2:29am
17
I need to see more than just 80.
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-r 636 systemd-resolve 14u IPv4 18950 0t0 TCP localhost:domain (LISTEN)
sshd 761 root 3u IPv4 21780 0t0 TCP *:ssh (LISTEN)
sshd 761 root 4u IPv6 21782 0t0 TCP *:ssh (LISTEN)
nginx 786 root 6u IPv4 15232 0t0 TCP *:http (LISTEN)
docker-pr 1162 root 4u IPv4 23762 0t0 TCP *:8008 (LISTEN)
docker-pr 1170 root 4u IPv6 21486 0t0 TCP *:8008 (LISTEN)
nginx 1700 www-data 6u IPv4 15232 0t0 TCP *:http (LISTEN)
nginx 1701 www-data 6u IPv4 15232 0t0 TCP *:http (LISTEN)
nginx 1702 www-data 6u IPv4 15232 0t0 TCP *:http (LISTEN)
nginx 1703 www-data 6u IPv4 15232 0t0 TCP *:http (LISTEN)
[edited]
This future does sound wonderful.
rg305
April 26, 2022, 2:32am
20
OK
So, nginx can be used to proxy to "8008"
OR
"8008" can be fed the cert directly.
[we can visit that path after we get you going on nginx]