Renewing my cert Nginx-Gunicorn-Django

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
trentmahaffey.com

I ran this command:
sudo certbot --nginx
sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/trentmahaffey.com.conf


Simulating renewal of an existing certificate for trentmahaffey.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: trentmahaffey.com
Type: connection
Detail: 75.71.245.217: Fetching http://trentmahaffey.com/.well-known/acme-challenge/8c0QQh9OFdXpbzj62QLdNxDKqHLxMb7OsToPVFogoe8: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate trentmahaffey.com with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/trentmahaffey.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx (latest)

The operating system my web server runs on is (include version):
ubuntu 20.4

My hosting provider, if applicable, is:
self-hosted

I can login to a root shell on my machine (yes or no, or I don't know):
yeppers

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
shell

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

nginx config

server_tokens on;
access_log /var/log/nginx/trydjango.access.log;
error_log /var/log/nginx/trydjango.error.log;

# This configuration will be changed to redirect to HTTPS later

server {
    server_name trentmahaffey.com;

    location / {
        proxy_pass http://localhost:9999; # The plain HTTP request was sent to HTTPS port
        proxy_set_header Host $host;
    }

    location /static {
        autoindex on;
        alias /var/www/trentmahaffey.com/static/;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/trentmahaffey.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/trentmahaffey.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = trentmahaffey.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name trentmahaffey.com;
    listen 80;
    return 404; # managed by Certbot
}

I have gunicorn serving the django content to nginx on port 9999.
You see my nginx config.
UFW rules:

To                         Action      From
--                         ------      ----
8088/tcp                   ALLOW       Anywhere
8088                       ALLOW       Anywhere
22                         ALLOW       Anywhere
80                         ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
8000                       ALLOW       Anywhere
8001                       ALLOW       Anywhere
5432                       ALLOW       192.168.0.0/24
5432                       ALLOW       Anywhere
5432/tcp                   ALLOW       Anywhere
443                        ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
9999                       ALLOW       Anywhere
Anywhere                   ALLOW       192.168.0.184
22/tcp (v6)                ALLOW       Anywhere (v6)
8088/tcp (v6)              ALLOW       Anywhere (v6)
8088 (v6)                  ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
8000 (v6)                  ALLOW       Anywhere (v6)
8001 (v6)                  ALLOW       Anywhere (v6)
5432 (v6)                  ALLOW       Anywhere (v6)
5432/tcp (v6)              ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
9999 (v6)                  ALLOW       Anywhere (v6)

Router Port Forwarding

Website is functioning right now with the first time I was able to get SSL working. I'm a bit confused it says I need to have a webserver listening on port 80, and I have that opened and the nginx config should be using that in the server {} sites enabled. I don't know where I went wrong. Thanks a bunch.

Check that Comcast isn't blocking port 80 on your account and that you don't have any "advanced security" features enabled on your modem which might be having that effect.

I'm unable to reach your server on port 80. The error from Let's Encrypt is accurate.

3 Likes

Is this screen the expected behavior if I try localhost:80?

But, when I tried 75.71.245.217:80 with a computer from outside my network, it just times out.

To troubleshoot -

I set my router to forward port 80 to a different webserver running on the same machine on a different port, and it works. That tells me it is not the router/modem/internet provider. It seems like it is a problem with the nginx configuration?

Try 75.71.245.217:80

Can you reach the system on the local IP:80?

If so, try rebooting the router.
If that fails, contact Comcast (about inbound HTTP).

1 Like

This is what I get with localhost:80

Comcast is not blocking traffic, they confirmed. I can forward port 80 to another webserver that is working fine on the same machine.

1 Like

Ok then let's look within the machine.
Please show:
netstat -pant | grep -i listen
ps -ef | grep nginx | grep -v grep

2 Likes

netstat -pant | grep -i listen

ps -ef | grep nginx | grep -v grep

Try:
sudo netstat -pant | grep -i listen | grep 80

2 Likes

I am able to reach trentmahaffey.com (same IP) with both http and https. I even see a good cert.

Oddly, I get a 404 trying a test acme-challenge but the server block shown should redirect all requests. So, that's a puzzle.

But, I'm sure Rudy will get that sorted :slight_smile:

1 Like

I forwarded traffic from port 80 to another webserver on the same machine to prove it has nothing to do with isp or firewall.

I'm trying to renew my cert, old cert is still working and SSL is working (just issue with port 80 and nginx)

1 Like

Sorry. I didn't realize you left it that way

1 Like

OK, put it back.

We can see nginx is on port 80:
image

1 Like

Port 80 on router is going to port 80 on server

Please show:
ifconfig | grep inet
curl ifconfig.co

What is the (inside) IP of the router?
Can it ping that IP?

1 Like

1 Like

image

1 Like

image

1 Like