Renewing my cert Nginx-Gunicorn-Django

tmahaffey · July 21, 2022, 3:59am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
trentmahaffey.com

I ran this command:
sudo certbot --nginx
sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/trentmahaffey.com.conf

Simulating renewal of an existing certificate for trentmahaffey.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: trentmahaffey.com
Type: connection
Detail: 75.71.245.217: Fetching http://trentmahaffey.com/.well-known/acme-challenge/8c0QQh9OFdXpbzj62QLdNxDKqHLxMb7OsToPVFogoe8: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Failed to renew certificate trentmahaffey.com with error: Some challenges have failed.

All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/trentmahaffey.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx (latest)

The operating system my web server runs on is (include version):
ubuntu 20.4

My hosting provider, if applicable, is:
self-hosted

I can login to a root shell on my machine (yes or no, or I don't know):
yeppers

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
shell

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

nginx config

server_tokens on;
access_log /var/log/nginx/trydjango.access.log;
error_log /var/log/nginx/trydjango.error.log;

This configuration will be changed to redirect to HTTPS later

server {
server_name trentmahaffey.com;
location / {
proxy_pass http://localhost:9999; # The plain HTTP request was sent to HTTPS port

proxy_set_header        Host $host;

}
location /static {
autoindex on;
alias /var/www/trentmahaffey.com/static/;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/trentmahaffey.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/trentmahaffey.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
if ($host = trentmahaffey.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name trentmahaffey.com;
listen 80;
return 404; # managed by Certbot

}

I have gunicorn serving the django content to nginx on port 9999.
You see my nginx config.
UFW rules:
8088/tcp ALLOW Anywhere
8088 ALLOW Anywhere
22 ALLOW Anywhere
80 ALLOW Anywhere
80/tcp ALLOW Anywhere
8000 ALLOW Anywhere
8001 ALLOW Anywhere
5432 ALLOW 192.168.0.0/24
5432 ALLOW Anywhere
5432/tcp ALLOW Anywhere
443 ALLOW Anywhere
Nginx Full ALLOW Anywhere
9999 ALLOW Anywhere
Anywhere ALLOW 192.168.0.184
22/tcp (v6) ALLOW Anywhere (v6)
8088/tcp (v6) ALLOW Anywhere (v6)
8088 (v6) ALLOW Anywhere (v6)
22 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)
8000 (v6) ALLOW Anywhere (v6)
8001 (v6) ALLOW Anywhere (v6)
5432 (v6) ALLOW Anywhere (v6)
5432/tcp (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
Nginx Full (v6) ALLOW Anywhere (v6)
9999 (v6) ALLOW Anywhere (v6)

Router Port Forwarding

Website is functioning right now with the first time I was able to get SSL working. I'm a bit confused it says I need to have a webserver listening on port 80, and I have that opened and the nginx config should be using that in the server {} sites enabled. I don't know where I went wrong. Thanks a bunch.

_az · July 21, 2022, 5:59am

Check that Comcast isn't blocking port 80 on your account and that you don't have any "advanced security" features enabled on your modem which might be having that effect.

I'm unable to reach your server on port 80. The error from Let's Encrypt is accurate.

tmahaffey · July 21, 2022, 2:01pm

Is this screen the expected behavior if I try localhost:80

image1075×324 20.8 KB

But, when I tried 75.71.245.217:80 with a computer from outside my network, it just times out.

To troublehsoot -

I set my router to forward port 80 to a different webserver running on the same machine on a different port, and it works. That tells me it is not the router/modem/internet provider. It seems like it is a problem with the nginx configuraiton?

Try 75.71.245.217:80

rg305 · July 21, 2022, 2:02pm

Can you reach the system on the local IP:80?

If so, try rebooting the router.
If that fails, contact Comcast (about inbound HTTP).

tmahaffey · July 21, 2022, 2:04pm

This is what I get with localhost:80

Comcast is not blocking traffic, they confirmed. I can forward port 80 to another webserver that is wroking fine on the same machine.

rg305 · July 21, 2022, 2:08pm

Ok then let's look within the machine.
Please show:
netstat -pant | grep -i listen
ps -ef | grep nginx | grep -v grep

tmahaffey · July 21, 2022, 2:12pm

netstat -pant | grep -i listen

tmahaffey · July 21, 2022, 2:13pm

ps -ef | grep nginx | grep -v grep

rg305 · July 21, 2022, 2:14pm

Try:
sudo netstat -pant | grep -i listen | grep 80

MikeMcQ · July 21, 2022, 2:18pm

I am able to reach trentmahaffey.com (same IP) with both http and https. I even see a good cert.

Oddly, I get a 404 trying a test acme-challenge but the server block shown should redirect all requests. So, that's a puzzle.

But, I'm sure Rudy will get that sorted

tmahaffey · July 21, 2022, 2:20pm

I forwarded traffic from port 80 to another webserver on the same machine to prove it has nothing to do with isp or firewall.

I'm trying to renew my cert, old cert is still working and SSL is working (just issue with port 80 and nginx)

MikeMcQ · July 21, 2022, 2:20pm

Sorry. I didn't realize you left it that way

tmahaffey · July 21, 2022, 2:21pm

rg305 · July 21, 2022, 2:22pm

OK, put it back.

We can see nginx is on port 80:

tmahaffey · July 21, 2022, 2:24pm

Port 80 on router is going to port 80 on server

rg305 · July 21, 2022, 2:27pm

Please show:
ifconfig | grep inet
curl ifconfig.co

What is the (inside) IP of the router?
Can it ping that IP?

tmahaffey · July 21, 2022, 2:28pm

tmahaffey · July 21, 2022, 2:28pm

tmahaffey · July 21, 2022, 2:29pm

tmahaffey · July 21, 2022, 2:30pm

Topic		Replies	Views
Certificate renew Help	6	515	May 12, 2023
Certbot renew failed on nginx Help	7	2523	March 31, 2022
Cannot renew certificate Help	4	248	February 9, 2024
Help needed, cant renew certbot Help	4	162	June 15, 2024
Help renewing with certbot Help	16	968	July 24, 2019

Renewing my cert Nginx-Gunicorn-Django

This configuration will be changed to redirect to HTTPS later

image1075×324 20.8 KB

Related topics