Site proxied by VPN, can't install cert

In my endless quest to obtain an LE cert for my home server (port 80 incoming blocked), I ultimately succeeded in creating a wireguard vpn connection to a vps. The connection is successful in that I can see my server by navigating to http://vpsipaddress/myserver, and http://mydomainname.com/myserver (DNS records pointing to VPS IP, obviously). On my home server, I ran

$certbot --nginx

The only obvious error was “nginx restart failed”. I restarted nginx manually, but I still don’t seem to have a certificate. My server is a VM running YunoHost (Debian9). YunoHost has a automated LE tool, but it says my domain isn’t ready to run it yet. I don’t know how it makes this determination. All I know is that I am able to interact with my home server via http at the VPS address/domain, and I don’t understand what else I could need to get a certificate? Thanks for any advice.

Hi @really_trying

please answer the following questions. That’s the standard template of #help

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

And the easiest reason your configuration doesn’t work: You use a private name, not a publicly visible, worldwide unique domain name.

Then you have to use dns-01 validation or tls-alpn-01 validation.

  • the domain name or your dns settings are wrong
  • port 80 is closed

If you can interact with your server, that may be only possible because you are a local user. So it’s the same: Your domain must be worldwide visible if you want to use http-01 validation.

1 Like

Hi thanks, I’ll try to provide what you asked. Port 80 is open, as evidenced by the fact that I can navigate to my server via

To be clear, the above IP is the VPS address. The VPS is Debian9 on DigitalOcean, with only wireguard installed. The server is running in virtualbox on the same computer I’m typing on right now.

I ran:
~# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: 40yearoldmike.netlib.re
2: yunohost.local
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 40yearoldmike.netlib.re
nginx: [emerg] "server_names_hash_bucket_size" directive is duplicate in /etc/nginx/conf.d/ssowat.conf:3
Cleaning up challenges
nginx restart failed:
b''
b''

My certbot version is 0.28.0. I can ssh into both my home server (VM) and the VPS.

I have now solved this problem, with some help from YunoHost support channel. I used a '--no-checks' flag to override the server finding an IP mismatch.

Your first domain name is a public domain name.

Your second domain name doesn’t end with an entry of the public suffix list.

So it’s impossible to get a certificate with yunohost.local.

But there you see: Your local Certbot doesn’t see that.

PS: You have a weak configuration:

Old connection: Diffie-Hellman Key Exchange with 1024 Bit is insecure. Update to 2048 Bit Key Exchange.

1 Like

Thanks for following up. I’m not concerned about the .local domain. I think yunohost just configures it for local management. I don’t need a certificate for it.

As far as weak configuration, could you elaborate? What exactly do I need to update?

You use a Diffie-Hellman Key Exchange with a too small key. Checked via https://check-your-website.server-daten.de/?q=40yearoldmike.netlib.re

To update, there is a lot of information online.

Sample:

https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

1 Like
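As an added illustration of the check behind the "too small key" finding above (example code, not from the thread, YunoHost or nginx): nginx's `ssl_dhparam` directive points at a PEM "DH PARAMETERS" file, which is just the DER encoding of `SEQUENCE { INTEGER p, INTEGER g }`, so the group size is the bit length of `p`. The script below builds constructed 1024-bit and 2048-bit fixtures (odd numbers of the right size, not real primes) and parses them the way you would parse a real file from the server.

```python
import base64
import re

MIN_DH_BITS = 2048  # the size the thread recommends; 1024-bit groups are flagged

def _der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV using a short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body

def _der_uint(value: int) -> bytes:
    """DER INTEGER of a non-negative value (a leading 0x00 keeps the high bit positive)."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _der(0x02, b"\x00" + body if body[0] & 0x80 else body)

def make_dhparam_pem(p: int, g: int = 2) -> str:
    """Constructed PEM 'DH PARAMETERS' block: SEQUENCE { INTEGER p, INTEGER g }."""
    b64 = base64.b64encode(_der(0x30, _der_uint(p) + _der_uint(g))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

def _read_tlv(der: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nb = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + nb], "big"), pos + nb
    return tag, der[pos:pos + length], pos + length

def dh_group_bits(pem: str) -> int:
    """Bit length of the prime p in a PEM 'DH PARAMETERS' file (what ssl_dhparam points at)."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    tag, seq, _ = _read_tlv(base64.b64decode("".join(m.group(1).split())), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()

def is_weak_dhparam(pem: str) -> bool:
    """True when the group is smaller than MIN_DH_BITS, as in the thread's 1024-bit finding."""
    return dh_group_bits(pem) < MIN_DH_BITS

# Constructed fixtures: odd numbers of the right size, not real safe primes.
WEAK_PEM = make_dhparam_pem((1 << 1023) | 1)  # 1024-bit group -> flagged
OK_PEM = make_dhparam_pem((1 << 2047) | 1)    # 2048-bit group -> passes
```

A real replacement file is produced with `openssl dhparam -out dhparam.pem 2048` and referenced from the nginx server block with `ssl_dhparam`, which is the change the linked tutorial walks through.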

Thank you for those interesting websites. I’m looking into it, and it seems I may be stuck with it for a while, due to issues regarding yunohost and latest nginx. I will keep reading.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.