In my endless quest to obtain a LE cert for my home server (port 80 incoming blocked), I ultimately succeeded in creating a wireguard vpn connection to a vps. The connection is successful in that I can see my server by navigating to http://vpsipaddress/myserver, and http://mydomainname.com/myserver (DNS records pointing to VPS IP, obviously). On my home server, I ran
$ certbot --nginx
The only obvious error was “nginx restart failed”. I restarted nginx manually, but I still don’t seem to have a certificate. My server is a VM running YunoHost (Debian9). YunoHost has an automated LE tool, but it says my domain isn’t ready to run it yet. I don’t know how it makes this determination. All I know is that I am able to interact with my home server via http at the VPS address/domain, and I don’t understand what else I could need to get a certificate. Thanks for any advice.
Please answer the following questions. That's the standard template for Help.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
And the easiest reason your configuration doesn't work: You use a private name, not a publicly visible, worldwide unique domain name.
Then you have to use dns-01 validation or tls-alpn-01 validation.
the domain name or your dns settings are wrong
port 80 is closed
If you can interact with your server, that may be only possible because you are a local user. So it's the same: Your domain must be worldwide visible if you want to use http-01 validation.
To be clear, the above IP is the VPS address. The VPS is Debian9 on DigitalOcean, with only wireguard installed. The server is running in virtualbox on the same computer I’m typing on right now.
I ran:
~# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: 40yearoldmike.netlib.re
2: yunohost.local
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 40yearoldmike.netlib.re
nginx: [emerg] "server_names_hash_bucket_size" directive is duplicate in /etc/nginx/conf.d/ssowat.conf:3
Cleaning up challenges
nginx restart failed:
b''
b''
My certbot version is 0.28.0. I can ssh into both my home server (VM) and the VPS.
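The `nginx: [emerg] "server_names_hash_bucket_size" directive is duplicate in /etc/nginx/conf.d/ssowat.conf:3` line in the output above is the reason the nginx plugin's restart failed: certbot only writes a certificate if it can reload nginx afterwards, and nginx refuses a config that sets a once-only directive twice in the same context. The following preflight script is an added example, not code from this thread, certbot or YunoHost; it parses a small in-memory nginx config (constructed here, with the `include` directive resolved) and reports such collisions the way `nginx -t` would, so the check can run before `certbot --nginx` is attempted. The set of once-only directives is an assumption covering a few common ones.

```python
"""Find nginx directives set twice in the same context (what makes `nginx -t` fail).
Config files are passed as {path: text} so the check runs offline; on a real host
read them from /etc/nginx. The sample below is constructed, not taken from the thread."""
import fnmatch
import re
from collections import defaultdict

# Assumption: a small subset of directives nginx accepts only once per context.
ONCE_ONLY = {"server_names_hash_bucket_size", "server_names_hash_max_size",
             "worker_processes", "client_max_body_size", "root"}
TOKEN = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+|\n')

def _tokens(text):
    """Yield (line_no, token) pairs, dropping comments and whitespace."""
    line = 1
    for m in TOKEN.finditer(text):
        tok = m.group(0)
        if tok == "\n":
            line += 1
        elif not tok.startswith("#"):
            yield line, tok

def _walk(files, path, ctx, seen):
    """Record each once-only directive as (context, name) -> [(file, line), ...]."""
    stack = list(ctx)                    # enclosing block names, e.g. ["http"]
    stmt, stmt_line = [], None
    for line, tok in _tokens(files[path]):
        if tok == "{":                   # open a block named by the pending statement
            stack.append(stmt[0] if stmt else "?"); stmt = []
        elif tok == "}":
            stack.pop(); stmt = []
        elif tok == ";":
            if stmt and stmt[0] == "include":  # expand include globs, same context
                for inc in sorted(fnmatch.filter(files, stmt[1].strip("'\""))):
                    _walk(files, inc, stack, seen)
            elif stmt and stmt[0] in ONCE_ONLY:
                seen[(tuple(stack), stmt[0])].append((path, stmt_line))
            stmt = []
        else:
            if not stmt:
                stmt_line = line
            stmt.append(tok)

def find_duplicate_directives(files, root="nginx.conf"):
    """Return {directive: [(file, line), ...]} for directives set twice in one context."""
    seen = defaultdict(list)
    _walk(files, root, [], seen)
    return {name: locs for (_, name), locs in seen.items() if len(locs) > 1}

# Constructed sample reproducing the kind of collision reported at ssowat.conf:3.
SAMPLE = {
    "nginx.conf": "worker_processes 2;\nhttp {\n    server_names_hash_bucket_size 64;\n"
                  "    include conf.d/*.conf;\n}\n",
    "conf.d/ssowat.conf": "# SSOwat settings\nclient_max_body_size 50M;\n"
                          "server_names_hash_bucket_size 128;\n",
    "conf.d/other.conf": "server { listen 80; }\n",
}

if __name__ == "__main__":
    for name, locs in find_duplicate_directives(SAMPLE).items():
        print(f'"{name}" directive is duplicate: ' + ", ".join(f"{f}:{n}" for f, n in locs))
```

Running it on the sample reports `server_names_hash_bucket_size` at `nginx.conf:3` and `conf.d/ssowat.conf:3`; on a live box the equivalent check is simply `nginx -t` before invoking certbot.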
I have now solved this problem, with some help from YunoHost support channel. I used a ‘--no-checks’ flag to override the server finding an IP mismatch.
Thanks for following up. I’m not concerned about the .local domain. I think yunohost just configures it for local management. I don’t need a certificate for it.
As far as weak configuration, could you elaborate? What exactly do I need to update?
Thank you for those interesting websites. I’m looking into it, and it seems I may be stuck with it for a while, due to issues regarding yunohost and latest nginx. I will keep reading.