Unable to create any certs with Nginx Proxy Manager

My domain is konomedia.ca

I used to run the swag Docker container but would have problems with 522 errors, so I decided to test with Nginx Proxy Manager.

I have used it before in other applications, but for some reason any time I try to create a cert I get an error, and I'm not sure what's going on. Any help would be great.


{
  "identifier": {
    "type": "dns",
    "value": "konomedia.ca"
  },
  "status": "invalid",
  "expires": "2021-08-19T02:06:57Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from https://konomedia.ca/.well-known/acme-challenge/ZaWy5zdXCtg6NTqHl6mHuVg_OyhRf_HqgBCue4mUxmY [2606:4700:3035::ac43:b1e1]: \"\u003c!DOCTYPE html\u003e\\n\u003c!--[if lt IE 7]\u003e \u003chtml class=\\\"no-js ie6 oldie\\\" lang=\\\"en-US\\\"\u003e \u003c![endif]--\u003e\\n\u003c!--[if IE 7]\u003e    \u003chtml class=\\\"no-js \"",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/21075075080/wLs8_w",
      "token": "ZaWy5zdXCtg6NTqHl6mHuVg_OyhRf_HqgBCue4mUxmY",
      "validationRecord": [
        {
          "url": "http://konomedia.ca/.well-known/acme-challenge/ZaWy5zdXCtg6NTqHl6mHuVg_OyhRf_HqgBCue4mUxmY",
          "hostname": "konomedia.ca",
          "port": "80",
          "addressesResolved": [
            "104.21.75.147",
            "172.67.177.225",
            "2606:4700:3031::6815:4b93",
            "2606:4700:3035::ac43:b1e1"
          ],
          "addressUsed": "2606:4700:3031::6815:4b93"
        },
        {
          "url": "https://konomedia.ca/.well-known/acme-challenge/ZaWy5zdXCtg6NTqHl6mHuVg_OyhRf_HqgBCue4mUxmY",
          "hostname": "konomedia.ca",
          "port": "443",
          "addressesResolved": [
            "172.67.177.225",
            "104.21.75.147",
            "2606:4700:3035::ac43:b1e1",
            "2606:4700:3031::6815:4b93"
          ],
          "addressUsed": "2606:4700:3035::ac43:b1e1"
        }
      ],
      "validated": "2021-08-12T02:06:58Z"
    }
  ]
}
2021-08-11 22:07:02,235:DEBUG:acme.client:Storing nonce: 0101NIe2YmzdG149eEwEFD1BUrzb-mM5IVmFG6Pz93j9tDc
2021-08-11 22:07:02,236:INFO:certbot._internal.auth_handler:Challenge failed for domain konomedia.ca
2021-08-11 22:07:02,236:INFO:certbot._internal.auth_handler:http-01 challenge for konomedia.ca
2021-08-11 22:07:02,236:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: konomedia.ca
  Type:   unauthorized
  Detail: Invalid response from https://konomedia.ca/.well-known/acme-challenge/ZaWy5zdXCtg6NTqHl6mHuVg_OyhRf_HqgBCue4mUxmY [2606:4700:3035::ac43:b1e1]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2021-08-11 22:07:02,237:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-08-11 22:07:02,237:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-08-11 22:07:02,237:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-08-11 22:07:02,237:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/ZaWy5zdXCtg6NTqHl6mHuVg_OyhRf_HqgBCue4mUxmY
2021-08-11 22:07:02,237:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2021-08-11 22:07:02,238:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1566, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1426, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 128, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 456, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 386, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 436, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 90, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 178, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-08-11 22:07:02,239:ERROR:certbot._internal.log:Some challenges have failed.

Hi @mkono87, and welcome to the LE community forum :)

The IPs shown in the log all come from Cloudflare CDN.
[which are all being redirected to HTTPS]
Is that expected?


Yes, that is correct. I'm using CF as my DNS, and I have it proxied (orange cloud).

I haven't tried with CF set to just DNS, but out of nowhere I have issues with proxied mode, so maybe I should try again with it turned off.

Maybe you missed the detail in my last post, so I will say it again (in greater detail this time).

Cloudflare CDN redirects all HTTP connections to HTTPS, as seen in the failed request.

If the requests from Cloudflare to your server are all via HTTPS, then the ACME client may be unprepared for such (as it may be expecting an HTTP request).

You should review the web server config to ensure that any measures taken to handle the challenge requests in HTTP are also taken in HTTPS.

If you are using Apache, you can start with the output of:
sudo apachectl -S
If you are using nginx, you can review the entire config with the output of:
sudo nginx -T

If you need any help with any of that, please post the relevant output here.
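
As an added example (my own code, not part of the thread, certbot or Nginx Proxy Manager), the following Python script does the same triage the reply above does by eye, but over the authorization object certbot writes to its log: it checks whether the CA's validation hops went from http:// to https:// (a redirect), whether every resolved address sits in Cloudflare's published edge ranges (the same list NPM's ip_ranges.conf carries), and whether the CA received an HTML page instead of the key authorization. The embedded sample is the authorization from the first post, trimmed to the fields the check reads; it is constructed for the example and runs offline.

```python
"""Triage an ACME http-01 authorization object, as certbot logs it, for the
failure pattern in this thread: DNS points at a CDN, HTTP is redirected to
HTTPS, and the CA gets an HTML page instead of the key authorization.
Added example; not part of certbot, NPM or the original post."""
import ipaddress
import json
from urllib.parse import urlsplit

# Cloudflare's published edge ranges (the same list NPM's ip_ranges.conf carries).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]

# Constructed sample: the authorization object from the certbot log in the
# first post, trimmed to the fields the triage reads (HTML snippet abbreviated).
SAMPLE_AUTHZ_TEXT = r'''{
  "identifier": {"type": "dns", "value": "konomedia.ca"},
  "status": "invalid",
  "challenges": [{
    "type": "http-01",
    "status": "invalid",
    "error": {
      "type": "urn:ietf:params:acme:error:unauthorized",
      "detail": "Invalid response from https://konomedia.ca/.well-known/acme-challenge/ZaWy5zdXCtg6NTqHl6mHuVg_OyhRf_HqgBCue4mUxmY [2606:4700:3035::ac43:b1e1]: \"\u003c!DOCTYPE html\u003e\\n\u003c!--[if lt IE 7]\u003e \u003chtml class=\\\"no-js ie6 oldie\\\"\"",
      "status": 403
    },
    "token": "ZaWy5zdXCtg6NTqHl6mHuVg_OyhRf_HqgBCue4mUxmY",
    "validationRecord": [
      {"url": "http://konomedia.ca/.well-known/acme-challenge/ZaWy5zdXCtg6NTqHl6mHuVg_OyhRf_HqgBCue4mUxmY",
       "hostname": "konomedia.ca", "port": "80",
       "addressesResolved": ["104.21.75.147", "172.67.177.225",
                             "2606:4700:3031::6815:4b93", "2606:4700:3035::ac43:b1e1"],
       "addressUsed": "2606:4700:3031::6815:4b93"},
      {"url": "https://konomedia.ca/.well-known/acme-challenge/ZaWy5zdXCtg6NTqHl6mHuVg_OyhRf_HqgBCue4mUxmY",
       "hostname": "konomedia.ca", "port": "443",
       "addressesResolved": ["172.67.177.225", "104.21.75.147",
                             "2606:4700:3035::ac43:b1e1", "2606:4700:3031::6815:4b93"],
       "addressUsed": "2606:4700:3035::ac43:b1e1"}
    ]
  }]
}'''


def is_cloudflare(addr: str) -> bool:
    """True if addr falls inside one of Cloudflare's published ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def triage_http01(authz: dict) -> dict:
    """Explain why the http-01 challenge in an ACME authorization failed."""
    findings = {
        "domain": authz["identifier"]["value"],
        "status": None, "error_type": None, "http_status": None,
        "redirected_to_https": False,
        "all_addresses_cloudflare": False,
        "html_instead_of_token": False,
        "reasons": [],
    }
    chal = next((c for c in authz.get("challenges", []) if c.get("type") == "http-01"), None)
    if chal is None:
        findings["reasons"].append("authorization carries no http-01 challenge")
        return findings
    error = chal.get("error") or {}
    findings.update(status=chal.get("status"), error_type=error.get("type"),
                    http_status=error.get("status"))
    if chal.get("status") == "valid":
        findings["reasons"].append("challenge passed; nothing to triage")
        return findings

    records = chal.get("validationRecord", [])
    if records:
        first_url, last_url = records[0]["url"], records[-1]["url"]
        # validationRecord lists every hop the CA followed; http -> https means a redirect.
        if urlsplit(first_url).scheme == "http" and urlsplit(last_url).scheme == "https":
            findings["redirected_to_https"] = True
            findings["reasons"].append(
                f"CA was redirected from {first_url} to {last_url}; the challenge "
                "location must be served in the HTTPS server block as well")
        addrs = {a for r in records for a in r.get("addressesResolved", [])}
        if addrs and all(is_cloudflare(a) for a in addrs):
            findings["all_addresses_cloudflare"] = True
            findings["reasons"].append(
                f"all {len(addrs)} resolved addresses are Cloudflare edge IPs "
                "(proxied / orange cloud); the CA never reached the origin directly")
        token = chal.get("token", "")
        if token and not urlsplit(last_url).path.endswith("/" + token):
            findings["reasons"].append("final validation URL does not end with the challenge token")

    detail = error.get("detail", "")
    if "<!DOCTYPE html" in detail or "<html" in detail.lower():
        findings["html_instead_of_token"] = True
        findings["reasons"].append(
            f"response was an HTML page (HTTP {error.get('status')}) instead of the "
            "key authorization; a block, challenge or error page sits in the path")
    return findings


def triage_from_log_text(text: str) -> dict:
    """Paste the JSON object from the certbot log; \\u003c escapes decode to '<'."""
    return triage_http01(json.loads(text))


if __name__ == "__main__":
    for line in triage_from_log_text(SAMPLE_AUTHZ_TEXT)["reasons"]:
        print("-", line)
```

Run it on the object certbot prints just before "Challenge failed for domain"; all three flags coming back true is the Cloudflare-proxied signature, and the redirect finding is the one to act on in the origin's nginx config (or by switching the record to DNS-only while validating).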

There are two machines, both with Docker setups. Here is the output from nginx in the swag container:

root@12d56553710f:/# nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# /etc/nginx/nginx.conf

user nginx;

# Set number of worker processes automatically based on number of CPU cores.
worker_processes auto;

# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;

# Configures default error logger.
error_log /var/log/nginx/error.log warn;

# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;

# Uncomment to include files with config snippets into the root context.
# NOTE: This will be enabled by default in Alpine 3.15.
#include /etc/nginx/conf.d/*.conf;

events {
        # The maximum number of simultaneous connections that can be opened by
        # a worker process.
        worker_connections 1024;
}

http {
        # Includes mapping of file name extensions to MIME types of responses
        # and defines the default type.
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        # Name servers used to resolve names of upstream servers into addresses.
        # It's also needed when using tcpsocket and udpsocket in Lua modules.
        #resolver 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001;

        # Don't tell nginx version to the clients. Default is 'on'.
        server_tokens off;

        # Specifies the maximum accepted body size of a client request, as
        # indicated by the request header Content-Length. If the stated content
        # length is greater than this size, then the client receives the HTTP
        # error code 413. Set to 0 to disable. Default is '1m'.
        client_max_body_size 1m;

        # Sendfile copies data between one FD and other from within the kernel,
        # which is more efficient than read() + write(). Default is off.
        sendfile on;

        # Causes nginx to attempt to send its HTTP response head in one packet,
        # instead of using partial frames. Default is 'off'.
        tcp_nopush on;


        # Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2.
        # TIP: If you're not obligated to support ancient clients, remove TLSv1.1.
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

        # Path of the file with Diffie-Hellman parameters for EDH ciphers.
        # TIP: Generate with: `openssl dhparam -out /etc/ssl/nginx/dh2048.pem 2048`
        #ssl_dhparam /etc/ssl/nginx/dh2048.pem;

        # Specifies that our cipher suits should be preferred over client ciphers.
        # Default is 'off'.
        ssl_prefer_server_ciphers on;

        # Enables a shared SSL cache with size that can hold around 8000 sessions.
        # Default is 'none'.
        ssl_session_cache shared:SSL:2m;

        # Specifies a time during which a client may reuse the session parameters.
        # Default is '5m'.
        ssl_session_timeout 1h;

        # Disable TLS session tickets (they are insecure). Default is 'on'.
        ssl_session_tickets off;


        # Enable gzipping of responses.
        #gzip on;

        # Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
        gzip_vary on;


        # Helper variable for proxying websockets.
        map $http_upgrade $connection_upgrade {
                default upgrade;
                '' close;
        }


        # Specifies the main log format.
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';

        # Sets the path, format, and configuration for a buffered log write.
        access_log /var/log/nginx/access.log main;


        # Includes virtual hosts configs.
        include /etc/nginx/http.d/*.conf;
}

# TIP: Uncomment if you use stream module.
#include /etc/nginx/stream.conf;

# configuration file /etc/nginx/modules/10_devel_kit.conf:
load_module "modules/ndk_http_module.so";

# configuration file /etc/nginx/modules/10_http_brotli.conf:
load_module "modules/ngx_http_brotli_filter_module.so";
load_module "modules/ngx_http_brotli_static_module.so";

# configuration file /etc/nginx/modules/10_http_dav_ext.conf:
load_module "modules/ngx_http_dav_ext_module.so";

# configuration file /etc/nginx/modules/10_http_echo.conf:
load_module "modules/ngx_http_echo_module.so";

# configuration file /etc/nginx/modules/10_http_fancyindex.conf:
load_module "modules/ngx_http_fancyindex_module.so";

# configuration file /etc/nginx/modules/10_http_geoip2.conf:
load_module "modules/ngx_http_geoip2_module.so";

# configuration file /etc/nginx/modules/10_http_headers_more.conf:
load_module "modules/ngx_http_headers_more_filter_module.so";

# configuration file /etc/nginx/modules/10_http_image_filter.conf:
load_module "modules/ngx_http_image_filter_module.so";

# configuration file /etc/nginx/modules/10_http_nchan.conf:
load_module "modules/ngx_nchan_module.so";

# configuration file /etc/nginx/modules/10_http_perl.conf:
load_module "modules/ngx_http_perl_module.so";

# configuration file /etc/nginx/modules/10_http_redis2.conf:
load_module "modules/ngx_http_redis2_module.so";

# configuration file /etc/nginx/modules/10_http_upload_progress.conf:
load_module "modules/ngx_http_uploadprogress_module.so";

# configuration file /etc/nginx/modules/10_http_xslt_filter.conf:
load_module "modules/ngx_http_xslt_filter_module.so";

# configuration file /etc/nginx/modules/10_mail.conf:
load_module "modules/ngx_mail_module.so";

# configuration file /etc/nginx/modules/10_rtmp.conf:
load_module "modules/ngx_rtmp_module.so";

# configuration file /etc/nginx/modules/10_stream.conf:
load_module "modules/ngx_stream_module.so";

# configuration file /etc/nginx/modules/20_http_set_misc.conf:
load_module "modules/ngx_http_set_misc_module.so";

# configuration file /etc/nginx/modules/20_stream_geoip2.conf:
load_module "modules/ngx_stream_geoip2_module.so";

# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

I'm surprised to see this include and no configs actually included.
Are there any files there?
ls -l /etc/nginx/http.d/*.conf
Did you run nginx -T in the right place?

Sorry for the delay, I don't seem to be getting notified of any responses.

Not sure why I did Swag before. I'm entering the Nginx Proxy Manager container now and performing these two steps.

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# run nginx in foreground
daemon off;

#user root;

# Set number of worker processes automatically based on number of CPU cores.
worker_processes auto;

# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;

error_log /data/logs/fallback_error.log warn;

# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;

events {
        worker_connections  1024;
}

http {
        include                       /etc/nginx/mime.types;
        default_type                  application/octet-stream;
        sendfile                      on;
        server_tokens                 off;
        tcp_nopush                    on;
        tcp_nodelay                   on;
        client_body_temp_path         /var/tmp/nginx/body 1 2;
        keepalive_timeout             90s;
        proxy_connect_timeout         90s;
        proxy_send_timeout            90s;
        proxy_read_timeout            90s;
        ssl_prefer_server_ciphers     on;
        gzip                          on;
        proxy_ignore_client_abort     off;
        client_max_body_size          2000m;
        server_names_hash_bucket_size 1024;
        proxy_http_version            1.1;
        proxy_set_header              X-Forwarded-Scheme $scheme;
        proxy_set_header              X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header              Accept-Encoding "";
        proxy_cache                   off;
        proxy_cache_path              /var/lib/nginx/cache/public  levels=1:2 keys_zone=public-cache:30m max_size=192m;
        proxy_cache_path              /var/lib/nginx/cache/private levels=1:2 keys_zone=private-cache:5m max_size=1024m;

        log_format proxy '[$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] [Sent-to $server] "$http_user_agent" "$http_referer"';
        log_format standard '[$time_local] $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] "$http_user_agent" "$http_referer"';

        access_log /data/logs/fallback_access.log proxy;

        # Dynamically generated resolvers file
        include /etc/nginx/conf.d/include/resolvers.conf;

        # Default upstream scheme
        map $host $forward_scheme {
                default http;
        }

        # Real IP Determination

        # Local subnets:
        set_real_ip_from 10.0.0.0/8;
        set_real_ip_from 172.16.0.0/12; # Includes Docker subnet
        set_real_ip_from 192.168.0.0/16;
        # NPM generated CDN ip ranges:
        include conf.d/include/ip_ranges.conf;
        # always put the following 2 lines after ip subnets:
        real_ip_header X-Real-IP;
        real_ip_recursive on;

        # Custom
        include /data/nginx/custom/http_top[.]conf;

        # Files generated by NPM
        include /etc/nginx/conf.d/*.conf;
        include /data/nginx/default_host/*.conf;
        include /data/nginx/proxy_host/*.conf;
        include /data/nginx/redirection_host/*.conf;
        include /data/nginx/dead_host/*.conf;
        include /data/nginx/temp/*.conf;

        # Custom
        include /data/nginx/custom/http[.]conf;
}

stream {
        # Files generated by NPM
        include /data/nginx/stream/*.conf;

        # Custom
        include /data/nginx/custom/stream[.]conf;
}

# Custom
include /data/nginx/custom/root[.]conf;

# configuration file /etc/nginx/mime.types:
types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/conf.d/include/resolvers.conf:
resolver 192.168.0.1 ;

# configuration file /etc/nginx/conf.d/include/ip_ranges.conf:

set_real_ip_from 120.52.22.96/27;

set_real_ip_from 205.251.249.0/24;

set_real_ip_from 180.163.57.128/26;

set_real_ip_from 204.246.168.0/22;

set_real_ip_from 205.251.252.0/23;

set_real_ip_from 54.192.0.0/16;

set_real_ip_from 204.246.173.0/24;

set_real_ip_from 54.230.200.0/21;

set_real_ip_from 120.253.240.192/26;

set_real_ip_from 116.129.226.128/26;

set_real_ip_from 130.176.0.0/17;

set_real_ip_from 108.156.0.0/14;

set_real_ip_from 99.86.0.0/16;

set_real_ip_from 205.251.200.0/21;

set_real_ip_from 223.71.71.128/25;

set_real_ip_from 13.32.0.0/15;

set_real_ip_from 120.253.245.128/26;

set_real_ip_from 13.224.0.0/14;

set_real_ip_from 70.132.0.0/18;

set_real_ip_from 15.158.0.0/16;

set_real_ip_from 13.249.0.0/16;

set_real_ip_from 205.251.208.0/20;

set_real_ip_from 65.9.128.0/18;

set_real_ip_from 130.176.128.0/18;

set_real_ip_from 58.254.138.0/25;

set_real_ip_from 54.230.208.0/20;

set_real_ip_from 116.129.226.0/25;

set_real_ip_from 52.222.128.0/17;

set_real_ip_from 64.252.128.0/18;

set_real_ip_from 205.251.254.0/24;

set_real_ip_from 54.230.224.0/19;

set_real_ip_from 71.152.0.0/17;

set_real_ip_from 216.137.32.0/19;

set_real_ip_from 204.246.172.0/24;

set_real_ip_from 120.52.39.128/27;

set_real_ip_from 118.193.97.64/26;

set_real_ip_from 223.71.71.96/27;

set_real_ip_from 54.240.128.0/18;

set_real_ip_from 205.251.250.0/23;

set_real_ip_from 180.163.57.0/25;

set_real_ip_from 52.46.0.0/18;

set_real_ip_from 223.71.11.0/27;

set_real_ip_from 52.82.128.0/19;

set_real_ip_from 54.230.0.0/17;

set_real_ip_from 54.230.128.0/18;

set_real_ip_from 54.239.128.0/18;

set_real_ip_from 130.176.224.0/20;

set_real_ip_from 36.103.232.128/26;

set_real_ip_from 52.84.0.0/15;

set_real_ip_from 143.204.0.0/16;

set_real_ip_from 144.220.0.0/16;

set_real_ip_from 120.52.153.192/26;

set_real_ip_from 119.147.182.0/25;
set_real_ip_from 120.232.236.0/25;
set_real_ip_from 54.182.0.0/16;
set_real_ip_from 58.254.138.128/26;
set_real_ip_from 120.253.245.192/27;
set_real_ip_from 54.239.192.0/19;
set_real_ip_from 18.64.0.0/14;
set_real_ip_from 120.52.12.64/26;
set_real_ip_from 99.84.0.0/16;
set_real_ip_from 130.176.192.0/19;
set_real_ip_from 52.124.128.0/17;
set_real_ip_from 204.246.164.0/22;
set_real_ip_from 13.35.0.0/16;
set_real_ip_from 204.246.174.0/23;
set_real_ip_from 36.103.232.0/25;
set_real_ip_from 119.147.182.128/26;
set_real_ip_from 118.193.97.128/25;
set_real_ip_from 120.232.236.128/26;
set_real_ip_from 204.246.176.0/20;
set_real_ip_from 65.8.0.0/16;
set_real_ip_from 65.9.0.0/17;
set_real_ip_from 108.138.0.0/15;
set_real_ip_from 120.253.241.160/27;
set_real_ip_from 64.252.64.0/18;
set_real_ip_from 13.113.196.64/26;
set_real_ip_from 13.113.203.0/24;
set_real_ip_from 52.199.127.192/26;
set_real_ip_from 13.124.199.0/24;
set_real_ip_from 3.35.130.128/25;
set_real_ip_from 52.78.247.128/26;
set_real_ip_from 13.233.177.192/26;
set_real_ip_from 15.207.13.128/25;
set_real_ip_from 15.207.213.128/25;
set_real_ip_from 52.66.194.128/26;
set_real_ip_from 13.228.69.0/24;
set_real_ip_from 52.220.191.0/26;
set_real_ip_from 13.210.67.128/26;
set_real_ip_from 13.54.63.128/26;
set_real_ip_from 99.79.169.0/24;
set_real_ip_from 18.192.142.0/23;
set_real_ip_from 35.158.136.0/24;
set_real_ip_from 52.57.254.0/24;
set_real_ip_from 13.48.32.0/24;
set_real_ip_from 18.200.212.0/23;
set_real_ip_from 52.212.248.0/26;
set_real_ip_from 3.10.17.128/25;
set_real_ip_from 3.11.53.0/24;
set_real_ip_from 52.56.127.0/25;
set_real_ip_from 15.188.184.0/24;
set_real_ip_from 52.47.139.0/24;
set_real_ip_from 18.229.220.192/26;
set_real_ip_from 54.233.255.128/26;
set_real_ip_from 3.231.2.0/25;
set_real_ip_from 3.234.232.224/27;
set_real_ip_from 3.236.169.192/26;
set_real_ip_from 3.236.48.0/23;
set_real_ip_from 34.195.252.0/24;
set_real_ip_from 34.226.14.0/24;
set_real_ip_from 13.59.250.0/26;
set_real_ip_from 18.216.170.128/25;
set_real_ip_from 3.128.93.0/24;
set_real_ip_from 3.134.215.0/24;
set_real_ip_from 52.15.127.128/26;
set_real_ip_from 3.101.158.0/23;
set_real_ip_from 52.52.191.128/26;
set_real_ip_from 34.216.51.0/25;
set_real_ip_from 34.223.12.224/27;
set_real_ip_from 34.223.80.192/26;
set_real_ip_from 35.162.63.192/26;
set_real_ip_from 35.167.191.128/26;
set_real_ip_from 44.227.178.0/24;
set_real_ip_from 44.234.108.128/25;
set_real_ip_from 44.234.90.252/30;
set_real_ip_from 2600:9000:3000::/36;
set_real_ip_from 2600:9000:ddd::/48;
set_real_ip_from 2600:9000:5300::/40;
set_real_ip_from 2600:9000:1000::/36;
set_real_ip_from 2600:9000:2000::/36;
set_real_ip_from 2400:7fc0:500::/40;
set_real_ip_from 2600:9000:4000::/36;
set_real_ip_from 2600:9000:fff::/48;
set_real_ip_from 2404:c2c0:500::/40;
set_real_ip_from 2600:9000:f000::/36;
set_real_ip_from 2600:9000:eee::/48;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 104.16.0.0/13;
set_real_ip_from 104.24.0.0/14;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;

# configuration file /etc/nginx/conf.d/default.conf:
# "You are not configured" page, which is the default if another default doesn't exist
server {
        listen 8080;
        listen [::]:8080;

        set $forward_scheme "http";
        set $server "127.0.0.1";
        set $port "8080";

        server_name localhost-nginx-proxy-manager;
        access_log /data/logs/fallback_access.log standard;
        error_log /data/logs/fallback_error.log warn;
        include conf.d/include/assets.conf;
        include conf.d/include/block-exploits.conf;
        include conf.d/include/letsencrypt-acme-challenge.conf;

        location / {
                index index.html;
                root /var/www/html;
        }
}

# First 4443 Host, which is the default if another default doesn't exist
server {
        listen 4443 ssl;
        listen [::]:4443 ssl;

        set $forward_scheme "https";
        set $server "127.0.0.1";
        set $port "4443";

        server_name localhost;
        access_log /data/logs/fallback-access.log standard;
        error_log /dev/null crit;
        ssl_certificate /data/nginx/dummycert.pem;
        ssl_certificate_key /data/nginx/dummykey.pem;
        include conf.d/include/ssl-ciphers.conf;

        return 444;
}

# configuration file /etc/nginx/conf.d/include/assets.conf:
location ~* ^.*\.(css|js|jpe?g|gif|png|woff|eot|ttf|svg|ico|css\.map|js\.map)$ {
        if_modified_since off;

        # use the public cache
        proxy_cache public-cache;
        proxy_cache_key $host$request_uri;

        # ignore these headers for media
        proxy_ignore_headers Set-Cookie Cache-Control Expires X-Accel-Expires;

        # cache 200s and also 404s (not ideal but there are a few 404 images for some reason)
        proxy_cache_valid any 30m;
        proxy_cache_valid 404 1m;

        # strip this header to avoid If-Modified-Since requests
        proxy_hide_header Last-Modified;
        proxy_hide_header Cache-Control;
        proxy_hide_header Vary;

        proxy_cache_bypass 0;
        proxy_no_cache 0;

        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_404;
        proxy_connect_timeout 5s;
        proxy_read_timeout 45s;

        expires @30m;
        access_log  off;

        include conf.d/include/proxy.conf;
}

# configuration file /etc/nginx/conf.d/include/proxy.conf:
add_header       X-Served-By $host;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-Proto  $scheme;
proxy_set_header X-Forwarded-For    $remote_addr;
proxy_set_header X-Real-IP          $remote_addr;
proxy_pass       $forward_scheme://$server:$port;


# configuration file /etc/nginx/conf.d/include/block-exploits.conf:
## Block SQL injections
set $block_sql_injections 0;

if ($query_string ~ "union.*select.*\(") {
        set $block_sql_injections 1;
}

if ($query_string ~ "union.*all.*select.*") {
        set $block_sql_injections 1;
}

if ($query_string ~ "concat.*\(") {
        set $block_sql_injections 1;
}

if ($block_sql_injections = 1) {
        return 403;
}

## Block file injections
set $block_file_injections 0;

if ($query_string ~ "[a-zA-Z0-9_]=http://") {
        set $block_file_injections 1;
}

if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
}

if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
}

if ($block_file_injections = 1) {
        return 403;
}

## Block common exploits
set $block_common_exploits 0;

if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
}

if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
}

if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
}

if ($query_string ~ "proc/self/environ") {
        set $block_common_exploits 1;
}

if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
        set $block_common_exploits 1;
}

if ($query_string ~ "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
}

if ($block_common_exploits = 1) {
        return 403;
}

## Block spam
set $block_spam 0;

if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
        set $block_spam 1;
}

if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
        set $block_spam 1;
}

if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
        set $block_spam 1;
}

if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
        set $block_spam 1;
}

if ($block_spam = 1) {
        return 403;
}

## Block user agents
set $block_user_agents 0;

# Disable Akeeba Remote Control 2.5 and earlier
if ($http_user_agent ~ "Indy Library") {
        set $block_user_agents 1;
}

# Common bandwidth hoggers and hacking tools.
if ($http_user_agent ~ "libwww-perl") {
        set $block_user_agents 1;
}

if ($http_user_agent ~ "GetRight") {
        set $block_user_agents 1;
}

if ($http_user_agent ~ "GetWeb!") {
        set $block_user_agents 1;
}

if ($http_user_agent ~ "Go!Zilla") {
        set $block_user_agents 1;
}

if ($http_user_agent ~ "Download Demon") {
        set $block_user_agents 1;
}

if ($http_user_agent ~ "Go-Ahead-Got-It") {
        set $block_user_agents 1;
}

if ($http_user_agent ~ "TurnitinBot") {
        set $block_user_agents 1;
}

if ($http_user_agent ~ "GrabNet") {
        set $block_user_agents 1;
}

if ($block_user_agents = 1) {
        return 403;
}

# configuration file /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf:
# Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
# We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
# other regex checks, because our other config files have a regex rule that denies access to files with dotted names.
location ^~ /.well-known/acme-challenge/ {
        # Since this is for letsencrypt authentication of a domain and they do not give IP ranges of their infrastructure
        # we need to open up access by turning off auth and IP ACL for this location.
        auth_basic off;
        auth_request off;
        allow all;

        # Set correct content type. According to this:
        # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
        # Current specification requires "text/plain" or no content header at all.
        # It seems that "text/plain" is a safe option.
        default_type "text/plain";

        # This directory must be the same as in /etc/letsencrypt/cli.ini
        # as "webroot-path" parameter. Also don't forget to set "authenticator" parameter
        # there to "webroot".
        # Do NOT use alias, use root! Target directory is located here:
        # /var/www/common/letsencrypt/.well-known/acme-challenge/
        root /data/letsencrypt-acme-challenge;
}

# Hide /acme-challenge subdirectory and return 404 on all requests.
# It is somewhat more secure than letting Nginx return 403.
# Ending slash is important!
location = /.well-known/acme-challenge/ {
        return 404;
}

# configuration file /etc/nginx/conf.d/include/ssl-ciphers.conf:
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;

# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;

# configuration file /etc/nginx/conf.d/production.conf:
# Admin Interface
server {
        listen 8181 default;
        listen [::]:8181 default;

        server_name nginxproxymanager;
        root /opt/nginx-proxy-manager/frontend;
        access_log /dev/null;

        location /api {
                return 302 /api/;
        }

        location /api/ {
                add_header            X-Served-By $host;
                proxy_set_header Host $host;
                proxy_set_header      X-Forwarded-Scheme $scheme;
                proxy_set_header      X-Forwarded-Proto  $scheme;
                proxy_set_header      X-Forwarded-For    $remote_addr;
                proxy_pass            http://127.0.0.1:3000/;

                proxy_read_timeout 15m;
                proxy_send_timeout 15m;
        }

        location / {
                index index.html;
                if ($request_uri ~ ^/(.*)\.html$) {
                        return 302 /$1;
                }
                try_files $uri $uri.html $uri/ /index.html;
        }
}

# configuration file /data/nginx/proxy_host/1.conf:
# ------------------------------------------------------------
# ha.konomedia.ca
# ------------------------------------------------------------

server {
  set $forward_scheme http;
  set $server         "192.168.0.30";
  set $port           8123;

  listen 8080;
  listen [::]:8080;

  server_name ha.konomedia.ca;

  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;
  proxy_http_version 1.1;

  access_log /config/log/proxy-host-1_access.log proxy;
  error_log /config/log/proxy-host-1_error.log warn;

  location / {
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    # Proxy!
    include conf.d/include/proxy.conf;
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

/tmp # 

The http.d does not exist in that path.

Side Note: I switched all my subdomains in CF to DNS only and tried it, but get connection refused now.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1566, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1408, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 763, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 264, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 46, in acme_from_config_key
    client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3.8/site-packages/acme/client.py", line 835, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3.8/site-packages/acme/client.py", line 1179, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3.8/site-packages/acme/client.py", line 1150, in _send_request
    raise ValueError("Requesting {0}{1}:{2}".format(host, path, err_msg))
ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Connection refused
2021-08-12 13:10:43,766:ERROR:certbot._internal.log:An unexpected error occurred:
2021-08-12 13:10:43,766:ERROR:certbot._internal.log:ValueError: Requesting acme-v02.api.letsencrypt.org/directory: Connection refused

Well I still think I might be missing something...

But let's go ahead with what is shown for the challenge requests:
root /data/letsencrypt-acme-challenge
Please add a test file at this path:
/data/letsencrypt-acme-challenge/.well-known/acme-challenge/Test-File-1234
to include any simple text message.
And then let's try accessing that file from the Internet, with:
http://konomedia.ca/.well-known/acme-challenge/Test-File-1234

[do not continue to run certbot until this test has been passed]
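A scripted form of that test, added here and not part of the thread: it drops a random token file under the webroot, fetches it over plain HTTP without following redirects, and names the outcome using the responses seen in this thread (a redirect to HTTPS, the CDN's HTML 403 page, a 526, or openresty's 404). The webroot path is the `root` from the posted letsencrypt-acme-challenge.conf and the default domain is konomedia.ca; both are assumptions to change for your own host.

```python
import secrets
import sys
import urllib.error
import urllib.request
from pathlib import Path

# Assumption: NPM's webroot, taken from the posted letsencrypt-acme-challenge.conf.
WEBROOT = Path("/data/letsencrypt-acme-challenge")
CHALLENGE_DIR = ".well-known/acme-challenge"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: a redirect to https on the challenge path is itself a finding."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def write_token(webroot: Path, token: str) -> Path:
    """Create the test file where nginx's `root` directive makes it visible."""
    path = webroot / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(token, encoding="ascii")
    return path

def diagnose(status: int, headers: dict, body: str, token: str) -> str:
    """Map one HTTP response to the outcomes seen in this thread."""
    if status == 200 and body.strip() == token:
        return "ok"                # origin served the file: http-01 can pass
    if status in (301, 302, 307, 308):
        # CDN or proxy bounced plain HTTP to HTTPS before the webroot was reached
        return "redirected:" + headers.get("location", "?")
    if status == 403 and "<!DOCTYPE html>" in body:
        return "cdn-blocked"       # the HTML error page Let's Encrypt reported
    if status == 404:
        return "not-found"         # file missing, or nginx root/location mismatch
    if status == 526:
        return "cdn-origin-cert"   # CDN refused the origin's certificate
    return f"unexpected:{status}"

def fetch(url: str):
    """GET without following redirects; return (status, lowercase headers, body)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            hdrs, body = resp.headers, resp.read()
            status = resp.status
    except urllib.error.HTTPError as err:   # 3xx/4xx/5xx land here
        status, hdrs, body = err.code, err.headers, err.read()
    return status, {k.lower(): v for k, v in hdrs.items()}, body.decode(errors="replace")

def main(domain: str) -> int:
    token = secrets.token_urlsafe(32)
    write_token(WEBROOT, token)
    url = f"http://{domain}/{CHALLENGE_DIR}/{token}"
    verdict = diagnose(*fetch(url), token)
    print(url, "->", verdict)
    return 0 if verdict == "ok" else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "konomedia.ca"))
```

Run it inside the NPM container (or wherever the webroot is mounted) so the token file lands where nginx serves it; anything other than `ok` means certbot will fail the same way.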

In the container, there are no files, hidden or not, under /data/letsencrypt-acme-challenge/

After manually adding the folder path and file and trying it in a web browser, it converts it to HTTPS and throws a 526, invalid SSL cert.

I only get 404s (both HTTP and HTTPS) for that challenge test file:

<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>openresty</center>
</body>
</html>

For the site itself (both HTTP and HTTPS) I do see the proxy manager responding:

curl http://konomedia.ca/
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE=edge">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <title>Default Site</title>
        <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet">
        <style>
            .jumbotron { margin-top: 50px; }
        </style>
    </head>
    <body>
        <div class="container">
            <div class="jumbotron">
                <h1>Congratulations!</h1>
                <p>You've successfully started the Nginx Proxy Manager.</p>
                <p>If you're seeing this site then you're trying to access a host that isn't set up yet.</p>
                <p>Log in to the Admin panel to get started.</p>
            </div>
            <p class="text-center"><small>Powered by <a href="https://github.com/jc21/nginx-proxy-manager" target="_blank">Nginx Proxy Manager</a></small></p>
        </div>
    </body>
</html>


curl https://konomedia.ca/
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE=edge">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <title>Default Site</title>
        <link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css" rel="stylesheet">
        <style>
            .jumbotron { margin-top: 50px; }
        </style>
    </head>
    <body>
        <div class="container">
            <div class="jumbotron">
                <h1>Congratulations!</h1>
                <p>You've successfully started the Nginx Proxy Manager.</p>
                <p>If you're seeing this site then you're trying to access a host that isn't set up yet.</p>
                <p>Log in to the Admin panel to get started.</p>
            </div>
            <p class="text-center"><small>Powered by <a href="https://github.com/jc21/nginx-proxy-manager" target="_blank">Nginx Proxy Manager</a></small></p>
        </div>
    </body>
</html>

Okay so... I had a big moment.

I realized that my SSL setting in Cloudflare was set to Strict, which requires a valid certificate on the host. Once I put it to Flex mode (encrypts traffic between the browser and Cloudflare) I was able to create certs in NPM. So I guess I'm now on pace to get all of them created for each service. Other than having a problem with one proxy just going to the nginx page, that's out of the scope of this forum. Thanks for your help, really appreciate it.
