Unable to Get Certs Renewed Due to Domain Validation

webserver ==> router ==> TheInternets -- I cannot get my sites on the router or webserver, but I can on all other LAN machines, which go a different route through a VPN. This matters because certbot cannot validate.

I've combed through the firewall on both the webserver and router and have fixed all the DROPs. Still cannot get my domains. I suspect the problem is in the router.

From either I can curl google.com... but not my own domains served by the router.

On the webserver curling my domain, and tcpdump on the router's DMZ interface, sees the port 80 packet going out, but getting reset back in. The packet never makes it to the router's outside interface. I am masquerading and forwarding.

Can you use DNS-01 validation?

Can you give an example for use to check?

The router may need to support hair-pinning for you to be able to connect to an inside IP via its outside IP.

Can anyone on the Internet see your sites?
Does your ISP use CGNAT?


Apparently DNS-01 validation can't get back to my webserver.

https://quantum-sci.com . Unfortunately my ONT is down and Ziply Fiber's tech was apparently at a strip club rather than coming out here to replace the ONT this morning. But when fiber is working the sites are available from the outside. Just not from the webserver inside, so I can't get validation.

I've been doing this since 1980 and have never heard of "hair pinning". And can't find any nftables examples on The Internets which make sense.

HTTP-01 validation would need to reach your "authoritative" webserver.
DNS-01 validation would only need to reach your authoritative DNS servers.


Ok, now I understand what hair pinning is; it appears that this could be the reason certbot can't do HTTP-01 val. My registrar has advanced features like stapling etc., so they must have DNS-01.

The problem is correctly implementing hair pinning in nftables. From resources, I infer that the correct rule (in chain postrouting) is:
tcp dport { http, https } ip saddr 10.2.10.20 oif $DMZ_IF masquerade
(assuming 10.2.10.20 is my webserver)

I can't prove it though because Ziply Fiber's crappy equipment has taken away my internet this week and the tech didn't show up today as was scheduled.
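For reference, an added example (not from any poster in this thread) of a complete hairpin-NAT ruleset for the topology described above: the postrouting masquerade quoted in the post is only half of it, a matching DNAT in prerouting is needed so that inside hosts connecting to the public IP are redirected to the webserver at all. Interface names, the LAN range and the public IP are assumptions; 10.2.10.20 is the webserver as given in the post.

```nft
# Added example, not from the thread. Assumed names and addresses are marked.
define WAN_IF  = eth0          # router's outside interface (assumed name)
define DMZ_IF  = eth1          # router's DMZ interface (assumed name)
define LAN_NET = 10.2.0.0/16   # inside networks that should hairpin (assumed)
define WEB_IP  = 10.2.10.20    # webserver, as given in the post
define WAN_IP  = 203.0.113.10  # placeholder public IP (RFC 5737 documentation range)

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;

        # Inbound from the Internet: forward web ports to the webserver.
        iifname $WAN_IF tcp dport { http, https } dnat to $WEB_IP

        # Hairpin half 1: inside hosts (including the webserver itself, as in
        # the curl test above) that connect to the public IP get the same DNAT.
        iifname != $WAN_IF ip saddr $LAN_NET ip daddr $WAN_IP tcp dport { http, https } dnat to $WEB_IP
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # Normal outbound masquerade.
        oifname $WAN_IF masquerade

        # Hairpin half 2: rewrite the source to the router's DMZ address so the
        # webserver's reply comes back through the router and is un-NATed there.
        # Without this the reply carries the private address the client never
        # connected to, and the client's TCP stack answers it with a RST.
        ip saddr $LAN_NET ip daddr $WEB_IP tcp dport { http, https } oifname $DMZ_IF masquerade
    }
}
```

The filter table's forward chain must still accept the DNATed traffic (e.g. `ct status dnat accept`), and, as noted later in the thread, none of this affects Let's Encrypt validation, which arrives from the Internet via the WAN interface.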

Negative.
certbot doesn't validate anything.
LE validates the information certbot presents it.
[directly via HTTPS and indirectly via file served by your web server].
LE validations are all done from the Internet.
[which will never need to be hairpinned]


Huh? So hair pinning isn't my solution?

Fired Ziply Fiber as I waited all day losing over $400 income because they didn't show up. Now trying to find another ISP. Might be my only choice is to resort to frickin' Xfinity.

Any news?
