webserver ==> router ==> TheInternets -- I cannot get my sites on the router or webserver, but I can on all other LAN machines, which go a different route through a VPN. This matters because certbot cannot validate.
I've combed through the firewall on both the webserver and router and have fixed all the DROPs. Still cannot get my domains. I suspect the problem is in the router.
From either I can curl google.com... but not my own domains served by the router.
On the webserver, curling my domain with tcpdump running on the router's DMZ interface, I see the port 80 packet going out but getting reset back in. The packet never makes it to the router's outside interface. I am masquerading and forwarding.
Apparently DNS-01 validation can't get back to my webserver.
https://quantum-sci.com . Unfortunately my ONT is down and Ziply Fiber's tech was apparently at a strip club rather than coming out here to replace the ONT this morning. But when fiber is working the sites are available from the outside. Just not from the webserver inside, so I can't get validation.
I've been doing this since 1980 and have never heard of "hair pinning". And can't find any nftables examples on The Internets which make sense.
OK, now I understand what hair pinning is; it appears that this could be the reason certbot can't do HTTP-01 validation. My registrar has advanced features like stapling etc., so they must have DNS-01.
The problem is correctly implementing hair pinning in nftables. From resources, I infer that the correct rule (in chain postrouting) is:
tcp dport { http, https } ip saddr 10.2.10.20 oif $DMZ_IF masquerade
(assuming 10.2.10.20 is my webserver)
I can't prove it though because Ziply Fiber's crappy equipment has taken away my internet this week and the tech didn't show up today as was scheduled.
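A complete hairpin-NAT pair for the layout described above, added here as an example and not taken from the thread: the postrouting masquerade alone is not enough, a matching prerouting DNAT on the inside interface is needed as well. 10.2.10.20 is the webserver from the post; $WAN_IF, $DMZ_IF, the public address and the DMZ subnet are assumed placeholders.

```nft
# Constructed example ruleset (load with: nft -f hairpin.nft).
# Interface names, public address and subnet are assumed placeholders;
# replace them with the router's real values.
define WAN_IF = "eth0"            # assumed outside interface
define DMZ_IF = "eth1"            # assumed inside/DMZ interface
define PUBLIC_IP = 203.0.113.10   # assumed public address (documentation range)
define DMZ_NET = 10.2.10.0/24     # assumed DMZ subnet
define WEB = 10.2.10.20           # webserver from the post

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Normal port forward: Internet clients hitting the public IP.
        iif $WAN_IF ip daddr $PUBLIC_IP tcp dport { 80, 443 } dnat to $WEB

        # Hairpin half 1: inside hosts (the webserver itself included) that
        # resolve the site name to the public IP get the same translation.
        iif $DMZ_IF ip daddr $PUBLIC_IP tcp dport { 80, 443 } dnat to $WEB
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Hairpin half 2: rewrite the source of the redirected flow to the
        # router's DMZ address so the webserver's replies return through the
        # router (where conntrack un-NATs them) instead of going straight back
        # to the client; a direct reply is what shows up as the RST in tcpdump.
        ip saddr $DMZ_NET ip daddr $WEB tcp dport { 80, 443 } oif $DMZ_IF masquerade

        # Ordinary outbound masquerade for everything leaving via the WAN.
        oif $WAN_IF masquerade
    }
}
```

The filter table's forward chain still has to accept the DMZ-to-DMZ flow, and after the masquerade the webserver's logs show the router's DMZ address as the client for every hairpinned connection, so source-IP based allow lists and rate limits on the webserver no longer see the real client.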
Negative. certbot doesn't validate anything.
LE validates the information certbot presents it.
[directly via HTTPS and indirectly via file served by your web server].
LE validations are all done from the Internet.
[which will never need to be hairpinned]
Fired Ziply Fiber as I waited all day losing over $400 income because they didn't show up. Now trying to find another ISP. Might be my only choice is to resort to frickin' Xfinity.