Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rpiweather.net

I ran this command: installation of certbot via snap:

pi@HomeAutomation:~ $ sudo snap install --classic certbot
certbot 2.8.0 from Certbot Project (certbot-eff✓) installed
pi@HomeAutomation:~ $ sudo ln -s /snap/bin/certbot /usr/bin/certbot
pi@HomeAutomation:~ $ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.

1: rpiweather.net

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

An RSA certificate named rpiweather.net already exists. Do you want to update
its key type to ECDSA?

(U)pdate key type/(K)eep existing key type: U
Renewing an existing certificate for rpiweather.net

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/rpiweather.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/rpiweather.net/privkey.pem
This certificate expires on 2024-04-13.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for rpiweather.net to /etc/nginx/sites-enabled/default
Your existing certificate has been successfully renewed, and the new certificate has been installed.

If you like Certbot, please consider supporting our work by:

• Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
• Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

pi@HomeAutomation:~ $ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/rpiweather.net.conf

Account registered.
Simulating renewal of an existing certificate for rpiweather.net

Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/rpiweather.net/fullchain.pem (success)

pi@HomeAutomation:~ $

It produced this output:

My web server is (include version): nginx version: nginx/1.14.2

The operating system my web server runs on is (include version): Raspbian GNU/Linux 10 (buster)

My hosting provider, if applicable, is: google domains for DNS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

DNS for rpiweather.net is with Google Domains and hosted on my Raspberry Pi. Prior to installing certbot I could reach my website using http::/rpiweather.net, but after installation I get this:

The site is still reachable using 71.174.250.159). My router is forwarding ports 443, 80, 8000 and 8080:

image1528×1029 163 KB

This is the content in the 'default' file in /etc/nginx/sites-available folder:

You should look at the following URL's in order to grasp a solid understanding

of Nginx configuration files in order to fully unleash the power of Nginx.

Getting Started | NGINX

Pitfalls and Common Mistakes | NGINX

Nginx/DirectoryStructure - Debian Wiki

In most cases, administrators will remove this file from sites-enabled/ and

leave it as reference inside of sites-available where it will continue to be

updated by the nginx packaging team.

This file will automatically load configuration files provided by other

applications, such as Drupal or Wordpress. These applications will be made

available underneath a path with that package name, such as /drupal8.

Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.

Default server configuration

server {
listen 80 default_server;
listen [::]:80 default_server;

SSL configuration

listen 443 ssl default_server;

listen [::]:443 ssl default_server;

Note: You should disable gzip for SSL traffic.

See: https://bugs.debian.org/773332

Read up on ssl_ciphers to ensure a secure configuration.

See: https://bugs.debian.org/765782

Self signed certs generated by the ssl-cert package

Don't use them in a production server!

include snippets/snakeoil.conf;

root /var/www/html;

Add index.php to the list if you are using PHP

index index.html index.htm index.nginx-debian.html;

server_name _;

location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}

pass PHP scripts to FastCGI server

#location ~ .php$ {

include snippets/fastcgi-php.conf;

# With php-fpm (or other unix sockets):

fastcgi_pass unix:/run/php/php7.3-fpm.sock;

# With php-cgi (or other tcp sockets):

fastcgi_pass 127.0.0.1:9000;

#}

deny access to .htaccess files, if Apache's document root

concurs with nginx's one

#location ~ /.ht {

deny all;

#}
}

Virtual Host configuration for example.com

You can move that to a different file under sites-available/ and symlink that

to sites-enabled/ to enable it.

#server {

listen 80;

listen [::]:80;

server_name example.com;

root /var/www/example.com;

index index.html;

location / {

try_files $uri $uri/ =404;

}

#}

server {

SSL configuration

listen 443 ssl default_server;

listen [::]:443 ssl default_server;

Note: You should disable gzip for SSL traffic.

See: https://bugs.debian.org/773332

Read up on ssl_ciphers to ensure a secure configuration.

See: https://bugs.debian.org/765782

Self signed certs generated by the ssl-cert package

Don't use them in a production server!

include snippets/snakeoil.conf;

root /var/www/html;

Add index.php to the list if you are using PHP

index index.html index.htm index.nginx-debian.html;
server_name rpiweather.net; # managed by Certbot

location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}

pass PHP scripts to FastCGI server

#location ~ .php$ {

include snippets/fastcgi-php.conf;

# With php-fpm (or other unix sockets):

fastcgi_pass unix:/run/php/php7.3-fpm.sock;

# With php-cgi (or other tcp sockets):

fastcgi_pass 127.0.0.1:9000;

#}

deny access to .htaccess files, if Apache's document root

concurs with nginx's one

#location ~ /.ht {

deny all;

#}

listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/rpiweather.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/rpiweather.net/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
if ($host = rpiweather.net) {
return 301 https://$host$request_uri;
} # managed by Certbot

listen 80 ;
listen [::]:80 ;
server_name rpiweather.net;
return 404; # managed by Certbot

}

Can you suggest how to fix this? thank you.

Hello @MJHanagan, welcome to the Let's Encrypt community.

Port 443 (used for HTTPS) is filtered, I would guess a firewall is blocking access to port 443.

$ nmap -Pn -p80,443 rpiweather.net
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-14 17:31 UTC
Nmap scan report for rpiweather.net (71.174.250.159)
Host is up (0.091s latency).
Other addresses for rpiweather.net (not scanned): 2600:4040:5050:8900:c93c:951:81ed:94ad
rDNS record for 71.174.250.159: pool-71-174-250-159.bstnma.fios.verizon.net

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.25 seconds

And from around the world Permanent link to this check report most get "Connection timed out", a few "No route to host".

Hi @MJHanagan,

Also IPv6 has both Port 80 & 443 filtered. How many firewall are between the server and the Internet?

>nmap -6 -Pn -p80,443 rpiweather.net
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-14 17:43 UTC
Nmap scan report for rpiweather.net (2600:4040:5050:8900:c93c:951:81ed:94ad)
Host is up.
Other addresses for rpiweather.net (not scanned): 71.174.250.159

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 4.24 seconds

>nmap -4 -Pn -p80,443 rpiweather.net
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-14 17:43 UTC
Nmap scan report for rpiweather.net (71.174.250.159)
Host is up (0.070s latency).
Other addresses for rpiweather.net (not scanned): 2600:4040:5050:8900:c93c:951:81ed:94ad
rDNS record for 71.174.250.159: pool-71-174-250-159.bstnma.fios.verizon.net

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.50 seconds

Another thing to note is you nicely redirect HTTP to HTTPS,
but since Port 443 is filtered the site is effectively not reachable .

$ curl -Ii http://rpiweather.net/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2
Date: Sun, 14 Jan 2024 17:48:22 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://rpiweather.net/.well-known/acme-challenge/sometestfile

This is the redirection Location: https://rpiweather.net/.well-known/acme-challenge/sometestfile

Is that a typo in the local IP address for port 443? Shouldn't it end in .125 (not .123)

image1425×348 70.3 KB

Nice catch @MikeMcQ!

Also, your IPv6 address in your DNS AAAA record is not a working IP address

Let's Encrypt prefers IPv6 when you have an AAAA record but will try IPv4 for certain failures. But, this is not good to rely on and only works for narrow cases.

You should fix your IPv6 address or remove it if you cannot support IPv6. This problem affects all ports.

curl -i4 http://rpiweather.net
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.2

curl -i6 http://rpiweather.net
curl: (7) Failed to connect to rpiweather.net port 80 after 3017 ms: 
No route to host

Also see

That is the right version (right now)

Was that a typo to say was 0.31? Or do you have two versions installed?

What does this say:
certbot --version

OMG!! You found it, was the .123 typo! Thank you so much, I've been banging my head for a week trying to fix this.

Sorry, I didn't see the 0.31 comment. Yes, that was from last week's installation. After today's 'snap' install I get this:
pi@HomeAutomation:~ $ certbot --version
certbot 2.8.0

You still have to fix your IPv6 problem. You may not be seeing one but any client trying to use it will have problems. And, Let's Encrypt prefers it as I already noted

@MJHanagan your weather doesn't seem to agree with, Rensselaer Polytechnic Institute (/rɛnsəˈlɪər/; RPI).

Weather in Rensselaer Polytechnic Institute ⛅ (New York), United States - Weather Forecast - www.ViewWeather.com.

The "RPI" for rpiweather.net is in reference to the Raspberry Pi I use to host the website. The weather data is from a collection of Adafruit sourced sensors and Davis Weather instruments located in Grafton MA. Web traffic mostly limited to the family and a few neighbors.

Oh, sorry about @MJHanagan.

I just added a AAAA record in Google Domains, does this fix the IPv6 problem?

No, your IPv6 AAAA record IP address looked wrong and still is. See below and click rerun test to check again. You might be better off deleting the AAAA. And add it back when you understand it better

I got this today regarding the IPv6 compatibility:

IPv6 Test 2024-01-17702×437 17.8 KB

It seems the IPv6 issues has been mostly resolved. The last issue is the "Could not connect to rpiweather.net on port 80 over IPv6." Does this mean I should be forwarding port 80 to 443 on my router?

www.rpiweather.net is still not reachable. This is what I have on my Google Domains DNS records:

Google Domains 2024-01-17821×832 56.9 KB

No; You should never mix secure and insecure channels.

GOOD:
80 > 80
80 > 8080
8080 > 80
443 > 443

BAD:
80 > 443
443 > 80
8080 > 443

Not at all. What is important now is the connection to your nginx server. Please use Let's Debug (https://letsdebug.net) to test that connection. It is perfect for that (and it currently fails the same as it did earlier).

Here's a few things to start with

Your DNS for the www subdomain only has an IPv6 address defined and it is not working to reach your server. You should add an A record for your IPv4 to that subdomain so it matches your root domain

The AAAA record for both your domains has the same IPv6 address but that address is failing to reach your nginx server.

You can determine the correct IPv6 address many ways. One way is to run this command

curl -4 https://ifconfig.io
curl -6 https://ifconfig.io

Whatever is returned for the -6 command belongs in your DNS AAAA record.
If there is no value returned then you should remove the AAAA record from both domains.

The value for the -4 belongs in the A record for each of your domains (currently correct for your root domain but missing from your www subdomain)

Ah ha! Look at this, on my Raspberry Pi I get this result:

pi@HomeAutomation:~ $ curl -4 https://ifconfig.io
71.174.250.159
pi@HomeAutomation:~ $ curl -6 https://ifconfig.io
2600:4040:5050:8900:b176:3528:f70d:7c67
pi@HomeAutomation:~ $

But on my laptop I get this:
C:\Users\micha>curl -4 https://ifconfig.io
71.174.250.159

C:\Users\micha>curl -6 https://ifconfig.io
2600:4040:5050:8900:e076:d08f:f264:844f

Same IPv4 addresses, but different IPv6 addresses, why is that?

I just now changed the Google AAAA records to match the RPi address and I got this:

Lets Debug 2024-01-171005×292 29.9 KB

So I'm all good now?