Type      Host  Value          TTL
A Record  @     66.172.90.106  Automatic
A Record  *     66.172.90.106  Automatic
A Record  www   66.172.90.106  Automatic
OK re. correct sysadmin style, thanks.
This is what I now have in /etc/nginx/sites-available/realupnow.com (which, maybe, needs to be renamed realupnow.conf?)
All the SSL Port 443 is commented out until I get the first part correct.
server {
    listen 80;
    root /var/www/realupnow.com;
    index index.php index.html index.htm;
    server_name realupnow.com www.realupnow.com;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }
}
# server {
#     # "listen" takes the port and flags only; host names belong in server_name
#     listen 443 ssl;
#     server_name realupnow.com www.realupnow.com;
#     root /var/www/realupnow.com;
#     index index.php index.html index.htm;
#
#     location / {
#         try_files $uri $uri/ =404;
#     }
#
#     location ~ \.php$ {
#         include snippets/fastcgi-php.conf;
#         fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
#     }
# }
You still need to update your nginx configuration both so that it also services www.realupnow.com
You may do the first by adding www.realupnow.com to the server_name directive (space separated).
Do I recall, correctly, that requires altering the contents of these?
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
Do I need to do this, first (adjusting to reflect nginx vs apache)?
certbot certificates
Find the path to the fullchain certificate you wish to reinstall
certbot revoke --cert-path /etc/letsencrypt/live/... path to the cert from above
certbot delete --cert-name yourdomain.com
rm -Rf /etc/apache2/sites-available/000-default-le-ssl.conf or whatever the name of the apache conf you had it configured on
rm -Rf 000-default-le-ssl.conf or whatever the name of the apache conf you had it configured on
sudo apache2ctl restart
certbot follow the guide to setup the new certificate
Oops, looks like namecheap rejected those changes.
I just tried this, instead:
A Record *.realupnow.com 66.172.90.106 Automatic
OK, made the www.realupnow.com change and added a new A record for "*"
When I run certbot it asks if I want to keep the existing certificate or if I want a new one (and refers to a possible CA limitation).
Do I need a new certificate after the A record changes?
Will it automatically revoke and cancel the prior cert?
I still can only access http://realupnow.com
Yes, or edit it so it says "www" instead of "realupnow.com" and then it will define the resolution for "www.realupnow.com"
Doesn't the @ A record entry handle all of that?
You reported the setting
A Record realupnow.com 66.172.90.106 Automatic
That setting is for a host with local name realupnow.com within your domain realupnow.com and it therefore defines the FQDN realupnow.com.realupnow.com.
Maybe you get confused by the fact that the local name looks the same as the domain name?
I get confused by a lot of things when it comes to networking configuration. lol
So, I can just eliminate
A Record realupnow.com 66.172.90.106 Automatic
and resolve that problem?
Or possibly a caching issue. Check the authoritative service with
dig realupnow.com @dns1.registrar-servers.com
root@devuan1:/etc# dig realupnow.com @dns1.registrar-servers.com
; <<>> DiG 9.16.33-Debian <<>> realupnow.com @dns1.registrar-servers.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30902
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;realupnow.com. IN A
;; ANSWER SECTION:
realupnow.com. 1799 IN A 66.172.90.106
;; AUTHORITY SECTION:
realupnow.com. 1800 IN NS dns1.registrar-servers.com.
realupnow.com. 1800 IN NS dns2.registrar-servers.com.
;; Query time: 24 msec
;; SERVER: 156.154.132.200#53(156.154.132.200)
;; WHEN: Sun Jan 01 17:47:21 EST 2023
;; MSG SIZE rcvd: 114
Is it getting "dns1.registrar-servers.com" from namecheap.com or ??
Secondly nginx needs to accept two alternative server names, and it also should use both plain http on port 80 and http over ssl on port 443.
For the latter, you need to locate where certbot has put the ssl credentials (as I mentioned before) and add that to the nginx configuration. (I think www.techrepublic.com has a good article for that).
(Also, keep in mind that by convention, nginx runs as user www-data)
Your certificate and chain have been saved at:
/etc/letsencrypt/live/realupnow.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/realupnow.com/privkey.pem
I'm not clear as to where "realupnow.com.realupnow.com" was created - so I don't know how to fix that.
Well, this time ...
certbot certonly --webroot -w /var/www/realupnow.com -d realupnow.com
ran without error!
However ... http://www.realupnow.com and https://realupnow.com are still not connecting.
I had the Virtual Port set incorrectly ...
http://realupnow.com is now responding correctly!
I checked using a network-connected laptop and a phone set to connect via Verizon-only.
Progress!
However ...
http://www.realupnow.com and https://realupnow.com are not connecting.
Namecheap settings are ...
A Record @ 66.172.90.106 Automatic
A Record realupnow.com 66.172.90.106 Automatic
I can access it from my laptop using http://192.168.50.4
What they said when I requested, and paid extra for a static IP, was that it was dynamic but set to never change.
Router firewall is open on 80 & 443 & pinging allowed.
I'll have to look for the virtual setting ...
Do these instructions look good?
https://www.asus.com/us/support/FAQ/114093/
I'm going to have to shut down soon ... running out of energy, but sure appreciate your help!
If this is what you intended - it's also failing the same way.
certbot certonly --webroot -w /var/www/realupnow.com -d realupnow.com
Should "whereis acme-challenge" find the actual $webroot location?
Ha! I was in the IPv6 area ... IPv4 looks like this and has been set ...
Source IP Port Range Protocol Add / Delete
Inbound Firewall Rules (Max Limit : 128)
Service Name Remote IP/CIDR Local IP Port Range Protocol Add / Delete
Do I need to fill the "Remote IP/CIDR" or "Local IP" fields?
Am I correct that Protocol should only be "TCP"?
Yes the DNS is all fine.
Now there seems to be some firewall to penetrate; you'll need to allow incoming TCP connections for ports 80 (http) and 443 (https).
It might also be good if it responds to ICMP requests (aka ping).
Is this done via iftables, in the router, or both?
If webroot is /var/www/html is it expecting /realupnow.com/index.html to be there?
Because I have it at /var/www/realupnow.com/index.html
I ran the certbot string and it returned this error:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
the ipchicken.com resource confirmed what my router was telling me.
I changed the two A record settings at namecheap and I think that dig is showing them as already propagated.
"ANSWER:" now shows a "1".
Can you verify, please?
Looks better. Though that IP address is a s.c. private address that is not usable across the Internet. I.e., only hosts on your network can use that IP address.
It will not be something that Let's Encrypt's server can use.
Well, that's not good.
So, I need to use the static IP address?
https://ipchicken.com/
?
Yes, it should be just @
that means realupnow.com for that configuration
OK, so I have one A record for "realupnow.com" and one that just says "@"
Is that correct, or should I delete the first one?
My ISP doesn't, yet, support IPv6 so no need for an AAAA record.
EDIT 3: The A record entry should be for host "@" to indicate the basic domain name (realupnow.com), with other host names like "www" and "mail" for "www.realupnow.com" and "mail.realupnow.com".
I tried "@realupnow.com" and "*realupnow.com" and it red flagged both as invalid host names.
Also, the IP I'm using is what's assigned to my Server by my Router - I presume that's correct?
EDIT: also check on their "Domain" tab that the domain is active.
Active.
EDIT: the "nameservers" slot should be fine with "Namecheap BasicDNS".
It is.
Did you configure your domain registration to point at namecheap nameserver(s)?
Is this a third thing - or does it summarize the above?
My goal is to self-host as much of this as possible and to rely as little as possible on external resources.
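Added example (not part of the original thread): a Python check for the two DNS mistakes discussed above, a Host field that repeats the domain name and an A record holding a private address, run against record sets constructed from values quoted in the thread. The function names and the use of 192.168.50.4 as the private A value are assumptions made for illustration.

```python
import ipaddress

def expand(host, zone):
    """FQDN that a registrar 'Host' field defines inside zone."""
    host = host.strip().rstrip(".")
    return zone if host == "@" else f"{host}.{zone}"

def covers(fqdn, name):
    """True if an A record at fqdn answers a query for name.
    Simplified wildcard rule: '*.zone' matches anything below zone."""
    if fqdn.startswith("*."):
        return name.endswith(fqdn[1:])
    return fqdn == name

def audit(records, zone, names):
    """records: (host, ipv4) pairs as typed into the DNS panel.
    names: hostnames nginx serves and certbot must validate."""
    findings, defined = [], []
    for host, value in records:
        fqdn = expand(host, zone)
        defined.append(fqdn)
        # A host label that repeats the zone gets the zone appended again.
        if host != "@" and host.rstrip(".").endswith(zone):
            findings.append(f"host '{host}' defines {fqdn}; use '@' for {zone}")
        # Private, loopback and similar addresses cannot be validated remotely.
        if not ipaddress.ip_address(value).is_global:
            findings.append(f"{fqdn} -> {value} is not reachable from the Internet")
    for name in names:
        if not any(covers(f, name) for f in defined):
            findings.append(f"no A record answers for {name}")
    return findings

ZONE = "realupnow.com"
NAMES = ["realupnow.com", "www.realupnow.com"]
PUBLIC = "66.172.90.106"
# Record sets constructed from values quoted in the thread.
LAN_VALUE = [("realupnow.com", "192.168.50.4")]  # assumed private A value
DUPLICATE = [("@", PUBLIC), ("realupnow.com", PUBLIC)]
FINAL = [("@", PUBLIC), ("*", PUBLIC), ("www", PUBLIC)]

if __name__ == "__main__":
    for label, recs in [("lan", LAN_VALUE), ("dup", DUPLICATE), ("final", FINAL)]:
        print(label, audit(recs, ZONE, NAMES) or "ok")
```

An empty result only says the records are consistent with the names requested from certbot; port forwarding for 80 and 443 and the webroot path still have to be correct for the challenge to succeed.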