The officially official Devuan Forum!

You are not logged in.

#26 2023-01-01 05:03:05

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 868  

Re: [SOLVED] Good nginx ssl instructions

Yes the DNS is all fine.

Now there seems to be some firewall to penetrate;  you'll need to allow incoming TCP connections for ports 80 (http) and 443 (https).

It might also be good if it responds to ICMP requests (aka ping).

Offline

#27 2023-01-01 05:05:11

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

If webroot is /var/www/html is it expecting /realupnow.com/index.html to be there?

Because I have it at /var/www/realupnow.com/index.html

Offline

#28 2023-01-01 05:06:17

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

ralph.ronnquist wrote:

Yes the DNS is all fine.

Now there seems to be some firewall to penetrate;  you'll need to allow incoming TCP connections for ports 80 (http) and 443 (https).

It might also be good if it responds to ICMP requests (aka ping).

Is this done via iftables, in the router, or both?

Offline

#29 2023-01-01 05:18:47

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

Inbound Firewall Rules (Max Limit : 128)
Service Name     Remote IP/CIDR     Local IP     Port Range     Protocol     Add / Delete

Do I need to fill the "Remote IP/CIDR" or "Local IP" fields?

Am I correct that Protocol should only be TCP"?

Offline

#30 2023-01-01 05:35:28

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 868  

Re: [SOLVED] Good nginx ssl instructions

If webroot is /var/www/html is it expecting /realupnow.com/index.html to be there?

Because I have it at /var/www/realupnow.com/index.html

No, but the "webroot path" needs to coincide with the served "root path".

  • certbot will put its file at $webroot/.well-known/acme-challenge/BLAH (i.e. using its $webroot), and

  • the "external" host will get it from http://realupnow.com/.well-known/acme-challenge/BLAH

    which nginx will want to find at $root/.well-known/acme-challenge/BLAH (i.e., using its $root).

Re firewall, I'm not totally clear about your setup. With the Internet to the left, and your service host to the right, I currently understand it as:

      Internet --- 66.172.90.106 = router ---- 192.168.50.4 = host

If that is the case, you'd make 2 rules:
   1 http blank 192.168.50.4 80 tcp
   2 https blank 192.168.50.4 443 tcp
("blank" means to leave the field blank)

Doing so will open those two ports for connection from the Internet.

Offline

#31 2023-01-01 06:03:30

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

Ha! I was in the IPv6 area ... IPv4 looks like this and has been set ...

Source IP     Port Range     Protocol     Add / Delete

Offline

#32 2023-01-01 06:12:14

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

Should "whereis acme-challenge" find the actual $webroot location?

Offline

#33 2023-01-01 06:15:48

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 868  

Re: [SOLVED] Good nginx ssl instructions

I think it's better to change the "-w" argument to /var/www/realupnow.com since your nginx is already set up to serve from that root path.

Offline

#34 2023-01-01 06:26:08

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

I'm going to have to shut down soon ... running out of energy, but sure appreciate your help!

If this is what you intended - it's also failing the same way.

certbot certonly --webroot -w /var/www/realupnow.com -d realupnow.com

Offline

#35 2023-01-01 06:38:14

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 868  

Re: [SOLVED] Good nginx ssl instructions

Yes, the http service is not accessible (from outside).

If you are sure there shouldn't be any blocking, then you could run

# tcpdump -n -i eth0

on the service host to see connection attempts for port 80.

But maybe best to get some sleep too smile

Offline

#36 2023-01-01 11:16:27

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 186  

Re: [SOLVED] Good nginx ssl instructions

I can now see an A record for unboundtest.com (165.227.59.74, which is on Digital Ocean).
I can't see one for realupnow.com.

Have you got a static IP or just a dynamic one assigned by your ISP? Dynamic IPs periodically change.
By default most ISPs only provide dynamic IPs for domestic users. Business users, who also pay more, usually get a static IP.
And of course you can also run a web and/or mail server in the cloud (such as Digital Ocean).
To run a website accessible on the internet you really need a static IP.

You can check that your ngingx website is running OK by opening it in your browser on its internal (NAT, IP4) network address e.g. http://192.168.50.4 .
I assume there is already a correctly configured index.html in ngingx : on my apache installation there is one there by default that says "Apache2 Debian Default Page: It works!".
I also assume you have opened any firewall on your server for ports 80 and 443.
For now you may need to disable or bypass any automatic redirection from http to https as https won't work until you have a certificate.
My recollection of how my apache server works is that I have automatic redirection set up except for a bypass for letsencrypts certbot, as that obviously needs to see a http site when doing a challenge.

You can then check that it works using its web IP e.g. http://66.172.90.106 (if that's your assigned IP for realudown.com). This doesn't require a DNS lookup.
At this stage you will need to have opened your router firewall for ports 80 and 443 for this to work. On my router I have 'virtual servers' enabled to direct any incoming traffic on posts 80 or 443 to tunnel through to my webserver.

And then you can check that the DNS lookup works OK http://realupnow.com ....

Online

#37 2023-01-01 14:22:23

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

I can access it  from my laptop using http://192.168.50.4

What they said when I requested, and paid extra for a static IP, was that it was dynamic but set to never change.

Router firewall is open on 80 & 443 & pining allowed.

I'll have to look for the virtual setting ...

Do these instructions look good?

https://www.asus.com/us/support/FAQ/114093/

Last edited by dcolburn (2023-01-01 14:34:42)

Offline

#38 2023-01-01 20:33:15

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

I had the Virtual Port set incorrectly ...

http://realupnow.com is now responding correctly!

I checked using a network-connected laptop and a phone set to connect via Verizon-only.

Progress!

However ...

http://www.realupnow.com and https://realupnow.com are not connecting.

Namecheap settings are ...

A Record 	@                66.172.90.106   Automatic
	
A Record 	realupnow.com    66.172.90.106   Automatic

Last edited by dcolburn (2023-01-01 21:19:39)

Offline

#39 2023-01-01 21:30:09

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

Well, this time ...

certbot certonly --webroot -w /var/www/realupnow.com -d realupnow.com

ran without error!

However ... http://www.realupnow.com and https://realupnow.com are still not connecting.

Offline

#40 2023-01-01 22:16:49

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 868  

Re: [SOLVED] Good nginx ssl instructions

Great.

Your dns setup defines 2 FQDN, namely realupnow.com (by the @ line), and realupnow.com.realupnow.com (by the other line).

As I understand it, you want to provide several services:
     1. http://realupnow.com
     2. http://www.realupnow.com
     3. https://realupnow.com
     4. https://www.realupnow.com
but don't really care for http://realupnow.com.realupnow.com, which is serviced now.

That means firstly that your DNS setup must define the resolution for www.realupnow.com
(and rather not for realupnow.com.realupnow.com)

Secondly nginx needs to accept two alternative server names, and it also should use both plain http on port 80 and http over ssl on port 443.

For the latter, you need to locate where certbot has put the ssl credentials (as I mentioned before) and add that to the nginx configuration. (I think www.techrepublic.com has a good article for that).
(Also, keep in mind that by convention, nginx runs as user www-data)

Offline

#41 2023-01-01 22:22:45

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 186  

Re: [SOLVED] Good nginx ssl instructions

If I open my web browser on http://66.172.90.106 then, if I click through the warning about https: not enabled I see the webpage banner "Welcome to Realupnow.com!". So nginx is serving the index webpage to the internet.

However if I lookup realupdown,com with dig I still don't get the A record:

marjorie@grendel:~$ dig realupdown.com

; <<>> DiG 9.16.33-Debian <<>> realupdown.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3657
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;realupdown.com.			IN	A

;; AUTHORITY SECTION:
com.			599	IN	SOA	a.gtld-servers.net. nstld.verisign-grs.com. 1672611035 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jan 01 22:16:02 GMT 2023
;; MSG SIZE  rcvd: 116

It may just be a propagation issue. Or it maybe a real issue with the DNS. I do note that the servers in the AUTHORITY section have changed.

Also despite the apparent success of certbot https is not enabled yet.

Last edited by Marjorie (2023-01-01 22:25:22)

Online

#42 2023-01-01 22:38:36

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 868  

Re: [SOLVED] Good nginx ssl instructions

Or possibly a caching issue. Check the authoritative service with

dig realupnow.com @dns1.registrar-servers.com

Offline

#43 2023-01-01 22:46:12

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

ralph.ronnquist wrote:

Secondly nginx needs to accept two alternative server names, and it also should use both plain http on port 80 and http over ssl on port 443.

For the latter, you need to locate where certbot has put the ssl credentials (as I mentioned before) and add that to the nginx configuration. (I think www.techrepublic.com has a good article for that).
(Also, keep in mind that by convention, nginx runs as user www-data)

Your certificate and chain have been saved at:
/etc/letsencrypt/live/realupnow.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/realupnow.com/privkey.pem

I'm not clear as to where "realupnow.com.realupnow.com" was created - so I don't know how to fix that.

Last edited by dcolburn (2023-01-01 22:46:50)

Offline

#44 2023-01-01 22:50:02

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

ralph.ronnquist wrote:

Or possibly a caching issue. Check the authoritative service with

dig realupnow.com @dns1.registrar-servers.com
root@devuan1:/etc# dig realupnow.com @dns1.registrar-servers.com

; <<>> DiG 9.16.33-Debian <<>> realupnow.com @dns1.registrar-servers.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30902
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;realupnow.com.			IN	A

;; ANSWER SECTION:
realupnow.com.		1799	IN	A	66.172.90.106

;; AUTHORITY SECTION:
realupnow.com.		1800	IN	NS	dns1.registrar-servers.com.
realupnow.com.		1800	IN	NS	dns2.registrar-servers.com.

;; Query time: 24 msec
;; SERVER: 156.154.132.200#53(156.154.132.200)
;; WHEN: Sun Jan 01 17:47:21 EST 2023
;; MSG SIZE  rcvd: 114

Is it getting "dns1.registrar-servers.com" from namecheap.com or ??

Offline

#45 2023-01-01 22:51:37

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 868  

Re: [SOLVED] Good nginx ssl instructions

You reported the setting

A Record 	realupnow.com    66.172.90.106   Automatic

That setting is for a host with local name  realupnow.com within your domain realupnow.com and it therefore defines the FQDN realupnow.com.realupnow.com.

Maybe you get confused by the fact that the local name looks the same as the domain name?

Offline

#46 2023-01-01 23:01:48

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

ralph.ronnquist wrote:

You reported the setting

A Record 	realupnow.com    66.172.90.106   Automatic

That setting is for a host with local name  realupnow.com within your domain realupnow.com and it therefore defines the FQDN realupnow.com.realupnow.com.

Maybe you get confused by the fact that the local name looks the same as the domain name?

I get confused by a lot of things when it comes to networking configuration.  lol

So, I can just eliminate

A Record 	realupnow.com    66.172.90.106   Automatic

and resolve that problem?

Offline

#47 2023-01-01 23:04:04

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 868  

Re: [SOLVED] Good nginx ssl instructions

Yes, or edit it so it says "www" instead of "realupnow.com" and then it will define the resolution for "www.realupnow.com" smile

Offline

#48 2023-01-01 23:49:06

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

ralph.ronnquist wrote:

Yes, or edit it so it says "www" instead of "realupnow.com" and then it will define the resolution for "www.realupnow.com" smile

Doesn't the @ A record entry handle all of that?

Offline

#49 2023-01-02 00:01:44

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 868  

Re: [SOLVED] Good nginx ssl instructions

Nope. It only declares the resolution for the domain itself, without local host.

If their web gui allows, you could declare a resolution for "*" to mean "any local domain" and that would include "ralph" as well as "www" as well as "thisisagoodplacetobe" etc. Usually though "*" does not include local domain names with "." in (which is fine here I guess).

Offline

#50 2023-01-02 00:35:44

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: [SOLVED] Good nginx ssl instructions

OK, made the www.realupnow.com change and added a new A record for "*"

When I run certbot it asks if I want to keep the existing certificate or if I want a new one (and refers to a possible CA limitation).

Do I need a new certificate after the A record changes?

Will it automatically revoke and cancel the prior cert?

I still can only access http://realupnow.com

Last edited by dcolburn (2023-01-02 01:05:23)

Offline

Board footer