Other than replacing a check-setup using "ufw" with one for "nftables" ...
... and replacing a "systemctl" restart with a "service" one ...
Does this step-by-step article look reliable (it's dated January 2019)?
https://www.techrepublic.com/article/how-to-enable-ssl-on-nginx/
If not, is there a newer one, that's Devuan-specific or better in some way?
Thanks
I've never used nginx so I can only quote the self-signed certificate advice on the ArchWiki:
Most web browsers do not seem to accept CA certificates, deeming it necessary to request another certificate and sign it with the CA cert and CA key. The "Generate a certificate issued by own CA" procedure in this forum post is what seems to satisfy browsers.
https://wiki.archlinux.org/title/OpenSS … ertificate, https://wiki.archlinux.org/title/Nginx.
So it looks like that javascript-infested, ad-ridden TechRepublic site might be wrong.
Probably best to wait for somebody who has actually used the software though :-)
Last edited by Head_on_a_Stick (2022-12-31 12:52:39)
Brianna Ghey — Rest In Power
Self-signed won't work on most browsers... you could get a free SSL cert from Let's Encrypt (or other providers). There's a python3-certbot-nginx package to facilitate certificate issue and installation...
As for SSL configuration for nginx, this is probably better: https://ssl-config.mozilla.org/
Choose nginx + OpenSSL versions, security level, and copy the output to an ssl-params.conf file (customizing to your needs of course...)
OK re. TechRepublic. I have my Ghostery Dawn browser cranked down so tight I barely noticed the debris - or maybe I just filter it in my mind?
I'm going to need some coffee before I can process https://bbs.archlinux.org/viewtopic.php?pid=1776753#p1776753 - thanks for that link!
OK re. Let's Encrypt and a python3-certbot-nginx package to facilitate certificate issue and installation ... that sounds promising.
Thanks to you both ...
Deleted ... I had fat-fingered "certbot" as "cerbot" ... sigh ...
Last edited by dcolburn (2022-12-31 21:26:06)
Account registered.
Requesting a certificate for realupnow.com
Performing the following challenges:
http-01 challenge for realupnow.com
Waiting for verification...
Challenge failed for domain realupnow.com
http-01 challenge for realupnow.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: realupnow.com
Type: dns
Detail: no valid A records found for realupnow.com; no valid AAAA
records found for realupnow.com
2022-12-31 16:32:16,754:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Any thoughts, please?
EDIT1: I ran an https://unboundtest.com/ test for AAAA and these were the last several lines of output ...
Dec 31 22:32:15 unbound[667849:0] info: query response was ANSWER
Dec 31 22:32:15 unbound[667849:0] info: validated DNSKEY com. DNSKEY IN
Dec 31 22:32:15 unbound[667849:0] info: resolving realupnow.com. DS IN
Dec 31 22:32:15 unbound[667849:0] info: response for realupnow.com. DS IN
Dec 31 22:32:15 unbound[667849:0] info: reply from <com.> 2001:503:d2d::30#53
Dec 31 22:32:15 unbound[667849:0] info: query response was nodata ANSWER
Dec 31 22:32:15 unbound[667849:0] info: NSEC3s for the referral proved no DS.
Dec 31 22:32:15 unbound[667849:0] info: Verified that unsigned response is INSECURE
Last edited by dcolburn (2022-12-31 22:34:51)
Looking here ...
https://community.letsencrypt.org/t/no-valid-a-records-found/174627
root@devuan1:~# sudo certbot certonly --manual --preferred-challenges dns
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): realupnow.com
Requesting a certificate for realupnow.com
Performing the following challenges:
dns-01 challenge for realupnow.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.realupnow.com with the following value:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue^CCleaning up challenges
What does this mean, please? "Before continuing, verify the record is deployed."
Last edited by dcolburn (2022-12-31 23:39:27)
Note that the SSL credentials system is built upon "domain name control"; i.e., that you are the current renter of the proposed domain name, and in control of the DNS resolution for it.
The "http" validation done by Let's Encrypt via certbot involves them, at an external host, looking up the domain name (realupnow.com) so as to access a file via HTTP that certbot has prepared. This is only possible if you have control of the domain resolution to make that name resolve for that external host to your host and then also run an HTTP service for offering that file.
Doesn't look like you've set up an A record, or the record hasn't been propagated yet.
digging your website:
marjorie@grendel:~$ dig realupnow.com
; <<>> DiG 9.16.33-Debian <<>> realupnow.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56743
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 0
;; QUESTION SECTION:
;realupnow.com. IN A
;; AUTHORITY SECTION:
realupnow.com. 3599 IN SOA dns1.registrar-servers.com. hostmaster.registrar-servers.com. 1664668104 43200 3600 604800 3601
;; Query time: 71 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Dec 31 23:48:36 GMT 2022
;; MSG SIZE rcvd: 112
While if I dig mine:
; <<>> DiG 9.16.33-Debian <<>> meeble.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62974
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;meeble.net. IN A
;; ANSWER SECTION:
meeble.net. 2399 IN A 88.97.31.244
;; Query time: 99 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Dec 31 23:49:04 GMT 2022
;; MSG SIZE rcvd: 55
Last edited by Marjorie (2022-12-31 23:58:19)
OK, I set up an A record on namecheap about an hour ago.
Dig is still responding with the same output.
So is https://unboundtest.com/
Do I need to run this
root@devuan1:~# sudo certbot certonly --manual --preferred-challenges dns
Or ... this
root@devuan1:~# sudo certbot --nginx -d realupnow.com -d realupnow.com
first?
Last edited by dcolburn (2023-01-01 02:09:22)
I tend to prefer the command variant
certbot certonly --webroot -w /var/www/html -d my.domain.name
where then the file will be placed in the directory
/var/www/html/.well-known/acme-challenge/
which thus my HTTP service needs to serve.
This starts with
my domain name registration being configured so that the nameserver(s) for my.domain.name point to my authoritative DNS service, and then
I configure that with A and/or AAAA records for my.domain.name pointing to the external IP of my server.
Thereafter I configure SSL for nginx to use the public certificate and private key under /etc/letsencrypt/live/my.domain.name/ (sometimes with a version code added into that pathname).
Do I need DNSSEC toggled on at namecheap?
No that shouldn't be needed.
OK, cool. I'm impatiently waiting ...
A record set via namecheap still hasn't propagated per dig.
Did you configure your domain registration to point at namecheap nameserver(s)?
EDIT: also check on their "Domain" tab that the domain is active.
EDIT 2: the "nameservers" slot should be fine with "Namecheap BasicDNS".
EDIT 3: The A record entry should be for host "@" to indicate the basic domain name (realupnow.com), with other host names like "www" and "mail" for "www.realupnow.com" and "mail.realupnow.com".
EDIT: also check on their "Domain" tab that the domain is active.
Active.
EDIT: the "nameservers" slot should be fine with "Namecheap BasicDNS".
It is.
Did you configure your domain registration to point at namecheap nameserver(s)?
Is this a third thing - or does it summarize the above?
My goal is to self-host as much of this as possible and to rely as little as possible on external resources.
ralph.ronnquist wrote:
Did you configure your domain registration to point at namecheap nameserver(s)?
Is this a third thing - or does it summarize the above?
That was my mistake, before I realized that dns[12].registrar-servers.com are namecheap's nameservers.
edit: the above post had another actual third, which might have criss-crossed our postings
EDIT 3: The A record entry should be for host "@" to indicate the basic domain name (realupnow.com), with other host names like "www" and "mail" for "www.realupnow.com" and "mail.realupnow.com".
I tried "@realupnow.com" and "*realupnow.com" and it red-flagged both as invalid host names.
Also, the IP I'm using is what's assigned to my Server by my Router - I presume that's correct?
Last edited by dcolburn (2023-01-01 04:07:14)
Yes, it should be just @
that means realupnow.com for that configuration
Yes, it should be just @
that means realupnow.com for that configuration
OK, so I have one A record for "realupnow.com" and one that just says "@"
Is that correct, or should I delete the first one?
My ISP doesn't, yet, support IPv6 so no need for an AAAA record.
Looks better. Though that IP address is a s.c. private address that is not usable across the Internet. I.e., only hosts on your network can use that IP address.
It will not be something that Let's Encrypt's server can use.
Looks better. Though that IP address is a s.c. private address that is not usable across the Internet. I.e., only hosts on your network can use that IP address.
It will not be something that Let's Encrypt's server can use.
Well, that's not good.
So, I need to use the static IP address?
https://ipchicken.com/
?
Last edited by dcolburn (2023-01-01 04:44:27)
If your host ("the static IP") is directly on the Internet then that should do.
It needs to be an IP address that an "external" host can use for accessing your HTTP service.
Assuming you can suffer an amount of ads, you could check your externally visible IP address at https://whatismyipaddress.com/
The ipchicken.com resource confirmed what my router was telling me.
I changed the two A record settings at namecheap and I think that dig is showing them as already propagated.
"ANSWER:" now shows a "1".
Can you verify, please?
I ran the certbot string and it returned this error:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
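The thread walks through each precondition for the http-01 challenge one failure at a time: no A record, then a private LAN address in the A record, then a timeout on port 80. As an added example (not from any post above, nor from certbot or nginx), this pre-flight script checks all of them before certbot is run. It assumes dig and curl are installed; the domain, webroot path and token file name are placeholders.

```sh
#!/bin/sh
# Pre-flight checks before running certbot with the http-01 challenge.
# Added example; the domain, webroot and token name are placeholders.

# Return 0 if the dotted-quad IPv4 address is private or otherwise not
# routable across the Internet (RFC 1918, loopback, link-local, CGNAT),
# i.e. an address Let's Encrypt's validation servers can never reach.
is_private_ipv4() {
    case "$1" in
        10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a whitespace-separated list of A records into the three
# situations seen in the thread: "none", "private" or "public".
classify_a_records() {
    [ -z "$1" ] && { echo none; return; }
    for ip in $1; do
        is_private_ipv4 "$ip" && { echo private; return; }
    done
    echo public
}

# Live check: resolve the domain, classify the answer, then fetch a test
# token from the ACME webroot over plain HTTP on port 80, the same path
# Let's Encrypt requests: http://DOMAIN/.well-known/acme-challenge/TOKEN
preflight() {
    domain=$1; webroot=${2:-/var/www/html}
    records=$(dig +short A "$domain" | grep -E '^[0-9.]+$')
    verdict=$(classify_a_records "$records")
    echo "A records for $domain: ${records:-<none>} ($verdict)"
    [ "$verdict" = public ] || return 1
    first=$(printf '%s\n' "$records" | head -n 1)
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" && echo preflight-ok > "$dir/preflight-test"
    # --resolve pins the name to the published address. Run this from a
    # host outside your LAN if the router does not support hairpin NAT.
    curl -fsS --max-time 10 --resolve "$domain:80:$first" \
        "http://$domain/.well-known/acme-challenge/preflight-test"
    rc=$?
    rm -f "$dir/preflight-test"
    return $rc
}

if [ $# -gt 0 ]; then preflight "$@"; fi
```

Run it as `sh preflight.sh realupnow.com /var/www/html`; a non-zero exit means certbot would fail at the same step.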