You are not logged in.
Yes the DNS is all fine.
Now there seems to be some firewall to penetrate; you'll need to allow incoming TCP connections for ports 80 (http) and 443 (https).
It might also be good if it responds to ICMP requests (aka ping).
Offline
If webroot is /var/www/html is it expecting /realupnow.com/index.html to be there?
Because I have it at /var/www/realupnow.com/index.html
Offline
Yes the DNS is all fine.
Now there seems to be some firewall to penetrate; you'll need to allow incoming TCP connections for ports 80 (http) and 443 (https).
It might also be good if it responds to ICMP requests (aka ping).
Is this done via iftables, in the router, or both?
Offline
Inbound Firewall Rules (Max Limit : 128)
Service Name Remote IP/CIDR Local IP Port Range Protocol Add / Delete
Do I need to fill the "Remote IP/CIDR" or "Local IP" fields?
Am I correct that Protocol should only be TCP"?
Offline
If webroot is /var/www/html is it expecting /realupnow.com/index.html to be there?
Because I have it at /var/www/realupnow.com/index.html
No, but the "webroot path" needs to coincide with the served "root path".
certbot will put its file at $webroot/.well-known/acme-challenge/BLAH (i.e. using its $webroot), and
the "external" host will get it from http://realupnow.com/.well-known/acme-challenge/BLAH
which nginx will want to find at $root/.well-known/acme-challenge/BLAH (i.e., using its $root).
Re firewall, I'm not totally clear about your setup. With the Internet to the left, and your service host to the right, I currently understand it as:
Internet --- 66.172.90.106 = router ---- 192.168.50.4 = host
If that is the case, you'd make 2 rules:
1 http blank 192.168.50.4 80 tcp
2 https blank 192.168.50.4 443 tcp
("blank" means to leave the field blank)
Doing so will open those two ports for connection from the Internet.
Offline
Ha! I was in the IPv6 area ... IPv4 looks like this and has been set ...
Source IP Port Range Protocol Add / Delete
Offline
Should "whereis acme-challenge" find the actual $webroot location?
Offline
I think it's better to change the "-w" argument to /var/www/realupnow.com since your nginx is already set up to serve from that root path.
Offline
I'm going to have to shut down soon ... running out of energy, but sure appreciate your help!
If this is what you intended - it's also failing the same way.
certbot certonly --webroot -w /var/www/realupnow.com -d realupnow.com
Offline
Yes, the http service is not accessible (from outside).
If you are sure there shouldn't be any blocking, then you could run
# tcpdump -n -i eth0
on the service host to see connection attempts for port 80.
But maybe best to get some sleep too
Offline
I can now see an A record for unboundtest.com (165.227.59.74, which is on Digital Ocean).
I can't see one for realupnow.com.
Have you got a static IP or just a dynamic one assigned by your ISP? Dynamic IPs periodically change.
By default most ISPs only provide dynamic IPs for domestic users. Business users, who also pay more, usually get a static IP.
And of course you can also run a web and/or mail server in the cloud (such as Digital Ocean).
To run a website accessible on the internet you really need a static IP.
You can check that your ngingx website is running OK by opening it in your browser on its internal (NAT, IP4) network address e.g. http://192.168.50.4 .
I assume there is already a correctly configured index.html in ngingx : on my apache installation there is one there by default that says "Apache2 Debian Default Page: It works!".
I also assume you have opened any firewall on your server for ports 80 and 443.
For now you may need to disable or bypass any automatic redirection from http to https as https won't work until you have a certificate.
My recollection of how my apache server works is that I have automatic redirection set up except for a bypass for letsencrypts certbot, as that obviously needs to see a http site when doing a challenge.
You can then check that it works using its web IP e.g. http://66.172.90.106 (if that's your assigned IP for realudown.com). This doesn't require a DNS lookup.
At this stage you will need to have opened your router firewall for ports 80 and 443 for this to work. On my router I have 'virtual servers' enabled to direct any incoming traffic on posts 80 or 443 to tunnel through to my webserver.
And then you can check that the DNS lookup works OK http://realupnow.com ....
Offline
I can access it from my laptop using http://192.168.50.4
What they said when I requested, and paid extra for a static IP, was that it was dynamic but set to never change.
Router firewall is open on 80 & 443 & pining allowed.
I'll have to look for the virtual setting ...
Do these instructions look good?
https://www.asus.com/us/support/FAQ/114093/
Last edited by dcolburn (2023-01-01 14:34:42)
Offline
I had the Virtual Port set incorrectly ...
http://realupnow.com is now responding correctly!
I checked using a network-connected laptop and a phone set to connect via Verizon-only.
Progress!
However ...
http://www.realupnow.com and https://realupnow.com are not connecting.
Namecheap settings are ...
A Record @ 66.172.90.106 Automatic
A Record realupnow.com 66.172.90.106 Automatic
Last edited by dcolburn (2023-01-01 21:19:39)
Offline
Well, this time ...
certbot certonly --webroot -w /var/www/realupnow.com -d realupnow.com
ran without error!
However ... http://www.realupnow.com and https://realupnow.com are still not connecting.
Offline
Great.
Your dns setup defines 2 FQDN, namely realupnow.com (by the @ line), and realupnow.com.realupnow.com (by the other line).
As I understand it, you want to provide several services:
1. http://realupnow.com
2. http://www.realupnow.com
3. https://realupnow.com
4. https://www.realupnow.com
but don't really care for http://realupnow.com.realupnow.com, which is serviced now.
That means firstly that your DNS setup must define the resolution for www.realupnow.com
(and rather not for realupnow.com.realupnow.com)
Secondly nginx needs to accept two alternative server names, and it also should use both plain http on port 80 and http over ssl on port 443.
For the latter, you need to locate where certbot has put the ssl credentials (as I mentioned before) and add that to the nginx configuration. (I think www.techrepublic.com has a good article for that).
(Also, keep in mind that by convention, nginx runs as user www-data)
Offline
If I open my web browser on http://66.172.90.106 then, if I click through the warning about https: not enabled I see the webpage banner "Welcome to Realupnow.com!". So nginx is serving the index webpage to the internet.
However if I lookup realupdown,com with dig I still don't get the A record:
marjorie@grendel:~$ dig realupdown.com
; <<>> DiG 9.16.33-Debian <<>> realupdown.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3657
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;realupdown.com. IN A
;; AUTHORITY SECTION:
com. 599 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1672611035 1800 900 604800 86400
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jan 01 22:16:02 GMT 2023
;; MSG SIZE rcvd: 116
It may just be a propagation issue. Or it maybe a real issue with the DNS. I do note that the servers in the AUTHORITY section have changed.
Also despite the apparent success of certbot https is not enabled yet.
Last edited by Marjorie (2023-01-01 22:25:22)
Offline
Or possibly a caching issue. Check the authoritative service with
dig realupnow.com @dns1.registrar-servers.com
Offline
Secondly nginx needs to accept two alternative server names, and it also should use both plain http on port 80 and http over ssl on port 443.
For the latter, you need to locate where certbot has put the ssl credentials (as I mentioned before) and add that to the nginx configuration. (I think www.techrepublic.com has a good article for that).
(Also, keep in mind that by convention, nginx runs as user www-data)
Your certificate and chain have been saved at:
/etc/letsencrypt/live/realupnow.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/realupnow.com/privkey.pem
I'm not clear as to where "realupnow.com.realupnow.com" was created - so I don't know how to fix that.
Last edited by dcolburn (2023-01-01 22:46:50)
Offline
Or possibly a caching issue. Check the authoritative service with
dig realupnow.com @dns1.registrar-servers.com
root@devuan1:/etc# dig realupnow.com @dns1.registrar-servers.com
; <<>> DiG 9.16.33-Debian <<>> realupnow.com @dns1.registrar-servers.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30902
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;realupnow.com. IN A
;; ANSWER SECTION:
realupnow.com. 1799 IN A 66.172.90.106
;; AUTHORITY SECTION:
realupnow.com. 1800 IN NS dns1.registrar-servers.com.
realupnow.com. 1800 IN NS dns2.registrar-servers.com.
;; Query time: 24 msec
;; SERVER: 156.154.132.200#53(156.154.132.200)
;; WHEN: Sun Jan 01 17:47:21 EST 2023
;; MSG SIZE rcvd: 114
Is it getting "dns1.registrar-servers.com" from namecheap.com or ??
Offline
You reported the setting
A Record realupnow.com 66.172.90.106 Automatic
That setting is for a host with local name realupnow.com within your domain realupnow.com and it therefore defines the FQDN realupnow.com.realupnow.com.
Maybe you get confused by the fact that the local name looks the same as the domain name?
Offline
You reported the setting
A Record realupnow.com 66.172.90.106 Automatic
That setting is for a host with local name realupnow.com within your domain realupnow.com and it therefore defines the FQDN realupnow.com.realupnow.com.
Maybe you get confused by the fact that the local name looks the same as the domain name?
I get confused by a lot of things when it comes to networking configuration. lol
So, I can just eliminate
A Record realupnow.com 66.172.90.106 Automatic
and resolve that problem?
Offline
Yes, or edit it so it says "www" instead of "realupnow.com" and then it will define the resolution for "www.realupnow.com"
Offline
Yes, or edit it so it says "www" instead of "realupnow.com" and then it will define the resolution for "www.realupnow.com"
Doesn't the @ A record entry handle all of that?
Offline
Nope. It only declares the resolution for the domain itself, without local host.
If their web gui allows, you could declare a resolution for "*" to mean "any local domain" and that would include "ralph" as well as "www" as well as "thisisagoodplacetobe" etc. Usually though "*" does not include local domain names with "." in (which is fine here I guess).
Offline
OK, made the www.realupnow.com change and added a new A record for "*"
When I run certbot it asks if I want to keep the existing certificate or if I want a new one (and refers to a possible CA limitation).
Do I need a new certificate after the A record changes?
Will it automatically revoke and cancel the prior cert?
I still can only access http://realupnow.com
Last edited by dcolburn (2023-01-02 01:05:23)
Offline