Check that your DNS and NGINX configuration is correct

My YunoHost server

Hardware: Old laptop or computer
YunoHost version: started when using 3.6.4.6, but since updating to 3.7.0.12 the problem persists.
I have access to my server: Through webadmin.

Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no

Description of my issue

My Yunohost is no longer accessible outside of my network (but browsers and internet are).

When I use the YunoHost port tester all appear red, however when I check my router and firewall settings the ports are open.

I haven't figured this out and my instance has been in limbo since it's non-critical, family/testing only at this point. However recently I started receiving emails about the "Certificate renewing attempt for my.domain failed!"

Which gave me this clue

"YunohostError: It seems the domain my.domain cannot be accessed through HTTP. Check that your DNS and NGINX configuration is correct"

How do I check this?

Thanks in advance:)

Basically make sure that you followed https://yunohost.org/isp_box_config (though you seem to say that you already configured port stuff …)

Also check that you registered a DNS record on your DNS provider?

Otherwise, this warning could be a false-negative and you can try to run from the command line "sudo yunohost domain cert-install yourdomain.tld --no-checks"

I'm confused since this was working using the YunoHost provided subdomain and then one day just stopped, so I don't think DNS is an issue if I'm using the subdomain, is it?

I'll try the command to see what I come up with and look at the isp_box_config. I checked my ports using https://ports.yunohost.org/

And again, this was working until a few weeks ago.

Thanks for your help:)

Hmyea, I'm just throwing pointers and just making sure that you did all the usual checks …

Anyway, just try 'sudo yunohost domain cert-install yourdomain.tld --no-checks' and let's see from what it says …

Okay, I tried that and it prompted me to "--force"

Error: The certificate for domain "my.domain"
is not self-signed. Are you sure you want to replace it? (Use '--force' to do so.)

However it didn't recognize the "--force" command :(

bash: --force: command not found

Hokay … but is the issue really that your certificate is invalid? You can check this using:

yunohost domain cert-status your.domain.tld

I don't think so, I'm just grasping at anything as I can't figure out what happened. This occurred before the expiry of certificates.

I've been considering just doing a fresh install on another drive and hoping to use the same subdomain, and restoring with a YunoHost backup. Is this possible?

Just … give the result of the command (ideally redacting private info like domain name if you care about privacy)

Please no, it's like moving to a new flat because your microwave doesn't work … Given the nature of the issue it's not likely to solve anything, you'll just waste your time … We just need to precisely diagnose the issue and apply the appropriate fix.


I recommend you to follow @Aleks' suggestion to check your certificate.

If the command returns that your certificate is a valid Let's Encrypt certificate, maybe your ISP now shares your IP address with other customers OR changed the settings of your box.
If your IP is shared you could need to ask your ISP for a "full stack ip".

That command returned

certificates:
my.domain:
CA_type: Let's Encrypt
summary: CRITICAL
validity: -12

Alright, my bad, now I realize that my suggestion was wrong. What I meant to say was:

sudo yunohost domain cert-renew yourdomain.tld --no-checks

(so cert-renew instead of cert-install)

It returned this, I'm including all without my domain of course

Info: Now attempting renewing of certificate for domain my.domain !
Info: Parsing account key…
Info: Parsing CSR…
Info: Found domains: my.domain
Info: Getting directory…
Info: Directory found!
Info: Registering account…
Info: Already registered!
Info: Creating new order…
Info: Order created!
Info: Verifying my.domain…
Error: Challenge did not pass for my.domain: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://my.domain/.well-known/acme-challenge/TirihEnGdMQs5SXJZEcRYGGfG9AvIdNxhbt860pD5q0', u'hostname': u'my.domain', u'addressUsed': u'69.41.198.18', u'port': u'80', u'addressesResolved': [u'69.41.198.18']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/3683059310/J1TqIw', u'token': u'TirihEnGdMQs5SXJZEcRYGGfG9AvIdNxhbt860pD5q0', u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:connection', u'detail': u'Fetching http://my.domain/.well-known/acme-challenge/TirihEnGdMQs5SXJZEcRYGGfG9AvIdNxhbt860pD5q0: Connection refused'}, u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'my.domain'}, u'expires': u'2020-04-07T23:42:29Z'}
Warning: Debug information:

  • domain ip from DNS 69.41.198.18
  • domain ip from local DNS 69.41.198.18
  • public ip of the server 69.41.198.18

Error: Certificate renewing for my.domain failed !
Info: The operation 'Renew 'my.domain' Let's Encrypt certificate' could not be completed. Please share the full log of this operation using the command 'yunohost log display 20200331-234226-letsencrypt_cert_renew-my.domain --share' to get help
Error: Traceback (most recent call last):
File "/usr/lib/moulinette/yunohost/certificate.py", line 384, in certificate_renew
_fetch_and_enable_new_certificate(domain, staging, no_checks=no_checks)
File "/usr/lib/moulinette/yunohost/certificate.py", line 577, in _fetch_and_enable_new_certificate
raise YunohostError('certmanager_cert_signing_failed')
YunohostError: Could not sign the new certificate

Error: Could not sign the new certificate

FYI I did some more searching and verified my NGINX configuration with this command and it seems fine

sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Alright so I confirm that I also cannot access your IP over http/https, so that definitely looks like an issue about port forwarding … I understand that it was working a few days or weeks ago and that you probably didn't touch anything, but you have to forget about this myth that "computer things work forever". In reality, they do have many stupid reasons to spontaneously break from one day to the next… (Fortunately we will have regular automatic diagnosis shipped in YunoHost 3.8 to help make it easier and faster to spot this and pinpoint the actual issue…)

Anyway, I can just advise you to carefully read https://yunohost.org/isp_box_config and make sure that your port forwarding configuration is correct on your router / internet box interface …

If that still isn't the issue, then I do agree with ljf about investigating the fact that your ISP might have decided that you can't control port 80/443 anymore and/or maybe you now have an IP shared with other customers. But first let's do the usual check on your router interface…

I've gone through the docs in the first place but will go over them again. I really hope I don't need to deal with my ISP about this, that'll be a headache.

Unrelated to this but I thought I'd ask anyway. Since I upgraded to Nextcloud 18 it went directly to Maintenance Mode. How do I get out of it? It's been over a day.

sudo -u nextcloud php7.3 occ maintenance:mode --off

Is it possible that all my ports are closed if it was only my ISP?

[Screenshot from 2020-04-02 18-36-30]

Yes

On the other hand, I can tell that ports.yunohost.org is not always reliable … But if you have a Linux machine that is preferably not on the same local network, you can make sure of this by running nc -w 3 your.ip 22 (for example to check port 22)
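As an added example (not part of this thread and not YunoHost's own tooling), the following Python script automates the two checks the thread relies on: the nc-style TCP probe from the post above, and the comparison of "domain ip from DNS" against "public ip of the server" from the debug information that cert-renew printed earlier. The script name reach_check.py, the probe-token path and the diagnose() wording are assumptions made for this example; the public IP is passed on the command line because the server already printed it, and the script should be run from a machine outside the home network, since most routers do not loop forwarded ports back to LAN clients.

```python
"""Triage "domain cannot be accessed through HTTP" the way this thread does it.

Added example, not YunoHost code. Run it from a machine OUTSIDE the home
network (most routers do not loop forwarded ports back to LAN clients):

    python3 reach_check.py my.domain 69.41.198.18

where the second argument is the "public ip of the server" that
`yunohost domain cert-renew` printed in its debug information.
"""
import socket
import sys
import urllib.error
import urllib.request


def resolve(domain):
    """What the world resolves the domain to (the 'domain ip from DNS' line)."""
    return socket.gethostbyname(domain)


def tcp_port_open(host, port, timeout=3.0):
    """Same question as `nc -w 3 host port`: does a TCP handshake complete?

    'Connection refused' and a timeout both come back as False; that is the
    symptom Let's Encrypt reported for the http-01 challenge in the thread.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def acme_path_answered(domain, timeout=5.0):
    """GET a made-up token under /.well-known/acme-challenge/ over plain HTTP.

    A 404 is still a pass: it proves nginx on port 80 is the thing answering.
    Only a connection error (what the ACME server saw) counts as a failure.
    """
    url = f"http://{domain}/.well-known/acme-challenge/probe-token"  # constructed path
    try:
        urllib.request.urlopen(url, timeout=timeout)
        return True
    except urllib.error.HTTPError:
        return True
    except (urllib.error.URLError, OSError):
        return False


def diagnose(dns_ip, public_ip, port80_open, port443_open):
    """Map the raw facts onto the causes the thread walks through, in order."""
    if dns_ip != public_ip:
        return f"dns: record points at {dns_ip} but the server's public IP is {public_ip}"
    if not port80_open and not port443_open:
        return ("port-forwarding: DNS is right but nothing answers on 80/443 "
                "(router rule pointing at a stale LAN IP, or ISP blocking)")
    if not port80_open:
        return "port-80: 443 answers but the http-01 challenge needs port 80"
    if not port443_open:
        return "port-443: 80 answers but HTTPS is not forwarded"
    return "ok: DNS and ports look fine, look at the nginx vhost or certificate instead"


def self_check():
    """Prove tcp_port_open works by probing a throwaway listener on loopback."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        return tcp_port_open("127.0.0.1", port, timeout=1.0)
    finally:
        listener.close()


def main(domain, public_ip):
    dns_ip = resolve(domain)
    p80 = tcp_port_open(dns_ip, 80)
    p443 = tcp_port_open(dns_ip, 443)
    print(f"domain ip from DNS      {dns_ip}")
    print(f"public ip of the server {public_ip}")
    print(f"port 80 reachable       {p80}")
    print(f"port 443 reachable      {p443}")
    if p80:
        print(f"acme path answered      {acme_path_answered(domain)}")
    print(diagnose(dns_ip, public_ip, p80, p443))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: reach_check.py <domain> <public-ip>")
    main(sys.argv[1], sys.argv[2])
```

The ordering in diagnose() matters: a DNS mismatch is checked first because a wrong A record makes every later probe hit the wrong host, and the "all ports closed while DNS is right" case is exactly the situation in this thread, where the router was still forwarding to a LAN address the server no longer had.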

I'm not sure I understand the command
is nc for nextcloud?
"your.ip" is literally that or it's meant to be replaced with my actual IP address?

When i run it on the same local network it gave me this:

nc: getaddrinfo for host "your.ip" port 22: Name or service not known

For anyone following this thread I wanted to say I resolved my issue and @Aleks was correct. It had to do with my port forwarding. I discovered that the automatically assigned IP address for my device/server had changed from what I had in my "Virtual Servers/Port Forwarding" dialogue on my router.

For example I had forwarded the ports for "192.168.0.108" which my machine had automatically been assigned, and after a power outage the router simply assigned another number "192.168.0.142" but I didn't change my port forwarding rules.

Now I'm off to read the router docs on how to hold a specific IP address so this doesn't happen again.

Thanks for all your help:)
