Noho.st domain inaccessible

My YunoHost server

Hardware: Old laptop or computer
YunoHost version: 11.0.10.2
I have access to my server : On local network only - Through SSH | through the webadmin | direct access via keyboard / screen | …
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

My noho.st domain has been inaccessible since 1/1/23 when I received an email that all my ports suddenly were closed from diagnostics. This seemed to have been internet problems that night, as I was having problems going online from other devices. After restarting my modem, internet was back, but I was now unable to access my server via mydomain.noho.st. When I try to visit the site, it just times out. I am able to access it via IP address on my local network and found that all my ports are correctly open and it is throwing no errors.

Things I’ve tried:
Rebooting server/router
sudo yunohost dyndns update --force, which resulted in the server successfully updating my dns.
I can ping dyndns.yunohost.org from the server
I can ping mydomain.noho.st from a different device

There are 2 other threads similar to this, but I do not have the same errors:
Cant access instance using domain (mydomain.nohost.me) in WAN\LAN - I do not have the “CONNECTION REFUSED ERROR”, mine states “The connection has timed out.”
Can't access my server over domain - #11 by jarod5001 - I am able to go to DNS config in the admin panel and it states “Automatic configuration seems to be OK!”

Then I would double check that port forwarding is still enabled on your router …

Port forwarding is enabled. No change in them from before this happened. I know they are working because I ssh through a non-standard port.

Looks like Diagnosis finally popped something just now. Maybe this is the issue? How do I go about fixing it?

DNS records (dnsrecords)

[ERROR] Some DNS records are missing or incorrect for domain maindomain.tld (category basic)

  • This domain’s DNS configuration should automatically be managed by YunoHost. If that’s not the case, you can try to force an update using ‘yunohost dyndns update --force’.
  • The following DNS record does not seem to follow the recommended configuration:
    Type: A
    Name: @
    Current value: 159.235.5.39
    Expected value: xx.xx.xx.xx

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category mail)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category xmpp)

[WARNING] Some DNS records are missing or incorrect for domain maindomain.tld (category extra)

  • This domain’s DNS configuration should automatically be managed by YunoHost. If that’s not the case, you can try to force an update using ‘yunohost dyndns update --force’.
  • The following DNS record does not seem to follow the recommended configuration:
    Type: A
    Name: *
    Current value: 159.235.5.39
    Expected value: xx.xx.xx.xx

‘yunohost dyndns update --force’ gave me:

Info: Updated needed, going on…
Success! Updated your IP on DynDNS

And here is the log:

args:
  domain: null
  dry_run: false
  force: true
ended_at: 2023-01-05 06:28:02.313619
error: null
interface: cli
operation: dyndns_update
parent: null
related_to:
- - domain
  - marchek.nohost.me
started_at: 2023-01-05 06:28:01.606981
success: true
yunohost_version: 11.0.10.2

============

2023-01-05 01:28:01,612: INFO - Updated needed, going on…
2023-01-05 01:28:01,612: DEBUG - Reusing IPv4 from cache: xx.xx.xx.xx
2023-01-05 01:28:01,612: DEBUG - Reusing IPv6 from cache: None
2023-01-05 01:28:01,781: DEBUG - initializing ldap interface
2023-01-05 01:28:01,783: DEBUG - Formating result in ‘export’ mode
2023-01-05 01:28:01,785: DEBUG - Now pushing new conf to DynDNS host…
2023-01-05 01:28:01,786: DEBUG - id 30384
opcode UPDATE
rcode NOERROR
flags
;ZONE
nohost.me. IN SOA
;PREREQ
;UPDATE
marchek.nohost.me. ANY ANY
marchek.nohost.me. ANY ANY
marchek.nohost.me. ANY ANY
mail._domainkey.marchek.nohost.me. ANY ANY
_dmarc.marchek.nohost.me. ANY ANY
*.marchek.nohost.me. ANY ANY
marchek.nohost.me. ANY ANY
marchek.nohost.me. 3600 IN A xx.xx.xx.xx
marchek.nohost.me. 3600 IN MX 10 marchek
marchek.nohost.me. 3600 IN TXT “v=spf1 a mx -all”
mail._domainkey.marchek.nohost.me. 3600 IN TXT “v=DKIM1; h=sha256; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCzA4Ib7zvq4zLV1OW8yKh2WCGF7qZybHuoCL+vOa17F7B+JGAXEiVCaB4Vex4iG0fiksBkOpT7kd6wI3xkn23NrLGdMt1RmR9QEngk1q6gkk2x4eoS9+qlAvt2nkYVysmPhbqe6SNQMy4OGZW1BI0+Kc4k+6lI20VCs48cVeA/AQIDAQAB”
_dmarc.marchek.nohost.me. 3600 IN TXT “v=DMARC1; p=none”
*.marchek.nohost.me. 3600 IN A xx.xx.xx.xx
marchek.nohost.me. 3600 IN CAA 128 issue “letsencrypt.org
;ADDITIONAL
2023-01-05 01:28:02,313: SUCCESS - Updated your IP on DynDNS

You should share the link of the full diagnosis

Hi and Welcome,

First of all, you claim “Port forwarding” hasn’t changed since the issue occurred.
The first question is how you did the port forwarding:

  1. Did you use UPnP for it?
    OR
  2. Did you open the necessary ports one by one on your router?

For case 1, you should take into account that some routers will still show the UPnP-opened ports in the “Open ports list”; although the ports appear in the list normally, they are actually closed. Most home routers use a JavaScript interface and have very little memory available, and under some conditions they are not able to handle certain situations the way a computer-based router with pfSense / OPNsense will, or at least a WRT-based one.

For instance, if we open a port range of about 14 ports with UPnP along with another list of ports, the router’s RAM will be occupied almost to the maximum.
In comparison to a FreeBSD (OPNsense) based router with more RAM and greater capabilities, which can produce a larger error log and produce warnings in several ways through the interface (GUI), home routers, no matter how expensive they are, mostly don’t have any notification function they can use to pass the proper warnings to the admin, and can’t produce a large and complex enough error log.

So what is actually happening: the router is struggling and can’t handle the concurrent situation, without any ability to “shout” help me, I am in trouble.

We, router owners, 99% of the time don’t rush to check the router’s logs as we do very often on any ordinary operating system / server, because we have the feeling or the illusion that if the router seems to be running, and we are able to log into the interface, it probably doesn’t have any errors or problems, which in many cases is not true.

I can tell you from my own experience that sometimes a router can have serious issues doing its job and it will not even report them in the error logs, especially if the router is not an expensive one that comes with more RAM, and the only way to fix it is to factory reset the router. That is just for general knowledge, bearing in mind that things like this can happen.

Now straight to the point: how to analyze and solve the issue in such a case.
Because while I am writing this reply I don’t know yet if you used UPnP, I will assume both cases:

  1. UPnP being used: even if you see the open ports list in the “Port forwarding” section on your router, and UPnP is marked as “Green” and enabled on the YunoHost firewall under tools>firewall, you should click on UPnP again to disable it, and click again to enable it,
    and see if it works with no errors, and try to reach your domain from outside.

  2. Port forwarding being done without UPnP, ports being forwarded natively one by one:
    in that case there are two things we need to take into account and check.
    The first one is simply that most people haven’t set their YunoHost (or any other server) to use a static IP on their DHCP server; a reboot of your router, which has probably been running for days or even months without being off even once since you installed YunoHost, did reallocate your YunoHost server’s IP to another one.

In that case, all of your port forwarding for your YunoHost server is already irrelevant because the server is on another IP.
For instance, if your router’s DHCP server is running on class C, which is something like 192.168.x.x,
and your YunoHost server got an IP of 192.168.1.5 after the installation, and you opened ports for 192.168.1.5, the YunoHost server can now be on another IP after the router’s reboot, for instance 192.168.1.10.

There are two ways we can make sure the server is on the right IP:

  1. on the server itself, by running the command:
    ifconfig

  2. on the router’s interface under DHCP > Clients list,

In all cases, the steps you should take for best practice:

  1. Yunohost server console: edit your interfaces file by running the command:
    nano /etc/network/interfaces
    comment out the line with “inet dhcp”
    and add the following lines to get your server a static IP by the router,

iface yourcardname inet static
address 192.168.1.30
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.1

Of course, change these parameters as you wish and according to your router’s gateway and class.

Save the file and reboot your server.
Type ifconfig to check if it got the defined IP, and then run:
ping 1.1.1.1
to check if the server is able to get out; if not, check your configuration or ask me what to do (I assume you have enough knowledge to simply follow and handle it yourself).

Once your IP is static,
make sure your port forwarding is right for your specific YunoHost IP.

Once all is set,
go to your YunoHost console and install nmap with the next command:
sudo apt-get install nmap

and check the ports on your server with nmap, just to make sure there are no misunderstandings by the diagnosis tool:

nmap yourdomain -p 80

That should say: open.
If it says filtered, there is an issue with your YunoHost firewall or else with your port forwarding.

Once it says open, you’re good to go again.

I don’t think I have any ideas till this point; if you still get issues, just update and I will suggest more.

First off, thanks for all the help guys. Now onto answers and what I’ve tried:

I used manual port forwarding because for some reason upnp always fails from my server to router even though upnp is “enabled” on the router. This is the error I always get:

Error: "500"

Action: “PUT” /yunohost/api/firewall/upnp/enable

Error message:

Could not open port via UPnP

The IP change is a good thought, as I had that problem when my router rebooted the first time I had set up YunoHost. However, I have had my router set to give my server a static IP address since then:

Running the command ip -a shows me the same IP address that my router says is assigned for it in the DHCP client list and what the ports are opened for.

As for adding the ‘iface yourcardname inet static’ lines, what addresses would I use specifically? I can’t seem to find anything labeled with “broadcast”. My router shows items for IP Address, Subnet Mask, and Default Gateway in the IPv4 - Internet page, which is set to Dynamic IP. There is another page called LAN that only has the router’s IP Address (that I use to get into the router settings) and a Subnet Mask.

I tried nmap domain -80 and nmap domain -p 443 via ssh in the meantime and it states that both are open.

Edit: My server is also able to successfully ping 1.1.1.1

Also, apologies @jarod5001 for not sharing my entire diagnostics page. Here it is below, unchanged from the last time I ran it:

=================================
Base system (basesystem)

[INFO] Server hardware architecture is bare-metal amd64

  • Server model is Gigabyte Technology Co., Ltd. B365 HD3

[INFO] Server is running Linux kernel 5.10.0-20-amd64

[INFO] Server is running Debian 11.6

[INFO] Server is running YunoHost 11.0.10.2 (stable)

  • yunohost version: 11.0.10.2 (stable)
  • yunohost-admin version: 11.0.11 (stable)
  • moulinette version: 11.0.9 (stable)
  • ssowat version: 11.0.9 (stable)

=================================
Internet connectivity (ip)

[SUCCESS] Domain name resolution is working!

[SUCCESS] The server is connected to the Internet through IPv4!

  • Global IP: xx.xx.xx.xx
  • Local IP: 192.168.0.132

=================================
DNS records (dnsrecords)

[ERROR] Some DNS records are missing or incorrect for domain maindomain.tld (category basic)

  • This domain’s DNS configuration should automatically be managed by YunoHost. If that’s not the case, you can try to force an update using ‘yunohost dyndns update --force’.
  • The following DNS record does not seem to follow the recommended configuration:
    Type: A
    Name: @
    Current value: 159.235.5.39
    Expected value: xx.xx.xx.xx

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category mail)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category xmpp)

[WARNING] Some DNS records are missing or incorrect for domain maindomain.tld (category extra)

  • This domain’s DNS configuration should automatically be managed by YunoHost. If that’s not the case, you can try to force an update using ‘yunohost dyndns update --force’.
  • The following DNS record does not seem to follow the recommended configuration:
    Type: A
    Name: *
    Current value: 159.235.5.39
    Expected value: xx.xx.xx.xx

=================================
Ports exposure (ports)

[SUCCESS] Port 25 is reachable from the outside.

  • Exposing this port is needed for email features (service postfix)

[SUCCESS] Port 80 is reachable from the outside.

  • Exposing this port is needed for web features (service nginx)

[SUCCESS] Port 443 is reachable from the outside.

  • Exposing this port is needed for web features (service nginx)

[SUCCESS] Port 587 is reachable from the outside.

  • Exposing this port is needed for email features (service postfix)

[SUCCESS] Port 993 is reachable from the outside.

  • Exposing this port is needed for email features (service dovecot)

[SUCCESS] Port 1538 is reachable from the outside.

  • Exposing this port is needed for [?] features (service ssh)

[SUCCESS] Port 5222 is reachable from the outside.

  • Exposing this port is needed for xmpp features (service metronome)

[SUCCESS] Port 5269 is reachable from the outside.

  • Exposing this port is needed for xmpp features (service metronome)

[SUCCESS] Port 51413 is reachable from the outside.

  • Exposing this port is needed for [?] features (service transmission-daemon)

=================================
Web (web)

[SUCCESS] Domain maindomain.tld is reachable through HTTP from outside the local network.

[SUCCESS] Domain books.maindomain.tld is reachable through HTTP from outside the local network.

=================================
Email (mail)

[SUCCESS] The SMTP mail server is able to send emails (outgoing port 25 is not blocked).

[SUCCESS] The SMTP mail server is reachable from the outside and therefore is able to receive emails!

[SUCCESS] 0 pending emails in the mail queues

=================================
Services status check (services)

[SUCCESS] Service audiobookshelf is running!

[SUCCESS] Service bazarr is running!

[SUCCESS] Service borg is running!

[SUCCESS] Service dnsmasq is running!

[SUCCESS] Service dovecot is running!

[SUCCESS] Service fail2ban is running!

[SUCCESS] Service jellyfin is running!

[SUCCESS] Service metronome is running!

[SUCCESS] Service mysql is running!

[SUCCESS] Service nginx is running!

[SUCCESS] Service php7.4-fpm is running!

[SUCCESS] Service php8.0-fpm is running!

[SUCCESS] Service postfix is running!

[SUCCESS] Service postgresql is running!

[SUCCESS] Service prowlarr is running!

[SUCCESS] Service radarr is running!

[SUCCESS] Service redis-server is running!

[SUCCESS] Service rspamd is running!

[SUCCESS] Service slapd is running!

[SUCCESS] Service sonarr is running!

[SUCCESS] Service ssh is running!

[SUCCESS] Service transmission-daemon is running!

[SUCCESS] Service yunohost-api is running!

[SUCCESS] Service yunohost-firewall is running!

[SUCCESS] Service yunomdns is running!

=================================
System resources (systemresources)

[SUCCESS] The system still has 13 GiB (84%) RAM available out of 16 GiB.

[SUCCESS] The system has 976 MiB of swap!

  • Please be careful and aware that if the server is hosting swap on an SD card or SSD storage, it may drastically reduce the life expectancy of the device.

[SUCCESS] Storage / (on device /dev/nvme0n1p6) still has 238 GiB (54%) space left (out of 443 GiB)!

[SUCCESS] Storage /boot (on device /dev/nvme0n1p1) still has 116 MiB (54%) space left (out of 213 MiB)!

[SUCCESS] Storage /home/ironwolf (on device /dev/md0) still has 6.1 TiB (89%) space left (out of 6.9 TiB)!

=================================
System configurations (regenconf)

[SUCCESS] All configuration files are in line with the recommended configuration!

=================================
Applications (apps)

[SUCCESS] All installed apps respect basic packaging practices

@anbu

UPnP fails because of an incompatibility between the Python code and the router’s API; sometimes some routers require more steps and that’s fine.

I have had my router set to give my server a static IP address since then:

If you have set the router to assign a static IP for your server, how did you do that?
The only way to tell the router to assign the server a static IP is to set the server’s MAC address in the “Address reservation” section; if you didn’t set your server’s MAC in that section on your router, the router will never know to dedicate that specific IP to the server.

As for adding the ‘iface yourcardname inet static’ lines, what addresses would I use specifically? I can’t seem to find anything labeled with “broadcast”. My router shows items for IP Address, Subnet Mask, and Default Gateway in the IPv4 - Internet page, which is set to Dynamic IP. There is another page called LAN that only has the router’s IP Address (that I use to get into the router settings) and a Subnet Mask.

There is no place where you will find any “broadcast”; it’s a netmask calculation for a class range.
Netmask for class A will be 255.0.0.0
Netmask for class B will be 255.255.0.0
Netmask for class C will be 255.255.255.0

An IP range in Class A will start from 0.0.0.0 to 127.255.255.255,
where the local LAN always starts from 10.0.x.x (by default if you don’t touch it - in case it’s in use)

An IP range in Class B will start from 128.0.0.0 to 191.255.255.255;
consumer routers 99% of the time don’t use this range

An IP range in Class C will start from 192.0.0.0 to 223.255.255.0,
where the local LAN always starts from 192.168.x.x (by default if you don’t touch it - in case it’s in use)

The broadcast will be calculated according to the gateway + class.
For example, if your router address is 192.168.1.1:
The third number is what is important; in that case it’s 1, so the broadcast will be:
192.168.1.255

If the gateway is 192.168.3.5, for example, the broadcast address will be:
192.168.3.255

The address you’re using to log into the router’s interface is your “Gateway” address,
so if your gateway is 192.168.1.1 like mine,
your settings should be this way:
iface interfacename inet static
address 192.168.1.whatever ip you like to be assigned by the router
netmask 255.255.255.0
broadcast 192.168.1.255
gateway 192.168.1.1

I will give another example, of a use in Class A: in a scenario where your router’s IP is 10.0.0.1,
your settings would be this way:
iface interfacename inet static
address 10.0.0.whatever ip you like to be assigned by the router
netmask 255.0.0.0
broadcast 10.0.0.255
gateway 10.0.0.1

Take a look at my pihole server and how it looks, for example:
(/etc/network/interfaces)

I tried nmap domain -80 and nmap domain -p 443 via ssh in the meantime and it states that both are open.

If nmap shows the ports are open, then they are obviously open; also, your logs indicate all is alright and the ports are open.

Now the question is whether there is something else that prevents you from accessing the domain from outside on the device you’re using to try to access it.

Where do you try to access your domain from? A computer?
Another computer? Phone? Please give a few details.
Did you try to clear the browser cache?
Sometimes a cookie can prevent you from accessing a domain.
What operating system do you use when trying to access your domain? Windows / Linux?
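
The static-address stanza from the steps earlier in the thread and the netmask/broadcast explanation in this reply, as an added example (not code from any poster or from YunoHost): it reads `ip a` output, derives netmask and broadcast from the address and prefix length, and rejects a gateway that lies outside the subnet. The function names are hypothetical, and the sample text is constructed in `ip a` layout using the LAN address quoted in this thread.

```python
import ipaddress
import re

# Constructed sample in `ip a` layout; MAC addresses are placeholders.
SAMPLE_IP_A = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp10s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.132/24 brd 192.168.0.255 scope global enp10s0
       valid_lft forever preferred_lft forever
3: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""

HEADER = re.compile(r"^\d+:\s+([^:@\s]+)")              # "2: enp10s0: <...>"
INET = re.compile(r"^\s*inet\s+(\d+(?:\.\d+){3}/\d+)")  # "inet 192.168.0.132/24 ..."


def parse_ipv4_interfaces(ip_a_output):
    """Return {interface: IPv4Interface} for the first non-loopback IPv4 address of each interface."""
    found = {}
    current = None
    for line in ip_a_output.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        inet = INET.match(line)
        if inet and current:
            iface = ipaddress.ip_interface(inet.group(1))
            if not iface.ip.is_loopback:
                found.setdefault(current, iface)
    return found


def static_stanza(name, iface, gateway):
    """Build an /etc/network/interfaces stanza; netmask and broadcast follow from the prefix length."""
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is outside {net}")
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is not a usable host address in {net}")
    if iface.ip == gw:
        raise ValueError("server address is the same as the gateway")
    return "\n".join([
        f"iface {name} inet static",
        f"    address {iface.ip}",
        f"    netmask {net.netmask}",
        f"    broadcast {net.broadcast_address}",
        f"    gateway {gw}",
    ])


if __name__ == "__main__":
    # Gateway value is the router address given in the thread.
    for name, iface in parse_ipv4_interfaces(SAMPLE_IP_A).items():
        print(static_stanza(name, iface, "192.168.0.1"))
```

The address the stanza uses should be the same one the router's port-forwarding rules point at, otherwise the forwards go to a host that is no longer there.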

My router has an “IP & MAC Binding” page that I assumed allows me to give my server a static IP. If this is the incorrect way to do it, do I need to “unbind” and only use the inet static profile you’ve suggested?

Let’s see if I have this correct. I currently have my server IP bound and ports open for 192.168.0.132 (So will be easiest to set the IP of the server to that). My router seems to be a class C as its IP address is 192.168.0.1 and subnet mask is 255.255.255.0. So my correct config would be something like this?

iface enp10s0 inet static
address 192.168.0.132
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.1

Where do you try to access your domain from? A computer?
Another computer? Phone? Please give a few details.
Did you try to clear the browser cache?
Sometimes a cookie can prevent you from accessing a domain.
What operating system do you use when trying to access your domain? Windows / Linux?

I access it from my laptop, phone, and several roku devices not on my local network. I have tried using Brave, Firefox, and Bromite in guest/private browser and deleting cookies/cache without success. I run Linux on my laptop and CalyxOS on my phone.

My router has an “IP & MAC Binding” page that I assumed allows me to give my server a static IP. If this is the incorrect way to do it, do I need to “unbind” and only use the inet static profile you’ve suggested?

In my opinion there is no reason to use “IP & MAC Binding”; I have it too on my router and I have never used it.
The correct way is to always do it through the server itself, and you can also insert your server’s MAC into the reservation list, so the router will never allocate that IP to another device.

I suggest you take the server off the binding,
delete all the forwarded ports and leave only 80 and 443 forwarded,
make sure your UPnP is disabled,
reboot your router + your server,

check with ifconfig what your IP is after that, and then correct the port forwarding to the correct IP and try.

iface enp10s0 inet static
address 192.168.0.132
netmask 255.255.255.0
broadcast 192.168.0.255
gateway 192.168.0.1

yes… that’s correct.

I had some things in mind, but because you said you used so many browsers and OSes I will skip them.

Do you have D-Link or TP-Link by any chance?

The webadmin is online. The certificate is self-signed.


@jarod5001

Hello, do you mean his admin is online?

Yep, the nohost.me domain in the third reply

I didn’t notice his domain appeared there, otherwise I would nmap it myself.
It refused to connect now anyway; probably he already rebooted his router.

@anbu
What is your IP? I will run some commands from my end, it will be easier.

Run dyndns update again and check that you don’t get any errors. After you follow the unbinding, please update.

Followed your steps, and still nothing. Server rebooted and was back on the same IP address as before.

I have tp-link on my router.

@jarod5001

I am able to access my web admin via https://192.168.0.132/yunohost/admin/#, however, I am unable to go to my user interface/SSO. Not even 192.168.0.132/yunohost/sso. Not sure if it’s trying to redirect to the domain. When I check my domain certificate it says this:

IP is still showing 192.168.0.132

Looks like we are getting somewhere now. After trying to update dyndns:
Error: Corrupted JSON read from https://dyndns.yunohost.org/test/marchek.nohost.me (reason: Expecting value: line 1 column 1 (char 0))
Error: Could not check if marchek.nohost.me is available on dyndns.yunohost.org.

@anbu
I mean, what is your public IP?

Does your router look like this?
I suspect you have a similar router to mine, since you said you have “IP & MAC Binding”; that’s how it’s defined in TP-Link routers.

Sorry, not sure where to find that. This is what I get from ip a on the server.

admin@marchek:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp10s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether b4:2e:99:ee:d2:5b brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.132/24 brd 192.168.0.255 scope global enp10s0
       valid_lft forever preferred_lft forever
    inet6 fe80::b62e:99ff:feee:d25b/64 scope link
       valid_lft forever preferred_lft forever
3: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether c8:e2:65:a0:35:5c brd ff:ff:ff:ff:ff:ff

Use this: https://www.whatsmyip.org/
It will show you your public IP.

public IP is 24.241.8.61

Yes my dashboard looks similar, just updated I guess:

Yes, that’s newer 🙂

Okay, please wait, I will run some commands.
