skip to Main Content

I have a raspberry pi that runs nginx and hosts a personal website. My pi says that nginx is running on port 80, but is refusing connections. This is an issue because it means I can’t renew my SSL certificate with certbot.

I know that nginx and my website are working because if I go to https://<IP address of PI> on my home network, I get to my website.

Yes, I have checked that my DNS settings are correct. If I ping getty.nz, I get a response.

My configuration should be okay because nginx -t doesn’t show any issues.

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

I have ufw set up to block all ports except ports 22, 80, and 443. Here is the output of the status.

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
443                        ALLOW       Anywhere                  
80                         ALLOW       Anywhere                  
22                         ALLOW       Anywhere                  
443 (v6)                   ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)             
22 (v6)                    ALLOW       Anywhere (v6)   

Here is the output of ss to show that my ports are being listened to:

$ sudo ss -lntp 
State     Recv-Q    Send-Q       Local Address:Port        Peer Address:Port    Process                                                      
LISTEN    0         244              127.0.0.1:5432             0.0.0.0:*        users:(("postgres",pid=502,fd=6))                           
LISTEN    0         128                0.0.0.0:22               0.0.0.0:*        users:(("sshd",pid=399,fd=3))                               
LISTEN    0         511                0.0.0.0:80               0.0.0.0:*        users:(("nginx",pid=1932,fd=10),("nginx",pid=415,fd=10))    
LISTEN    0         511                0.0.0.0:443              0.0.0.0:*        users:(("nginx",pid=1932,fd=9),("nginx",pid=415,fd=9))      
LISTEN    0         128                   [::]:22                  [::]:*        users:(("sshd",pid=399,fd=4))                               
LISTEN    0         511                   [::]:80                  [::]:*        users:(("nginx",pid=1932,fd=11),("nginx",pid=415,fd=11))    
LISTEN    0         511                   [::]:443                 [::]:*        users:(("nginx",pid=1932,fd=8),("nginx",pid=415,fd=8))      
LISTEN    0         244                  [::1]:5432                [::]:*        users:(("postgres",pid=502,fd=5)) 

Here is the output of certbot for my domains (getty.nz and rss.getty.nz):

$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: getty.nz
2: rss.getty.nz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/getty.nz.conf)

It contains these names: getty.nz

You requested these names for the new certificate: getty.nz, rss.getty.nz.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate for getty.nz and rss.getty.nz
Performing the following challenges:
http-01 challenge for getty.nz
http-01 challenge for rss.getty.nz
Waiting for verification...
Challenge failed for domain getty.nz
Challenge failed for domain rss.getty.nz
http-01 challenge for getty.nz
http-01 challenge for rss.getty.nz
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: getty.nz
   Type:   connection
   Detail: 122.61.157.36: Fetching
   http://getty.nz/.well-known/acme-challenge/7KasvsA5z6yvpzXlOv5hzmT_u7lOgtzlaoEY6DAMmic:
   Timeout during connect (likely firewall problem)

   Domain: rss.getty.nz
   Type:   connection
   Detail: 122.61.157.36: Fetching
   http://rss.getty.nz/.well-known/acme-challenge/cqhf7anWcw1_you9q90y18UVdCfjAJeEg88tNeDoWig:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

2

Answers


  1. Certbot attempts to access the verification file required to install the SSL certificate, which is located under the ".well-known" folder. However, when trying to browse the URL "http://getty.nz/.well-known/acme-challenge/7KasvsA5z6yvpzXlOv5hzmT_u7lOgtzlaoEY6DAMmic,&quot; an error occurs stating, "This site can’t be reached." Additionally, pinging the domain name "getty.nz" results in a timeout.

    This issue seems to stem from the inability to access the URL necessary for Certbot, thus causing problems in renewing the SSL certificate. To address this, I suggest two possible solutions:

    Reboot the server or contact your hosting provider to resolve the "This site can’t be reached" issue. Once the underlying problem is fixed, attempt to renew the SSL certificate using Certbot.

    Alternatively, you can try rebooting the server directly and then attempt to renew the SSL certificate using Certbot.

    Both options may help in resolving the current SSL renewal issue. If the problem persists, you may want to seek further assistance from your hosting provider or system administrator.

    Login or Signup to reply.
  2. Is port 80,443 open on your router and forwarded to your raspberry pi IP before you send the cert renewed request?

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search