Hi!
I followed the installation guide, but I’m stuck in the last part, with the Nginx configuration:
Specifically, this part:
Then modify the webserver configuration file. Please pay attention to:
the alias, root and rewrite directives paths, the paths must correspond to your PeerTube filesystem location
In a standard installation (I carefully followed the previous steps), which line should I change?
(I see the path "root /var/www/certbot;" but there isn’t such a folder in www.)
Also, and I understand it’s linked, when I try to generate the certificate with the command `sudo certbot certonly --standalone --post-hook "systemctl restart nginx"`,
I get the error:
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
I added an A and AAAA DNS entry to link the subdomain to the IP of my server, and with a ping to the subdomain it seems to resolve correctly to the server.
Can you help me to generate the SSL certificate and go through the last steps?
Thank you a lot!
I generated the certificate using other commands because I also had problems with certbot. I don’t remember well how I did it, but searching on the internet I got it. Then you must enable the "https" block in the Nginx configuration file and update the paths to the certificates on your system. Even if the directory does not exist, you can create it without problems if you want to keep that base configuration.
In my case, I put the certificates inside the directory of the PeerTube installation and that was the path I put in Nginx
Do you mean certificate files that are normally in /etc/letsencrypt?
This could be a security issue. Have you paid attention to the permissions of the folder where you put the certificate files?
The private key should not be readable by the peertube user. Otherwise any compromised package (or plugin) could steal your certificates and spoof your server.
The folder should be created by certbot.
Currently, your webserver does not respond on port 80 (required for the letsencrypt process).
Here is what i get trying to make a request:
john@laptop2:~$ curl http://video.europalestine.com -vvv
* Trying [2001:1600:13:101::750]:80...
* Trying 193.108.53.34:80...
* connect to 2001:1600:13:101::750 port 80 failed: Connexion terminée par expiration du délai d'attente
* connect to 193.108.53.34 port 80 failed: Connexion terminée par expiration du délai d'attente
* Failed to connect to video.europalestine.com port 80 after 129500 ms: Couldn't connect to server
* Closing connection 0
curl: (28) Failed to connect to video.europalestine.com port 80 after 129500 ms: Couldn't connect to server
It times out.
This could be because of a firewall. Check that you have not closed ports 80 and 443.
Please note that the certbot command given in the documentation also requires that you stop nginx before running it:
sudo systemctl stop nginx
sudo certbot certonly --standalone --post-hook "systemctl restart nginx"
sudo systemctl start nginx # the documentation says "reload" instead of "start", but this is a mistake, I will submit a fix
This is because the --standalone option will run its own webserver for the certificate process, so it needs to use port 80.
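Regarding the earlier point that the private key must not be readable by the peertube user: here is an added check script (not code from this thread or from PeerTube) that verifies a key file is owned by root with no group/other permission bits. It assumes a Linux host with GNU coreutils (`stat -c`, `readlink -f`); the certbot path in the usage comment is the usual default and must be adjusted to your domain.

```shell
#!/bin/sh
# Added example, not code from the thread or from PeerTube: check that a TLS
# private key cannot be read by an unprivileged service user such as "peertube".
# Assumes Linux with GNU coreutils (stat -c, readlink -f).

# private_key_locked_down FILE [OWNER]
# Returns 0 when the resolved key file is owned by OWNER (default: root) and has
# no group or other permission bits (e.g. mode 600 or 400), 1 when it is
# exposed to other users or has the wrong owner, and 2 when it cannot be inspected.
private_key_locked_down() {
    key=$(readlink -f "$1") || return 2       # follow certbot's live/ -> archive/ symlink
    want_owner=${2:-root}
    [ -f "$key" ] || return 2
    mode=$(stat -c '%a' "$key") || return 2   # octal mode, e.g. 600 or 644
    owner=$(stat -c '%U' "$key") || return 2  # owner name
    case "$mode" in
        0|*00) ;;          # group and other digits are both zero: nobody else can read it
        *) return 1 ;;     # some group/other bit is set: readable (or writable) by others
    esac
    [ "$owner" = "$want_owner" ] || return 1
    return 0
}

# Human-readable wrapper, suitable for a post-install check.
report_key() {
    if private_key_locked_down "$1" "$2"; then
        echo "OK: $1 is owned by ${2:-root} and not readable by other users"
    else
        echo "WARNING: $1 is readable by other users or not owned by ${2:-root}"
    fi
}

# Usage on a PeerTube host (certbot's default path, adjust the domain):
# report_key /etc/letsencrypt/live/video.example.com/privkey.pem
```

Certbot normally creates the `live/` and `archive/` directories itself with restrictive permissions, so a warning here usually means the files were copied elsewhere by hand.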
I know, it was only temporary, to have them local for testing with https; it is not in production. I usually put them in the secure route, although I was unaware of those vulnerabilities that you told me about. Thank you very much.
ubuntu@ov-a2c66a:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To                         Action      From
80                         ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
80 (v6)                    ALLOW IN    Anywhere (v6)
22/tcp (v6)                ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
Do you understand why it is still impossible to reach the server?
Should I first deactivate the SSL in the configuration file of Nginx?
Do you know which line I should change in this file?
/etc/nginx/sites-available/peertube
and like this, I could generate the certificates which have been saved in /etc/letsencrypt/live/video.europalestine.com/…
And afterwards, uncomment these lines.
Maybe, it was obvious…
I could continue the steps and get my instance up.
Thank you.