NGINX Error

Hello PeerTubers,

My installation has run beautifully, but I am failing to provision a Let’s Encrypt certificate. I think the issue may be that the NGINX service won’t start.

Jul  5 11:54:33 node68327-env-1939384 systemd[1]: Starting A high performance web server and a reverse proxy server...
Jul  5 11:54:33 node68327-env-1939384 nginx[3834]: nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/video.winter.ink/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/video.winter.ink/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
Jul  5 11:54:33 node68327-env-1939384 nginx[3834]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jul  5 11:54:33 node68327-env-1939384 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jul  5 11:54:33 node68327-env-1939384 systemd[1]: nginx.service: Failed with result 'exit-code'.
Jul  5 11:54:33 node68327-env-1939384 systemd[1]: Failed to start A high performance web server and a reverse proxy server.

I can see that the system seems to try and access a certificate that doesn’t exist, but if I try and generate a certificate that too fails:

Domain: video.winter.ink
Type:   connection
Detail: Fetching http://video.winter.ink/.well-known/acme-challenge/7zXQA5OWmGuL_z6lA1yUZXB-4fgCRYvpnShW9YSnvbQ: Timeout during connect (likely firewall problem)

I am using Jelastic for my VPS and have turned the firewall off. So I don’t think it can be a firewall problem.

I should add, that I am trying to only use IPv6. I deliberately don’t want to configure an IPv4 address.

Any guidance would be appreciated as I have hit the proverbial wall.

Kind Regards,

RW

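The first post describes a loop: nginx refuses to start because the 443 server block points at /etc/letsencrypt/live/video.winter.ink/fullchain.pem, which certbot has not issued yet, while certbot's HTTP-01 check needs something answering on port 80. One way out, as an added example that is not code from the original post or from PeerTube, is to bring nginx up with an HTTP-only server block that serves just the ACME path on both address families, issue the certificate with certbot's webroot plugin, and only then enable the 443 block that references the certificate. The webroot (/var/www/acme) and the sites-available directory are assumptions; adjust them to the host.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from PeerTube. nginx will
# not start while its 443 server block points at a fullchain.pem that certbot
# has not issued yet, and certbot's HTTP-01 check needs port 80 answered.
# Order of operations that avoids the loop: HTTP-only site first, certificate
# second, TLS block last. Paths (webroot, sites dir) are assumptions.
set -euo pipefail

# Render an HTTP-only server block that answers on both address families and
# serves only the ACME path. No ssl_certificate directive, so `nginx -t` passes
# before any certificate exists.
render_bootstrap_site() {
  local domain="$1" webroot="$2"
  cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name ${domain};

    # certbot --webroot writes tokens under ${webroot}/.well-known/acme-challenge/
    location /.well-known/acme-challenge/ {
        root ${webroot};
        default_type text/plain;
    }

    location / {
        return 404;
    }
}
EOF
}

# Static check on a rendered file: IPv4 and IPv6 listeners on 80, the ACME
# location, and nothing that references a certificate or port 443 yet.
bootstrap_config_ok() {
  local conf="$1"
  grep -Eq '^[[:space:]]*listen[[:space:]]+80;' "$conf" || return 1
  grep -Eq '^[[:space:]]*listen[[:space:]]+\[::\]:80;' "$conf" || return 1
  grep -Eq 'acme-challenge' "$conf" || return 1
  ! grep -Eq 'ssl_certificate|listen[[:space:]]+(\[::\]:)?443' "$conf" || return 1
}

# Write the bootstrap site and print the certbot command to run once nginx
# has been reloaded with it. Returns non-zero if the rendered file fails the check.
bootstrap_acme() {
  local domain="$1" webroot="${2:-/var/www/acme}" sites="${3:-/etc/nginx/sites-available}"
  mkdir -p "$webroot/.well-known/acme-challenge" "$sites"
  render_bootstrap_site "$domain" "$webroot" > "$sites/${domain}.bootstrap"
  bootstrap_config_ok "$sites/${domain}.bootstrap"
  printf 'certbot certonly --webroot -w %s -d %s\n' "$webroot" "$domain"
}

# Stand-alone demo that writes into a temp dir instead of /etc.
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d)
  bootstrap_acme video.winter.ink "$dir/www" "$dir/sites"
  cat "$dir/sites/video.winter.ink.bootstrap"
fi
```

Run it with `--demo` to see the rendered file in a temp directory. On the real host, symlink the written file into sites-enabled, run `nginx -t` and `systemctl reload nginx`, then run the printed certbot command; once /etc/letsencrypt/live/video.winter.ink/fullchain.pem exists the 443 server block can be enabled and the config test will pass. Let's Encrypt connects over IPv6 when the name has an AAAA record, so on an IPv6-only host the `listen [::]:80;` line is the one that carries the challenge.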

For those who may follow in my footsteps, on Jelastic, and struggle to get their NGINX running and certificates installed… I disabled the default Jelastic Firewall and installed iptables.

apt install -y iptables-persistent

Edit /etc/iptables/rules.v4 and put this inside:

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#  The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

With iptables-persistent, that configuration will be loaded at boot time. But to save needing to reboot the server, I ran:

iptables-restore < /etc/iptables/rules.v4

I also found I can’t access sites that are IPv6 only by using this test page: https://test-ipv6.com/

Thus I also enabled IPv4.

Hello,

By default, port 80 on a VPS is closed. You may open it using the following steps:

Hello, thank you for taking the time to respond.

Valuable suggestions, but I think I have already accounted for both possibilities. To start, I don’t use the inbuilt firewall, but iptables with the following setup:

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#  The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

NGINX should also be listening on both IPv4 and IPv6:

listen 80;
listen [::]:80;
...
listen 443 ssl http2;
listen [::]:443 ssl http2;

I’m sure I’ll work it out one day. For now, it just means a little extra expense in having an IPv4 IP address for the site to work. Not ideal, but also not the end of the world. :)
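The rules.v4 file in the solution post above, and the same rules posted again in the reply just above, are read by iptables-restore and so govern only IPv4 packets; iptables-persistent loads a separate /etc/iptables/rules.v6 through ip6tables-restore, and on an IPv6-only host that is the file that decides whether port 80 is reachable. As an added example, not code from any of the posts, the script below derives a rules.v6 from a rules.v4 in that format and checks whether a rules file accepts inbound TCP on a given port. The sample rules are the post's INPUT rules, embedded as constructed input; the ICMPv6 type list follows RFC 4890, because a final `-A INPUT -j REJECT` on ip6tables also rejects neighbour discovery unless those types are allowed first.

```shell
#!/usr/bin/env bash
# Added example, not code from the original posts. iptables-persistent restores
# /etc/iptables/rules.v4 through iptables-restore and /etc/iptables/rules.v6
# through ip6tables-restore, so the v4 file posted above never touches IPv6
# packets. This derives a rules.v6 counterpart from such a file and checks
# that a rules file accepts inbound TCP on a given port.
set -euo pipefail

# Constructed sample: the INPUT rules from the post, used as input below.
sample_rules_v4() {
  cat <<'EOF'
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Rewrite the IPv4-only parts for ip6tables. tcp/state/LOG/REJECT syntax is
# identical; the loopback range and ICMP differ. A plain "allow echo request"
# is not enough on IPv6: with a final REJECT, neighbour discovery (types
# 135/136), router advertisements (134) and Packet Too Big (2) must be accepted
# or the host loses connectivity (RFC 4890 lists these).
v4_to_v6_rules() {
  awk '
    /-d 127\.0\.0\.0\/8/ { sub(/-d 127\.0\.0\.0\/8/, "-d ::1/128") }
    /-p icmp -m icmp --icmp-type 8/ {
      print "#  ICMPv6 that IPv6 cannot work without, plus echo request"
      n = split("1 2 3 4 128 133 134 135 136", types, " ")
      for (i = 1; i <= n; i++)
        print "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type " types[i] " -j ACCEPT"
      next
    }
    { print }
  ' "$1"
}

# 0 if the file holds an ACCEPT for inbound TCP on $2 before the catch-all
# "-A INPUT -j REJECT", 1 otherwise. Works on rules.v4 and rules.v6 alike.
rules_accept_tcp_port() {
  awk -v port="$2" '
    /^-A INPUT / && /-p tcp/ && /-j ACCEPT$/ {
      for (i = 1; i < NF; i++)
        if ($i == "--dport" && $(i + 1) == port) found = 1
    }
    /^-A INPUT -j REJECT$/ { exit }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Stand-alone demo: derive rules.v6 into a temp dir and report both files.
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d)
  sample_rules_v4 > "$dir/rules.v4"
  v4_to_v6_rules "$dir/rules.v4" > "$dir/rules.v6"
  for f in rules.v4 rules.v6; do
    for p in 80 443; do
      rules_accept_tcp_port "$dir/$f" "$p" && echo "$f accepts tcp/$p" || echo "$f BLOCKS tcp/$p"
    done
  done
  cat "$dir/rules.v6"
fi
```

On the host, `v4_to_v6_rules /etc/iptables/rules.v4 > /etc/iptables/rules.v6`, then `ip6tables-restore --test < /etc/iptables/rules.v6` parses the file without applying it, and `ip6tables-restore < /etc/iptables/rules.v6` loads it without a reboot, mirroring the iptables-restore step in the solution post. `ip6tables -S INPUT` afterwards shows the live chain, which is what the Let's Encrypt validator's IPv6 connection actually hits.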