Hello PeerTubers,
My installation has run beautifully, but I am failing to provision a Let’s Encrypt certificate. I think the issue may be that the NGINX service won’t start.
Jul 5 11:54:33 node68327-env-1939384 systemd[1]: Starting A high performance web server and a reverse proxy server...
Jul 5 11:54:33 node68327-env-1939384 nginx[3834]: nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/video.winter.ink/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/video.winter.ink/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
Jul 5 11:54:33 node68327-env-1939384 nginx[3834]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jul 5 11:54:33 node68327-env-1939384 systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jul 5 11:54:33 node68327-env-1939384 systemd[1]: nginx.service: Failed with result 'exit-code'.
Jul 5 11:54:33 node68327-env-1939384 systemd[1]: Failed to start A high performance web server and a reverse proxy server.
I can see that the system seems to try and access a certificate that doesn’t exist, but if I try and generate a certificate that too fails:
Domain: video.winter.ink
Type: connection
Detail: Fetching http://video.winter.ink/.well-known/acme-challenge/7zXQA5OWmGuL_z6lA1yUZXB-4fgCRYvpnShW9YSnvbQ: Timeout during connect (likely firewall problem)
I am using Jelastic for my VPS and have turned the firewall off. So I don’t think it can be a firewall problem.
I should add, that I am trying to only use IPv6. I deliberately don’t want to configure an IPv4 address.
Any guidance would be appreciated as I have hit the proverbial wall.
Kind Regards,
RW
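The journal above shows the usual bootstrap trap: the site's server block already names /etc/letsencrypt/live/video.winter.ink/fullchain.pem, so nginx fails its config test and never starts, and with nothing listening on port 80 the HTTP-01 challenge cannot be served. A quick pre-flight check that pulls every ssl_certificate / ssl_certificate_key path out of a config file and confirms the files exist makes that failure obvious before systemctl is involved. This is an added example, not code from the post or from PeerTube; the config file path, the function names and the assumption that certificate paths are absolute are mine.

```shell
#!/bin/sh
# Added example: find the certificate files an nginx config references and
# check they exist before (re)starting nginx. Assumes absolute paths in the
# ssl_certificate / ssl_certificate_key directives of a single config file.

# Print the file paths named by ssl_certificate and ssl_certificate_key
# directives in the given config file, one per line.
list_cert_paths() {
    # $1: path to an nginx config file (e.g. the site's server block)
    awk '
        /^[[:space:]]*ssl_certificate(_key)?[[:space:]]/ {
            path = $2
            sub(/;.*$/, "", path)   # strip the trailing ";" and anything after it
            print path
        }
    ' "$1"
}

# Return 0 when every referenced certificate/key file is readable, 1 otherwise.
# Missing files are printed so the operator sees what still has to be issued.
check_cert_paths() {
    # $1: path to an nginx config file
    missing=0
    for p in $(list_cert_paths "$1"); do
        if [ ! -r "$p" ]; then
            echo "missing: $p"
            missing=1
        fi
    done
    return $missing
}

# Typical use on the server (not run here): only start nginx when the
# referenced files exist and the full config test passes.
#   check_cert_paths /etc/nginx/sites-enabled/peertube && nginx -t && systemctl start nginx
```

If the check reports the Let's Encrypt files as missing, the way out is to serve the HTTP-01 challenge before the TLS block exists: either keep a plain port-80 server block (with the .well-known/acme-challenge location) in a separate file and comment out the 443 block until certbot has issued the certificate, or stop nginx and let certbot's standalone mode answer on port 80 once. Either way the firewall still has to admit inbound TCP/80 on whichever address family the AAAA/A records point at.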
For those who may follow in my footsteps, on Jelastic, and struggle to get their NGINX running and certificates installed… I disabled the default Jelastic Firewall and installed iptables.
apt install -y iptables-persistent
Edit /etc/iptables/rules.v4
and put this inside:
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
# The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
With iptables-persistent, that configuration will be loaded at boot time. But to save needing to reboot the server, I ran:
iptables-restore < /etc/iptables/rules.v4
I also found I can’t access sites that are IPv6 only by using this test page: https://test-ipv6.com/
Thus I also enabled IPv4.
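One caveat for anyone copying the rules.v4 file above onto an IPv6-only host: iptables-persistent loads rules.v4 into iptables and rules.v6 into ip6tables, and the two tables are independent. With only rules.v4 in place, IPv6 traffic is governed by ip6tables' default ACCEPT policy, so none of the filtering above applies to the addresses the server actually answers on, and a rules.v6 that simply copies the v4 file would break the host, because IPv6 depends on ICMPv6 for neighbour discovery, router advertisements and path-MTU discovery. The script below writes an ip6tables counterpart of the rules.v4 file with the ICMPv6 types that must stay open, plus a small shape check for the file. This is an added example, not part of the thread or of Jelastic's or PeerTube's tooling; the destination path is an argument and the SSH port mirrors the 22 used above.

```shell
#!/bin/sh
# Added example: write /etc/iptables/rules.v6 (ip6tables) to match the
# rules.v4 above, keeping the ICMPv6 types IPv6 cannot work without.
# The destination path is a parameter; port 22 mirrors the v4 rules.

write_rules_v6() {
    # $1: destination file, e.g. /etc/iptables/rules.v6
    cat > "$1" <<'EOF'
*filter
# Allow all loopback traffic; reject anything addressed to ::1 that arrives elsewhere
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d ::1/128 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# ICMPv6 is not optional: neighbour discovery, router advertisements and
# path-MTU discovery all stop working if these types are rejected
-A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
# Allow HTTP and HTTPS (the ACME HTTP-01 challenge arrives on port 80)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH; the --dport must match the Port in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Log, then reject everything else inbound (default deny)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "ip6tables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Cheap structural check before handing the file to ip6tables-restore:
# first line "*filter", last line "COMMIT", and every other non-blank,
# non-comment line is a rule (-A ...) or a chain policy (:CHAIN ...).
# Returns 0 when the file has that shape, 1 otherwise.
validate_rules_v6() {
    # $1: rules file to check
    f="$1"
    [ "$(head -n 1 "$f")" = "*filter" ] || return 1
    [ "$(tail -n 1 "$f")" = "COMMIT" ] || return 1
    if grep -Ev '^(#|\*|-A |:|COMMIT$|$)' "$f" >/dev/null; then
        return 1
    fi
    return 0
}

# Typical use on the server (not run here):
#   write_rules_v6 /etc/iptables/rules.v6
#   validate_rules_v6 /etc/iptables/rules.v6 && ip6tables-restore < /etc/iptables/rules.v6
```

Before applying the file for real, `ip6tables-restore --test < /etc/iptables/rules.v6` parses the ruleset without committing it, which catches a typo before it locks the SSH session out. After loading, `ip6tables -S INPUT` should show the port-80 accept ahead of the final REJECT; if the ACME challenge still times out over IPv6 with that in place, the block is somewhere outside the host (provider-side filtering or a missing AAAA record) rather than in these rules.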
Hello,
By default, the 80 port on a VPS is closed. You may open it using the following steps:
Hello, thank you for taking the time to respond.
Valuable suggestions, but I think I have already accounted for both possibilities. To start, I don’t use the inbuilt firewall, but IPTABLES with the following setup:
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
# The --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
NGINX should also be listening on both IPv4 and IPv6:
listen 80;
listen [::]:80;
...
listen 443 ssl http2;
listen [::]:443 ssl http2;
I’m sure I’ll work it out one day. For now, it just means a little extra expense in having an IPv4 IP address for the site to work. Not ideal, but also not the end of the world. 