Tags: nginx, https, port, firewall, ufw

nginx is listening on port 80 and website is up but cannot renew HTTPS certificates


I have a Raspberry Pi that runs nginx and hosts a personal website. My Pi says that nginx is running on port 80, but it is refusing connections. This is an issue because it means I can't renew my SSL certificate with certbot.

I know that nginx and my website are working because if I go to https://<IP address of PI> on my home network, I get to my website.

Yes, I have checked that my DNS settings are correct. If I ping getty.nz, I get a response.

My configuration should be okay because nginx -t doesn't show any issues.

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

I have ufw set up to block all ports except ports 22, 80, and 443. Here is the output of the status.

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
443                        ALLOW       Anywhere                  
80                         ALLOW       Anywhere                  
22                         ALLOW       Anywhere                  
443 (v6)                   ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)             
22 (v6)                    ALLOW       Anywhere (v6)   

Here is the output of ss to show that my ports are being listened to:

$ sudo ss -lntp 
State     Recv-Q    Send-Q       Local Address:Port        Peer Address:Port    Process                                                      
LISTEN    0         244              127.0.0.1:5432             0.0.0.0:*        users:(("postgres",pid=502,fd=6))                           
LISTEN    0         128                0.0.0.0:22               0.0.0.0:*        users:(("sshd",pid=399,fd=3))                               
LISTEN    0         511                0.0.0.0:80               0.0.0.0:*        users:(("nginx",pid=1932,fd=10),("nginx",pid=415,fd=10))    
LISTEN    0         511                0.0.0.0:443              0.0.0.0:*        users:(("nginx",pid=1932,fd=9),("nginx",pid=415,fd=9))      
LISTEN    0         128                   [::]:22                  [::]:*        users:(("sshd",pid=399,fd=4))                               
LISTEN    0         511                   [::]:80                  [::]:*        users:(("nginx",pid=1932,fd=11),("nginx",pid=415,fd=11))    
LISTEN    0         511                   [::]:443                 [::]:*        users:(("nginx",pid=1932,fd=8),("nginx",pid=415,fd=8))      
LISTEN    0         244                  [::1]:5432                [::]:*        users:(("postgres",pid=502,fd=5)) 

Here is the output of certbot for my domains (getty.nz and rss.getty.nz):

$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: getty.nz
2: rss.getty.nz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/getty.nz.conf)

It contains these names: getty.nz

You requested these names for the new certificate: getty.nz, rss.getty.nz.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate for getty.nz and rss.getty.nz
Performing the following challenges:
http-01 challenge for getty.nz
http-01 challenge for rss.getty.nz
Waiting for verification...
Challenge failed for domain getty.nz
Challenge failed for domain rss.getty.nz
http-01 challenge for getty.nz
http-01 challenge for rss.getty.nz
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: getty.nz
   Type:   connection
   Detail: 122.61.157.36: Fetching
   http://getty.nz/.well-known/acme-challenge/7KasvsA5z6yvpzXlOv5hzmT_u7lOgtzlaoEY6DAMmic:
   Timeout during connect (likely firewall problem)

   Domain: rss.getty.nz
   Type:   connection
   Detail: 122.61.157.36: Fetching
   http://rss.getty.nz/.well-known/acme-challenge/cqhf7anWcw1_you9q90y18UVdCfjAJeEg88tNeDoWig:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Solution

  • Are ports 80 and 443 open on your router and forwarded to your Raspberry Pi's IP before you send the certificate renewal request?
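As an added example (not part of the question or the answer above), a small POSIX sh check that applies the same reasoning to captured `ss -lntp` and `ufw status` output: if the port is bound on a wildcard address and ufw allows it, the Pi is not where the timeout comes from, and the router's port forwarding, the ISP, or the DNS A record is the next thing to look at. The function names and the condensed samples are my own.

```shell
# Added pre-flight check (not from the original post): from captured `ss -lntp`
# and `ufw status` output, decide whether the Pi itself can explain an outside
# connection to a TCP port timing out, or whether the cause lies beyond it.

# listens_on PORT SS_OUTPUT: succeeds if a socket is bound on 0.0.0.0:PORT or
# [::]:PORT (a 127.0.0.1-only bind, like postgres here, is not reachable remotely).
listens_on() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" && ($4 == ("0.0.0.0:" p) || $4 == ("[::]:" p)) { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# ufw_allows PORT UFW_OUTPUT: succeeds if ufw has an IPv4 "PORT ALLOW Anywhere" rule.
ufw_allows() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == p && $2 == "ALLOW" && $3 == "Anywhere" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# host_path_verdict PORT SS_OUTPUT UFW_OUTPUT prints one of:
#   listen-missing | firewall-blocked | outside-host
# "outside-host" means listener and ufw are fine, so check router NAT / port
# forwarding, the ISP, and whether the DNS A record really is this host's IP.
host_path_verdict() {
    if ! listens_on "$1" "$2"; then echo listen-missing; return 0; fi
    if ! ufw_allows "$1" "$3"; then echo firewall-blocked; return 0; fi
    echo outside-host
}

# Constructed samples, condensed from the outputs in the question above.
SS_OUT=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      244        127.0.0.1:5432       0.0.0.0:*   users:(("postgres",pid=502,fd=6))
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*   users:(("sshd",pid=399,fd=3))
LISTEN 0      511          0.0.0.0:80         0.0.0.0:*   users:(("nginx",pid=1932,fd=10))
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*   users:(("nginx",pid=1932,fd=9))
EOF
)
UFW_OUT=$(cat <<'EOF'
Status: active
To                         Action      From
443                        ALLOW       Anywhere
80                         ALLOW       Anywhere
22                         ALLOW       Anywhere
EOF
)
for p in 80 443 5432; do
    printf 'port %s: %s\n' "$p" "$(host_path_verdict "$p" "$SS_OUT" "$UFW_OUT")"
done
```

For ports 80 and 443 the verdict on the question's data is `outside-host`, which is exactly why the answer points at the router rather than at nginx or ufw.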