NGINX: not replying on Port 80 [kindof solved]

Started by ruggerio, January 25, 2022, 11:20:49 AM

January 25, 2022, 11:20:49 AM Last Edit: January 25, 2022, 08:07:29 PM by ruggerio
Hello,

For weeks I have had a problem with the letsencrypt plugin on my sense.

I configured 2 HTTP servers on it:

1 webserver, reached via the reverse proxy function of nginx
1 local webserver on nginx with a separate hostname and a webroot containing just an index.html

The local webserver has the check mark on "enable letsencrypt plugin". Nevertheless, it does not work. I read that LE needs port 80 open, so I tested this.

Result: connecting to the local webserver on port 443 returns my dummy index.html
Result: connecting to the local webserver on port 80 gives ERR_EMPTY_RESPONSE

Both ports (80/443) are enabled, but for both webservers I can only connect to port 443. Port 80, btw., is opened on the WAN port and redirected to "this firewall".

Might it be that port 80 is still in use by lighttpd from the sense? I changed it to a higher port and use just https (so configured in the web GUI).

ACME results in hcocde 6, btw.

Thanks for any idea.
Roger

I would start with basic checks, like starting tcpdump on the OPNsense and the webserver, and checking whether the NGINX reverse proxy is even trying to reach the backend webserver.

January 25, 2022, 04:45:22 PM #2 Last Edit: January 25, 2022, 05:18:10 PM by ruggerio
I am trying to understand what this here is doing:

_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L '

After that, I get the response that the host is not resolvable. Might it be that some kind of header should be dumped into that file, which is needed for further action by acme?

Hi!
Quote: Port 80 btw. is opened on the WAN port and redirected to "this firewall".
Not sure that is possible. "This firewall" as a "Redirect target IP"?
And why do you need it, btw? If nginx is supposed to listen on this port, why not just open this port with a pass rule, without forwarding?
Moreover, such an rdr rule can intersect with, and work before, the 'rdr pass' rule that the acme plugin creates on the fly for HTTP challenge types.
Quote: Might it be that port 80 is still in use by lighttpd from the sense?
It's possible if "Disable web GUI redirect rule" is not set at System: Settings: Administration.
In this case nginx should complain about port binding in the Global Error log.

The end goal is not entirely clear, but if the nginx config is as intended, then I would start by disabling GUI redirection, removing the redirect rule and adding just a pass rule for port 80.

The acme client plugin will take care of itself imho  ;)
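The checks this reply recommends, written out as an added example (not the poster's code and not part of OPNsense or the acme plugin): a small POSIX sh script for the firewall that lists what is bound to port 80 from sockstat output, lists the rdr rules pf would consider for port 80 in match order (pf applies the first matching rdr rule, so a manual redirect that sorts ahead of the plugin's temporary 'rdr pass' wins), and, in live mode, asks from the outside which daemon actually answers the HTTP-01 URL. The sockstat and pfctl sample output embedded in it is constructed, not captured from anyone's firewall; the interface name igb0, the example domain and the plugin listener port in the sample are assumptions.

```shell
#!/bin/sh
# Added diagnostic for the two suspects raised in the thread: (1) another daemon
# (the web GUI's lighttpd) already bound to :80, and (2) a user rdr rule on :80
# that pf matches before the 'rdr pass' rule the ACME plugin inserts for its
# HTTP-01 listener. Parsers read tool output on stdin so they can be tried on
# the constructed samples below; 'live' runs the real FreeBSD tools.

# Print "COMMAND PID" for each TCP socket bound to the given local port.
# Input: `sockstat -4 -6 -l -P tcp` (columns: USER COMMAND PID FD PROTO LOCAL FOREIGN).
listeners_on_port() {
    awk -v p="$1" 'NR > 1 && $5 ~ /^tcp/ {
        n = split($6, a, ":")          # local address is "addr:port"; take the port
        if (a[n] == p) print $2, $3
    }'
}

# Print every rdr rule whose destination port is the given port, in the order
# pf evaluates them (first match wins for translation rules). pfctl may print
# well-known ports by service name, so an optional second arg (e.g. "http") is
# accepted as an alias. Input: `pfctl -sn`.
rdr_rules_for_port() {
    pat="port = ($1"
    if [ -n "${2:-}" ]; then pat="$pat|$2"; fi
    pat="$pat) "
    awk -v pat="$pat" '/^rdr/ && ($0 " ") ~ pat { print }'
}

# The URL the CA fetches for HTTP-01 (RFC 8555 section 8.3): always plain HTTP
# on port 80, always this path. Domain and token are the caller's.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Live checks on the firewall itself (needs sockstat, pfctl, curl). The curl
# call reports the status line and Server header, i.e. which daemon (nginx,
# lighttpd, the plugin's listener) answers :80 from the outside; an empty reply
# or a connection error means nothing reachable is bound there.
live() {
    domain="$1"
    echo "== sockets bound to :80"
    sockstat -4 -6 -l -P tcp | listeners_on_port 80
    echo "== rdr rules for :80, match order (pf applies the first one)"
    pfctl -sn | rdr_rules_for_port 80 http
    echo "== who answers $(challenge_url "$domain" probe)"
    curl -sS -o /dev/null -D - "$(challenge_url "$domain" probe)" | grep -iE '^(HTTP/|server:)'
}

# Constructed samples (assumed tool output, not captured from a real box): the
# GUI's lighttpd still holds *:80, and a manual rdr to the firewall sits ahead
# of the plugin's rdr pass to its listener port (port number assumed).
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd   1234  5  tcp4   *:80                  *:*
root     nginx      2345  6  tcp4   *:443                 *:*
root     nginx      2345  7  tcp6   *:443                 *:*
EOF
}
sample_pfctl() {
    cat <<'EOF'
rdr on igb0 inet proto tcp from any to (igb0) port = http -> 127.0.0.1 port 80
rdr pass on igb0 inet proto tcp from any to any port = http -> 127.0.0.1 port 40583
rdr on igb0 inet proto tcp from any to (igb0) port = https -> 192.0.2.10 port 443
EOF
}

demo_listeners() { sample_sockstat | listeners_on_port 80; }                  # lighttpd 1234
demo_first_rdr() { sample_pfctl | rdr_rules_for_port 80 http | head -n 1; }   # the manual rdr, not the plugin's

case "${1:-}" in
    live) live "${2:?usage: $0 live <domain>}" ;;
    *)    echo "bound to :80 (sample):"; demo_listeners
          echo "rdr rules on :80 (sample, match order):"; sample_pfctl | rdr_rules_for_port 80 http ;;
esac
```

Run it with no arguments to see the parsers on the samples, or `sh check80.sh live subdomain.mydomain.com` on the firewall. If the first rdr line printed is not the plugin's 'rdr pass', the plugin's challenge listener never sees the CA's request no matter what nginx does; if sockstat shows lighttpd on *:80, the GUI redirect is still enabled and nginx cannot bind.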


Quote: Not sure that is possible. "This firewall" as a "Redirect target IP"?
This is done because my webserver is behind nginx, acting as a reverse proxy.

Quote: It's possible if "Disable web GUI redirect rule" is not set at System: Settings: Administration.
I already did this in my personal desperation  :)

I see that opnsense's plugin tries to make an rdr rule from WAN to localhost, using port 80 -> 40583. Port 80 is already used for the https-server from nginx, which acts as reverse proxy. So I also tried to stop nginx and then run acme-client, still no luck. ::)

Erm, I am really not 100% sure what I did, but now it works.

I clicked in the GUI on the issue/renew button instead of the renewal button directly, which is with the certificate.

Thanks!
Roger

Hmmm... once again...

Tried via web GUI, no fun.

Copied the command from the web GUI into the shell: ok

/usr/local/sbin/acme.sh --issue --syslog 7 --debug --server 'letsencrypt' --webroot /var/etc/acme-client/challenges --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/.../cert.pem' --keypath '/var/etc/acme-client/keys/.../private.key' --capath '/var/etc/acme-client/certs/.../chain.pem' --fullchainpath '/var/etc/acme-client/certs/.../fullchain.pem' --domain 'mydomain.com' --domain 'subdomain.mydomain.com' --domain 'also_subdomain.mydomain.com' --days '1' --keylength '4096' --accountconf '/var/etc/acme-client/accounts/..._prod/account.conf'