I'm running two websites from a Raspberry Pi. Until recently it all worked very well. Then I moved house and now nothing works. I don't think the moving of the house is the issue, for various reasons. My setup is: Internet -> ISP Router -> Internal Router -> Raspberry Pi. I have port forwarding on the ISP router 80:80 and 443:443. Same on the Internal Router. Why two routers? The ISP won't allow you to use your own, so I'm running an ethernet cable from theirs to mine (LAN 1 to WAN) and it works very well for all the devices. I can even access the internet from the Raspberry Pi, so I think that is a Herring Rouge. If I run

curl --head -iL sarahcorballis.com

I eventually get:

curl: (7) Failed to connect to sarahcorballis.com port 80: Connection timed out

Running ping against the IP Address works.

If I run letsencrypt --nginx then I get this:

Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.corballis.co.uk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.corballis.co.uk/.well-known/acme-challenge/aPRcvEhOaTd6kpM5yQQ07VuXRQNWExFocU8U8yW3ywg: Timeout during connect (likely firewall problem), www.sarahcorballis.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.sarahcorballis.com/.well-known/acme-challenge/gFOXzmgjZpHO1DIhgmQkAy8XEi47j7kJUHyo6ftzbuM: Timeout during connect (likely firewall problem), corballis.co.uk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://corballis.co.uk/.well-known/acme-challenge/w4cSZkJZWrAcmDSPQAFuKVgGhP73Lv9SMB59ShFb_uQ: Timeout during connect (likely firewall problem), sarahcorballis.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sarahcorballis.com/.well-known/acme-challenge/8QzVJ45bWes3yjXWTg5DkRIG5gxAjAyIia53tQ3o3HY: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.corballis.co.uk
   Type:   connection
   Detail: Fetching
   http://www.corballis.co.uk/.well-known/acme-challenge/aPRcvEhOaTd6kpM5yQQ07VuXRQNWExFocU8U8yW3ywg:
   Timeout during connect (likely firewall problem)

   Domain: www.sarahcorballis.com
   Type:   connection
   Detail: Fetching
   http://www.sarahcorballis.com/.well-known/acme-challenge/gFOXzmgjZpHO1DIhgmQkAy8XEi47j7kJUHyo6ftzbuM:
   Timeout during connect (likely firewall problem)

   Domain: corballis.co.uk
   Type:   connection
   Detail: Fetching
   http://corballis.co.uk/.well-known/acme-challenge/w4cSZkJZWrAcmDSPQAFuKVgGhP73Lv9SMB59ShFb_uQ:
   Timeout during connect (likely firewall problem)

   Domain: sarahcorballis.com
   Type:   connection
   Detail: Fetching
   http://sarahcorballis.com/.well-known/acme-challenge/8QzVJ45bWes3yjXWTg5DkRIG5gxAjAyIia53tQ3o3HY:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

It looks as though traffic is being redirected from http to https, because if I look in /var/log/nginx I get this:

2021/01/16 16:41:37 [error] 21244#21244: *1461 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:37 [error] 21244#21244: *1462 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:37 [error] 21244#21244: *1463 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:39 [error] 21244#21244: *1464 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:39 [error] 21244#21244: *1465 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:40 [error] 21244#21244: *1466 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:41 [error] 21244#21244: *1467 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:43 [error] 21244#21244: *1468 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:41:43 [error] 21244#21244: *1469 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 107.178.200.226, server: 0.0.0.0:443
2021/01/16 16:53:32 [error] 21244#21244: *1470 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 114.119.157.139, server: 0.0.0.0:443

But there is no redirect in the nginx configuration files. Here is the output of sudo nginx -T:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}


load_module modules/ngx_http_auth_pam_module.so;

load_module modules/ngx_http_dav_ext_module.so;

load_module modules/ngx_http_echo_module.so;

load_module modules/ngx_http_geoip_module.so;

load_module modules/ngx_http_image_filter_module.so;

load_module modules/ngx_http_subs_filter_module.so;

load_module modules/ngx_http_upstream_fair_module.so;

load_module modules/ngx_http_xslt_filter_module.so;

load_module modules/ngx_mail_module.so;

load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/corballis.co.uk:
server {
    listen 80;
    listen 443 ssl;
#    listen [::]:80;
#    listen [::]:443 ssl;

    server_name corballis.co.uk www.corballis.co.uk;
# Following line changed to remove nginx-root from the end of the line
    root /var/www/corballis.co.uk/system/;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
        
    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;
}

# configuration file /etc/nginx/sites-enabled/sarahcorballis.com:
server {
    listen 80;
    listen 443 ssl;
    listen [::]:80;
    listen [::]:443 ssl;

    server_name sarahcorballis.com www.sarahcorballis.com;
    root /var/www/sarahcorballis.com/;

    index index.html;

    try_files $uri $uri/ /index.html;

    location ~ /.well-known/acme-challenge/ {
        allow all;
        default_type "text/plain";
    }

    client_max_body_size 50m;
}

Here is the output from nslookup sarahcorballis.com:

Server:     10.1.0.1
Address:    10.1.0.1#53

Non-authoritative answer:
Name:   sarahcorballis.com
Address: 83.86.93.178

And here's the result of an nmap scan:

Nmap scan report for sarahcorballis.com (83.86.93.178)
Host is up (0.16s latency).
rDNS record for 83.86.93.178: 83-86-93-178.cable.dynamic.v4.ziggo.nl

PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
80/tcp   filtered http
110/tcp  filtered pop3
143/tcp  filtered imap
443/tcp  open     https
3389/tcp filtered ms-wbt-server

Which is weird, because port 80 isn't filtered at all: it's open for TCP on both routers and on the Raspberry Pi. Here is the output from ufw status:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
Nginx Full                 ALLOW       Anywhere                  
5900:5910/tcp              ALLOW       Anywhere                  
631/tcp                    ALLOW       Anywhere                  
9191/tcp                   ALLOW       Anywhere                  
3306                       ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)             
Nginx Full (v6)            ALLOW       Anywhere (v6)             
5900:5910/tcp (v6)         ALLOW       Anywhere (v6)             
631/tcp (v6)               ALLOW       Anywhere (v6)             
9191/tcp (v6)              ALLOW       Anywhere (v6)             
3306 (v6)                  ALLOW       Anywhere (v6) 

The nmap ports don't appear to agree with the ufw status. The firewall is on on both routers but turning it off on either independently or both at once has no effect.

Any suggestions would be very welcome. This has been driving me nuts for weeks!


Solution 1:

OK, I solved it. In case anyone has a similar setup and encounters the same issue in the future: the problem was that I'd deleted a third site (I didn't need it anymore); however, that site had the SSL certs which covered all three sites, and they were now gone. Worse, I'm not using Letsencrypt but instead am using Cloudflare origin certificates with HSTS to ensure more robust security. Cloudflare was causing the redirect, which was then failing due to there being no certificate. Solution:

  1. Generate a new certificate - one for each site
  2. Save the certificates (both pem and key) to directories on the server
  3. Amend the server blocks in nginx (/etc/nginx/sites-enabled) to point at the right directories and ensure http2 is enabled
  4. Ensure SSL Strict is selected in Cloudflare.

Here's the nginx config block for one of the sites:

# configuration file /etc/nginx/sites-enabled/<website>.com:
server {
    listen 80;
    listen [::]:80;

    server_name <website>.com www.<website>.com;
    # Redirect plain HTTP to HTTPS. The target must be https://; an http://
    # target here would redirect straight back into this same block (a loop).
    return 302 https://$server_name$request_uri;
}
server {

    # SSL Configuration for Cloudflare

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # "ssl on;" is not needed (and is deprecated) once "listen ... ssl" is used
    ssl_certificate /etc/ssl/certs/<website>.com.pem;
    ssl_certificate_key /etc/ssl/private/<website>.com.key;

    server_name <website>.com www.<website>.com;

    root /var/www/sarahcorballis.com/;

    index index.html;

    try_files $uri $uri/ /index.html;


    client_max_body_size 50m;
}

You'd need to change <website> to whatever website you have, and make sure that the suffix is the same as yours, if you happened to copy the block above.
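As an added check (my own example, not code from the question or the answer), this script splits an nginx config or `nginx -T` dump into server blocks and flags the two mistakes this thread turns on: a `listen ... ssl` block with no `ssl_certificate`/`ssl_certificate_key` (what produced the 'no "ssl_certificate" is defined' errors in the question's log) and a `return 30x` that points at `http://` instead of `https://` (the redirect-loop slip in Solution 1's port-80 block). The sample config, the `example.test`/`fixed.test` names and the certificate paths are constructed placeholders.

```python
import re

# Constructed sample, not the poster's real files: block 1 has the question's defect
# (listen 443 ssl with no ssl_certificate); blocks 2-3 copy Solution 1's http/https split.
SAMPLE = """server {
    listen 80;
    listen 443 ssl;
    server_name example.test www.example.test;
}
server {
    listen 80;
    server_name fixed.test www.fixed.test;
    return 302 http://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name fixed.test www.fixed.test;
    ssl_certificate /etc/ssl/certs/fixed.test.pem;   # placeholder paths
    ssl_certificate_key /etc/ssl/private/fixed.test.key;
}"""

def server_blocks(text):
    """Return the body of every server { ... } block, at any nesting depth (nginx -T wraps them in http {})."""
    text = re.sub(r"#[^\n]*", "", text)          # strip comments before tracking braces
    blocks, depth, open_at = [], 0, []           # open_at: stack of (depth, body_start)
    for m in re.finditer(r"\bserver\s*\{|[{}]", text):
        if m.group() == "}":
            depth -= 1
            if open_at and open_at[-1][0] == depth:
                blocks.append(text[open_at.pop()[1]:m.start()])
        else:
            if m.group() != "{":                  # a 'server {' token opens a block
                open_at.append((depth, m.end()))
            depth += 1
    return blocks

def lint(text):
    """(server_name, finding) pairs: TLS listeners without a cert, http->http redirects."""
    out = []
    for body in server_blocks(text):
        m = re.search(r"\bserver_name\s+([^;]+);", body)
        name = m.group(1).split()[0] if m else "(no server_name)"
        listens = re.findall(r"\blisten\s+([^;]+);", body)
        tls = any(re.search(r"\bssl\b", l) for l in listens)
        for d in ("ssl_certificate", "ssl_certificate_key"):
            if tls and not re.search(r"\b%s\s" % d, body):
                out.append((name, "listens with ssl but defines no " + d))
        if re.search(r"\breturn\s+30[1278]\s+http://", body):
            out.append((name, "redirects to http://, a loop on a port-80 block; use https://"))
    return out
```

Run it against `sudo nginx -T` output (for example `lint(open("dump.txt").read())`) to spot a TLS listener that has lost its certificate before the error log fills up.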