by Talented

I need a certificate for my S3 object storage which is on remote Wasabi server.

`sudo site horseboxheaven.uk -ssl=on -wildcard`

then

`sudo site hbh-cdn.horseboxheaven.uk -ssl=on -add-to-wildcard=horseboxheaven.uk`

produces an [ERROR] Domain not found!

How do I add this cname sub-domain to the wildcard certificate?

by Talented
Should I set up a reverse proxy?

`sudo site hbh-cdn.horseboxheaven.uk -proxy=[hbh-cdn.horseboxheaven.uk.s3.eu-central-1.wasabisys.com]`
by Expert
Yes, that's exactly what a reverse proxy is for.

1 Answer

by Expert
That makes no sense!

You cannot use a cert in a domain that is not hosted on the same server.
by Talented
So how do I set up an SSL connection to this subdomain when Wasabi doesn't provide a certificate?

I was doing it via Cloudflare before but I am now trying to use only their DNS and not their CDN or WAF.
by Expert
As you mentioned above: use a reverse proxy!
by Talented

OK, I added the reverse proxy with 

`sudo site hbh-cdn.horseboxheaven.uk -proxy=[hbh-cdn.horseboxheaven.uk.s3.eu-central-1.wasabisys.com]` 

then I added its certificate to the wildcard certificate with 

`sudo site hbh-cdn.horseboxheaven.uk -ssl=on -add-to-wildcard=horseboxheaven.uk` 

and everything with Webinoly seemed OK so far, but I am still getting 

"Failed to load resource: net::ERR_CERT_COMMON_NAME_INVALID" 

from the site, and no images of course.

How do I debug this one?

by Talented
A clue?

"You cannot visit hbh-cdn.horseboxheaven.uk right now because the website uses HSTS."
by Talented
I thought `sudo webinoly -header-hsts=0` would solve that one, but it doesn't.
by Talented
Do you think it's going to be possible to access the hbh-cdn subdomain via a Let's Encrypt certificate managed by Webinoly, without using Cloudflare, or should I start the process of removing the domain from the preload list?
by Expert
Terence, that's one of the most common uses of the NGINX "Reverse Proxy" feature, so yes, it's totally possible. This is not something that I invented today.

And please, be careful when making decisions like adding your domain to the preload list.
by Talented

This is all new territory for me, so please be patient with me. 

And yes, you're quite right, if I had to do it all over, I wouldn't have implemented HSTS, or at least not the preload option.  However, that's all part of the learning process, and I am where I am. 

I learned something new today, I believe I have done the right thing in setting up a wildcard certificate and adding the subdomain as a reverse proxy, so what am I missing?

`sudo site horseboxheaven.uk -ssl=off`

`sudo site horseboxheaven.uk -ssl=on -wildcard`

`sudo site hbh-cdn.horseboxheaven.uk -ssl=on -add-to-wildcard=horseboxheaven.uk`

`sudo site hbh-cdn.horseboxheaven.uk -proxy=[hbh-cdn.horseboxheaven.uk.s3.eu-central-1.wasabisys.com]`

Why am I still getting...

`Failed to load resource: net::ERR_CERT_COMMON_NAME_INVALID`

and no images on the site?

by Talented

I have reset the header with...

`sudo webinoly -header-hsts=off`

and then deleted the HSTS settings in the browser, so it's not reloading them, but still no images.

by Talented
The cert is valid for the domain, so the html and the CSS loads...

https://i.imgur.com/RZ5uXRP.png

It's only the images on the "HBH-CDN" subdomain that still don't load.
by Talented
I managed to open an image by ignoring the warnings and then checked the certificate and found out the problem...

https://i.imgur.com/ztQB001.png

The certificate is not valid for "hbh-cdn.horseboxheaven.uk" and seems to be covering the proxy "*.s3.eu-central-1.wasabisys.com" instead.
by Expert
Did you do the DNS verification when the wildcard cert was requested?

If not, that means you don't have a wildcard cert and you're still using an old cert.
by Talented

Yes, I added the DNS TXT records when the wildcard cert was created, however I didn't have to verify anything when I added the subdomain.

The certificate CN is simply the domain name `horseboxheaven.uk`.

Should a wildcard CN be written like this: `*.horseboxheaven.uk`?

by Talented

`sudo site hbh-cdn.horseboxheaven.uk -delete`

Now I can see the images, the certificate is valid but the connection is not secure.

by Talented

I tried to update the certificates and got this...

`sudo site -ssl=force-renewal-all`

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/horseboxheaven.uk.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Attempting to renew cert (horseboxheaven.uk) from /etc/letsencrypt/renewal/horseboxheaven.uk.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/horseboxheaven.uk/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/horseboxheaven.uk/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
```

by Talented

I was not sure if I could fix this problem with letsencrypt so, because it's so easy to migrate a site with Webinoly, I spun up a new VPS, installed Webinoly and did the following...

`sudo webinoly -backup=local -export=horseboxheaven.uk`

[new vps]

`sudo webinoly -backup=local -import -file=/root/webinoly_horseboxheaven.uk_2021-02-21-01:04:53`

`sudo site horseboxheaven.uk -ssl=on -wildcard`

[dns verify]

`sudo site hbh-cdn.horseboxheaven.uk -proxy=[hbh-cdn.horseboxheaven.uk.s3.eu-central-1.wasabisys.com]`

`sudo site hbh-cdn.horseboxheaven.uk -ssl=on -add-to-wildcard=horseboxheaven.uk`

And again, the result is that the certificate is valid, but the connection is not secure.

Cloudflare then sent me a Certificate Transparency Notification...

Cloudflare has observed issuance of the following certificate for horseboxheaven.uk or one of its subdomains:

Log date: 2021-02-21 01:54:10 UTC
Issuer: CN=R3,O=Let's Encrypt,C=US
Validity: 2021-02-21 00:54:10 UTC - 2021-05-22 00:54:10 UTC
DNS Names: *.horseboxheaven.uk, horseboxheaven.uk

Which seems to confirm the certificate is OK, but when I check an image I can see the certificate details show the certificate is invalid...

`Common Name (CN) *.eu-central-1.wasabisys.com`

What is it about the way I am creating this certificate or setting up the reverse proxy that's causing this problem, and how do I fix it?
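The thread keeps coming back to one question: does the certificate the browser receives for `hbh-cdn.horseboxheaven.uk` actually list that name? The following is an added example (not code from the thread or from Webinoly) that applies the browser's wildcard rule to the names quoted above and adds a small stdlib probe that reports which DNS names a host really serves for a given SNI, so you can tell whether nginx or the S3 origin answered the handshake. Hostnames and SAN lists are taken from the thread; the probe function is a hypothetical helper and needs network access.

```python
"""Check whether a certificate's SAN entries cover a hostname (added example)."""
import socket
import ssl
from typing import List, Optional


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN dNSName entry covers hostname.

    Browser rule (RFC 6125): '*' is accepted only as the whole leftmost
    label and matches exactly one label, so '*.example.uk' covers
    'cdn.example.uk' but neither 'example.uk' nor 'a.cdn.example.uk'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject partial-label wildcards, bare '*.tld', and label-count mismatch.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covering_name(hostname: str, dns_names: List[str]) -> Optional[str]:
    """Return the SAN entry that covers hostname, or None.

    None is exactly the situation the browser reports as
    ERR_CERT_COMMON_NAME_INVALID: no entry in the served cert fits.
    """
    for name in dns_names:
        if wildcard_matches(name, hostname):
            return name
    return None


def served_dns_names(host: str, port: int = 443) -> List[str]:
    """Hypothetical probe: connect with SNI=host and return the dNSName
    SAN entries of the leaf certificate the server actually presented.
    Chain validation against the system CA store stays on so the
    parsed dict is populated; only the hostname check is disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
```

If `served_dns_names("hbh-cdn.horseboxheaven.uk")` returns only Wasabi names, the TLS handshake for that hostname never reached the nginx vhost holding the wildcard cert, regardless of what `certbot` or the CT log shows.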

by Expert

I have no idea what you are doing with all these Cloudflare and Wasabi things, but if you want to learn:

  • Try giving small steps, one reverse proxy site with single cert and no CF.
  • Then try adding a wildcard.
  • And if everything is working right, then you can try with CF.
You are adding complexity to very simple things. Read about NGINX reverse proxy, you will find a lot of documentation in Google.
by Talented
Cloudflare is now just my DNS host and Wasabi is just providing S3 object storage. However, they are not causing this issue. The problem seems to be, as you quite rightly pointed out, something to do with the NGINX reverse proxy and, perhaps, Let's Encrypt. We'll see.

I have come a long way so far, sometimes with your help and sometimes not, but your insights are often what points me in the right direction.

Thanks. I have some reading to do.
by Expert

Terence, Webinoly makes a lot of things easy, but it's not magical, you won't find magical answers for every question. Reading and understanding the core NGINX concepts is the least everyone should do before asking for help in a professional community.

By the way, did you already try adding the scheme to the origin URL as is shown in the Webinoly docs?

`sudo site hbh-cdn.horseboxheaven.uk -proxy=[http://hbh-cdn.horseboxheaven.uk.s3.eu-central-1.wasabisys.com]`
by Talented
Unfortunately, reading and understanding are two different things, but everything I tried so far is as a result of reading the docs. Nevertheless, I don't know what you mean by "adding the scheme". What scheme? Don't forget I am a marketing guy, not a developer. I don't understand why you are quoting that back to me.
by Expert
Can you see the difference between the Webinoly instruction I wrote in my previous answer and the one you used and posted here previously?
by Talented

"http://" laugh

I also found over here, in a message Diki wrote me, that he did things differently, and in a different order, which, as far as I can see, is not clear from the documentation. Just goes to show, you don't know what you don't know... until some kind soul points it out to you!

by Expert
It's for comments like this that sometimes I think I should close this forum, seriously!

Your case is very different from Diki's case. Diki's case is a reverse proxy with a custom path; yours is a reverse proxy that requires a manual cert because the origin is on a different server.

Try accessing your origin server directly and you will see the same error, so that means that you need to force the http scheme. But you prefer to come here to say that the problem is in the docs, that it is the author's fault because you are a "marketing guy" who doesn't know, and that it is my obligation to come here and give you a step-by-step guide because you don't even want to read.

That's exactly why I put a warning message on the installation page.
by Talented
You don't have to close the forum. I'll leave.
by Talented
Cristhian, you write excellent software. Some of the best I have ever found. But Webinoly documentation is minimalistic to the point of inadequacy. It's the prime reason why, sooner or later, we all end up here. Also, you shouldn't be trying to provide support — you don't have the temperament for the job. You are deliberately rude and unhelpful, when anyone asks a question which doesn't measure up to your high standards, and even though you could help, you don't. Too often you just criticize and denigrate, rather than helping your users, and that can never be the right way to treat people. I have put up with your attitude for a while now because I figured, as the software was free, I pretty much had to take the rough with the smooth. But, I have enough shit in my life right now, without having to put up with yours, so this is my last message before I cancel my subscription and leave you in peace. For all the great software you write I applaud you. For the lack of empathy and your control-freakery, trying to impose your personal world-view on everyone else, I hope one day you will realize both yours, and your documentation's limitations, and fix them both. I am only sorry I won't be around to see it. Bye, and thanks for all the fish.
by Expert
Sorry Terence, I know you're a nice guy, but we can't avoid having a bad expectations problem here.

Webinoly is a product focused on engineers and developers, like sysadmins and devops professionals, that means our docs are written with that in mind. Sorry, but it's not in our plans to have a product that satisfies any other segment of users.

I'm aware that we have a very significant base of users who do not meet these criteria, and maybe in the future we can think about how to take advantage of this situation, but for now it would be impossible to think that we can assist all of them.

I know we have a lot of things to improve and we will surely make decisions to improve this little community, which I have to admit hasn't worked as we expected.