Trying to use ssl in a reverse proxy without success

I’m trying to use SSL in a reverse proxy without success. I use the same setup in my Jellyfin Docker container and it works normally, but for uptime-kuma this error appears:

Error: Let’s Encrypt validation status 400 (status.reloaded.com.br). Details: 403:“189.18.149.215: Invalid response from http://status.reloaded.com.br/.well-known/acme-challenge/aPS4Sf6SdkrMgOfzN6dACoScLoZtDLKAAJHgpeOp2Og: "\n<html lang=\"en\">\n\n <meta charset=\"UTF-8\" />\n <meta name=\"viewport\" content=\"width=device-width, init"”

The template I’m using looks like this:

status.stpl
server {
        listen      %ip%:%proxy_ssl_port% ssl;
        server_name status.reloaded.com.br;
        error_log   /var/log/%web_system%/domains/%domain%.error.log error;

        ssl_certificate     %ssl_pem%;
        ssl_certificate_key %ssl_key%;
        ssl_stapling        on;
        ssl_stapling_verify on;

        # TLS 1.3 0-RTT anti-replay
        if ($anti_replay = 307) { return 307 https://$host$request_uri; }
        if ($anti_replay = 425) { return 425; }

        include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;

        location ~ /\.(?!well-known\/|file) {
                deny all;
                return 404;
        }

        location / {
                proxy_pass http://192.168.1.100:3002;
        }
}
status.tpl
server {
        listen      %ip%:%proxy_port%;
        server_name status.reloaded.com.br;
        error_log   /var/log/%web_system%/domains/%domain%.error.log error;

        include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;

        location ~ /\.(?!well-known\/|file) {
                deny all;
                return 404;
        }

        location / {
                proxy_pass http://192.168.1.100:3002;
        }
}

In the Jellyfin container that is working, the only differences are the server_name, which is ‘media.reloaded.com.br’ and the proxy_pass which only changes the port from 8096 to 3002.

The reverse proxy without SSL is working, the problem is when I enable “Use Let’s Encrypt to obtain SSL certificate”.

You forgot to add the required include in status.tpl after the location / block:

include %home%/%user%/conf/web/%domain%/nginx.conf_*;

And this in status.stpl

include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;

You should modify the templates and rebuild your web domain.

Regarding media.reloaded.com.br you have the same problem: the certificate should have been renewed 15 days ago and it wasn’t, because of the same missing include directives in the templates.
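The failure above is the HTTP-01 challenge request being proxied to the application (hence the HTML in the Let’s Encrypt error) instead of being answered from the control panel’s ACME location, which the missing include file provides. The following is an added example, not part of this thread or of the panel’s own tooling: a small lint that checks a web template for the includes named in the answer above (and, since it comes up later in the thread, for the WebSocket directives) before you rebuild the domain and spend another attempt against the validation limit. The template texts inside it are constructed copies of the one posted above, and the list of required include names is taken from this thread, not from any documentation.

```python
import re

# Constructed copy of the status.tpl posted above: it has the forcessl
# include but lacks the nginx.conf_* include the answer asks for.
POSTED_TPL = """server {
        listen      %ip%:%proxy_port%;
        server_name status.reloaded.com.br;
        include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;
        location / {
                proxy_pass http://192.168.1.100:3002;
        }
}
"""

# Constructed corrected version: the same template with the include added
# after the location / block, as the answer above suggests.
FIXED_TPL = POSTED_TPL.replace(
    "        }\n}\n",
    "        }\n\n        include %home%/%user%/conf/web/%domain%/nginx.conf_*;\n}\n",
)

# Include file names each template kind must reference (from this thread).
REQUIRED_INCLUDES = {
    "tpl": ["nginx.conf_*", "nginx.forcessl.conf*"],
    "stpl": ["nginx.ssl.conf_*", "nginx.hsts.conf*"],
}

# Directives the uptime-kuma reverse proxy page asks for (WebSocket support).
WEBSOCKET_DIRECTIVES = (
    "proxy_http_version 1.1;",
    "proxy_set_header Upgrade $http_upgrade;",
    'proxy_set_header Connection "upgrade";',
)

INCLUDE_RE = re.compile(r"^\s*include\s+(\S+?)\s*;", re.M)


def included_files(template: str) -> list[str]:
    """Return the file-name part of every include directive in the template."""
    return [m.group(1).rsplit("/", 1)[-1] for m in INCLUDE_RE.finditer(template)]


def missing_includes(template: str, kind: str) -> list[str]:
    """List the required includes (for 'tpl' or 'stpl') absent from the template."""
    present = set(included_files(template))
    return [name for name in REQUIRED_INCLUDES[kind] if name not in present]


def missing_websocket_directives(template: str) -> list[str]:
    """List the WebSocket proxy directives not present (whitespace-normalised)."""
    flat = re.sub(r"\s+", " ", template)
    return [d for d in WEBSOCKET_DIRECTIVES if d not in flat]


if __name__ == "__main__":
    for label, text in (("posted status.tpl", POSTED_TPL), ("fixed status.tpl", FIXED_TPL)):
        print(f"{label}: missing includes {missing_includes(text, 'tpl')}, "
              f"missing websocket directives {missing_websocket_directives(text)}")
```

Run it against the real template files before `v-rebuild-web-domain`; an empty list for the includes means the ACME location will be present in the generated config, so a validation attempt will not be wasted on a request that the proxy swallows.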

I’m sorry for the error, I thought only these lines would be necessary:

status.tpl

include %home%/%user%/conf/web/%domain%/nginx.forcessl.conf*;

status.stpl

include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;

Could you tell me the steps or the documentation link so I can rebuild the domain? Generally I just do ‘systemctl restart nginx’.

I think I’ll have to wait a while to try again, because the last error presented was 429. This means I’ve reached the Let’s Encrypt attempt limit, am I correct? Can you tell me how long this takes?

You also need the other include.

From Web UI, select the domain, select the action Rebuild and click on -> button to rebuild the domain:

Or from command line:

v-rebuild-web-domain HereTheUser HereTheDomain

Yes, that’s right.

There is a Failed Validation limit of 5 failures per account, per hostname, per hour.

Thank you very much, I waited a few hours to try again and I managed to obtain the ssl certificate.
In addition to placing the 2 includes that you mentioned in the .tpl and .stpl, I also added the following as requested by the uptime-kuma documentation:
Reverse Proxy · louislam/uptime-kuma Wiki · GitHub

proxy_http_version 1.1;
proxy_set_header Connection "upgrade";

I didn’t include the option:

proxy_set_header Upgrade $http_upgrade;

Because with it the nginx server does not start, giving an error specifically about http_upgrade.

The documentation says it is to enable/accept WebSocket via reverse proxy.

Do you know if the two options I left are still necessary, both proxy_http_version 1.1; and proxy_set_header Connection "upgrade";?

If the developer of that app is saying that you should use those directives, maybe you should do it :wink:

What is the complete error message?

Strange, after SSL is activated correctly, I can no longer replicate the error.

I added the option proxy_set_header Upgrade $http_upgrade;, rebuilt the domain and everything worked, I even tried restarting the nginx service and everything worked normally.

BUT I’m sure that with this option before the certificate was generated, it gave an error, in the web ui it gave the message that nginx cannot be restarted.

So I forced a restart through the server settings in the web ui, but instead of nginx being restarted it just stopped.

I tried to start, it informed me that it was not possible to start Nginx.

So I went to the CLI via SSH, ran systemctl status nginx and saw that it couldn’t start because of the invalid http_upgrade command (I don’t remember exactly the message here).

So I removed the option proxy_set_header Upgrade $http_upgrade; from both .tpl and .stpl, and I started the nginx service normally.

Generated the ssl certificate, and it worked.

Well, as I added the option again, and it’s working, I’ll leave it, if anything happens, I’ll come back here to inform you.

Or if you want me to carry out some tests, just let me know and I can do it.

Try adding:

To nginx.conf

From what I understand, this would work for all the next templates created, and so I wouldn’t need to have this in all additional templates, correct?

Yes, this needs to be added only once, to /etc/nginx/nginx.conf.


Done, I restarted the nginx service, and everything is still working.

Thanks a lot for the help.