Been trying to create an SSL cert via nginx-proxy-manager and it fails to create an SSL challenging my domain. Checking ports I see I have forwarded port 80 properly but for whatever reason any port checker still tells me 443 is closed.
/etc/config/firewall here
config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '192.168.5.241'
	option dest_port '443'
	option name 'HTTPS'
	option proto 'tcp'
Your config looks fine. Check if port 443 is open and responding on 192.168.5.241.
From the server itself (192.168.5.241), check if the server is listening on port 443. I'm assuming you're using some Linux distro, try:
ss -tulpn | grep 443
If the server is indeed listening, check if the firewall isn't blocking that port by checking if the port is open from a different device in the same LAN network. Again in Linux:
If you have run these tests on the machine with 192.168.5.241 itself, it means that the server is listening on port 443. So that works. The numbers in the third and fourth column just show the send and receive queue and are not relevant here.
Now check if that port is reachable from another machine in your LAN network (perhaps the firewall on your server is blocking that port).
Edit: By any chance you're running your OpenWRT router behind your ISP router? That only works if your ISP device acts as a modem only. If it has router functionality, you should do double port forwards or put your OpenWRT router in the DMZ on your ISP router. I guess not because port 80 is open, but just to be sure.
The NC command on a Linux Desktop right? However, behavior might differ between distros. If NC is not working, there's always good old telnet (also works in Windows if that feature is enabled) and nmap. NC should yield this output:
$ nc -zwv4 192.168.222.10 443
nc: connect to 192.168.222.10 port 443 [tcp/https] succeeded!
$ nc -zwv4 192.168.222.10 4443
nc: connect to 192.168.222.10 port 4443 (tcp) timed out: Operation now in progress
This part tells me you're running Docker and port 443 is not mapped in your container, while port 80 is. So the port forward in OpenWRT probably works, and your server is listening to 443 but it goes no where.
You're one or two commands away from fixing your problem. Your goal is to open port 443 on your server. How to do this totally depends on your configuration. nginx-proxy-manager also runs in a docker container, right?
Unfortunately, it's 2 AM here so it's really bedtime for me. If I get a response before I hop in bed I might respond with the command which is your solution.
Hey get some sleep I appreciate the help though! nginx-proxy-manager does also run in a docker and as per the docker compose file I used these are the ports used 443:440 80:80 82:81
You wrote that file yourself? So the docker composer file has two components regarding ports, the expose section and the port section. Expose only exposes ports to the container network but not the host itself. The relevant section is port, which is exposed to the host. The syntax is host:container, so port 443 is mapped to port 440 of your container running nginx-proxy-manager.
I'm not familiar with nginx-proxy-manager, but this is an example composer file given by the nginx-proxy-manager website:
So the ports are just mapped one on one (443:443, 80:80, 81:81). You need to fix that, because your composer file indicates that 1) you've changed the listening port to 440 instead of the default 443 in the docker container, and 2) want to reach the admin interface on port 82 instead of the default 81 from the outside. Is this correct? If you didn't do this, change them to the default settings.
Edit: realized I said some gibberish things in my previous post misinterpreting the iptables output, my bad, it's late hehe. The point still remains the same.
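The host:container point above is the kind of thing that is easy to get wrong by eye, so here is a small check for it as an added example (not code from the thread and not part of nginx-proxy-manager). It parses the `ports:` list of a compose file written in the short `host:container` form, flags container-side ports the service does not listen on and host ports that differ from the container port, and includes a plain TCP connect test equivalent to the `nc -z` check from earlier in the thread. The sample compose text and the set of ports nginx-proxy-manager listens on in its container (80, 81 for admin, 443) are assumptions made for this example.

```python
"""Check docker-compose port mappings against the ports a service listens on.

Added example for the thread above. SAMPLE_COMPOSE is constructed to mirror
the mapping posted in the thread (443:440, 80:80, 82:81); NPM_CONTAINER_PORTS
is an assumption about what listens inside the nginx-proxy-manager container.
"""
import socket
from dataclasses import dataclass

# Assumed container-side listeners for nginx-proxy-manager.
NPM_CONTAINER_PORTS = {80: "http", 81: "admin", 443: "https"}

# Constructed sample, mirroring the mapping from the thread.
SAMPLE_COMPOSE = """\
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    ports:
      - '443:440'
      - '80:80'
      - '82:81'
"""


@dataclass(frozen=True)
class PortMapping:
    host: int
    container: int
    proto: str = "tcp"


def parse_port_mappings(compose_text):
    """Extract 'host:container[/proto]' entries from a ports: list.

    Deliberately minimal: it only handles the short syntax shown in the
    thread ('host:container' or 'ip:host:container'), which is all this
    check needs. A full YAML loader is not required.
    """
    mappings = []
    in_ports = False
    for raw in compose_text.splitlines():
        line = raw.strip()
        if line.startswith("ports:"):
            in_ports = True
            continue
        if not in_ports:
            continue
        if not line.startswith("- "):
            in_ports = False          # left the ports: list
            continue
        entry = line[2:].strip().strip("'\"")
        proto = "tcp"
        if "/" in entry:
            entry, proto = entry.split("/", 1)
        parts = entry.split(":")
        if len(parts) < 2:
            continue                  # bare container port: Docker picks a random host port
        mappings.append(PortMapping(int(parts[-2]), int(parts[-1]), proto))
    return mappings


def find_mismatches(mappings, expected=NPM_CONTAINER_PORTS):
    """Return human-readable problems: container ports nothing listens on,
    expected ports not published, and host/container numbers that differ."""
    problems = []
    published = {m.container: m.host for m in mappings}
    for m in mappings:
        if m.container not in expected:
            problems.append(f"host {m.host} -> container {m.container}: "
                            f"nothing listens on {m.container} inside the container")
    for cport, role in expected.items():
        if cport not in published:
            problems.append(f"container port {cport} ({role}) is not published at all")
        elif published[cport] != cport:
            problems.append(f"container port {cport} ({role}) is published on host port "
                            f"{published[cport]}, not {cport}")
    return problems


def tcp_port_open(host, port, timeout=2.0):
    """Same idea as 'nc -z host port': a plain TCP connect, no data sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def start_loopback_listener():
    """Helper for self-testing tcp_port_open: listen on a free loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    for problem in find_mismatches(parse_port_mappings(SAMPLE_COMPOSE)):
        print("compose:", problem)
    srv, port = start_loopback_listener()
    print(f"loopback port {port} open:", tcp_port_open("127.0.0.1", port))
    srv.close()
```

Run against the sample it reports that host 443 lands on container port 440 where nothing listens, that container port 443 is never published, and that the admin port 81 is reachable on host port 82 only; with the mapping changed to 80:80, 81:81, 443:443 it reports nothing. The router's DNAT rule cannot fix the first of those, which is why the port checker still sees 443 closed.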
That's weird. Since it's using the original source files, I'm 100% sure it's an error written by the author of that article.
Change the ports in your composer file to
- '80:80'
- '81:81'
- '443:443'
And you're ready to go.
Edit: The following comment seems to acknowledge my observation.
Hey brother,
Fantastic walkthrough. I think there may be a typo in the config file (a final bracket missing at the bottom) and also the port numbers in the .yml file. I had to change them to 81:81 instead of 82:81 and 443:443 instead of 443:440 for the admin page to load up and I'm not sure what it is that specifically fixed it. Just a thought man. Keep up the amazing work!
So please note that guy saying there is a missing bracket in config.json - which is also a correct observation.
Repeat iptables command, confirm the container and the application are running on the server. Also repeat the NC command from another device in the same network.
Alternatively, delete the docker container and use a different guide hehe.