mastodon.world is one of the many independent Mastodon servers you can use to participate in the fediverse.
Generic Mastodon server for anyone to use.

Server stats:

12K
active users

Any experts having a quite saturday and willing to help me get my journey underway?

I've got a domain and a box with some working apps on it but I can't get to recognise my DNS and am struggling to get the working.

There's a few too many moving parts for my little brain, I'd really value a helping hand to get me up and running, please.

@thechildofroth whats going wrong with certbot? i have this same stack running on my server so maybe we can compare notes

@xandris When I try to get a certificate (either using dietpi-letsencrypt or directly from the prompt (as per the jellyfin instruction)) it tells me I don't have an A or AAAA record.

But when I do:
curl --verbose http://my.domain

it comes straight back with:
trying ip.of.router.im.looking.for

so curl seems to be finding the dns record ok

@xandris I think this may be the key to unlocking this, as without the certificates the Jellyfin provided nginx conf fails, so unless I can clear this hurdle I'm going to stay stuck

@thechildofroth @xandris You can try ‘dig @9.9.9.9 my.domain’ to have more information about the DNS information.
If you’ve got no answer, it’s definitely a DNS problem.

@rds @xandris So dig returns a seemingly sensible response (I can see my domain and my IP in there). The only concern is that I can see:

Query1, Answer1, Authority0, Additional1

Should Authority (I'm guessing this might be related to 'SOA') be 1 too?

(for any other rookies playing along 'dig' is in bind9-dnsutils on - not installed by default in it seems)

@thechildofroth @rds i found this tool in the letsencrypt forum. what does it tell you?

letsdebug.net/

letsdebug.netLet's Debug

@thechildofroth @rds does the ip actually fall into one of those ranges in the wikipedia article?

Roth Child

@xandris @rds Ahh, yes. It's in the range described as:

Shared address space for communications between a service provider and its subscribers when using a carrier-grade NAT

Hmm, is there a way around that (I knew didn't have a fixed IP but I was going to use my domain providers DNS API to dynamically update the IP as required.

@thechildofroth @rds i haven't looked into dynamic dns solutions (aka dyndns) in a while. you may be able to buy a static ip for a little extra fee from your isp. last time i checked your router might be able to interface with your registrar's dyndns feature. asuswrt has such a feature. server side i found:

- ddclient (perl daemon)
- ez-ipupdate
- inadyn
- updatedd

or roll your own with just curl if your registrar gives you a url:

gist.github.com/gbraad/e167a50

Update Dynamic DNS using SystemD timers (instead of cron-schedule) - README.md
GistUpdate Dynamic DNS using SystemD timers (instead of cron-schedule)Update Dynamic DNS using SystemD timers (instead of cron-schedule) - README.md

@xandris @rds My domain is hosted by @beasts and they provide an api (that you can set up a script to reach) that updates their DNS records programmatically. I have previously had it working so was confident I'd get to it again.

@thechildofroth @xandris @rds @beasts

If you're having trouble getting regular certbot certificates (because that requires certbot service to talk to the computer trying to get the certificates), you can try using the certbot DNS verification for certificates (because that only needs you to prove that you control the domain name, and doesn't really talk to your servers)

eff-certbot.readthedocs.io/en/

eff-certbot.readthedocs.ioUser Guide — Certbot 3.2.0 documentation

@double_a_runi @xandris @rds @beasts Thank you! I will give the 'manual' plugin a try today.

@double_a_runi @xandris @rds @beasts I've continued to chase this around today and it does appear that there's no simple way around the CGNAT address issued by my ISP. I've reached out to them to find out what options they have to circumvent it.

@thechildofroth @double_a_runi @xandris @rds @beasts Worth checking if your ISP uses CGNAT for both IPv4 and IPv6 addresses. If you have a real IPv6 address, that might be the way to go.

@mdonkin @double_a_runi @xandris @rds @beasts There's no IPV6 address in the router control panel, although there is this article (from 2023) saying the ISP are ready and rolling it out to customers: ispreview.co.uk/index.php/2023

I wonder if there's something that I can do from my end to get upgraded?

@thechildofroth @xandris @rds @beasts if you've gotten the certificates in order, and are now only worried about access from outside your LAN, have you considered tailscale?

@double_a_runi @xandris @rds @beasts I've just seen reference to this as I read around bypassing CGNAT. It's available as a simple install from dietpi-software so I'm going to have a play.

Any particular tips/pointers/advice gratefully received!

@double_a_runi @xandris @rds @beasts Hmm, not as obvious as I'd hoped (or I've still got errors elsewhere in my setup). I installed Tailscale, registered an account and attached my server to it, then amended my dns records to point my domain at the tailscale IP instead but currently still not getting through to Jellyfin.

@thechildofroth @double_a_runi @rds @beasts

what do you get for a `curl -kvvv` of your server url?

@xandris @double_a_runi @rds @beasts

The main of it seems to be this (which is making me wonder if I've got something wrong with my nginx setup):

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>

@thechildofroth @double_a_runi @rds @beasts

it looks like it's working... in the browser you don't see anything? does the browser's developer tools show any errors on the Console or Network tabs?

@xandris @double_a_runi @rds @beasts Browser request times out with nothing happening in console or network tabs of the developer console.

Is it possible I've got something wrong in the Jellyfin 'network' settings? I've got 'allow remote connections' and 'enable automatic port mapping' ticked.

@thechildofroth @double_a_runi @rds @beasts

are you running curl and the browser from the same machine?

try this:

1. open a new tab
2. open the developer tools
3. switch to the network tab
4. check the box to "persist logs" (it might be hidden in a menu, click the gear icon or "…" icon if you don't see it
5. in the address bar, type the full url including protocol (https://)
6. in the Network tab, compare the first request to your curl command. is anything different?
7. right-click on the first command and choose "copy as cURL" and paste that into your terminal. what happens?

@xandris @double_a_runi @rds @beasts No, I'm using a browser on my laptop, but I'm running curl in the terminal (logged in over SSH) to my server box.

When I switched on 'persist logs' and freshly typed in the whole address I just got the same result or a timeout.

@thechildofroth @double_a_runi @rds @beasts

local connections (server to itself) will usually have fewer issues. is there any way you can run curl from the laptop?

@thechildofroth @double_a_runi @rds @beasts

ah sorry your curl log above has your ip addresses and dns name. dns still points to a CGNAT address which is why you still have this different behavior for local vs remote connections

@xandris @double_a_runi @rds @beasts Yeah, I just clocked that, although that address is the one that tailscale assigned me (not my ISP) - maybe tailscale isn't the answer?

@thechildofroth @double_a_runi @rds @beasts

so ive never used tailscale but it looks like the main usecase is a vpn, so a private network you can attach devices to. it works like a local network no matter where on the internet the devices are. if your laptop were on your tailscale network it would have access to your server using that 100.x.y.z address

this main use case doesn't imply access from the internet to your server, but skimming their docs suggests a tailscale funnel will do this:

tailscale.com/kb/1223/funnel

TailscaleTailscale Funnel · Tailscale DocsLearn how to securely route internet traffic to local services using Tailscale Funnel. Explore setup, limitations, and advanced features of Tailscale Funnel to share services within your tailnet.

@xandris @double_a_runi @rds @beasts That makes sense, thanks for clarifying. I can see the use of that but it's not quite what I was aiming for with my self-hosting odyssey, I just I'll just have to wait for my ISP to get back to me and hopefully get a proper IP address from them.

@thechildofroth @xandris @rds @beasts sorry that I dropped the keyword and disappeared. Yes, tailsacle is like a "build your own LAN" over the internet. Your server needs to have tailscale installed and configured, and all of your clients need to have tailscale installed and configured, and then these devices can talk to each other as if there was no NAT.

@thechildofroth @double_a_runi @rds @beasts

failing that the cloudflare thing should work. that was my backup plan if my isp didn't pony up an ip

@thechildofroth @double_a_runi @rds @beasts

do you have a ipv6 address from your isp? that ought to be unique and routable

@thechildofroth @rds oh wait hold up

you have cg-nat which means you don't have a unique external address at all from what i understand. if you go to ip.me or similar, the address it shows you is shared with other customers. the gateway would have no way to know which customer an incoming connection should go to

all that to say...more research needed on how to receive connections when behind cg-nat. i think cloudflare offers something for this for free...

@xandris @rds One potentially interesting aside is that when I opened the port for Jellyfin directly, on the router, I could access jellyfin via my domain, so it does seem that the IP does lead back to me at least. But if I just have 80 and 443 open, no dice.

@thechildofroth @rds on premises it would, but does it still work if you try from outside your house? like switch your phone to mobile data and try it