How to configure Umbrel BTCPay Server with NGINX reverse proxy

thank you

Hello!
I’ve tried this so many times and I can’t get it to work.
First, I was stuck on step 6. It was always giving an error “unauthorized”.
Then I managed to install a certificate (following this How to configure Umbrel LNbits app without Tor). Then I continued the steps.

Everything seems to be “fine”.
I can even access Umbrel and BTCPay through http, but when I try HTTPS nothing loads and I get an “ERR_CONNECTION_REFUSED”.

I don’t know what else to do! Any ideas?

HTTPS must have port 443 (or any other secured port you used) open and forwarded to your node IP from your router.
Did you set that?
Also the SSL certificate must be for the name of your btcpay subdomain.

Thank you for the quick reply @DarthCoin!

Unfortunately, I made those steps several times… And like I said, I can reach my node through http, so both ports must be open, I guess?
[screenshot: router]

I am 100% sure it is for my domain name (don’t know how to check that now tho).

If you have any more tips, I would appreciate!

Did you also open the ports in ufw? ufw is the Linux firewall.
sudo ufw enable
sudo ufw allow 443 (or whatever port you want to use)

Then go to https://ping.eu/port-chk/, put your port, click on the IP at the top (your browsing IP) and check if it responds.

You could check if your nginx works fine with sudo nginx -t

Hello again @DarthCoin ,
Thank you for being so helpful!
I reinstalled everything to make sure all the steps are on point.

Did you also open the ports in ufw? ufw is the Linux firewall.
sudo ufw enable

No, I haven't, actually it was not even installed.
So I did:
sudo apt-get install ufw
sudo ufw enable
sudo ufw allow 15443
sudo ufw allow 15080

Then go to https://ping.eu/port-chk/, put your port, click on the IP at the top (your browsing IP) and check if it responds.

You could check if your nginx works fine with sudo nginx -t

umbrel@umbrel:~ $ sudo nginx -t
nginx: [warn] conflicting server name "btcpay.domain.com" on 0.0.0.0:15080, ignored
nginx: [warn] conflicting server name "btcpay.domain.com" on [::]:15080, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now the error on the browser is:
ERR_CONNECTION_TIMED_OUT

I really feel dumb, don’t know what else to try…

Hmmm, really strange: port responds as open, nginx responds OK.
I suppose you replaced your real domain name with “domain.com” in that post, to not dox your real one (that is OK). So I hope you are not using exactly “domain.com” in that nginx config.

Go to ping.eu again and ping the subdomain you set up for your btcpay.my-domain.com, and see if it responds with the public IP of your node.

Exactly, I purposely changed it in the post. :sweat_smile:

It responds with my home IP, not my node IP (the same one the DNS is pointing to).

I also get this:
[screenshot: 2022-05-01 122415]

So all is OK.
IP responds to domain name.
Port responds to domain/router, so your router is forwarding correctly.

Can you access btcpay normally from internal IP?

Yes I can! The first time I did http://000.000.0.00:3003/ it took some time to load, but it worked.
When I try https://btcpay.domain.com I get ERR_CONNECTION_TIMED_OUT

:weary: :weary: :weary:

Thanks for the incredible guide. I’m getting stumped when trying to issue an SSL. I get the following error message:

Failed authorization procedure. btcpay.mydomain.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 10.10.10.10: Fetching http://btcpay.mydomain.com/.well-known/acme-challenge/WijFKs9_0yvz59LocqXY7FQ1hyvqw0lqp0-1Rh7cU7U: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: btcpay.mydomain.com
   Type:   connection
   Detail: 10.10.10.10: Fetching
   http://btcpay.mydomain.com/.well-known/acme-challenge/WijFKs9_0yvz59LocqXY7FQ1hyvqw0lqp0-1Rh7cU7U:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

For clarity, I’ve used mydomain.com in the error above and 0.0.0.0 as the IP, but in my actual file I’m using the correct subdomain and my correct public IP.

I’ve used https://ping.eu/port-chk/ to check whether port 15080 is open, and it confirms that it is; however, when I try to check if port 15443 is open, it says that it’s closed. Should that be closed?

I can see btcpay when I go to my local ip and port 3003.

Any help would be much appreciated!

Hello!

I had the exact same problem as you.
To overcome this I followed this tutorial (step 4): How to configure Umbrel LNbits app without Tor

The thing is, it’s not working for me either…
I can reach umbrel through http, but not https…

If you find a way, please do tell me! :wink:

Hi,
I am trying to request the SSL certificate, but Let’s Encrypt says it can’t find a valid A record, despite it being propagated on sites like dnschecker.org. I also know it works because it successfully takes me to my home router configuration screen.

Why can’t Let’s Encrypt find a valid A record? (edited the output to remove links and remove my own domain)

  • The following errors were reported by the server:

    Domain: btcpay.mydomaindotnet
    Type: None
    Detail: no valid A records found for btcpay.mydomaindotnet; no
    valid AAAA records found for btcpay.mydomain.net

Thanks in advance.

Shout out to Jorijin for the amazing tutorial. Successfully running btcpay with the reverse proxy!

That means it is not correctly configured to forward to the node.
You must open port 443 on your router and forward it to your node IP.
In this way Let's Encrypt can communicate with the machine and set the certificate.
Otherwise it is all in vain.

Thanks. I found out I was using the wrong ip address for the A Record.

I’m having the same issue, were you able to resolve this?

Hi DarthCoin,

I was having a similar issue to @AN7ONYO and I tried your advice for ufw.

I enabled ufw and then allowed ports 443 and 80. Still no luck. I came back to continue working today and now I can no longer SSH to my machine. I get a timeout error :frowning:

I’m afraid that enabling ufw blocked ssh access

Any advice on how to restore ssh???

Mark,

Sounds like you blocked yourself by enabling ufw without making an exception for the device you’re using to ssh.

Do this:
sudo ufw allow from <the IP address of the device you’re using to ssh from>

Hope this helps.
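The lockout in the two posts above happens because sudo ufw enable takes effect before any SSH rule exists. The script below is an added example, not code from this thread: it builds the ufw rule set in an order that cannot cut off the session (defaults, the SSH exception, the service ports, and only then enable), can print the plan without applying it, and checks that ordering. SSH on port 22, an admin workstation at 192.168.1.50 and the proxy ports 15080/15443 are assumed sample values; the rate-limiting behaviour of ufw limit (an address that opens six or more connections within 30 seconds is dropped) is from the ufw documentation.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: enable ufw in an order that cannot lock
# out the SSH session. Sample values (assumed): SSH on 22, admin workstation
# 192.168.1.50, reverse-proxy ports 15080/15443 as used in the thread.
set -eu

# Print the ufw commands in a safe order: defaults, the SSH exception, the
# service ports, and only then "enable".
# Usage: ufw_plan <ssh_port> <admin_ip> <service_port>...
ufw_plan() {
  ssh_port=$1; admin_ip=$2; shift 2
  echo "ufw default deny incoming"
  echo "ufw default allow outgoing"
  # SSH only from the admin host, and rate-limited ("limit" drops an address
  # that opens 6+ connections in 30 s). Use "ufw limit ${ssh_port}/tcp" instead
  # if the admin host has no fixed address.
  echo "ufw limit from ${admin_ip} to any port ${ssh_port} proto tcp"
  for port in "$@"; do
    echo "ufw allow ${port}/tcp"
  done
  echo "ufw --force enable"
}

# Execute the plan as root; with DRY_RUN=1 it is only printed.
ufw_apply() {
  ufw_plan "$@" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-0}" = "1" ]; then
      echo "[dry-run] $cmd"
    else
      # word splitting of $cmd is intended: it is the argv of one ufw call
      sudo $cmd
    fi
  done
}

# Return 0 when the SSH rule precedes "enable": the check that would have
# prevented the lockout described in the thread.
plan_is_safe() {
  plan=$(ufw_plan "$@")
  ssh_line=$(printf '%s\n' "$plan" | grep -n "port $1 proto tcp" | head -n1 | cut -d: -f1)
  enable_line=$(printf '%s\n' "$plan" | grep -n '^ufw --force enable$' | cut -d: -f1)
  [ -n "$ssh_line" ] && [ "$ssh_line" -lt "$enable_line" ]
}
```

Run DRY_RUN=1 ufw_apply 22 192.168.1.50 15080 15443 first to see the exact commands, then without DRY_RUN to apply them; sudo ufw status numbered afterwards should list the SSH rule before anything else. If you are already locked out, the rule has to be added from the console (or a hypervisor/serial session), since there is no network path left to add it remotely.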

Bump: it appears I’ve locked myself out too by enabling ufw.

Will check back for a solution hopefully