I have a Google Cloud Compute Engine VM.
My domain is dropin.today
I used certbot to create a certificate and set up nginx to redirect all http traffic to https.
3 weeks ago my cert expired.
I tried to renew, and that's where my problems started.
certbot gave an error.
After some back and forth with the Let's Encrypt team (see https://community.letsencrypt.org/t/cerbot-certonly-fails-google-compute-vm/236031/6), it was determined:
dropin.today has an A (IPv4) record (104.196.57.33) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. The IP address is correct, so I went to work on port 80.
nmap confirmed that port 80 is blocked:
# nmap -Pn dropin.today
Starting Nmap 7.80 ( https://nmap.org ) at 2025-04-15 01:21 UTC
Nmap scan report for dropin.today (104.196.57.33)
Host is up (0.00046s latency).
rDNS record for 104.196.57.33: 33.57.196.104.bc.googleusercontent.com
Not shown: 993 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
587/tcp closed submission
3389/tcp closed ms-wbt-server
8080/tcp closed http-proxy
8081/tcp closed blackice-icecap
8443/tcp closed https-alt
Nmap done: 1 IP address (1 host up) scanned in 4.40 seconds
ufw is off
# ufw status
Status: inactive
iptables is off (the output below only shows that no iptables service unit exists; on its own it does not rule out host-level netfilter rules loaded another way):
# sudo systemctl status iptables
Unit iptables.service could not be found.
Gemini suggests the problem may be the default firewall rules.
Here are all the firewall rules associated with my project:
% gcloud compute firewall-rules list --project="braided-facet-139517"
NAME NETWORK DIRECTION PRIORITY ALLOW DENY DISABLED
default-allow-http default INGRESS 1000 tcp:80 False
default-allow-https default INGRESS 1000 tcp:8443 False
default-allow-icmp default INGRESS 65534 icmp False
default-allow-internal default INGRESS 65534 tcp:0-65535,udp:0-65535,icmp False
default-allow-rdp default INGRESS 65534 tcp:3389 False
default-allow-ssh default INGRESS 65534 tcp:22 False
default-allow-tomcat default INGRESS 1000 tcp:8080 False
dev-2-network-allow-icmp dev-2-network INGRESS 65534 icmp False
dev-2-network-allow-ssh dev-2-network INGRESS 65534 tcp:22 False
dev-2-rules dev-2-network INGRESS 1000 tcp:443 False
gmail-smtp default INGRESS 1000 tcp:587 False
mysql-remote-access default INGRESS 1000 tcp:3306 False
tcp-port-8081 default INGRESS 1000 tcp:8081 False
test-https-8443 default INGRESS 1000 tcp:8443 False
Here are the effective firewall rules for the server whose domain is dropin.today:
% gcloud compute instances network-interfaces get-effective-firewalls drop-in-back-end-server \
--zone="us-east1-d" \
--format="json" \
--project="braided-facet-139517"
{
"firewalls": [
{
"allowed": [
{
"IPProtocol": "tcp",
"ports": [
"8443"
]
}
],
"creationTimestamp": "2016-08-06T15:50:13.937-07:00",
"description": "",
"direction": "INGRESS",
"disabled": false,
"id": "8389635414311032650",
"kind": "compute#firewall",
"logConfig": {
"enable": false
},
"name": "default-allow-https",
"network": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/networks/default",
"priority": 1000,
"selfLink": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/firewalls/default-allow-https",
"sourceRanges": [
"0.0.0.0/0"
],
"targetTags": [
"https-server"
]
},
{
"allowed": [
{
"IPProtocol": "tcp",
"ports": [
"80"
]
}
],
"creationTimestamp": "2016-08-06T15:49:58.104-07:00",
"description": "",
"direction": "INGRESS",
"disabled": false,
"id": "2038310172954974073",
"kind": "compute#firewall",
"logConfig": {
"enable": false,
"metadata": "INCLUDE_ALL_METADATA"
},
"name": "default-allow-http",
"network": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/networks/default",
"priority": 1000,
"selfLink": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/firewalls/default-allow-http",
"sourceRanges": [
"0.0.0.0/0"
],
"targetTags": [
"http-server"
]
},
{
"allowed": [
{
"IPProtocol": "tcp",
"ports": [
"587"
]
}
],
"creationTimestamp": "2016-08-13T15:29:51.721-07:00",
"description": "",
"direction": "INGRESS",
"disabled": false,
"id": "3860193943677444528",
"kind": "compute#firewall",
"logConfig": {
"enable": false
},
"name": "gmail-smtp",
"network": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/networks/default",
"priority": 1000,
"selfLink": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/firewalls/gmail-smtp",
"sourceRanges": [
"0.0.0.0/0"
]
},
{
"allowed": [
{
"IPProtocol": "tcp",
"ports": [
"8080"
]
}
],
"creationTimestamp": "2016-08-07T09:37:01.353-07:00",
"description": "",
"direction": "INGRESS",
"disabled": false,
"id": "4119832056820325698",
"kind": "compute#firewall",
"logConfig": {
"enable": false
},
"name": "default-allow-tomcat",
"network": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/networks/default",
"priority": 1000,
"selfLink": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/firewalls/default-allow-tomcat",
"sourceRanges": [
"0.0.0.0/0"
]
},
{
"allowed": [
{
"IPProtocol": "tcp",
"ports": [
"8081"
]
}
],
"creationTimestamp": "2023-04-16T06:22:34.921-07:00",
"description": "allow tcp on port 8081",
"direction": "INGRESS",
"disabled": false,
"id": "7902043089585719413",
"kind": "compute#firewall",
"logConfig": {
"enable": false
},
"name": "tcp-port-8081",
"network": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/networks/default",
"priority": 1000,
"selfLink": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/firewalls/tcp-port-8081",
"sourceRanges": [
"0.0.0.0/0"
]
},
{
"allowed": [
{
"IPProtocol": "icmp"
}
],
"creationTimestamp": "2016-08-06T15:09:29.353-07:00",
"description": "Allow ICMP from anywhere",
"direction": "INGRESS",
"disabled": false,
"id": "5724337937735999222",
"kind": "compute#firewall",
"logConfig": {
"enable": false
},
"name": "default-allow-icmp",
"network": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/networks/default",
"priority": 65534,
"selfLink": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/firewalls/default-allow-icmp",
"sourceRanges": [
"0.0.0.0/0"
]
},
{
"allowed": [
{
"IPProtocol": "tcp",
"ports": [
"3389"
]
}
],
"creationTimestamp": "2016-08-06T15:09:29.340-07:00",
"description": "Allow RDP from anywhere",
"direction": "INGRESS",
"disabled": false,
"id": "3367079402575486710",
"kind": "compute#firewall",
"logConfig": {
"enable": false
},
"name": "default-allow-rdp",
"network": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/networks/default",
"priority": 65534,
"selfLink": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/firewalls/default-allow-rdp",
"sourceRanges": [
"0.0.0.0/0"
]
},
{
"allowed": [
{
"IPProtocol": "tcp",
"ports": [
"0-65535"
]
},
{
"IPProtocol": "udp",
"ports": [
"0-65535"
]
},
{
"IPProtocol": "icmp"
}
],
"creationTimestamp": "2016-08-06T15:09:29.317-07:00",
"description": "Allow internal traffic on the default network",
"direction": "INGRESS",
"disabled": false,
"id": "2816115882538557174",
"kind": "compute#firewall",
"logConfig": {
"enable": false
},
"name": "default-allow-internal",
"network": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/networks/default",
"priority": 65534,
"selfLink": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/firewalls/default-allow-internal",
"sourceRanges": [
"10.128.0.0/9"
]
},
{
"allowed": [
{
"IPProtocol": "tcp",
"ports": [
"22"
]
}
],
"creationTimestamp": "2016-08-06T15:09:29.329-07:00",
"description": "Allow SSH from anywhere",
"direction": "INGRESS",
"disabled": false,
"id": "7454081315496517366",
"kind": "compute#firewall",
"logConfig": {
"enable": false
},
"name": "default-allow-ssh",
"network": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/networks/default",
"priority": 65534,
"selfLink": "https://www.googleapis.com/compute/v1/projects/braided-facet-139517/global/firewalls/default-allow-ssh",
"sourceRanges": [
"0.0.0.0/0"
]
}
]
}
What is blocking port 80?
/etc/nginx/nginx.conf
# Main nginx configuration (Debian-style layout). No server/listen directives
# live here; every virtual host comes from the two include lines at the bottom.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996). This has no bearing
# on the port-80 problem, but once renewal works consider narrowing this to
# TLSv1.2 (and TLSv1.3 if this nginx/OpenSSL build supports it).
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
##
# Virtual Host Configs
##
# In the nginx -T dump the only server block pulled in by these includes is
# sites-enabled/dropin.today, and it listens on port 80 only.
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
/etc/nginx/sites-enabled/dropin.today
# Virtual host for dropin.today: plain HTTP on port 80 serving static files from
# the web root. This is the only server block nginx -T reports.
# NOTE(review): there is no "listen 443 ssl" block and no http->https redirect
# here, although the question says one was set up — worth confirming where that
# configuration went before expecting HTTPS to work after renewal.
# NOTE(review): nmap reports 80/tcp as "closed" while the other 993 ports are
# "filtered". A closed result usually means the packet reached the host and
# nothing was listening, whereas a VPC-firewall drop shows as filtered. If that
# scan was run on the VM itself (the "#" prompt and sub-millisecond latency
# suggest so) it does not exercise the VPC path at all — re-run it from outside
# and check locally with `ss -ltnp` that nginx is actually bound to :80.
# NOTE(review): in the effective-firewall output tcp:80 is allowed only by
# default-allow-http (target tag "http-server"; its presence in that output
# implies the tag is applied), and no rule there allows tcp:443 — the rule
# named default-allow-https allows 8443 — so expect 443 to be unreachable as
# well until a rule for it exists.
server {
listen 80;
server_name dropin.today www.dropin.today;
root /var/www/dropin.today/public;
index index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
}
nginx -T
# nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
# nginx -T copy of /etc/nginx/nginx.conf; identical to the file pasted above.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); unrelated to the
# port-80 problem, but worth narrowing to TLSv1.2+ once renewal works.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
##
# Virtual Host Configs
##
# Only sites-enabled/dropin.today is found by these includes in this dump.
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
# Dynamic module loaded via modules-enabled/50-mod-http-image-filter.conf.
load_module modules/ngx_http_image_filter_module.so;
configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
# Dynamic module loaded via modules-enabled/50-mod-http-xslt-filter.conf.
load_module modules/ngx_http_xslt_filter_module.so;
configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
# NOTE(review): the mail proxy module is loaded, but no mail{} context appears
# anywhere in this nginx -T dump, so it is unused; unused modules can be
# disabled to shrink the attack surface. Not related to the port-80 issue.
load_module modules/ngx_mail_module.so;
configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
# NOTE(review): the stream module is loaded, but no stream{} context appears
# anywhere in this nginx -T dump, so it is unused and could be disabled.
load_module modules/ngx_stream_module.so;
configuration file /etc/nginx/mime.types:
# Extension -> Content-Type table pulled in by "include /etc/nginx/mime.types;"
# in nginx.conf. Anything not listed here falls back to default_type
# (application/octet-stream).
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
configuration file /etc/nginx/sites-enabled/dropin.today:
# nginx -T copy of sites-enabled/dropin.today: the only server block in the dump,
# listening on port 80 only — no 443 listener and no http->https redirect here.
# NOTE(review): nmap shows 80/tcp "closed" (not "filtered"), which usually means
# the host answered and nothing was listening; confirm locally with `ss -ltnp`
# that nginx is bound to :80, and re-run the scan from outside the VM.
server {
listen 80;
server_name dropin.today www.dropin.today;
root /var/www/dropin.today/public;
index index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
}