[SOLVED] I had to open ports 80 and 443 (maybe 1 was enough, idk) while renewing certs! Now it's time to learn how to do it without opening ports (:

Hey guys, I have nginx proxy manager running in a docker container on my home server. I don’t have any ports open (other than wireguard) and I was using a custom local domain .tride to access my services. Everything works fine, I can use https://portainer.tride, https://homeassistant.tride, etc.

I want to get rid of the warnings about the risk that I have to accept to continue. Not a big deal for Firefox on desktop, but it's kinda annoying on Android. Also I think it stops me from using some services that require SSL certs (like floccus). I tried to create a LetsEncrypt certificate using DNS challenge and DuckDNS in NPM. I also tried to download the certs and import them to Android; the CA cert is added successfully, but it didn’t work.

Now I bought the example.com domain from porkbun.com and am trying to set it up:

  1. Created CNAME on porkbun - *.example.com pointing to my example.duckdns.org
  2. Created cert using same procedure (DNS challenge and DuckDNS in NPM) with hosts *.example.com and example.com
  3. Created Local DNS records in PiHole

Now I get strange behavior: sometimes I can open portainer.example.com with no problem, no warning, perfect. Then sometimes it doesn’t load at all and it says “Server Not Found”. Some services open normally, but bookstack.example.com, for example, opens a broken page, and if I click anywhere it redirects me to my old bookstack.tride (still exists in NPM and PiHole) and asks me to accept the risk.

I’m trying to use the services from the local network or wireguard only, at least for now.

I am also using the same domain for my e-mail at mailbox.org, if that matters. Not sure what I’m doing wrong, but I’m sure there is something. I’m happy to listen to any suggestion, and sorry for being a noob <3

  • stown@sedd.it · 1 year ago

    For your local PiHole DNS, where are your records for your domain pointing? I believe you should have an A record for *.example.com that points to the IP of your NPM server and then an MX which points to the IP of your mail server. If this is already the case then you can ignore this.

    Also, if you are using DHCP, do not have it assign your public domain to any of your hosts, because that could screw up name resolution as well.
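A small check for the two failure modes described in this thread (a service hostname with no local DNS record, so the browser reports Server Not Found, or a name the certificate's SANs do not cover, so the browser warns). This is an added example, not code from the post, NPM or Pi-hole; the Pi-hole custom.list line format "IP hostname", the hostnames and the 192.168.1.10 address are assumptions/constructed sample data.

```python
# Constructed sample inputs (not from the post).
SERVICES = ["portainer.example.com", "bookstack.example.com",
            "homeassistant.example.com", "example.com"]
NPM_IP = "192.168.1.10"          # assumed LAN address of the NPM host
PIHOLE_RECORDS = """\
# assumed Pi-hole custom.list layout: one "IP hostname" per line
192.168.1.10 portainer.example.com
192.168.1.10 homeassistant.example.com
192.168.1.10 bookstack.tride
"""
CERT_SANS = ["*.example.com", "example.com"]   # what the OP requested


def parse_custom_list(text):
    """Map hostname -> IP from Pi-hole custom.list style lines."""
    records = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # drop comments/blank lines
        if not line:
            continue
        ip, host = line.split()[:2]
        records[host.lower().rstrip(".")] = ip
    return records


def san_matches(san, host):
    """Browser-style matching: '*' covers exactly one left-most label,
    so *.example.com matches portainer.example.com but not example.com
    or a.b.example.com."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        return host.endswith(san[1:]) and host.count(".") == san.count(".")
    return san == host


def diagnose(services, records, sans, npm_ip):
    """Return {host: problem} for every service that will not load cleanly."""
    problems = {}
    for host in services:
        ip = records.get(host.lower())
        if ip is None:
            problems[host] = "no local DNS record (browser shows Server Not Found)"
        elif ip != npm_ip:
            problems[host] = f"DNS points to {ip}, not the NPM host {npm_ip}"
        elif not any(san_matches(s, host) for s in sans):
            problems[host] = "not covered by certificate SANs (browser warning)"
    return problems


if __name__ == "__main__":
    for host, why in diagnose(SERVICES, parse_custom_list(PIHOLE_RECORDS),
                              CERT_SANS, NPM_IP).items():
        print(f"{host}: {why}")
```

Names that resolve through a public CNAME instead of a local record will behave differently from the LAN and from wireguard, which is one way the intermittent results in the post can arise.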

    • rambos@lemm.ee (OP) · 1 year ago

      I did try an A record for *.example.com, but back then I didn’t open ports on the router, so it didn’t work. Later on I switched to manually adding DNS records in the pihole GUI one by one. I might try the A record another time. Thanks.

      I have set a static local IP for my server, so I guess I’m safe, but thank you for the tips <3