[SOLVED] I had to open ports 80 and 443 (maybe 1 was enough, idk) while renewing certs ! Now its time to learn how to do it without opening ports (:

Hey guys, I have nginx proxy manager running in docker container on my home server. I don’t have any ports open (other than wireguard) and I was using custom local domain .tride to access my services. Everything works fine, I can use https://portainer.tride, https://homeassistant.tride, etc.

I want to get rid of warnings about the risk that I have to accept to continue. Not a big deal for Firefox on desktop, but its kinda annoying on Android. Also I think it stops me from using some services that require SSL certs (like floccus). I tried to create a LetsEncrypt certificate using DNS challenge and DuckDNS in NPM. I also tried to download certs and import to Android, CA cert is added successfully, but didn’t work.

Now I bought example.com domain from porkbun.com and trying to set it up:

  1. Created CNAME on porkbun - *.example.com pointing to my example.duckdns.org
  2. Created cert using same procedure (DNS challenge and DuckDNS in NPM) with hosts *.example.com and example.com
  3. Created Local DNS records in PiHole

Now I get strange behavior, sometimes I can open portainer.example.com with no problem, no warning, perfect. Then sometimes it doesn’t load at all and it says “Server Not Found”. Some services open normally, but like bookstack.example.com opens broken page and if I click anywhere it redirects me to my old bookstack.tride (still exists in NPM and PiHole) and asking to accept the risk.

I’m trying to use services from local network or wireguard only, at least for now.

I am also using the same domain for my e-mail at mailbox.org if that matters. Not sure what I’m doing wrong, but I’m sure there is something. I’m happy to listen any suggestion, and sorry for being noob <3

  • Limit@lemm.ee
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    I use nginx proxy manager with dns challenge to get a *.example.com cert that I then use to host services internally. I just checked, it supports dns challenge for porkbun, you may want to give it a try again. Also, you shouldn’t really need to forward dns to duckdns. You can have public dns records point to an internal ip.

    This is what I do, I have example.com (dns registered with cloudflare but should work the same with porkbun) I then create an a record for portainer.example.com to 192.168.0.5.

    Internally my nginxproxymanager is running at 192.168.0.5 and portainer is running at https://192.168.0.6:9443

    Then in nginxproxymanager I create a dns challenge (you’ll have to look up some videos on how to do this, it’s not very difficult it usually just takes a api key and secret key) then I create a new proxy host for portainer.example.com pointing to https://192.168.0.6:9443 and you select the *.example.com as your ssl cert for the proxy host

    Now internally go to https://portainer.example.com and it should work.

    • rambos@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Thank you! It does support porkbun, but I don’t have any “porkbun service” running on my server, but I do have duckdns (using it for VPN). Is that kind of service even necessary here? I tried using porkbun api key and it didn’t help, but opening ports did. I opened ports 80 and 443 and closed them after cert (with duckdns challenge tho). Also I made A record *.example on porkbun, seems better for my needs.

      You can have public dns records point to an internal ip.

      I tried pointing *.example.com to my local IP 192.168.0.40 but porkbun doesn’t allow me that, maybe I misunderstood this part. I sorted out the problem, thank you anyway <3

      • Limit@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        1 year ago

        So the opening of ports works, but it’s not the most secure or best way to do it imo… what happens is the certbot registers with letsencrypts api and attempts to request a cert via http challenge, it then hosts a small website with a code from letsencrypt to prove that you do in fact own the domain and are who you say you are. Let’s encrypt then goes to the url, verifies it sees the text, and issues a cert to the certbot. The problem here is you have to open these ports to the internet, and they need to be open when certificates are renewed (let’s encrypt only issues a 90 day cert)… if you want to leave those ports open that’s not exactly a safe practice, and manually doing it every 3 months is less than ideal…

        With dns challenge, the certbot uses the api of your dns provider (cloudflare or porkbun), the process is similar, it talks with letsencrypt, let’s encrypt gives it a string and a dns record it expects to see, then certbot talks to your dns, makes a txt record with the string provided, then let’s encrypt checks for that dns record, if it finds it, it issues a cert to the certbot. In this scenario, certbot is connecting out to your dns provider and making the record for you, no opening of ports. And if you leave the api key active, it will auto renew on a schedule so you don’t have to really worry about it.

        I highly recommend looking into dns challenge some more, watch some videos on it there are lots on YouTube.

        As for the dns record, not sure if it’s not allowing the wildcard record or what but I wouldn’t use *.example.com, make an entry for the actual host/service you are hosting, like portainer.example.com.

        • rambos@lemm.eeOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Thank you for explaining this, its much more clear now. I’ll definitely look more into dns challenge and hopefully be ready before next renewal :D Have a nice day mate