Issue to obtain letsencrypt certificate

NethServer Version: 7.7.1908
Module: Server certificate

I have an issue obtaining a letsencrypt certificate in order to replace the default self-signed one. I have done a lot of research on the net and in the community and found a lot of info, but nevertheless could not sort it out for myself.

My Nethserver is installed in my home network. It is connected to the router of my ISP. Ports 80 and 443 are forwarded to my Nethserver. I tested port 80 and this works according to https://canyouseeme.org/
I have only configured a green Interface on Nethserver (but have 3 more physical interfaces left on the server that are not used yet).
Furthermore I defined the hostname as server1.test.com. I have no public domain name.

If I try to obtain a letsencrypt certificate, it gives the error message: “Validation failed: Challenge failed for this domain(s)”.

Does this have to do with the fact that I have no public domain name and I need a DNS provider?

Yep, it does.

Ok, thanks for this quick feedback, then I know in what direction to proceed.

What could you recommend as the easiest way to obtain this? Would Cloudflare be a recommended option?

Buy a domain, then create the hostname. I do not have experience in your country, so I don’t know which are the cheapest and most reliable DNS service providers, so I cannot answer you. But if you’re just trying to test NethServer, consider buying a fairly cheap service.
If you are going to use the server as part of a job or organization, things could change.
Last but not least, I have not bought anything from Cloudflare, so I cannot tell you whether it would fit your needs.

As @pike says, yes, it has everything to do with these two things. For a domain name, there are hundreds of registrars, so you can pretty much take your pick. If you want something free, check out freenom.com, though they have limited TLDs and their renewal requirements are a bit frustrating. If you’re willing to pay, I’ve been happy with easydns.com. You should be able to get a domain for $15/yr or less, in any case.

For DNS, I’ve been very happy with Cloudflare, and it’s free for just the DNS service. Some of their other services carry a charge, but DNS itself is free. They’re also a domain registrar, but I don’t see any way to register a new domain there–everything I have there now I bought elsewhere, then transferred to them.

Ok, I am currently still testing Nethserver, but have no problem buying a domain, thanks for your advice on this.
Just to be sure that I understand the process correctly. After buying my own domain I have to change the server hostname using this domain name. Correct?
But how do I then point this domain name to the server IP? Do I have to organize this with the DNS provider?

Correct, that’s a matter of the DNS records.

So, I have now bought a domain at GoDaddy. I see that I can add a type A DNS record to link to my external IP received from my ISP. What should I fill in for “Host”? The full hostname of my Nethserver?
And should I then also do something on my Nethserver side to point to the DNS server of GoDaddy?

My Nethserver is not a DHCP server but connected to my ISP router, which is managing DHCP and firewall. I have forwarded port 80 and 443 to the server.

I don’t have GoDaddy’s DNS, but here’s what I do with Cloudflare:

[screenshot]
The @ stands for the root domain–in this case, the domain is spare-oom.com, so the entry is for the domain itself. And the IPv4 address, of course, is the external IP address (the example above is a private IP, which you shouldn’t use).

Then, for other hostnames on the same domain that I want to point to the same place, I set up additional records like this:
[screenshot]
This record will have test.spare-oom.com point to spare-oom.com. You could just as well set up another A record for test.spare-oom.com, but that’s one more thing you need to update in case your IP address changes. One very common use for this would be to have domain.com and www.domain.com point to the same place. With your Neth server, you may also want to set up an alias for mail.domain.com, and possibly for other services.

If you’re going to use multiple hostnames for your Neth server (as many people do; the example I just gave of www. and mail. is pretty common), make sure to put all of them on the certificate request. You’ll then get a cert that covers all of them.

Nothing to do there, though you will need to set its hostname to match your new domain. As to the rest, the new DNS record will propagate throughout the network and your Neth server will pick it up automatically.

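
The checks in the post above (apex A record, CNAMEs for the other hostnames, no private address, every name on the request pointing at the same public IP) can be run before asking Let’s Encrypt for a certificate. The script below is an added example, not NethServer’s own code. The zone, the domain names and the address 198.51.100.7 (a documentation range standing in for the ISP-assigned public IP) are constructed; lookups are answered from the in-script dict so it runs offline, and a real resolver can be swapped into `resolve_a()` to vet a live zone.

```python
"""Pre-flight check for a Let's Encrypt request that lists several hostnames.

Added example, not NethServer's own code. The zone below is constructed to mirror
the records described in the post: one A record at the apex for the ISP-assigned
public address and CNAMEs for the other hostnames. Lookups are answered from this
dict so the script runs offline; point resolve_a() at a real resolver for a live zone.
"""
import ipaddress

# Constructed zone, keyed by (name, record type). 198.51.100.7 is a documentation
# address standing in for the public IP the ISP handed out.
ZONE = {
    ("spare-oom.com", "A"): "198.51.100.7",
    ("www.spare-oom.com", "CNAME"): "spare-oom.com",
    ("mail.spare-oom.com", "CNAME"): "spare-oom.com",
    ("test.spare-oom.com", "CNAME"): "spare-oom.com",
    ("old.spare-oom.com", "A"): "198.51.100.99",    # stale A record left behind after an IP change
    ("lan.spare-oom.com", "A"): "192.168.1.10",     # private address published in public DNS
    ("loop.spare-oom.com", "CNAME"): "loop2.spare-oom.com",
    ("loop2.spare-oom.com", "CNAME"): "loop.spare-oom.com",
}

# Ranges a CA on the internet can never reach: RFC 1918, loopback, link-local and
# CGNAT (100.64/10, what some ISPs hand out; port forwarding cannot help there).
UNREACHABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def resolve_a(name, zone=ZONE):
    """Follow CNAMEs from `name` to an A record.

    Returns (status, ipv4, chain) with status 'ok', 'no record' or 'cname loop'.
    """
    chain = [name]
    while True:
        addr = zone.get((name, "A"))
        if addr is not None:
            return "ok", addr, chain
        target = zone.get((name, "CNAME"))
        if target is None:
            return "no record", None, chain
        if target in chain:
            return "cname loop", None, chain + [target]
        chain.append(target)
        name = target


def check_cert_names(hostnames, zone=ZONE):
    """Vet every name that will go on one certificate request.

    The HTTP-01 challenge fetches http://<name>/.well-known/acme-challenge/...
    from the public internet, so each name must resolve to the one public
    address whose port 80 is forwarded to the server. Returns name -> 'ok' or
    the reason the challenge for that name would fail.
    """
    results, resolved = {}, {}
    for host in hostnames:
        status, addr, _chain = resolve_a(host, zone)
        if status != "ok":
            results[host] = status
        elif any(ipaddress.ip_address(addr) in net for net in UNREACHABLE):
            results[host] = "unreachable address"
        else:
            resolved[host] = addr
    # The first resolvable name on the request is taken as the server's primary
    # hostname; every other name must land on the same address.
    expected = next(iter(resolved.values()), None)
    for host, addr in resolved.items():
        results[host] = "ok" if addr == expected else "ip mismatch (%s != %s)" % (addr, expected)
    return results


if __name__ == "__main__":
    names = ["spare-oom.com", "www.spare-oom.com", "mail.spare-oom.com",
             "old.spare-oom.com", "lan.spare-oom.com", "loop.spare-oom.com",
             "typo.spare-oom.com"]
    for host, verdict in check_cert_names(names).items():
        print("%-22s %s" % (host, verdict))
```

Any name that does not come back `ok` is one the CA cannot validate, and because a single request with several names fails as a whole, that is exactly the “Challenge failed for this domain(s)” message from the first post.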

Thanks Dan for this extensive explanation, I now understand the concept.
For GoDaddy the DNS record setup is similar to Cloudflare, and following your instructions I have now got it working and received the certificate for the different hosts.

The strange thing however is that I just discovered that Nextcloud is now complaining about the Letsencrypt certificate. The self signed was no issue before. It warns that the IP address I used to connect to Nextcloud server is not a valid certificate for the host name, despite that I pointed the host name to this IP address with Godaddy. Obtaining a Letsencrypt certificate for the IP address did not work.

What do I miss?

It will never work; Let’s Encrypt doesn’t issue certs for IP addresses (few CAs do).

That’s correct; the IP address isn’t listed in the certificate (it only covers FQDNs, not IP addresses).

You need to configure your router, or whatever’s providing DNS for your LAN, to correctly resolve your Neth server. If it’s on your LAN, it should ideally return the internal IP address.
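
The two replies above make one point between them: the name on the certificate has to be the name the client connects with, and on the LAN that name should resolve to the internal address. The script below is an added example, not NethServer or Nextcloud code. The SAN list, the LAN 192.168.1.0/24, the server addresses and the domain names are constructed; the hostname matching follows the rules browsers apply (RFC 6125), which is why an IP literal never matches a certificate that only carries FQDNs.

```python
"""Why the Nextcloud warning appears when the server is opened by IP address.

Added example, not NethServer or Nextcloud code. The SAN list and the split zone
below are constructed: the certificate mimics the one the thread obtained (one
cert, several FQDNs, no IP entry), and the LAN resolver answers the internal
address for clients on 192.168.1.0/24 while everyone else gets the public one.
"""
import ipaddress

# Subject Alternative Name entries of the (constructed) Let's Encrypt certificate.
# Public CAs issue dNSName entries; Let's Encrypt issues no iPAddress entries.
SAN = [("DNS", "spare-oom.com"), ("DNS", "www.spare-oom.com"), ("DNS", "mail.spare-oom.com")]

LAN = ipaddress.ip_network("192.168.1.0/24")   # the home network behind the ISP router
SERVER_LAN_IP = "192.168.1.10"                 # Neth server's green interface (constructed)
SERVER_PUBLIC_IP = "198.51.100.7"              # router's WAN address (documentation range)
NAMES = {"spare-oom.com", "www.spare-oom.com", "mail.spare-oom.com"}


def answer(name, client_ip):
    """Split-horizon lookup: LAN clients get the internal address, others the public one."""
    if name.lower().rstrip(".") not in NAMES:
        return None
    return SERVER_LAN_IP if ipaddress.ip_address(client_ip) in LAN else SERVER_PUBLIC_IP


def _dns_match(pattern, host):
    """Match a dNSName entry against a hostname: case-insensitive, and a single
    wildcard may only stand for the leftmost label (never the bare parent domain)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        return (len(p_labels) == len(h_labels)
                and p_labels[1:] == h_labels[1:]
                and h_labels[0] != "")
    return False


def cert_covers(san, target):
    """True if the certificate's SAN list covers `target`, which is what a browser
    checks. An IP literal only ever matches an iPAddress entry, never a dNSName,
    even when DNS points that name at the very same address."""
    try:
        ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, target):
            return True
    return False


def connection_check(target, client_ip, san=SAN):
    """What a client at client_ip sees when it opens https://<target>/."""
    try:
        ipaddress.ip_address(target)
        host_ip = target                  # user typed the IP; DNS is not consulted
    except ValueError:
        host_ip = answer(target, client_ip)
        if host_ip is None:
            return "no such host"
    if not cert_covers(san, target):
        return "name mismatch"            # the warning Nextcloud showed in the thread
    return "ok via %s" % host_ip


if __name__ == "__main__":
    for target in ("mail.spare-oom.com", SERVER_LAN_IP, SERVER_PUBLIC_IP):
        print("%-20s from LAN: %s" % (target, connection_check(target, "192.168.1.50")))
```

The fix is therefore not a different certificate but a different URL: have the LAN resolver (the router, or the Neth server’s own DNS) hand out the internal address for the hostname and open Nextcloud by that hostname.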

Hi MB76,

This is from GoDaddy:

[screenshot]

Example for mail record: FQDN = toto.com -> mail.toto.com

If you want to leave nothing out.

You have to google a little bit for the SPF record.
[screenshot]
Do not forget to save all at GoDaddy.

Make sure you have * (asterisk) on the DNS page in NethServer GUI interface. You can add mail.FQDN as an alias also.

You should put your ADSL modem in bridge mode and let NethServer handle all the PPPoE connection stuff. NethServer is more secure than any modem, router, etc…

All should work well.

Michel-André

Not sure what you mean with the * on the DNS page. Do you mean in below area to create a new record?

[screenshot]

My server is now behind the ISP router and everything is controlled by the ISP modem.
However, I saw that on my nethserver the DNS server is enabled.

[screenshot]

[screenshot]

My hostname is linked to the godaddy domain.

I like your proposal to let Nethserver take over the routing and firewall tasks of the ISP modem to increase security, but first would like to get it working in the current set-up before digging into this.

So for my current situation, do I need to turn off the DNS server on Nethserver?

Hi MB76.

For the *, I mean to check the Wildcard DNS record field in your above image.

For the DNS on the server, it has to be there for the clients using your server as a router to be able to resolve external domain names. For DHCP, there must be only one per IP segment: the modem or NethServer, if the stations and NethServer are all connected to the modem. If the stations are connected to the LOCAL network of the server, then DHCP on the server has to be enabled if the IPs of the stations are configured as “Automatically obtain an IP address” and not as static IPs…

You can check https://dokuwiki.micronator-dev.org/doku.php?id=nethserver_101_cahier_05_vdsl_fqdn_internet_et_nethserver#configuration_detaillee. It is in French, but you should be able to follow the commands and the images; Google Translate is your friend.

Also, you can use 1.1.1.1 instead of the 8.8.8.8 of Google. The first one is faster than the second one and it does not spy on you as Google does…

Michel-André