Following my installation of Dokuwiki on Nethserver and using the AD as its user base, I decided to extend that to other servers, including OPNSense. After asking a few questions, it turned out this would require me to purchase a domain name and have Letsencrypt produce a valid certificate that I would need to use on Nethserver and then copy that same certificate to the AD. Let's call my domain name "MyDomain.net". So the idea is to produce a certificate for that domain name. My whole network is currently set up with that domain name, but using the original certificates, which are not valid certs.
I was recommended to use Cloudflare as the DNS manager for my domain name. I purchased a name from Google and transferred its management to Cloudflare. My ISP does not assign me a fixed IP, so I would have to use Duckdns to update my IP address when it changes. That would prevent me from using any kind of A record in Cloudflare, which requires an IP. So I thought, no problem, I would link my domain name with a CNAME, something like this: CNAME : mydomain.net -> mydomain.duckdns.org. I didn't use the proxy, as this seemed to cause me some issues, so it is set to DNS only.
I had to wait a while for all this to propagate and be seen by the DNS servers. Eventually I used nslookup and noticed something interesting: nslookup -query=a mydomain.net 188.8.131.52 would return the IP address assigned to mydomain.duckdns.org, although I didn't set any A record. When I tried to query the CNAME, it returned this:
So I guess something is wrong, as it appears to point to 184.108.40.206.
I decided to try to get a certificate anyway, to see what would happen through Nethserver, but it failed with mydomain.net.
I tried to access my network (which has OPNSense in front of it) with https://mydomain.net, which didn't work, as I was returned a page stating: "A potential DNS Rebind attack has been detected". So I wonder if that could be the source of my problems, but I am not entirely sure.
I looked at the Letsencrypt logs and saw this:
Domain: mydomain.net
Type: connection
Detail: Fetching http://mydomain.net/.well-known/acme-challenge/nPDkTl7rDJXeVIEFsuUua35e_g35Y3jfTaucstaIocA: Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
As additional information, there is a port forwarding rule in place that allows traffic on ports 80 / 443 through. I thought I would mention that, since the message does state it could be a firewall issue.
I'm hoping some of you could help me understand what I am not seeing. I am not a DNS expert, so I am not sure if my problem could be because I do not have an A record, and frankly I don't know how I would make this work, since I would have to manually update my A record every time my ISP assigns a new one, hence the reason why I used a CNAME. Also, seeing that in the logs under DETAIL it tries to fetch from mydomain.net, which OPNSense detected as a DNS rebind attack, possibly this is the problem, but I am not sure.
If anyone has any ideas or suggestions, anything that could help really, I would appreciate it.
Thanks in advance.
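As an added example (not code from the post above, nor from Nethserver, OPNSense, Cloudflare or Letsencrypt), here is a small Python pre-flight script that walks the same three steps the HTTP-01 validator in the log has to get through: follow the CNAME at the apex to an address, confirm that address is public (a DNS-rebind filter in a resolver discards answers that point at private ranges), and fetch http://<domain>/.well-known/acme-challenge/<token> on port 80. DNS is simulated with a constructed zone so it runs offline; the HTTP fetch is real unless a stand-in fetcher is passed in. The domain, token, addresses and the list of blocked ranges are assumptions made for the example, not anything read from the poster's setup.

```python
"""Pre-flight for an ACME HTTP-01 challenge behind dynamic DNS and NAT.

Added example; the zone data, addresses and blocked-range list are constructed
for illustration and are not taken from any real configuration.
"""
import ipaddress
import socket
import urllib.error
import urllib.request

# Constructed records standing in for public DNS. 203.0.113.0/24 is reserved
# for documentation, so nothing here points at a real host.
CONSTRUCTED_ZONE = {
    "mydomain.net.": ("CNAME", "mydomain.duckdns.org."),
    "mydomain.duckdns.org.": ("A", "203.0.113.45"),
}
# Same layout, but the dynamic-DNS name was updated with a LAN address (what
# happens when the updater behind NAT reports its own interface IP).
CONSTRUCTED_ZONE_PRIVATE = {
    "mydomain.net.": ("CNAME", "mydomain.duckdns.org."),
    "mydomain.duckdns.org.": ("A", "192.168.1.10"),
}

# Ranges a DNS-rebind filter rejects in answers for public names. Assumption:
# RFC 1918, link-local and loopback; compare with your own resolver's list.
REBIND_BLOCKED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128",
)]


def fqdn(name):
    return name if name.endswith(".") else name + "."


def resolve_chain(name, zone, max_hops=8):
    """Follow CNAMEs the way a recursive resolver does; returns (chain, address).

    A CNAME at the apex is flattened exactly like this, which is why an A query
    for mydomain.net answers with the Duck DNS address even though no A record
    was ever entered for the apex itself.
    """
    chain = [fqdn(name)]
    for _ in range(max_hops):
        record = zone.get(chain[-1])
        if record is None:
            return chain, None
        rtype, value = record
        if rtype == "A":
            return chain, value
        if rtype != "CNAME":
            return chain, None
        if fqdn(value) in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain))
        chain.append(fqdn(value))
    raise ValueError("CNAME chain exceeds %d hops" % max_hops)


def is_public(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in REBIND_BLOCKED)


def challenge_url(domain, token):
    return "http://%s/.well-known/acme-challenge/%s" % (domain, token)


def live_fetch(url, timeout):
    """Real HTTP GET: returns the status code, raises on network failure."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, (socket.timeout, TimeoutError)):
            raise TimeoutError(str(exc.reason))
        raise OSError(str(exc.reason))


def simulated_timeout_fetch(url, timeout):
    """Constructed stand-in reproducing 'Timeout during connect' offline."""
    raise TimeoutError("connect to %s timed out after %ss" % (url, timeout))


def classify_fetch(fetch, url, timeout=10.0):
    """Map the outcome onto the categories the ACME client log reports."""
    try:
        status = fetch(url, timeout)
    except (socket.timeout, TimeoutError):
        return "timeout (port 80 never reached the host: check NAT rule/firewall)"
    except OSError as exc:
        return "connection error: %s" % exc
    return "http %d" % status


def preflight(domain, token, zone=None, fetch=live_fetch):
    """Run the checks in the order the validator hits them; stop at first failure."""
    if zone is not None:
        chain, addr = resolve_chain(domain, zone)
    else:  # live lookup; the system resolver follows the CNAME for us
        chain, addr = [fqdn(domain)], socket.gethostbyname(domain)
    report = {"chain": chain, "address": addr}
    if addr is None:
        report["verdict"] = "no A record found through the CNAME chain"
    elif not is_public(addr):
        report["verdict"] = "private address %s: a rebind filter rejects it" % addr
    else:
        report["verdict"] = classify_fetch(fetch, challenge_url(domain, token))
    return report


if __name__ == "__main__":
    token = "nPDkTl7rDJXeVIEFsuUua35e_g35Y3jfTaucstaIocA"  # token seen in the log
    for label, zone, fetch in (
        ("good zone, port 80 reachable", CONSTRUCTED_ZONE, lambda u, t: 200),
        ("good zone, port 80 timing out", CONSTRUCTED_ZONE, simulated_timeout_fetch),
        ("dynamic DNS pointing at LAN", CONSTRUCTED_ZONE_PRIVATE, lambda u, t: 200),
    ):
        print(label, "->", preflight("mydomain.net", token, zone=zone, fetch=fetch))
```

Calling preflight("mydomain.net", token) with no zone and the default fetcher runs it live from outside the network; a "timeout" verdict there, with a public address in the report, isolates the problem to the port 80 path through the firewall rather than to DNS.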