Request Let's Encrypt Certificate?

letsencrypt

(fpausp) #1

I would like to request a Let’s Encrypt Certificate, my internal server (DMZ) is reachable from the Internet on Port 80 and 443.

I used the DynDNS-Domain in the 2nd field. The hostname is not the same as the DynDNS… What else can I do?


(Dan) #2

For any domain that you seek a LE cert for, a few conditions must be true*:

  • The domain must have public DNS records
  • Those public DNS records must point to your Nethserver installation
  • Port 80 must be open to the Internet.

To test this, from outside your network (I like using a smartphone with WiFi turned off), try to browse to http://yourdomain.org. If you get something, create a text file on your Nethserver at /var/www/html/.well-known/acme-challenge/test.txt. See if you can see that file, from outside your network, at http://yourdomain.org/.well-known/acme-challenge/test.txt.

*If one or both of the latter conditions is not true, you may still be able to get a cert using DNS validation. See here for more information on that:
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers
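The three conditions in this answer as a small POSIX shell script (an added example, not code from the Nethserver project or the poster; only the webroot /var/www/html comes from the answer, the script name and its two sub-commands are assumed). Run `serve` on the Nethserver to drop a random token into the challenge directory, then run `probe` from a device outside the network, as the answer recommends.

```shell
#!/bin/sh
# Added example: pre-flight check for Let's Encrypt HTTP-01 validation.
# Not Nethserver code; the webroot path is from the answer above (overridable),
# everything else here is assumed.
WEBROOT="${WEBROOT:-/var/www/html}"
CHALLENGE_DIR="$WEBROOT/.well-known/acme-challenge"

# Write a fresh random token to test.txt so a stale or cached copy of an
# earlier file cannot produce a false positive; prints the token.
make_probe_file() {
    dir="$1"
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$dir"
    printf '%s\n' "$token" > "$dir/test.txt"
    printf '%s\n' "$token"
}

# Compare the body fetched over HTTP with the expected token (CR/LF stripped).
verify_probe() {
    expected="$1"
    body="$2"
    [ "$(printf '%s' "$body" | tr -d '\r\n')" = "$expected" ]
}

# Conditions from the answer: public DNS resolves the name, and port 80 serves
# the challenge path. Run this from OUTSIDE the network (e.g. phone on mobile data).
probe_domain() {
    domain="$1"
    expected="$2"
    ip=$(getent hosts "$domain" | awk '{print $1; exit}')
    if [ -z "$ip" ]; then
        echo "FAIL: $domain has no public DNS record" >&2
        return 1
    fi
    echo "DNS: $domain -> $ip"
    # -L follows redirects (e.g. HTTP -> HTTPS), as the Let's Encrypt validator does
    body=$(curl -fsSL --max-time 10 "http://$domain/.well-known/acme-challenge/test.txt") || {
        echo "FAIL: port 80 not reachable from here, or the path is not served" >&2
        return 1
    }
    if verify_probe "$expected" "$body"; then
        echo "OK: challenge path serves the expected token"
    else
        echo "FAIL: got a response, but not our token (wrong host behind the forward?)" >&2
        return 1
    fi
}

# Usage: ./lecheck.sh serve               (on the Nethserver; prints the token)
#        ./lecheck.sh probe DOMAIN TOKEN  (from outside the network)
case "${1-}" in
    serve) make_probe_file "$CHALLENGE_DIR" ;;
    probe) probe_domain "$2" "$3" ;;
esac
```

A response that is not the token usually means the forward lands on a different host (the firewall itself, another web server), which is exactly the case a reachable-looking port 80 would otherwise hide.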


(fpausp) #3

I just did a port forward from my Internet-GW to my Firewall and from the Firewall a port forward with NAT to the Nethserver (80 and 443).


It works, what else could be done, I use no-ip.com (myname.zapto.org)?


(fpausp) #4

I'd like to test the 2nd method, now I am at this point:

export CF_Key="YourCloudflareGlobalAPIKey"

How/where can I get it for no-ip.com (zapto.org)?


(Dan) #5

You can’t; if you’re using no-ip.com, you aren’t using cloudflare. And it doesn’t look like acme.sh supports no-ip.com (either natively or by using lexicon), so you wouldn’t be able to use this method without changing your DNS provider.

So to your other testing. Your screen shot shows that you can reach something.zapto.org. Was that done from completely outside your network? If not, that testing is invalid.


(fpausp) #6

Yes.

OK, thank you for the clarification!

If I understand you, neither method one nor two will work with no-ip.com?


(Dan) #7

Any firewall rules? Anything else that might be blocking connections from (portions of) the Internet?

If “method one” is the built-in Let’s Encrypt support in Nethserver, there’s no inherent reason it shouldn’t work with no-ip.com.


(fpausp) #8

OK, I will use another NS7-VM and connect it directly to red, just for a test…


(fpausp) #9

Yes, I can confirm that… I set up a new server, now with two NICs, one for green and the other one for red.

I used NS7.4 without any updates:


(Dan) #10

…which leaves the question of why the one works and the other doesn’t. What did you change between the two? You’d have had to change your port forwarding rules–anything else?


(fpausp) #11

The first server had just one NIC and I put it into the DMZ (orange) LAN behind my Linux Firewall. The new server has two NICs and the red is directly connected to the Internet-GW.

Should I set the new cert as default? How long does it need to take effect?
Can I remove the port forwarding right now?


(Dan) #12

…which would suggest that the issue was something to do with the port forwarding setup on your Linux firewall–when you removed that from the equation, things worked.

Yes, if you want to use it.

It takes effect immediately.

You could temporarily, but you’ll need it every 60 days or so to renew the certs.


(fpausp) #13

Maybe but the text.txt was reachable…

OK, good to know… Thank you very much, danb35!


(Dan) #14

Yes, that is curious, which is why I mentioned firewall rules blocking (portions of) the Internet. The last time I dealt with this issue (just a few days ago), that was the issue–the user was blocking based on geography.