Acme.sh script can't sign CSR

Yes, there is always a way (even if by hand!).

You could try DNS-01 authentication.

I said:

Not ALL authentication.

2 Likes

Don't think that's possible with a DDNS domain, as they probably got no control over DNS.

3 Likes

hmm...
Maybe NOT all for them offer this.
But what about this one:
Create TXT Record | Free Dynamic DNS Service (dynu.com)

2 Likes

yeah, that's my IP. I'm running this from my home network and yes, I'm behind NAT. Sorry for not mentioning.
My networking knowledge is very limited, unfortunately. Please bear with me!

The port that this service should respond on is 5001.

I think I'll get a domain somewhere. Just need to find a cheap one!

1 Like

If you control the NAT device, you may be able to set it to receive 80 and NAT that to 5001.

3 Likes

Ok everyone, I purchased a domain to try to mitigate all these problems.
But now, before the certificate thing, I need to setup my nginx to redirect the traffic from the domain I created to the correct IP:PORT...

I'm not sure I should create another thread to ask for help setting nginx or even if I should create the thread here because it's not acme directly related. Or if anyone is willing to help me to setup nginx in this same thread, I would appreciate!

1 Like

I thought your whole point in purchasing a domain was to be able to use the TXT records to validate your DNS-01 authentication requests. :confused:

If you are doing DNS-01 validation, you don't even need an IP (to get a cert).

nginx would only be necessary for HTTP-01 validation.

2 Likes

Well, my networking knowledge is quite limited, so please, bear with me.

I was told, if it is true, that Let's Encrypt didn't support 3rd level domains, as was the case with my DDNS service. That was one of the reasons that I bought the domain.
The other reason is that, from what has been said in this thread so far, owning a domain would make it easier to validate a CSR.

The reason I'm using nginx is not only to validate a CSR using some specific challenge (or whatever the name is); it's better because I need it to run this LNBits service and also other services.

I'm sorry for my poor explanation.
I will try to get my domain working and then, I'll be back here if I'm still having problems with the CSR signing.

2 Likes

So, can I take it that you are "super paranoid" and will only use an ACME client if you can provide it with a CSR file?
[this is not a negative critique - I happen to consider myself as "super paranoid" - I just want to be clear on your goal (and reasoning)]

1 Like

I'm not sure if they meant that your DDNS would not support an additional level.
Here is an example of a very recent request: pri.dev.api.tfitaxsaver.ie
[5 levels deep - which is no problem for LE - (sorry to use you as an example)]

3 Likes

Well, maybe I can say so, about being a bit paranoid. This LNBits service uses a 3rd party application (Caddy) to deal with webserver configuration, if I'm not mistaken. Reverse proxy, etc. But I didn't want to install one more application in my device and I usually try to do things as manually as I can.

I wouldn't put it that way :slight_smile: . If I just can't figure this out, I'll end up "asking" ACME a CSR too. But I like the idea of doing it myself with openssl. I'm not at home now, so I don't have access to my device right now, during work time, so, if you ask me to run any commands or change any configuration, I'll only be able to do it later when I'm home!

2 Likes

If you are going to use DNS-01 authentication, it really makes no difference where you are on the Internet.
If you are going to use HTTP-01 authentication, then you have to be able to satisfy the HTTP validation request to the FQDN that you want to get a cert for.
HTTP can be proxied to another internal device and it can also be redirected to any other HTTP(S) enabled site.
So the possibilities are rather vast.
You need to decide what works best for you.
Examine how much complexity you desire and go from there.
Information is key - read all you can on this process AND/OR ask plenty of questions.

2 Likes

Sure. Later today, when I'm at home, I'll continue reading and asking and experimenting.

Thanks

2 Likes

Ok, I was finally able to put my site up and running using Cloudflare DNSs... I was having some issues with configuration.

Now that @rg305 mentioned both DDNS-01 and HTTP-01 validations, I am a bit lost! Which one would be easier to complete? And where can I see the steps to perform this validation?

1 Like

Generally speaking HTTP-01 authentication is the simplest. [but there is no one-size-fits-all to it]
Some ISPs block HTTP - so that is not an option for those folks.
Some DSPs [DNS Service Providers] (still) don't offer API updating DNS zones - so that is not a straightforward and simple option to automate for those folks.

The right answer is... whichever method can be automated (FTW!).

Start here:
Getting Started - Let's Encrypt (letsencrypt.org)

3 Likes

Ok, from the link you sent me, I can only see the site that shows the different client implementations, which I chose acme.sh (bash). But for the steps for DNS-01 authentication I can't see any instructions. I'll try to find some youtube videos or so, in the meantime.

1 Like

@PsySc0rpi0n I have not read this whole thread but if you want DNS challenge instructions for acme.sh you might try here:

3 Likes

I have this in my CloudFlare account

Not sure which one is required for ACME thing or if I need to create new API tokens on the blue button "Create Token"

1 Like

Well, I have tried to issue the certificate, after adding to ~/.acme.sh/account.conf the lines that are suggested in that wiki of that link, like this:

export CF_Token="mytokenfromCloudflare - Global API Key"
export CF_Email="email-i-setup-in-cloudflare@myemail.com"

and then I try to issue the certificate with the following command:

acme.sh --issue --dns dns_cf -d bitcoin-cryptoanarchy.com -d www.bitcoin-cryptoanarchy.com

and I get a notice saying that this domain already has a certificate, so I need to use the argument --ecc.
So I try to add it to the command like:

acme.sh --issue --dns dns_cf --ecc -d bitcoin-cryptoanarchy.com -d www.bitcoin-cryptoanarchy.com

but I still get errors. And I'm not sure if the errors are due to the lines I added to account.conf not being correct and it also says invalid domain:

$ ./acme.sh --issue --dns dns_cf --ecc -d bitcoin-cryptoanarchy.com -d www.bitcoin-crypt04n4rky.com
[Sat 20 Nov 22:05:15 GMT 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat 20 Nov 22:05:15 GMT 2021] Multi domain='DNS:bitcoin-cryptoanarchy.com,DNS:www.bitcoin-crypt04n4rky.com'
[Sat 20 Nov 22:05:15 GMT 2021] Getting domain auth token for each domain
[Sat 20 Nov 22:05:20 GMT 2021] Getting webroot for domain='bitcoin-cryptoanarchy.com'
[Sat 20 Nov 22:05:21 GMT 2021] Getting webroot for domain='www.bitcoin-crypt04n4rky.com'
[Sat 20 Nov 22:05:21 GMT 2021] Adding txt value: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx for domain:  _acme-challenge.bitcoin-cryptoanarchy.com
[Sat 20 Nov 22:05:25 GMT 2021] invalid domain
[Sat 20 Nov 22:05:25 GMT 2021] Error add txt for domain:_acme-challenge.bitcoin-cryptoanarchy.com
[Sat 20 Nov 22:05:25 GMT 2021] Please add '--debug' or '--log' to check more details.
[Sat 20 Nov 22:05:25 GMT 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

Moreover, if it tells me this domain already has a certificate, why does it even let me create another one, and why does it suggest that I use --ecc?

Nonetheless, I was just trying those commands because my goal was only to sign the certificate I already have. Not sure if it is possible, though!

Edited:
I have now added export CF_Account_ID and export CF_Zone_ID but I still get the same errors!
And what I wanted was to sign the existing certificate, not issue a new one!

1 Like
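The "Adding txt value ... for domain: _acme-challenge..." line in the log above is the DNS-01 challenge response acme.sh computes from the challenge token and the ACME account key (RFC 8555 section 8.4, RFC 7638 thumbprint). The following is an added example, not code from the thread or from acme.sh: it recomputes that TXT value and checks whether the value a resolver returned for the `_acme-challenge` name matches, which is the check a CA performs. The account JWK coordinates and the published records are constructed sample data; the token is the example token from RFC 8555.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of only the
    required public members, keys sorted lexicographically, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 8.4: TXT = base64url(SHA-256(token '.' thumbprint(account key)))."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(fqdn: str) -> str:
    """Name the CA queries; a leading wildcard label is dropped first."""
    base = fqdn[2:] if fqdn.startswith("*.") else fqdn
    return "_acme-challenge." + base


def txt_record_published(token: str, account_jwk: dict, fqdn: str,
                         records: dict) -> bool:
    """records maps a DNS name to the list of TXT strings a resolver returned.
    A stale value from an earlier issuance does not satisfy the check."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in records.get(challenge_name(fqdn), [])


# Constructed sample account key (not a valid curve point; the thumbprint
# only hashes the JWK members, so this is enough to show the computation).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # RFC 8555 example token

if __name__ == "__main__":
    name = challenge_name("bitcoin-cryptoanarchy.com")
    value = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    print(f"publish at {name} the TXT value {value}")
    published = {name: [value]}  # constructed resolver answer
    print("published:", txt_record_published(TOKEN, ACCOUNT_JWK,
                                             "bitcoin-cryptoanarchy.com", published))
```

Querying the `_acme-challenge` name with `dig TXT` before retrying `acme.sh --issue` shows whether the dns_cf hook actually wrote the record; the "invalid domain" error in the log above means the API call itself was rejected, so nothing was published.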

Please show:
acme.sh --list

Example:
[mine shows]

acme.sh --list
Main_Domain KeyLength  SAN_Domains    CA               Created                       Renew
beer4.work  "4096"     www.beer4.work LetsEncrypt.org  Wed Oct 20 04:25:22 UTC 2021  Sun Dec 19 04:25:22 UTC 2021
beer4.work  "ec-384"   www.beer4.work LetsEncrypt.org  Wed Oct 20 04:25:28 UTC 2021  Sun Dec 19 04:25:28 UTC 2021
1 Like