Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: onolan dot net
Currently I'm using a Let's Encrypt certificate to help secure remote logins to my Synology Diskstation using DSM 6.2. I'd like to expand it to add a subdomain on a different computer (a Raspberry Pi running Apache). Currently, ports 80 and 443 are forwarded to the Diskstation and a number of services hosted on it are enumerated. My Pi web server traffic is redirected from an external DNS server (DNSmadeEasy) with an HTTP redirect sending with the router port forwarding to port 80.
My understanding is that I can't get a wildcard cert via the Synology except for a Synology domain. I've skimmed this: https://www.blackvoid.club/lets-encrypt-docker-wild-card-certs/, which seems a tad complicated and I'd prefer something that didn't need manual updates every 3 months. Is it really necessary to use Docker?
Should I scrap my existing certificate and move things over to the Pi and then import the private key and certificate from there?
My Pi web server traffic is redirected from an external DNS server (DNSmadeEasy) with an http redirect sending with the router port forwarding to port 80.
I'm having a hard time understanding this. How do you actually access the website on your Raspberry Pi? Is it proxied through your Synology?
But I'm not sure whether you expect your Synology to handle SSL for your Pi, or whether you are somehow going to connect directly to your Pi, bypassing the webserver on the Synology.
Thanks for your reply and for the dnsmadeeasy link. I will have a look.
I have an http redirect in place at DNSmadeeasy that forwards to my router at a port #### (not port 80) and my router redirects to port 80 on the Pi. I'd like to leave the Synology alone if I can, for now anyway, and connect directly to the Pi but currently the Diskstation "owns" ports 80 and 443.
I'm not clear on whether I can use port forwarding like this for certificate renewal on the Pi and whether, given the limitation on getting a wildcard certificate with the Diskstation, I should seek to do that on the Pi. Also not clear on how many certificates I can have in use at once. (If I get a wildcard cert for use with the Pi, do I need to replace the existing one?)
The good thing about the "DNS validation" method is that it does not rely on any port forwarding to obtain the certificate. You could have no ports forwarded and it would still work, because the proof of domain control is done via the DNS Made Easy API.
Many thanks. Unfortunately, I've just discovered that DNSmadeEasy only makes API keys available to business level memberships (however, I discovered my address was very out of date!).
Now I need to see if there's a list of DNS service providers offering API support. My usage level of DME doesn't justify extra cost.
$29.95? for DME? No, it's $59.95 for up to 25 domains for Business membership. It's not clear if Small Business Membership ($15 for up to 10 domains) grants access to the API. I'll inquire. I think I used to pay $29.95 for 3 domains but obviously it's changed.
Thanks for the recc for Cloudflare. I have been with DME for many years and have generally avoided free services on the assumption that they aren't really free (thus Fastmail not Gmail).
I know about the DDoS protection and malware site traffic filtering; not really an issue for me. Do you use Wireguard? Does it work out of the box with Cloudflare?
I have a fairly dormant AWS account; I'll take a look if I have to move. Thanks.
The lowest level membership we offer that includes API access is the Business Membership ($59.95/yr). Please note that the Small Business Membership is no longer offered and is a grandfathered plan as is the Home User plan.
I had belatedly discovered the footnote and logged in. Your 2nd link was faster than I could find the info myself! I only have a couple of domains with DME but have 9 in all with Namecheap so the $ criterion is easily met.
Yeah ... I just read the footnote and could not for the life of me understand why I excluded Namecheap on that criteria, while listing other paid providers. I think I will integrate Namecheap into the table.
To have had an average of 2.5 domains paid up annually is hardly an onerous criterion (nb singular). However, I see that their API access seems largely about reselling domains and certificates. I've signed up for Cloudflare.