Can letsencrypt be used on forwarding subdomains

Just to give some additional details before you check the details below, my main purpose is to host my own personal sync server using Syncthing. I have successfully installed it and am able to sync my devices on my personal server as well. I just wanted to add additional security in case I have to back up the devices over the internet. I followed this article to install Syncthing and apply for the SSL certificate.

This is my personal ubuntu server at home and because I don't have a static IP I use NOIP free DNS services.
So my sub/domains are forwarded as such:

  1. www.parmars.me ---->> ecronic.ddns.net:18977 ---->> Apache Server(MyPersonalUbuntuServer)
  2. backmeup.parmars.me ---->> backmeup.myddns.me:8384 ---->> Syncthing(MyPersonalUbuntuServer)

Thanks
Dev

My domain is:
www.parmars.me

I ran this command:
sudo certbot -v --apache --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d www.parmars.me

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for www.parmars.me
Performing the following challenges:
http-01 challenge for www.parmars.me
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain www.parmars.me
http-01 challenge for www.parmars.me

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: www.parmars.me
Type: unauthorized
Detail: 3.33.152.147: Invalid response from http://www.parmars.me/.well-known/acme-challenge/Lux8mvljqT78kx_EsVW2KthZIYJM_8B0zn6L_iGZCRU: 404

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Server version: Apache/2.4.52 (Ubuntu)
Server built: 2022-06-14T12:30:21
Custom Port: 18977

The operating system my web server runs on is (include version):
Ubuntu Server
Distributor ID: Ubuntu
Description: Ubuntu 22.04.1 LTS
Release: 22.04
Codename: jammy

My hosting provider, if applicable, is: godaddy.com & noip.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

1 Like

The service for the redirect seems to be AWS, correct? At least, the IP address is from AWS.

This redirect is problematic with regard to issuing a certificate using the http-01 challenge. It only redirects for the path /. I.e.: the path /.well-known/ or any path other than / results in a 404 File Not Found response from your redirect service.

Also you're redirecting from HTTP to a non-standard port. This also makes the use of the http-01 challenge impossible, as it requires the use of a standard port (mandated by the CA/Browser Forum, not Let's Encrypt).

6 Likes

Yes, GoDaddy uses an AWS service for its "URL Forwarding" feature (or maybe just called "Forwarding" or similar name).

They must disable that GoDaddy feature so they can setup an A record for the IP of their server.

The non-standard port is an issue too. I don't want to get involved right now just wanted to add color for the URL Forwarding

6 Likes

Ah, I see.

I recommend using a CNAME to the DDNS hostname.

Even with removal of the GoDaddy redirect service, this is indeed an issue.

6 Likes

Thanks @Osiris @MikeMcQ for your replies. Really appreciate it.

So from what I understand I should do the following:

  1. Use a CNAME to the DDNS hostname
  2. Revert back to a standard port for the Apache webserver i.e. 80 or 8080

Am I correct?

Thanks
Dev

3 Likes

Almost. Port 8080 is not a standard port when it comes to the CA/Browser Forum:

Authorized Ports: One of the following ports: 80 (http), 443 (https), 25 (smtp), 22 (ssh).

You can find the document mandating this, the CA/Browser Forum Baseline Requirements, here: Baseline Requirements for TLS Server Certificates – CAB Forum

This means when using HTTP (e.g. for the http-01 challenge), only port 80 can be used. Although it is allowed to redirect HTTP (port 80) to HTTPS (port 443).

6 Likes

Sorry, but no dice. Still having an error.

I started everything from scratch by using apt purge and reinstalling everything.

Changed my GoDaddy & No-IP setup to: downme.parmars.me ---->> downme.ddns.net

As suggested, I set up my GoDaddy subdomain CNAME to point to the No-IP hostname.

I have a feeling my ISP is blocking access via port 80. How can I check this?

sudo certbot -v --apache --agree-tos --redirect --hsts --staple-ocsp --email ecronic@gmail.com -d downme.parmars.me
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for downme.parmars.me
Performing the following challenges:
http-01 challenge for downme.parmars.me
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain downme.parmars.me
http-01 challenge for downme.parmars.me

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: downme.parmars.me
Type: connection
Detail: 92.97.67.158: Fetching http://downme.parmars.me/.well-known/acme-challenge/cszT2yUlV6VmQ4XEznG-j8Pi32ruRwHqPWp4VX2ZoK8: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

In order to use HTTP authentication, the site must be accessible via HTTP.

2 Likes

First make sure everything has been checked out from your end. E.g., firewalls (plural!), NAT routers missing portmaps et cetera. Only then I'd ask your provider if they're blocking ports and if they can be opened.

4 Likes
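A diagnostic for the two failure modes raised in this thread: a forwarding service that only redirects / (or redirects to a non-standard port such as 18977), and port 80 never answering (timeout, firewall or NAT). This is an added example, not code from any poster; it assumes curl is installed and that you run it from a network other than the one the server sits on (a phone hotspot, for instance), otherwise router hairpinning can hide a NAT problem.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Probes a hostname the way the http-01
# validator does: plain HTTP on port 80, first "/" and then a challenge path with
# a dummy token. Usage (from OUTSIDE your home network): sh http01_check.sh downme.parmars.me
# redirect_ok HOST LOCATION: true if LOCATION stays on HOST over http or https
# on a standard port; the CA/B Forum only allows 80 and 443 for validation.
redirect_ok() {
  case "$2" in
    "http://$1"|"http://$1/"*|"http://$1:80/"*|"https://$1"|"https://$1/"*|"https://$1:443/"*) return 0 ;;
    *) return 1 ;;
  esac
}
# classify HOST PATH CURL_EXIT HTTP_CODE LOCATION: print a verdict, return 0 if
# this result is compatible with http-01, 1 otherwise.
classify() {
  host="$1"; path="$2"; rc="$3"; code="$4"; loc="$5"
  case "$rc" in
    0)  ;;
    6)  echo "DNS: $host does not resolve; fix the CNAME/A record first"; return 1 ;;
    7)  echo "REFUSED: $host:80 reachable but nothing listens; Apache must serve port 80"; return 1 ;;
    28) echo "TIMEOUT: $host:80 never answered; check router port-forward and host firewall, then the ISP"; return 1 ;;
    *)  echo "ERROR: curl exit $rc for http://$host$path"; return 1 ;;
  esac
  case "$code" in
    301|302|307|308)
      if redirect_ok "$host" "$loc"; then
        echo "OK: $path redirects to $loc (same host, standard port)"; return 0
      fi
      # The forwarding pattern from the thread: / goes to another host or port,
      # and deeper paths such as /.well-known/ never reach the real server.
      echo "REDIRECT: $path -> $loc (other host or non-standard port); http-01 will fail"; return 1 ;;
    200) echo "OK: $path answered 200 from $host"; return 0 ;;
    # A 404 for the dummy token means a web server answered; certbot places the
    # real token itself. Trust it only if the "/" probe did not show a redirect.
    404) echo "OK: $path reached a web server on $host (404 expected for a dummy token)"; return 0 ;;
    *)   echo "HTTP $code for http://$host$path"; return 1 ;;
  esac
}
# probe HOST PATH: one curl request without following redirects, then classify.
probe() {
  out=$(curl -s -o /dev/null --max-time 10 -w '%{http_code} %{redirect_url}' "http://$1$2")
  rc=$?
  set -- "$1" "$2" $out
  classify "$1" "$2" "$rc" "${3:-000}" "${4:-}"
}
if [ -n "${1:-}" ]; then
  probe "$1" /
  probe "$1" "/.well-known/acme-challenge/dummy-token-$$"
fi
```

A TIMEOUT verdict from outside while the same URL works from inside the LAN points at the router or the ISP rather than at Apache.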
