Certificate for local network behind fritzbox (custom domain)


Hi there,

I’d like to implement letsencrypt for my local network behind a Fritz!Box. I have a dynamic IP and use dynamic DNS for the domain name.

The problem: fritzbox captures the 443 port. If I change this (just for sign-up purposes), I would probably be able to get a certificate (forward 443 to local client running certbot) and later add the certificate to the fritzbox as well.

However, I do not see how that would survive the renewal process?

My goal would be to
a) use a single certificate for fritzbox UI on 443 and other services on different ports and
b) renew those certificates automatically

Is that possible?



If I understand it correctly, you have a machine behind the FritzBox on which you intend to run a client. I would imagine that FB should only be listening on 443 on the LAN/WLAN side, so there should be no problem forwarding port 443 to your specific machine if you are using TLS-SNI or port 80 if you are using HTTP verification. You could also use DNS verification if you are able to create TXT records (I believe DNS verification is supported by bash clients for example, also supported by Crypt::LE in Perl).

FritzBox can be controlled from your other machine if you want to use port forwarding, but only enable it temporarily. See for example how FHEM (Hausautomations-Server) does it - http://www.fhemwiki.de/wiki/FRITZBOX

Also keep in mind that once you have your initial certificate, the verification results will hold for 300 days, so effectively you don’t need to re-verify for a year (that means no need to re-configure port forwarding or create DNS entries again for a year). I am not aware though which other clients support skipping verification, could only vouch for le.pl (Crypt::LE) there.


It’s actually listening on the WAN interface too as that’s convenient, but I could limit this to VPN. Good idea :wink: So 443 is available and can be forwarded.

I also understand I will have to recertify after 300 days and there are also no means of automatically deploying that certificate to the Fritzbox (according to the wiki link). But in regard to the 300 days, that’s also OK, thank you!

To clarify - the certificate validity period (at least at the moment) is 90 days. 300 days is how long your domain verification results are still considered valid. That means you will have to renew every 3 months, but you will not need to re-verify domains for 300 days (which, with 3 months validity, effectively makes that a year).

As for deploying the certificate automatically to FritzBox - I don’t have one, but seeing that you can upload the certificate via UI, you could always script the process. Additionally, you could enable SSH/telnet access and possibly upload the new cert that way.

This resource might be helpful regarding what can be done to FritzBox - http://www.fritzmod.net/en/modification/telnet/

