Certificate for noip ddns domain

My domain is: xsxtc.ddns.net

I ran this command: N/A

It produced this output: N/A

My web server is (include version): None

The operating system my web server runs on is (include version): None

My hosting provider, if applicable, is: None

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): N/A

I am not experienced in these matters. I run a Lets Encrypt certificate on my domain hosted on a VPS and it works fine.

I want to run Let’s Encrypt on my dynamic domain xsxtc.ddns.net which points at my home (ISP) router with a dynamic WAN and 192.168.1.0/24 LAN. The noip.com client (that maintains verification of the dynamic IP) is integrated into my ISP router and it works.

I then pass all traffic (except VOIP telephones) to a second openwrt router behind the ISP router which runs my dhcp service for all connections On 10.0.0.0/24 LAN. So there is no main web server as such.

The ISP Router forwards external ports to my openwrt router. My router forwards that port to internal machine ports. So for example xsxtc.ddns.net:12345 forwards to 12345 which then forwards to 8123 internally to access my home assistant server.

When I access any of my internal servers (such as home assistant) I get a Not Secure message as no certificate exists for xsxtc.ddns.net. To access the internal machine I have to go through the certificate acceptance process each time.

So how and where do I apply a security certificate to overcome this security barrier? I assume it should go on my first ISP Router but how? I do not own or control ddns.net of which xsxtc is a subdomain. Is there a solution?

Geoff

As long as you can control answers for http://xsxtc.ddns.net/.well-known/acme-challenge/* (Note http means port 80) as seen from the public Internet — you can get a certificate for xsxtc.ddns.net. There's also a DNS-01 option, but I doubt ddns services provide sufficient access to dns entries for it to work.

More info:

Hi,

I think this is where I am having problems understanding. Where is the termination of xsxtc.ddns.net? If I understood that I could generate the necessary folders to enable a .well-known challenge. I do not have a web server for xsxtc.ddns.net because I do not need one. I only use it to access my network externally then forward to the relevant ports so where does this challenge folder framework go?

Hi and thanks. So without a server of some type, the certificate will not work?

Without a "server of some type", there really isn't a concept of a certificate. Whatever system you're trying to connect to with your browser is a "server of some type" though, even if it's running on your home network, and that "server" is what you need to configure to request and use a certificate. Which many can do by themselves if set up right, though for some it's easier to just put Caddy in front of them.