Custom Port in domain name, port mapper, DS-Lite


#1

I’m running a webserver on a Raspberry Pi and got two different domain names which connect to it. One connects directly and the other connects over a port mapper service, because my ISP is delivering me DS-Lite access, which means no global IPv4 address, only a global IPv6 address.

Unfortunately my first attempt to get a certificate which is valid for both domains didn’t work:
letsencrypt certonly --webroot -w /var/www/ -d example.port-mapper.com:12345 -d example.com

Is giving me:

An unexpected error occurred: The request message was malformed :: Error creating new authz :: Invalid character in DNS name

Apparently the custom port :12345 is not supported. Is there a way to get a certificate which is valid for both of my domains?

Web server: nginx 1.10.3
OS: Raspbian (Debian Stretch)


#2

Certificates are not assigned to port numbers, they can be used on any port. The argument you pass to -d is the domain that should appear on the certificate.

Where ports become involved is during the ACME validation process in which you prove control over the domain.

To use the --webroot validator (the HTTP challenge), your domain(s) must be available over port 80 - there’s no working around that.

If your server is only accessible over port 12345 over the port mapper service, then you can’t have a certificate for the port mapper domain - you don’t control the domain in the eyes of the CA.


#3

P.S. You can try to use DNS to prove ownership.

An addon to @_az’s response:
Is your server accessible on port 80? (Over IPv6?)

If it is, you can just set your domain with an IPv6 address (without an IPv4) and still pass the test (since LE’s validation service honors IPv6).

Thank you


#4

Thanks for the quick answer.
Yes that is right, I don’t control the domain, so I won’t get a certificate for it - I understand now.


#5

And yes, generating a certificate for my direct domain via IPv6 works.
The only problem is that when connecting over the port mapper’s domain name I still get warnings from my browser that the certificate is not correctly configured, because the name on the certificate doesn’t match the address. But according to @_az it seems that there is no solution to that.

Thanks for your help.


#6

If your domain can be accessed via IPv6 on port 80 (regular HTTP port),

consider signing up for a CDN service like Cloudflare…

They can proxy your domain using their CDN even without an IPv4 address…


#7

That’s a great idea, way more convenient than using a port-mapper service for sure.


#8

OK, thanks for this new idea. I will have a look at this.


#9

@stevenzhu: Unfortunately that doesn’t work either. I didn’t tell you the whole truth. I’m using a DynDNS service by AVM. So my domain looks like: raspberrypi.abcdefghiklmn.myfritz.net
And according to this, Cloudflare won’t work for subdomains.

But thanks for this good idea anyway.


#10

Hi,

In this case, Cloudflare sure can’t let you use this subdomain.

However, you can still use CF with some extra actions.

You can either register a free domain name from freenom.com (only .gq, .ga, and other free extensions) or register a domain name and CNAME it to your AVM domain.

P.S. The root of your registered domain name might not be able to use a CNAME, so you can either use a domain redirect or enter the IPv6 address manually and use a simple API script to update the record. (The script thing only works if your original ISP doesn’t block port 80 or your root domain can’t be accessed either.)

In short:

  1. Try visiting the IPv6 address directly… If port 80 isn’t blocked by your ISP, proceed.
  2. Grab a free domain name from Freenom or register one (paid) from any domain name service.
  3. Set up Cloudflare on your new domain name.
  4. Create a CNAME record on the www version of your new domain pointing to the AVM subdomain (raspberrypi.abcdefghiklmn.myfritz.net).
  5. Enter the IPv6 address (the one your ISP gave you) in the root domain record (AAAA record).
  6. Click on the gray cloud and make it orange for both domains.

Then your HTTP should be working over both IPv4 & IPv6. HTTPS on the new domain might take some time since Cloudflare takes some time to issue a free TLS certificate for your domain.


#11

I’m trying your idea, but it doesn’t work yet. At point 5: what IP exactly do you mean? Do you mean the IP of my Raspberry Pi, so the IP of raspberrypi.abcdefghiklmn.myfritz.net?

I’ve followed all of your steps, but for now visiting the new domain just redirects me to raspberrypi.abcdefghiklmn.myfritz.net, which cannot be loaded without IPv6 access.


#12

Yes.

In this part, it means Cloudflare is working…

However, now you need to change the vHost from the raspberrypi.abcdefghiklmn.myfritz.net to your newly registered domain.
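As an added example (not the thread’s own configuration), this is what the vHost change described above could look like in nginx. It assumes the new domain is example-new.tld (a placeholder), the webroot /var/www/ from the original certonly command, a host that only has a global IPv6 address, and certificate paths under /etc/letsencrypt/live/ as certbot creates them by default.

```nginx
# Port 80 over IPv6: answers the HTTP-01 challenge for every name and sends
# everything else to HTTPS. The webroot validator fetches
# http://<name>/.well-known/acme-challenge/<token>, so the path below must map
# onto the same directory passed with certonly --webroot -w /var/www/.
server {
    listen [::]:80;
    server_name example-new.tld www.example-new.tld raspberrypi.abcdefghiklmn.myfritz.net;

    location /.well-known/acme-challenge/ {
        root /var/www/;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS vHost: server_name must include the newly registered domain, otherwise
# requests arriving through Cloudflare fall into the wrong server block and are
# answered with a certificate whose name does not match.
server {
    listen [::]:443 ssl;
    server_name example-new.tld www.example-new.tld;

    # Placeholder paths; certbot's default layout for the new domain (assumption)
    ssl_certificate     /etc/letsencrypt/live/example-new.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example-new.tld/privkey.pem;

    root /var/www/;
}
```

With the orange cloud enabled, browsers see Cloudflare’s edge certificate; the certificate on the Pi only protects the Cloudflare-to-origin leg, so it still needs to match the new domain to avoid name-mismatch errors on that hop.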


#13

HOLY MOLY! It works, biggest thanks on earth to you!
I’ll just have to adjust some configurations now that everything works like intended. But seems like everything will be possible now!
