Does DynDns.org support Let's Encrypt? Having troubles with it

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: *.daddykins.mine.nu

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
dyndns.org my person Nginx and pfsense
I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

So I dunno what to fill out,
but Nginx doesn't offer Dyndns.org as an option for Let's Encrypt.
pfSense, my router, for a Let's Encrypt ACME certificate offers only dyn.com but not dyndns.org, so pfSense can't create a Let's Encrypt certificate.

I'm using *.daddykins.mine.nu as the domain as I wanna set up OpenCloud and other things, but I cannot see an option for dyndns.org. Is it not supported? I've been with dyndns.org for 20 years but yet it's not an option.. so any help would be great

You could try using other challenge methods, such as http-01 or tls-alpn-01, but that would require you to specify individual hostnames in the certificate request (should be fine for small number of these).

If you positively need a wildcard certificate, try DNS Alias Mode | pfSense Documentation and point DNS to a provider that pfSense has support for.

@Patryk well I already point my dyndns.org DNS address to pfSense, already for 10 years, using their dynamic DNS updater... but cuz I want to use like OpenCloud and convert Home Assistant HTTP to HTTPS I need, I guess, nginx, and nginx doesn't have dyndns... and it seems every video you find on YouTube all uses Cloudflare.. but I wanted to avoid that in case when it goes down my address would still be up but things won't work, just to get HTTPS using Let's Encrypt, nginx and Cloudflare Tunnel..

I have tried the http-01 as it's a toggle in the nginx but it always gives an internal error.. when I don't offer a DNS challenge... it sucks when videos are made just for Cloudflare Tunnel and u gotta try to reverse engineer it to work for your own DNS address when it doesn't show up in the drop down lol

but I'll check out that DNS alias mode and read up on that

I appreciate your response.. as I was just getting frustrated and nothing but Cloudflare Tunnel videos

I'd recommend switching away from using wildcard certificate to one or many certificates with individual hostnames. That way you could use certbot with nginx integration to use http-01 challenge method, which does not need DNS support.

Or, you could use Caddy web server instead of nginx, which has Automatic HTTPS — Caddy Documentation, and aside from easier config, it'll order certificates effectively automatically.

Are you talking about Nginx Proxy Manager (NPM)?


ah ok, the *. I used as I want to use
opencloud.daddykins.mine.nu
homeas.daddykins.mine.nu
unraid.daddykins.mine.nu
testserver.daddykins.mine.nu
and some others.. so then they would all be HTTPS and get diverted to each comp.. but so far it's just Cloudflare Tunnel the videos are mostly of

as I have the different DNS that point to my pfSense, but for the most part standard HTTP or domain address going towards a certain Minecraft server.. works, but I wanted to do OpenCloud and OpenCloud can't be used without HTTPS and all this headache to set up certs..

I did try a video for ACME and HAProxy but the ACME wasn't working right on pfSense, I wasn't getting the cert from Let's Encrypt.. either cuz my internet is poor or what not

then watched a video for pfSense nginx proxy manager.. but that didn't work either cuz they use the Cloudflare Tunnel and I'm just trying to use my dyndns.org account

but I'll give that a shot, the certbot or the Caddy webserver

as for the OpenCloud on unRAID, you need a working HTTPS connection, can't use an IP address, can't be HTTP, has to be https://example.com

but I'll read up on both those things

oh forgot to ask

so you wouldn't make a *.daddykins.mine.nu as a certificate
but you'd do

cert for opencloud.daddykins.mine.nu
cert for unraid.daddykins.mine.nu and so on

Both are possible.
The wildcard "*." requires DNS authentication.
The individual names don't require DNS authentication.


@Patryk I haven't gotten around to working on this stuff till now.. on my unRAID machine I installed the Caddy app.. and I tried to follow the templates they have but that didn't help me, shows like creating a webpage... but I didn't see where it sends directly to an IP address and adds a cert so it's now HTTPS
I try
all I got was
immich.testserver.example.com {

}

as I want
immich.testserver.example.com to point to http://192.168.0.3:8090
nextcloud.testserver.example.com to point to http://192.168.0.22:7282
sftpgo.testserver.example.com to point to http://192.168.0.3:62221/

and so on, so they will all be considered secure, but if you have a link on how to set them up to point to it and create each so they are simply secure with HTTPS, that would be great.. I'm still going through that site but figured maybe you'd know more and point me in the right direction

You can use something like

immich.testserver.example.com {
  reverse_proxy http://192.168.0.3:8090
}

nextcloud.testserver.example.com {
  reverse_proxy http://192.168.0.22:7282
}

sftpgo.testserver.example.com {
  reverse_proxy http://192.168.0.3:62221
}

Although before Caddy v2.11.0 this keeps the host header so you might need to do something like

immich.testserver.example.com {
  reverse_proxy http://192.168.0.3:8090 {
    header_up Host {upstream_hostport}
  }
}

Edit: The documentation for reverse proxying is at reverse_proxy (Caddyfile directive) — Caddy Documentation.


ah ok I don't know what all the stuff in the file does.. I'm guessing the 8080 is the page where it says yay Caddy is working..

so it should look like this then? and point 443 and 80 in pfSense to the Caddy IP?
as I couldn't understand all the stuff doing the localhost etc. I just wanted something simple

and ok I'll check out that link.... I appreciate it

{
	http_port 8080
	https_port 8443
}

(block_world) {
	@block not remote_ip private_ranges
	abort @block
}

(security_headers) {
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains;"
		X-Frame-Options "SAMEORIGIN"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "strict-origin"
		X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"
	}
}

(log_settings) {
	log {
		output file /config/access.log
		level WARN
	}
}

# Default http file server
:8080 {
	import log_settings
	root * /app/www
	file_server
	import block_world
}

# Default reverse proxy template for your domain
# sub.yourdomain.com {
#   import log_settings
#   import security_headers
#   reverse_proxy server:8080
# }

immich.testserver.example.com {
  reverse_proxy http://192.168.0.3:8090
  header_up Host {upstream_hostport}
}

nextcloud.testserver.example.com {
  reverse_proxy http://192.168.0.22:7282
  header_up Host {upstream_hostport}
}

sftpgo.testserver.example.com {
  reverse_proxy http://192.168.0.3:62221
  header_up Host {upstream_hostport}
}

:8080 adds an additional HTTP listener on port 8080.

Also the header_up directive is part of the reverse_proxy directive and so should be within braces (curly brackets) like this

immich.testserver.example.com {
  reverse_proxy http://192.168.0.3:8090 {
    header_up Host {upstream_hostport}
  }
}

Edit: I did not see the http_port and https_port directives at the top, this will make it so that the three domains you've added are served on port 8443.


ah that file is the default file, so I need to change the 8443, or would I set in pfSense that 443 gets redirected to 8443

or do I change
{
http_port 8080
https_port 8443
}
to
{
http_port 80
https_port 443
}

do I leave all that other stuff in there, the block_world etc

cuz I needed a certificate just to try the program OpenCloud, which is frustrating cuz u need an HTTPS cert DNS address just to get farther than just installing it... this HTTPS sometimes sucks lol

I think the default file is for people just trying to get Caddy working without any permissions (on Linux this would be CAP_NET_BIND_SERVICE) and so uses 8080 and 8443.

If you're running Caddy as root or with this capability (the default service provides this) then you can change the http and https ports to 80 and 443 respectively and forward to these ports from your router/NAT.

Also, after looking at the setup instructions at https://opencloud.eu/en/install-opencloud-simply-your-own-server, particularly the section "Setting up Apache as a reverse proxy", it appears that you need to replace the header_up directive with header_up Host {hostport} to replicate the behavior of the ProxyPreserveHost On statement in the example configuration.


ok so make it

opencloud.example.com {
	reverse_proxy https://192.168.40.11:9200
	header_up Host {upstream_hostport}
}

so how I set it up is in the unRAID server you have community apps and just install it.. they have default ports set up 8080 and 8443 but since at the time ports were used already it said

Caddy docker
I set 8087 --- container port 8080
I set 8047 --- container port 8443

and pfSense
I set 443 WAN and LAN to go to Caddy IP and port 8047
I set 80 WAN and LAN to go to Caddy IP and port 8087

but so far doesn't work yet... just playing with it so far

The header_up directive needs to be part of the reverse_proxy directive like so:

opencloud.example.com {
  reverse_proxy http://192.168.40.11:9200 {
    header_up Host {hostport}
  }
}

Also, the scheme in the reverse_proxy URL (http/https) refers to the connection between Caddy and the backend application; unless you have a private certificate authority or self-signed certificates, you should use http in the reverse_proxy URL.
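A complete Caddyfile that combines the corrected pieces from this thread: the unRAID template's snippets, one site block per hostname (so ordinary HTTP-01/TLS-ALPN-01 validation suffices and no dyndns.org DNS plugin or wildcard is needed), and header_up nested inside reverse_proxy. This is an added example, not config from the thread or from the Caddy project; it assumes the container port mapping described above and that public DNS for these names resolves to the pfSense WAN address with 80 and 443 forwarded to Caddy.

```caddyfile
# Global options: only needed because this Caddy runs in a container that
# cannot bind 80/443. The thread maps host 8087->8080 and 8047->8443 and
# pfSense forwards WAN 80->8087 and 443->8047; running Caddy directly with
# CAP_NET_BIND_SERVICE you would drop this block (defaults are 80/443).
{
	http_port 8080
	https_port 8443
}

# Snippets from the unRAID template, reused by every site below.
(security_headers) {
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains;"
		X-Frame-Options "SAMEORIGIN"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "strict-origin"
	}
}

(log_settings) {
	log {
		output file /config/access.log
		level WARN
	}
}

# One site block per hostname: Caddy obtains a separate certificate for each
# via HTTP-01 / TLS-ALPN-01, so no wildcard and no DNS-provider plugin is needed.
# header_up belongs INSIDE the reverse_proxy braces, not beside it.
immich.testserver.example.com {
	import log_settings
	import security_headers
	reverse_proxy http://192.168.0.3:8090 {
		# Use this form when the backend expects its own host:port as Host.
		header_up Host {upstream_hostport}
	}
}

# OpenCloud must see the public hostname (Apache's ProxyPreserveHost On).
# Caddy already passes the client's Host through by default; this makes it
# explicit. The scheme is the Caddy->backend hop only: http here assumes the
# backend serves plain HTTP on 9200 (assumption; adjust to your install).
opencloud.example.com {
	import log_settings
	import security_headers
	reverse_proxy http://192.168.40.11:9200 {
		header_up Host {hostport}
	}
}
```

Check the result with `caddy validate --config /path/to/Caddyfile --adapter caddyfile` before reloading; a misplaced header_up fails here instead of in the runtime logs.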

ah ok so I fixed the bracket stuff, that's why I was getting errors in the logs.. damn dyslexia I have, always missing something

so doesn't seem to be working yet... and no I don't have any certificates.. I figured Caddy creates these certificates?

as for the OpenCloud you can't use http://192.168.40.11:9200, it has to access https://
but it won't let you access
https://192.168.40.11:9200 gives you a warning... and from other forums you have to set up a cert or the domain name to go to it
so you need to be able to access OpenCloud at
https://opencloud.example.com, it won't let you access it at https://192.168.40.11:9200

it drives me nuts, all these hurdles u gotta do just to try a program lol

and I guess I need to configure DNS now; when I had the Nginx Proxy Manager it worked for local addresses but Caddy doesn't. I just couldn't do the Let's Encrypt in Nginx Proxy Manager.. I tried for days to play with that and ACME and all that stuff.. just to try to get a non-DNS address to get a certificate lol
is it the weekend yet, need a drink lol