Forwarded URL from Google does not work

I have a local apache web server that runs my site (localhost). In order to get it into the internet, I used DDNSS to get a forward. My address is geheimbund.ddnss.de. I then purchased a domain name from Google and forwarded it to geheimbund.ddnss.de. The name of the domain is feenburg.net.
I then wanted to move the apache and website from http to https. I installed certbot, followed the instructions on the website, until I got to sudo certbot --apache. The process then asked me to put in my domains. I entered geheimbund.ddnss.de and feenburg.net. The former seems to get accepted, the latter does not. What am I doing wrong?

My domain is:
www.feenburg.net

I ran this command:
sudo certbot --apache

It produced this output:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: feenburg.net
Type: unauthorized
Detail: 2001:4860:4802:34::15: Invalid response from http://geheimbund.ddnss.de: "\r\n<html lang="en">\r\n\r\n <meta charset="UTF-8">\r\n <meta http-equiv="X-UA-Compatible" content="IE=edge">"

My web server is (include version):
apache/2.4.52

The operating system my web server runs on is (include version):
Ubuntu Server 20.4.1 LTS

My hosting provider, if applicable, is:
self-hosting

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.32.2

Welcome to the community @pikewerfer

First, URL forwards work fine with HTTP but they do not work with HTTPS. You will need to re-think how this works. The reason is that HTTPS requires a certificate at the system the client (like a browser) connects to. If you first connect to feenburg.net at Google, then Google needs a certificate for that name, but you can't do that with URL Redirect services.

Do you require a dynamic DNS service? That is, does your IP change regularly?

For HTTPS, you will need to have your DNS use A (IPv4) and/or AAAA (if IPv6) records to point directly to your Apache server.

Right now your geheimbund.ddnss.de points to 87.145.181.243. If you set up Google DNS to point to that too, you should be fine. Of course, if your IP changes you need to change it here too. CNAME is sometimes helpful but cannot be used at the apex (or top level) domain, just subdomains.

Right now you should be able to have a VirtualHost in Apache for your geheimbund.ddnss.de domain and get a cert for that to use HTTPS. You could just abandon the use of feenburg once you have that working.

5 Likes

I'd start by creating a CNAME for
www.feenburg.net
to point to:
geheimbund.ddnss.de

Instead of Google Hosting:

nslookup www.feenburg.net
Name:    ghs.googlehosted.com
Addresses:  2607:f8b0:4008:807::2013
          142.250.64.147
Aliases:  www.feenburg.net

5 Likes

And what for feenburg.net ? (a 302 redirect service)

4 Likes

Since it is the apex, it has to be handled via HTTP.
I'd catch the HTTP and redirect to "www".
But for HTTPS...
They would have to have an actual site for it.
But if they have that, why need the CNAME?

4 Likes

And if someone does https://feenburg.net ? (even like Chrome behind the scenes)

That's why I suggested A / AAAA records in feenburg.net

5 Likes

Hello all,

wow, vibrant community. I think I will stick around and learn. Thank you for the replies. I am what is usually called a "noob", so let me see if I understood your input. Since I definitely will continue to have a Dynamic DNS Service and would like to host this from home:

  1. I need to create a CNAME for www.feenburg.net (I will look up how to do that)
  2. people just using feenburg.net (omitting the www.) will not be covered by this, so I would also need to use A/AAAA records (will also look that up - no idea how to do that)
  3. If all that fails, I would need to abandon my idea of using www.feenburg.net as the top domain name, and just go with geheimbund.ddnss.de (which would be an inconvenience, but possible).

Have I gotten it right? If so, I will continue my little project accordingly. Thanks for all the help!

2 Likes

#1 can be done in your DNS zone control panel
#2 [normally] can't be CNAMEd, so they will not reach your DDNS IP [without using "www"].
#3 failure is NOT an option! - LOL

2 Likes

As to "failing" it mostly depends on your needs regarding the apex name feenburg.net. It will need an A / AAAA record for your server IP. You say that IP changes which is why you need DDNS. So, you will have to manually change this DNS record whenever your IP changes.

If that is not viable then it "fails".

If you have programming skills you could move that domain name to another DNS provider that offers DDNS. Some, like Cloudflare, require you to write your own script to auto-update the DNS records when your IP changes (that is, do your own DDNS). For Cloudflare there are some 3rd party tools to do that. Other DNS providers can/may offer similar.

The problem with Google Domains is it does not offer an API for changes so you can't automate it.

This really comes down to how many people will be using these names and how often does this IP change. If the answers are many and often you will want an automated solution.

4 Likes

I predict very little traffic, as this site is for my family and friends only. But still, automating this manually does not sound good. So I think my action plan should be something like this:

a. deactivate feenburg.net for now.
b. use certbot to get the website onto https using geheimbund.ddnss.de
c. move feenburg.net to a different provider that would allow me to do https/DDNS (like cloudflare) - I live in Germany and would be open to suggestions on how to get that done best.

Sounds good?

1 Like

Yes, getting geheimbund working is a good first step.

How often does your IP actually change? Daily, rarely?

As for Cloudflare, this topic (link here) explains some DDNS options. The Cloudflare community is a good resource too.

When you request the cert for the geheimbund domains that cert will only work when that domain is used to connect to your domain. When you get feenburg working you will need to get a cert with all 4 names (the apex and www of each).

Cert renewals (every 60 days usually) will need to have each domain name working (that is, the IP addresses in the DNS records must be right).

3 Likes
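The replies above say each name on the certificate must have A/AAAA records pointing directly at the Apache server, both at issuance and at every renewal. A pre-flight check for that, as an added example that is not part of any post in this thread: the function names and the `SAMPLE_DNS` table are assumptions, with addresses copied from the nslookup output and the CA error quoted earlier so the check runs offline.

```python
import ipaddress
import socket

# Constructed sample: addresses copied from the nslookup output and the CA
# error quoted in this thread, frozen into a table so the example runs offline.
SAMPLE_DNS = {
    "geheimbund.ddnss.de": {"87.145.181.243"},
    "www.feenburg.net": {"2607:f8b0:4008:807::2013", "142.250.64.147"},
    "feenburg.net": {"2001:4860:4802:34::15"},
}
SERVER_IPS = ["87.145.181.243"]  # public address of the Apache host


def system_resolver(name):
    """A/AAAA addresses from the system resolver (live DNS)."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def preflight(names, server_ips, resolver=system_resolver):
    """Map each name to 'ok', 'mixed', 'elsewhere' or 'unresolved'."""
    ours = {ipaddress.ip_address(ip) for ip in server_ips}
    report = {}
    for name in names:
        addrs = {ipaddress.ip_address(a) for a in resolver(name)}
        if not addrs:
            report[name] = "unresolved"
        elif addrs <= ours:
            report[name] = "ok"         # every published address is this server
        elif addrs & ours:
            report[name] = "mixed"      # a stray A/AAAA may receive the challenge
        else:
            report[name] = "elsewhere"  # e.g. a forwarding service answers instead
    return report


def certbot_args(report):
    """-d arguments for the names whose DNS points only at this server."""
    return [arg for name, state in report.items() if state == "ok" for arg in ("-d", name)]


if __name__ == "__main__":
    report = preflight(SAMPLE_DNS, SERVER_IPS, resolver=lambda n: SAMPLE_DNS.get(n, set()))
    for name, state in report.items():
        print(f"{state:10} {name}")
    print("certbot --apache", *certbot_args(report))
```

Calling `preflight` without the `resolver` argument queries live DNS, which makes it usable before each renewal when the home IP may have changed.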

OK - I think I solved it....

So I did sudo certbot --apache. When it asked me for the domain, I just put in geheimbund.ddnss.de and it worked like a charm. All done.

I then went to my browser and entered https://geheimbund.ddnss.de and immediately went to my little website - secure!

I then went to Google in order to turn the domain off - and realized that I was forwarding to http://geheimbund.ddnss.de. I changed this, forwarding now to https://geheimbund.de.

And now, both www.geheimbund.net and geheimbund.net forward to https://geheimbund.ddnss.de and are - secure! Which is just what I wanted :slight_smile:

Thanks for all your help and input! So happy to have been able to get this up and running!

2 Likes

No, I don't think those are working. And, what about your feenburg.net domain?

I do see https://geheimbund.ddnss.de working properly. Just not any of the others. Examples:

curl -iL -m8 https://geheimbund.net
curl: (28) Connection timed out after 8001 milliseconds

curl -iL -m8 https://www.geheimbund.net
curl: (6) Could not resolve host: www.geheimbund.net

curl -iL -m8 https://feenburg.net
curl: (35) error:0A000126:SSL routines::unexpected eof while reading

curl -iL -m8 https://www.feenburg.net
curl: (35) error:0A000126:SSL routines::unexpected eof while reading

3 Likes

Sorry, my brain was addled.

So, https://geheimbund.ddnss.de is working.

And www.feenburg.net and feenburg.net both reroute now to https://geheimbund.ddnss.de. Which is secure. (I do not know who actually owns www.geheimbund.net and geheimbund.net, that was my brain being confused, as I actually first wanted those domains because I did own them like 20 years ago and had my website running there. But they are owned by someone).

I get that both www.feenburg.net and feenburg.net are just reroutes, and are not themselves https domains, but just point towards one - but actually, for this little project of mine, that is completely sufficient.

1 Like

Just to be clear. Anyone trying to reach https://feenburg.net (or www.feenburg) will fail as I showed above. If they force or try http:// it will redirect to your https://geheimbund.ddnss.de.

Note that browsers are moving towards favoring (or even requiring) https over http so don't be surprised if redirects from feenburg don't always work as you have it now.

3 Likes

Sounds like that just took care of step "b."

3 Likes
