FQDN on split horizon private dns forwarders for VPN hosts with webmin

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: wingarmac.org

I ran this command: root@ubserv:/var/www/public_html2# certbot certonly --dns-route53 -d ubserv.wingarmac.org
It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for ubserv.wingarmac.org
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
I ran this command: root@ubserv:/var/www/public_html2# cat /var/log/letsencrypt/letsencrypt.log | nc termbin.com 9999
It produced this output: https://termbin.com/bg0us

My web server is (include version): Bind9, WireGuard, Apache2 and Webmin, for which I would like a certificate for each host that is part of my VPN

The operating system my web server runs on is (include version): Ubuntu server 22.04 Jammy Jellyfish

Domain name hosting:
wingarmac.org (easyhost.be, pointing to my fixed public IP)
wingarmac.com (Google Domains, pointing to my fixed public IP)
wingarmac.org is for VPN DNS forwarding and host names,
with both servers at:
ubserv.wingarmac.org (ns1) (VPN IP 10.5.5.1)
ubcynt.wingarmac.org (ns2) (VPN IP 10.5.5.2)

Under wingarmac.com are registered the LAN IPs of both my BIND split-horizon DNS servers: ns1.wingarmac.com (192.168.1.10) and ns2.wingarmac.com (192.168.1.20).

I can login to a root shell on my machine (yes or no, or I don't know):
ubcynt and ubserv are my own servers at home.
ubcynt is installed with the Cinnamon desktop and I SSH from it to ubserv to set up the Webmin mentioned above, which should also be installed on all future VPN hosts of my private network.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO, I have only set the domain to point to my public IP on each respective dashboard (Google and Easyhost)

I could get the cert for wingarmac.org but not for my host names.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

I do not require web hosting, and would rather not have a web page. I only installed Apache in order to be able to get a certificate for my entire domain, and eventually for login options to the VPN hosts later, if I need to use it after all.

All my devices can ping each other using their FQDN and give results with dig and nslookup. Some applications use 127.0.0.1 and need to be set to use my own DNS so they can find my hosts by their names.

I think something might be wrong with the settings in BIND after all, since my local servers can reach each other but my mobile, when on the VPN, can't reach my servers by name, only by VPN IP.

This last one was resolved by using the default DNS in Chrome's security settings, so it uses the DNS provided by the VPN connection instead of Google's public DNS that was set before.

If you want to use the http-01 or tls-alpn-01 challenge, you will need a server answering on the public IP (it does not need to be the same server as the internal one).
Add ubserv and ubcynt subdomains pointed to the same fixed public IP, or use the DNS-01 challenge using the API from Google Domains.
(And sleep an hour, as it's rate-limited currently.)


Or even better: use the staging environment until testing succeeds!

Also, I'm seeing the Route53 DNS plugin being used? But I don't see any reference to AWS/Amazon in the text?

What's also puzzling me is how the same domain could be hosted by easyhost.be and Google Domains? Currently it seems to be hosted by easyhost.be and not with Google. Google also isn't the registrar, which seems to be Combell according to the whois.

So the OP's post leaves me with more questions than answers, unfortunately.


They'd have to use the API for Easyhost because that's who is currently authoritative for the public zone.

>dig +noall +authority wingarmac.org ns @a0.org.afilias-nst.info
wingarmac.org.          3600    IN      NS      ns1.easyhost.be.
wingarmac.org.          3600    IN      NS      ns3.easyhost.be.
wingarmac.org.          3600    IN      NS      ns2.easyhost.be.
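The two replies above boil down to one pre-flight question: what does the public copy of the zone say about the host name, and can the CA reach the address it gets? The script below is an added example (not code from the thread) that asks exactly that before certbot is run, so no attempt is wasted against the Failed Validation limit. It assumes `dig` (bind9-dnsutils) is installed, deliberately bypasses the host's own split-horizon resolver by asking an authoritative server, and uses 1.1.1.1 merely as an arbitrary public recursive resolver to discover the NS set.

```shell
#!/bin/sh
# Pre-flight check before requesting a Let's Encrypt certificate:
# which ACME challenge can work for a host name, given what the *public*
# copy of the zone says? Added example; assumes `dig` is installed.
# Nothing here talks to the CA, so it costs no rate-limit budget.

# Return 0 (true) when the IPv4 address is not routable from the internet:
# RFC 1918 (10/8, 172.16/12, 192.168/16), loopback (127/8), link-local (169.254/16).
is_private_ip() {
    ip=$1
    oldIFS=$IFS
    IFS=.
    set -- $ip
    IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    case "$1$2$3$4" in *[!0-9]*|"") return 1 ;; esac
    case "$1" in
        10|127) return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
        192) [ "$2" -eq 168 ] && return 0 ;;
        169) [ "$2" -eq 254 ] && return 0 ;;
    esac
    return 1
}

# Which challenges are possible when the public A record for the host is $1.
# http-01 and tls-alpn-01 require the CA to connect to that address, so a
# private IP, or no record at all (passed as ""), leaves only dns-01.
challenges_for() {
    case "$1" in
        "") echo "dns-01 (no public A/AAAA record)" ;;
        *)  if is_private_ip "$1"; then
                echo "dns-01 (public zone points at a private IP)"
            else
                echo "http-01 tls-alpn-01 dns-01"
            fi ;;
    esac
}

# Walk up the labels of a name until one has an NS set: that is the zone the
# CA will consult. 1.1.1.1 is an arbitrary public recursive resolver.
find_zone() {
    name=$1
    while [ "${name#*.}" != "$name" ]; do
        if [ -n "$(dig +short NS "$name" @1.1.1.1)" ]; then
            echo "$name"
            return 0
        fi
        name=${name#*.}
    done
    return 1
}

# The A record as one of the zone's authoritative servers publishes it.
# A local BIND view would otherwise hide what the CA actually sees.
public_a_record() {
    host=$1
    zone=$(find_zone "$host") || return 1
    ns=$(dig +short NS "$zone" @1.1.1.1 | head -n1)
    [ -n "$ns" ] || return 1
    dig +short A "$host" "@$ns" | head -n1
}

check_host() {
    host=$1
    ip=$(public_a_record "$host" || true)
    echo "$host -> public A record: ${ip:-<none>}"
    echo "usable challenges: $(challenges_for "$ip")"
}

# Usage: ./acme-precheck.sh ubserv.wingarmac.org
if [ $# -gt 0 ]; then
    check_host "$1"
fi
```

Once the check reports a usable challenge, do the first real attempt with `certbot certonly ... --dry-run`, which uses the staging environment and does not count against the production failed-validation limit.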

If you look closer, you'll see it is NOT the same domain.
LAN = com
VPN = org

I have an ISP router (192.168.1.1) that has my fixed public IP.
Both my ubserv and ubcynt computers are connected to it.
Other VPN devices can be anywhere on the net (my daddy's laptop and mobile, for example).

The goal is that the VPN PCs all have Webmin hosted, which only ubcynt and my own mobile could reach.
The same will be true for SSH on the Linux hosts that are part of my VPN.

I will do maintenance and provide all the public DNS forwarders (like Google DNS or others) and my ISP's DNS as well, so that my father can surf in another country as if he were home, and by the way over an encrypted connection that I manage on my own.

I would rather not outsource anything (cloud DNS or the like is never really free); since it's private, I have no benefit in investing.

I would eventually go for higher SSL security if I could find an easy way to set it up for what I intend to do. All my VPN hosts with Webmin should be reachable from mobile and ubserv, as they are connected to my VPN, by using their name under my FQDN. https://ubserv.wingarmac.org should open 10.5.5.1:10001 without showing this IP and port in the browser, since I have my own DNS servers and I should be able to request SSL for my domain, so that every host is on SSL when I enter any of them.

Is this possible? Without any outsourced option except eventualy your services? And if so, at what cost?

Maybe this will give you a better overview of the wingarmac.org domain and its VPN zone:

$TTL 86400
@	IN	SOA	ubserv.wingarmac.org. admin.wingarmac.org. (
			2023031103	; serial
			3600		; refresh
			1800		; retry
			604800		; expire
			86400 )		; negative caching TTL

; Name Servers (apex only; an NS record under a host name would delegate
; that name to itself and turn its A record into glue)
@     IN NS  ubserv.wingarmac.org.
@     IN NS  ubcynt.wingarmac.org.

; A records for VPN network (ubserv/ubcynt also serve as glue for the NS above)
ubserv      IN A   10.5.5.1
ubcynt      IN A   10.5.5.2
niang       IN A   10.5.5.3
mobile      IN A   10.5.5.4
daddypc     IN A   10.5.5.10

; Webmin virtual hosts
webmin.ubserv IN A     10.5.5.1
webmin.ubcynt IN A     10.5.5.2

; Generic "server" name answering with both VPN servers (round-robin);
; the MX and SPF records only matter if mail is actually handled here,
; and SPF must appear exactly once per name
server  IN  A    10.5.5.1
server  IN  A    10.5.5.2
server  IN  MX   10  ubserv.wingarmac.org.
server  IN  MX   10  ubcynt.wingarmac.org.
server  IN  TXT  "v=spf1 mx -all"

; Reverse DNS records cannot live in this forward zone: named ignores
; out-of-zone data. Put them in a separate 5.5.10.in-addr.arpa zone file:
;   1    IN PTR ubserv.wingarmac.org.
;   2    IN PTR ubcynt.wingarmac.org.
;   3    IN PTR niang.wingarmac.org.
;   4    IN PTR mobile.wingarmac.org.
;   10   IN PTR daddypc.wingarmac.org.

Please edit your first post, 'cause now both are .org:


Sorry for my mistake. I apologise.


If you are trying to obtain a cert for ubserv.wingarmac.ORG and ubcynt.wingarmac.ORG, then wingarmac.COM and where it is hosted is irrelevant. All the CA cares about are the records in the internet copy of wingarmac.ORG.

If those records either don't exist or point to private IPs in the internet copy of that zone, you can't use the http-01 challenge and your only option is dns-01, which will require creating TXT records, either manually or via a plugin, at Easyhost.be, where the wingarmac.ORG zone is being hosted.

I'm not sure why Route53 would be in your command if it's not actually being used to host any of your DNS.

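The reply above points at dns-01 with TXT records created at Easyhost, for which certbot has no plugin, so the record has to be entered by hand. The added example below (not from the thread) is a `--manual-auth-hook` that makes the manual route safer: certbot passes it `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION`, it prints the exact `_acme-challenge` TXT record to create, and it only returns once every authoritative server for the zone actually serves that value, so the CA is never asked to validate a record that has not propagated yet (each such failure is what fills the Failed Validation limit). It assumes `dig` is installed, that the host name sits directly under the delegated zone, and uses 1.1.1.1 only as an arbitrary public resolver to find the NS set.

```shell
#!/bin/sh
# certbot --manual-auth-hook for dns-01 when the public zone lives at a DNS
# host without an API (here wingarmac.org at Easyhost). Added example, not
# from the thread. Assumes `dig`; 1.1.1.1 is just some public resolver used
# to discover the zone's NS set.

# The owner name the CA queries for a dns-01 challenge on a given domain.
acme_txt_name() { echo "_acme-challenge.$1"; }

# Parent zone of a host: ubserv.wingarmac.org -> wingarmac.org.
# Assumption: the host is directly under the delegated zone.
parent_zone() { echo "${1#*.}"; }

# $1: `dig +short TXT` output (one record per line, quoted, possibly split
# into several quoted strings), $2: expected token. True if a record equals it.
txt_has_value() {
    printf '%s\n' "$1" | sed 's/" "//g; s/^"//; s/"$//' | grep -Fxq -- "$2"
}

# Poll every authoritative NS of $1 until all of them serve $3 for name $2,
# or give up after $4 seconds (default 600). Secondary servers lag behind the
# primary, and the CA may query any of them.
wait_for_txt() {
    zone=$1; name=$2; token=$3; timeout=${4:-600}; waited=0
    nslist=$(dig +short NS "$zone" @1.1.1.1)
    if [ -z "$nslist" ]; then
        echo "no NS records found for $zone" >&2
        return 1
    fi
    while [ "$waited" -lt "$timeout" ]; do
        ok=1
        for ns in $nslist; do
            txt_has_value "$(dig +short TXT "$name" "@$ns")" "$token" || ok=0
        done
        [ "$ok" -eq 1 ] && return 0
        sleep 15
        waited=$((waited + 15))
    done
    echo "timed out: $name TXT not visible on all NS of $zone" >&2
    return 1
}

# Certbot sets these variables when it runs the hook; when invoked by hand
# without them, the script only defines the functions above.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    name=$(acme_txt_name "$CERTBOT_DOMAIN")
    zone=$(parent_zone "$CERTBOT_DOMAIN")
    printf 'Create this record at the DNS host for %s; validation starts once it is live:\n' "$zone"
    printf '  %s. 60 IN TXT "%s"\n' "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$zone" "$name" "$CERTBOT_VALIDATION" 600
fi
```

Invoke it as `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /usr/local/sbin/acme-dns-hook.sh -d ubserv.wingarmac.org --dry-run` first; the `--dry-run` run goes to staging and proves the record workflow before a production attempt is spent. Certbot shows the hook's output, so the record to create appears on the terminal while the hook waits.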

Because I'm no professional; I tested diverse options I found on the web and tried to make some sense out of them on my own. I've installed and purged a lot of software and tested many things before coming to disturb people with my problems on a forum (like the Google DDNS client, No-IP, and many more, to find out what would meet my needs).

I've reinstalled my main server so many times I didn't count them.

It would be nice if I had some log of everything I did, to make people understand my point of view and what I intend to do faster and with fewer errors while trying to explain.

I thank you for trying, anyway!

You are right, there were still some problems with my DNS servers and domain setup that I'm still trying to solve. It should already be working better now, but I still have work to do to make it work like it should.

For the SSL encryption, I'll wait until I'm sure every host can be found by the main Webmin host. Then I'll double-check with someone I've talked to on Webmin's forum what I have to do to make it work as I intend to.

Normally, if I understood it right, there would be no need for that. These hosts would be part of the same domain and also virtual hosts available on my web server, with each Webmin host page proxied to the right URL of the main web server. I don't know if I'm explaining it right. But it seems I can use the built-in proxy of Apache to redirect URLs to ip:port, which would be convenient for what I intend to do. All my VPN Webmin hosts would be part of the same password-protected website that I could finally request SSL for.

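The plan described in the post above, https://ubserv.wingarmac.org opening Webmin on 10.5.5.1:10001 via Apache's built-in proxy, reachable only by ubcynt and the mobile, is the kind of thing worth writing down precisely, because a reverse proxy that listens on every interface quietly exposes Webmin on the LAN and the public IP too. The added example below (not the OP's configuration) is a small generator for such a vhost: it binds the listener to the VPN address only, adds `Require ip` for the permitted VPN clients as a second gate, and proxies to Webmin's own TLS listener. Assumptions: Apache 2.4 with mod_ssl, mod_proxy, mod_proxy_http and mod_headers; a Let's Encrypt certificate already issued for the name under the usual /etc/letsencrypt/live path; Webmin on the port the OP mentioned (10001) with its default self-signed TLS listener.

```shell
#!/bin/sh
# Generate (and optionally install) an Apache vhost that publishes one VPN
# host's Webmin at https://<fqdn>/ on the VPN-facing address only.
# Added example, not the OP's config. Assumes Apache 2.4 with mod_ssl,
# mod_proxy, mod_proxy_http, mod_headers, and a cert at /etc/letsencrypt/live/<fqdn>/.

VPN_LISTEN_IP=10.5.5.1    # ubserv's WireGuard address (from the thread)

# $1 fqdn, $2 backend IP, $3 backend port, remaining args: client IPs allowed in.
render_vhost() {
    fqdn=$1; backend=$2; port=$3; shift 3
    allowed="$*"
    cat <<EOF
# Listen on the VPN address only: nothing is exposed on the LAN or public IP.
<VirtualHost $VPN_LISTEN_IP:443>
    ServerName $fqdn

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/$fqdn/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$fqdn/privkey.pem

    # Second gate after the network itself: only these VPN clients may reach Webmin.
    <Location "/">
        Require ip $allowed
    </Location>

    # Webmin's listener uses its own self-signed cert. Skipping name checks is
    # tolerable when the backend is this same machine or the hop stays inside
    # the WireGuard tunnel; otherwise pin the cert with SSLProxyCACertificateFile.
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerName off

    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass        / https://$backend:$port/
    ProxyPassReverse / https://$backend:$port/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
EOF
}

# Write the vhost, enable what it needs, and reload only if the config parses.
install_vhost() {
    render_vhost "$@" > "/etc/apache2/sites-available/$1.conf"
    a2enmod ssl proxy proxy_http headers >/dev/null
    a2ensite "$1.conf" >/dev/null
    apache2ctl configtest && systemctl reload apache2
}

# Usage:
#   ./webmin-vhost.sh print   ubserv.wingarmac.org 10.5.5.1 10001 10.5.5.2 10.5.5.4
#   ./webmin-vhost.sh install ubserv.wingarmac.org 10.5.5.1 10001 10.5.5.2 10.5.5.4
case "${1:-}" in
    print)   shift; render_vhost "$@" ;;
    install) shift; install_vhost "$@" ;;
esac
```

Webmin itself has to be told about the proxy: its referer check rejects requests arriving under a different host name, so the proxied FQDN has to be added as a trusted referer in Webmin's configuration (the `referers=` setting in /etc/webmin/config on the versions I know; check yours). The same generator, with another backend IP and FQDN, gives one vhost per VPN host, all served from the single certificate-bearing Apache.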

Here are my last results:
