Fritz!Box: add fritz.box as a local-only domain to the certificate in addition to myfritz.net

Hello all,

I am using the MyFritz! service, which by default provides an automatically generated Let's Encrypt certificate.
So far, so good.

But when I try to reach my local Fritz!Box web services like "https://fritz.box", I still get a certificate error message; in Chrome the message is "ERR_CERT_AUTHORITY_INVALID".
OK, I took a look at the certificate and, as I understand it, the root cause is:
Fritz!Box creates a certificate that has only e.g. "1234567890abcdef.myfritz.net" as subject and not fritz.box.
So I started a standalone Windows Server with IIS, added port 80 bindings for "1234567890abcdef.myfritz.net" and "fritz.box" and enabled port forwarding on the Fritz!Box, so that "http://1234567890abcdef.myfritz.net" was reachable via the internet.

With win-acme I tried to create a new certificate on that server and selected the following options:
M: Create certificate (full options)
1: Read site bindings from IIS
=> 1: Default Web Site (2 bindings)
=> 1st: 1234567890abcdef.myfritz.net
=> 2nd: fritz.box
Site identifier(s) or to choose all:
Binding identifiers(s) or menu option:
Please pick the main host, which will be presented as the subject of the certificate:
=> Selected 1234567890abcdef.myfritz.net
Continue with this selection? (y*/n) - yes
Suggested friendly name '[IIS] (any site), (any host)', press to accept or type an alternative:
How would you like prove ownership for the domain(s)?:
=> 2: [http-01] Serve verification files from memory
What kind of private key should be used for the certificate?:
=> RSA key
How would you like to store the certificate?: 2
=>2: PEM encoded files (Apache, nginx, etc.)
Path to folder where .pem files are stored: C:\Temp
Password to use for the private key .pem file or for none: **********************
Would you like to store it in another way too?:
=> 5: No (additional) store steps
Which installation step should run first?:
=> 4: No (additional) installation steps

But then I got the following error message:
[1234567890abcdef.myfritz.net] Cached authorization result: valid
[fritz.box] Authorizing...
[fritz.box] Authorizing using http-01 validation (SelfHosting)
[fritz.box] Authorization result: invalid
[fritz.box] {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up A for fritz.box - check that a DNS record exists for this domain",
"status": 400
}
Create certificate failed, retry? (y/n*)

As I understand that result, win-acme can validate the myfritz.net address, but not the fritz.box address.

How can I add fritz.box as a second subject entry to the certificate? :slight_smile:
Or maybe I'm totally wrong? :zipper_mouth_face: :roll_eyes:

Thanks a lot for feedback :relaxed:

IIS web server is version 8.0
The OS my web server runs on is Windows Server 2012
win-acme version is 2.1.16.1037


Hi @tralveller

You are not the owner of the domain fritz.box, so you can't create a certificate with that domain name.

  • Add a browser exception (or)
  • use only the unique internet address.

Hi @JuergenAuer

Thanks for the fast reply :slight_smile:
Hmm, not even if I set up a DNS server locally and change the config so that this request is redirected to a local resource? :slightly_frowning_face:

Thanks a lot and kind regards
Tralveller

Please see:

All validations must be publicly accessible from the world wide web. Otherwise anyone could generate a publicly valid certificate for any hostname. You need to be able to prove ownership.


You are not the domain owner.

I also have a fritz.box - that's not a worldwide unique domain name.

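The two points made in this thread can be made concrete with a small script. This is an added example, not code from the thread, from win-acme or from AVM. Part one is the browser-side check: a certificate whose only subjectAltName is 1234567890abcdef.myfritz.net can never be accepted for a request to fritz.box, whatever local DNS says. Part two is the CA-side precondition: before a name goes into an ACME order, it has to resolve in public DNS to an address the CA can reach from the internet, because http-01 validation happens from the CA's vantage point, not from your LAN; a name that exists only locally produces exactly the NXDOMAIN error quoted above. All hostnames and addresses in the script are constructed (203.0.113.10 is a documentation address, 192.168.178.1 an assumed router address), and the DNS lookups are answered by a fake resolver so the script runs offline; the system resolver is included for trying it against live DNS.

```python
"""Added example: hostname-vs-SAN matching and an ACME pre-issuance DNS check."""
import ipaddress
import socket

# Constructed sample data: the single SAN the thread reports on the MyFritz!
# certificate, and a fake "public DNS" zone so the script runs offline.
SAN_ON_MYFRITZ_CERT = ["1234567890abcdef.myfritz.net"]

FAKE_PUBLIC_DNS = {
    "1234567890abcdef.myfritz.net": ["203.0.113.10"],  # public address (TEST-NET-3)
    "router.lan": ["192.168.178.1"],                   # assumed LAN-only address
    # "fritz.box" is deliberately absent: NXDOMAIN, as in the win-acme error
}

# Address ranges a public CA can never reach for http-01 validation.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


def hostname_matches_cert(hostname, san_dns_names):
    """RFC 6125-style match of a requested hostname against the dNSName SAN
    entries of a certificate.  A wildcard is honoured only as the whole
    left-most label, matches exactly one label, and is refused for patterns
    with fewer than three labels (so "*.box" never matches)."""
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        pat_labels = name.rstrip(".").lower().split(".")
        if len(pat_labels) != len(host_labels):
            continue
        if pat_labels[1:] != host_labels[1:]:
            continue
        if pat_labels[0] == host_labels[0]:
            return True
        if pat_labels[0] == "*" and len(pat_labels) >= 3:
            return True
    return False


def system_resolver(name):
    """Resolve through the OS resolver; raises socket.gaierror on NXDOMAIN."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, 443)})


def fake_resolver(name):
    """Offline stand-in for public DNS, backed by FAKE_PUBLIC_DNS."""
    if name not in FAKE_PUBLIC_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_PUBLIC_DNS[name]


def acme_preflight(names, resolve=system_resolver):
    """For each name return None if a public CA could plausibly validate it,
    otherwise a reason string.  Mirrors what the CA does: look the name up in
    public DNS, then connect to the answer from the internet."""
    report = {}
    for name in names:
        try:
            addrs = resolve(name)
        except socket.gaierror:
            report[name] = "NXDOMAIN: no public DNS record, CA cannot validate"
            continue
        if not addrs:
            report[name] = "no addresses returned, CA cannot validate"
            continue
        lan_only = all(
            any(ipaddress.ip_address(a) in net for net in LAN_RANGES)
            for a in addrs
        )
        if lan_only:
            report[name] = "resolves only to private addresses, CA cannot reach it"
        else:
            report[name] = None
    return report


if __name__ == "__main__":
    for host in ("1234567890abcdef.myfritz.net", "fritz.box"):
        ok = hostname_matches_cert(host, SAN_ON_MYFRITZ_CERT)
        print(f"{host:32} accepted for MyFritz! certificate: {ok}")
    names = ["1234567890abcdef.myfritz.net", "fritz.box", "router.lan"]
    for name, reason in acme_preflight(names, resolve=fake_resolver).items():
        print(f"{name:32} {'OK' if reason is None else reason}")
```

Running it with the fake resolver shows fritz.box failing both checks: it does not match the certificate, and it cannot be ordered because no public DNS record exists. Pointing a local DNS server at the router changes nothing for either check, since the browser compares names, not addresses, and the CA does not use your resolver. To try the preflight against live DNS, pass `resolve=system_resolver` (the default).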

@Osiris @JuergenAuer
Maybe I missed something, and I found no other clear entry about this.
OK, then that's how it is.

Thanks for the explanations and details :slight_smile:
Maybe these details are helpful for others :+1:

