Hostname or Domain?

I am trying to set up SSL on an Open Media Vault (OMV) NAS server using the Let’s Encrypt plugin.

The plugin asks for a domain name, but I don’t have a domain. Currently all I have is an IP address because I’m still configuring the server and don’t want to make it reachable by the outside world until I’m confident it’s secure and properly configured.

Furthermore, since this is just a home system, there’s no unique domain. Instead, for outside access I use dynamic DNS hostnames from a company called no-ip. So my existing hosts are all in the ddns.net domain, which no-ip owns. Then a hostname assigned to me would look like mydevice.ddns.net.

So what should I be using where the plugin asks for a domain?

It’s asking what name you want the certificate to cover, so you can tell it mydevice.ddns.net.


Unless you use DNS-validation, you won't be able to issue a certificate until it's accessible. You could get by with a self-signed until you're happy with your config and are ready to open it up, of course.


Thanks!

I was misled by the nomenclature in the plugin. It asks for a domain name, but you’re saying a host name will work.

Jared, thanks for the reply.

But please forgive me. I’m really a newbie on everything SSL. So I’m still unsure what to do.

First, if I understand correctly, DNS-validation verifies that an entity seeking an SSL certificate actually has rights to the name for which it’s seeking a certificate. A trusted certificate authority (CA) does the validation. To use a validated host name, the CA has to be able to reach the host.

OTOH, a self-signed certificate is one in which the entity itself, rather than a CA, generates the SSL certificate.

Since I have no interest in configuring my own domain server, I don’t see how I could use a host name without making the NAS accessible from outside the local network. This leaves only the IP address for pre-production configuration.

Second, when the NAS goes into production mode, one has to set up port-forwarding, assign a host name, register the host name with a trusted CA, and install that certificate. Let’s call this process “going public.”

So I have two questions:

  1. Do I understand this correctly?
  2. Can one use just an IP address instead of a domain/host name to enable https while the system is being configured before it goes public (i.e., before it can use an external domain server to associate names with IP addresses)?

You’re close. Let’s Encrypt does validate that you have control over the domain name, but there are currently two ways to validate that. One is the http-01 challenge type, which establishes an http connection to your server to pull a challenge file. The other is dns-01, which requests a specific TXT record from your domain’s DNS. The latter never actually establishes a connection to your server, so you can issue a certificate for a server that doesn’t even exist yet, as long as you control DNS for that zone.

As for IP address, there’s no way to get a certificate for an IP address from Let’s Encrypt. Some commercial CAs will provide these, but there’s a lot of weirdness around that, since it’s not unlikely for someone to control an IP address now and then not control it 10 minutes later.

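The two challenge types described in the reply above, as an added example that is not part of the original thread: it computes what an ACME client has to publish for http-01 and for dns-01, following RFC 8555 and RFC 7638. The account key and token are constructed sample values, and `mydevice.ddns.net` is the hostname from the question.

```python
import base64
import hashlib
import json

# Constructed sample values: not a real account key or CA-issued token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x",
              "y": "constructed-y", "kid": "optional-member"}
SAMPLE_TOKEN = "constructed-token-123"

# RFC 7638 hashes only the required members of each key type.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"),
            "OKP": ("crv", "kty", "x")}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members, sorted, with no whitespace."""
    required = {k: jwk[k] for k in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Token joined to the account key thumbprint; both challenges use it."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(name: str, token: str, jwk: dict) -> dict:
    """The CA fetches this URL from the host itself, so it must be reachable."""
    return {"url": f"http://{name}/.well-known/acme-challenge/{token}",
            "body": key_authorization(token, jwk)}


def dns01_response(name: str, token: str, jwk: dict) -> dict:
    """The CA only queries DNS; a wildcard is validated at its base name."""
    base = name[2:] if name.startswith("*.") else name
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return {"record": f"_acme-challenge.{base}", "type": "TXT",
            "value": b64url(digest)}


if __name__ == "__main__":
    for build in (http01_response, dns01_response):
        print(build("mydevice.ddns.net", SAMPLE_TOKEN, SAMPLE_JWK))
```
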
