How to secure Dynamic DNS

#1

My domain is: dragonosman.dynu.net

I ran this command:

It produced this output:

My web server is (include version): Boost.Beast version 1.0.0

The operating system my web server runs on is (include version): Windows 10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): I do have the web server on my own computer; I wrote a C++ console app that acts as the server and it uses example server code from Boost.Beast.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): N/A

I left the command stuff blank because I haven’t tried to run commands for this anywhere (don’t know what commands to run where, anyway).

I got a free Dynamic DNS subdomain name from dynu.com. I can’t use Port 80 or Port 443 to verify domain ownership because both Ports are used by the router. I have to open and use Ports other than one of those or 8080, so I’m using Port 5501 to host my application (it’s a web application I made).

I defined Inbound and Outbound rules in the Windows Defender Firewall settings to allow connections remotely from the IP addresses mentioned on the page for verifying domain ownership, but whenever I click the link for automatically verifying the domain name, I get an error saying that either the port, host and FTP type are wrong or the firewall is configured incorrectly. I tried FTP and FTPS on Port 21. I’m completely lost now.

#2

Hi @DragonOsman,

Let’s Encrypt policy, and, to some extent, CA industry rules don’t give you this option. To prove your control of a name via an inbound connection, you must use port 80 or port 443. (I’m not sure what software is referring to FTP, or why.) The options supported by Let’s Encrypt are all described at

You might be able to use Let’s Encrypt’s DNS-01 challenge instead (where you create DNS TXT records to prove your control over the name). There are some previous discussions on the forum involving other dynu.net users:

https://community.letsencrypt.org/search?q=dynu.net

#3

Posh-ACME might be a good fit. It’s a PowerShell based client which works well on Windows 10 and it has a native DNS plugin for Dynu.com. There’s a note on the plugin’s usage guide that indicates it may not work with Dynu provided domains. But it looks like that may be an old restriction that’s not valid anymore. Or it may just be limited differently now? When I try to add a TXT record from the web GUI for one of their domains on my own account, I get this message:

This DNS record type is only available for members, top level domain names and mature (registered for more than 30 days) non dynu.com third level domain names.

Yet, when I try the same action using the Posh-ACME DNS plugin, it seems to work. I also realized the plugin is using v1 of their API which has apparently been deprecated. So I may be updating that to use their new v2 version soon.

#4

I got a certificate via acme.sh using the method suggested in one of the other threads opened by dynu.com users. But the certificate appeared in a Git bash window and it was closed before I got the chance to copy down the certificate. Do I try it again? Is there a way to get the output copied to a text file so I can get the certificate that way?

#5

The acme.sh certs are generally in a domain folder where the acme.sh script lives (something like ~/.acme.sh/example.com). You don’t likely need to generate a new one.

If you continue to have problems, it might also help to post the answers to the typical support questions like what command you actually ran now that you’ve chosen a client and started trying things.

#6

I didn’t specify a directory. And the app I want to secure is in a directory inside the E drive on my computer. Also, I found the acme.sh directory but the certificate doesn’t seem to be in there.

#7

I believe it might be in a directory starting with ., which might be hidden by default in your interface.

#8

I’ve set it so I can see hidden folders too. Could it be in the .git folder? The only other folder I have whose name has a dot at the beginning is “.github”.

#9

@Neilpang, where could an acme.sh user on Windows expect to find the certificate data after a successful certificate request?

#10

It would be in C:\Users\{name}\.acme.sh, right?

#11

I found it.

I see ca.cer, dragonosman.dynu.net.cer and fullchain.cer. Which one do I need? I also see a .csr file, a csr.conf file, and a .key (the private key?).

By the way, I want to ask: How do I make sure that the certificate is automatically renewed when needed? Do I have to do something for that?

#12

Yes, @_az is right.

It’s in:

C:\Users\{myname}\.acme.sh\mydomain.com\

#13

I see ca.cer, dragonosman.dynu.net.cer and fullchain.cer. Which one do I need? I also see a .csr file, a csr.conf file, and a .key (the private key?).

By the way, I want to ask: How do I make sure that the certificate is automatically renewed when needed? Do I have to do something for that?

[This is copy-paste. Sorry.]

#14

You are on Windows, right?

It’s a little more complicated than Linux.

  1. Make sure you have crontab installed and enabled: https://github.com/Neilpang/acme.sh/wiki#4-how-to-run-on-windows-with-cygwin
     acme.sh renews certificates by cron jobs; if the cron job service is not enabled, the renewals won’t work.
  2. After the cert is successfully renewed, how do you use the cert? You use it in IIS, or nginx or apache? After every renewal, you must copy the cert and restart/reload the server again to make the cert propagate. You must use the --installcert command: https://github.com/Neilpang/acme.sh#3-install-the-cert-to-apachenginx-etc
     The doc is about Linux; you have to figure out how to restart nginx/apache on Windows.
#15

I used Boost.Beast example server code to write my own web server for the app I want to secure. I’m not using Apache or Nginx for it. I’ll have to do something similar to what’s done in this example: https://github.com/boostorg/beast/blob/develop/example/http/server/sync-ssl/http_server_sync_ssl.cpp . Which is why I want to know which file the certificate I need is in. I’m guessing it’s ca.cer, but confirmation would be appreciated. Note: my app’s code is on GitHub at this repository: https://github.com/DragonOsman/currency_converter .

#16

@Neilpang and @_az : What is the DH certificate? Does this type of certificate provide that? And I did install ca.cer and dragonosman.dynu.net.cer, but the app itself as well as my domain name aren’t secured yet. Like I said before, I’ll have to do something like what’s done in this example: https://github.com/boostorg/beast/blob/develop/example/http/server/sync-ssl/http_server_sync_ssl.cpp , and what I currently have is this: https://github.com/DragonOsman/currency_converter . I made the server myself using the non-SSL sync server and client example code from Boost.Beast. Which certificate do I use, then, and what do I put for the DH certificate? And what about the fullchain?

#17

Assuming you mean this, DH parameters are used for the ciphersuite configuration of your server. They are totally unrelated to your Let’s Encrypt certificate. You can generate this file like:

openssl dhparam 2048

Modern ciphersuite configurations use only ECDHE and not DHE key exchange, which makes worrying about the above unnecessary. But that depends on how you configure your ciphersuites.

For your certificate, you’re going to have to take your fullchain.cer file.

For your private key, you’re going to want to use your $DOMAIN.key file.
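An added example for posts #14 and #17 (not code from this thread, acme.sh or Boost.Beast; Go is used because its standard library can build a certificate chain offline): it constructs stand-ins for acme.sh’s ca.cer, <domain>.cer, fullchain.cer and <domain>.key under a throwaway CA, then runs the check a server should perform at every start and after each renewal: load fullchain.cer together with the key, confirm they match and cover the domain, and report days to expiry. The function names makeBundle and checkServerMaterial are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// makeBundle builds constructed stand-ins for acme.sh's ca.cer, <domain>.cer, fullchain.cer and
// <domain>.key: a throwaway CA (not Let's Encrypt) signs a 90-day leaf for the given name.
func makeBundle(domain string) (caPEM, leafPEM, fullchainPEM, keyPEM []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed CA"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{domain},
		NotBefore: now, NotAfter: now.AddDate(0, 0, 90), KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	keyDER, _ := x509.MarshalECPrivateKey(leafKey)
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	leafPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	// fullchain.cer is the leaf followed by its issuing chain: the file the server should serve.
	fullchainPEM = append(append([]byte{}, leafPEM...), caPEM...)
	return caPEM, leafPEM, fullchainPEM, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}
// checkServerMaterial is the startup check after each renewal: load fullchain + key (fails on a
// mismatched key), confirm the leaf covers the domain, and report chain length and days left.
func checkServerMaterial(fullchainPEM, keyPEM []byte, domain string) (chainLen, daysLeft int, err error) {
	pair, err := tls.X509KeyPair(fullchainPEM, keyPEM)
	if err != nil {
		return 0, 0, err
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return 0, 0, err
	}
	if err = leaf.VerifyHostname(domain); err != nil {
		return 0, 0, err
	}
	return len(pair.Certificate), int(time.Until(leaf.NotAfter).Hours() / 24), nil
}
```

A chain length of 1 means a leaf-only file (the <domain>.cer) was loaded, which clients without the intermediate cached will reject; fullchain.cer gives 2 or more.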

#18

@_az Thanks for the reply.

I’m confused about the password callback and ctx.set_options. Also, the cert constant should be the fullchain.cer file in my case, right? And I’m assuming I don’t need anything that mentions DH. And that’s the server_certificate.hpp file. What’s the certificate used in the root_certificates.hpp file?

And since this is a hand-made server basically, how do I automate the cert renewal for it?

#19

I can’t advise you on using Boost - there are other forums and mailing lists for that.

The usual thing to do in production environments is to use a reverse proxy to handle SSL for you. That way, you do not need to worry about the implementation details of SSL and just use regular TCP/HTTP/whatever.

Common choices are nginx, Apache, etc … though they are largely oriented around Linux.

Caddy has releases for Windows which actually handles acquiring (and renewing), using the certificates for you … you just tell it to proxy to your application.
