Letsencrypt https SSL for ddns.net

Hi,

I have one port forwarding address which is xxx.ddns.net, is it possible to install Letsencrypt SSL for my mattermost domain? I wish to login to my mattermost app through https://xxx.ddns.net:8065 with trusted https (showing green color instead of red)

Hi @kongyc,

Yes, tons of people are using Let’s Encrypt certificates with .ddns.net names.

https://crt.sh/?Identity=%ddns.net&iCAID=16418

To get the certificate, you’ll need to be able to prove that you control the domain name by receiving inbound connections on port 443 or 80, or by adding DNS records related to your domain name. (In the former two cases, you don’t need to have an existing server that listens on port 443 or port 80, but you do need to be able to receive connections from the public Internet on one of those ports at the time that the certificate authority checks your control over the domain name, including at least every 90 days thereafter.)

Do you mean dynamic DNS?

See: Configuring TLS on Mattermost Server

The port used is up to you (and whatever system used to port forward).
So I think yes, it is possible.

Hi,

Thanks for the replies, seems like I need to install SSL using Letsencrypt for my ddns.net domain, but it seems like there are some issues with the letsencrypt SSL installation in my Mattermost server:

==========================================================
certbot certonly --standalone -d mattermost.3lc.my

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for mattermost.3lc.my
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mattermost.3lc.my (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 74aa5259730ccbdf4b1cdaa230ef45ad.54d1658f609015cd22641778c4b4ea9c.acme.invalid from 121.121.83.236:443. Received 2 certificate(s), first certificate had names “hq-osx01.3lc.my

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mattermost.3lc.my
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    74aa5259730ccbdf4b1cdaa230ef45ad.54d1658f609015cd22641778c4b4ea9c.acme.invalid
    from 121.121.83.236:443. Received 2 certificate(s), first
    certificate had names “hq-osx01.3lc.my

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.
    ==========================================================

Is this error triggered because I already have a certificate assigned to my xxx.ddns.net which is hq-osx01.3lc.my?

For your information, I have the following A records set in my AWS route 53:

hq-osx01.3lc.my xxx.ddns.net
mattermost.3lc.my xxx.ddns.net

What should I do now? Is it possible to install a separate SSL cert for my mattermost for this case?

Sorry I’m not familiar with SSL and stuff.

Thank you.
Best regards,
Kong

So, what happened there is by default Certbot tried a method named tls-sni-01 to prove control over the name by itself answering HTTPS connections on port 443. But when Let’s Encrypt called your name on that port they reached your existing server, not Certbot, and of course the real server knew nothing about this proof of control stuff.

You could look at telling Certbot to use http-01 validation, where it places files on a web server basically to prove you control the server. Note that’s HTTP on port 80, not HTTPS, so if you don’t have port 80 open it might not be convenient. As a DDNS user you might also look into DNS proof, https://acme.sh/ is one option which I think speaks DDNS. But it might not help if the DNS names you want certificates for are from another provider.
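The http-01 flow described above, as an added example that is not code from this thread or from certbot: it builds the key authorization for a challenge token and writes it under a webroot, so the web server already on port 80 answers the CA's request and nothing has to take port 443 away from the existing HTTPS server. The account JWK and token used with it are constructed values, not real ACME data.

```python
"""http-01 challenge helper (added example; not certbot's own code)."""
import base64
import hashlib
import json
from pathlib import Path

# The CA fetches http://<name>/.well-known/acme-challenge/<token> over plain HTTP.
CHALLENGE_DIR = Path(".well-known") / "acme-challenge"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the required
    members only, keys sorted, no whitespace. Extra members like "kid" do not
    change it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA must read back: <token>.<thumbprint> (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_url(name: str, token: str) -> str:
    """Where the CA looks: port 80, so an existing 443 listener is never involved."""
    return f"http://{name}/.well-known/acme-challenge/{token}"


def publish_challenge(webroot: Path, token: str, jwk: dict) -> Path:
    """Write the key authorization into the webroot and return the file path.
    Tokens are base64url strings; anything that could escape the challenge
    directory is rejected before touching the filesystem."""
    if not token or "/" in token or "\\" in token or token.startswith("."):
        raise ValueError("malformed ACME token")
    target = Path(webroot) / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(key_authorization(token, jwk), encoding="ascii")
    return target
```

In practice `certbot certonly --webroot -w <webroot> -d <name>` performs exactly this file placement for you; the point here is to see why it does not collide with whatever is already serving HTTPS.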

That may depend on what is running on the "hq-osx01.3lc.my" system and how much control you have over it.

In short, yes. But it won't be straightforward, as your situation is more complex than it is simple.

So, what is running on the "hq-osx01.3lc.my" system?
What O/S? What web service?
