I have one port-forwarding address, which is xxx.ddns.net. Is it possible to install a Letsencrypt SSL certificate for my Mattermost domain? I wish to log in to my Mattermost app through https://xxx.ddns.net:8065 with trusted HTTPS (showing green instead of red).
To get the certificate, you’ll need to be able to prove that you control the domain name by receiving inbound connections on port 443 or 80, or by adding DNS records related to your domain name. (In the former two cases, you don’t need to have an existing server that listens on port 443 or port 80, but you do need to be able to receive connections from the public Internet on one of those ports at the time that the certificate authority checks your control over the domain name, including at least every 90 days thereafter.)
Thanks for the replies. It seems like I need to install SSL using Letsencrypt for my ddns.net domain, but there seem to be some issues while installing the Letsencrypt SSL certificate on my Mattermost server:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for mattermost.3lc.my
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mattermost.3lc.my (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 74aa5259730ccbdf4b1cdaa230ef45ad.54d1658f609015cd22641778c4b4ea9c.acme.invalid from 121.121.83.236:443. Received 2 certificate(s), first certificate had names “hq-osx01.3lc.my”
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: mattermost.3lc.my
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
74aa5259730ccbdf4b1cdaa230ef45ad.54d1658f609015cd22641778c4b4ea9c.acme.invalid
from 121.121.83.236:443. Received 2 certificate(s), first
certificate had names “hq-osx01.3lc.my”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
==========================================================
Is this error triggered because I already have a certificate assigned to my xxx.ddns.net, which is hq-osx01.3lc.my?
For your information, I have the following A record set in my AWS Route 53:
So, what happened there is that, by default, Certbot tried a method named tls-sni-01 to prove control over the name by itself answering HTTPS connections on port 443. But when Let’s Encrypt called your name on that port they reached your existing server, not Certbot, and of course the real server knew nothing about this proof-of-control stuff.
You could look at telling Certbot to use http-01 validation, where it places files on a web server basically to prove you control the server. Note that’s HTTP on port 80, not HTTPS, so if you don’t have port 80 open it might not be convenient. As a DDNS user you might also look into DNS proof, https://acme.sh/ is one option which I think speaks DDNS. But it might not help if the DNS names you want certificates for are from another provider.
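To make the failure in the log concrete, here is an added example (not code from the thread, Certbot or Let’s Encrypt) showing how an ACME client and the CA each derive what must be presented for a challenge. Both http-01 and tls-sni-01 start from the same key authorization (token plus the RFC 7638 thumbprint of the account key); http-01 expects it as the body of a file fetched over port 80, while tls-sni-01 hashed it into a `*.acme.invalid` name that had to appear in a certificate served on port 443. The JWK below is a constructed dummy, not a real key, and `explain_failure` parses the error line quoted above. Note that Let’s Encrypt has since retired tls-sni-01 entirely; http-01 and dns-01 are the options that remain.

```python
import base64
import hashlib
import json
import re
from typing import Dict, List, Tuple

# Constructed dummy JWK for an RSA account key: the modulus is not a real
# key, only its structure matters for computing the thumbprint.
EXAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "dGhpcyBpcyBub3QgYSByZWFsIG1vZHVsdXM",
}

# Shape of the name tls-sni-01 expected to find in the served certificate.
ACME_INVALID_RE = re.compile(r"^[0-9a-f]{32}\.[0-9a-f]{32}\.acme\.invalid$")

# Matches the "Detail:" sentence Certbot printed in the thread above.
LOG_RE = re.compile(
    r"Requested (\S+\.acme\.invalid) from ([\d.]+):(\d+)\. "
    r"Received \d+ certificate\(s\), first certificate had names [\u201c\"]([^\u201d\"]+)[\u201d\"]"
)


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members only (RSA: e, kty, n; EC: crv, kty, x, y), sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """token '.' thumbprint: the value every ACME challenge type is built on."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_expectation(domain: str, token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """http-01: the CA fetches this URL over plain HTTP on port 80 and expects
    the response body to be exactly the key authorization."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def tls_sni01_expected_name(key_authz: str) -> str:
    """tls-sni-01: Z = hex SHA-256 of the key authorization; the CA connected
    to port 443 with SNI Z[0:32].Z[32:64].acme.invalid and expected a
    self-signed certificate carrying exactly that name."""
    z = hashlib.sha256(key_authz.encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}.acme.invalid"


def tls_sni01_would_pass(expected_name: str, received_names: List[str]) -> bool:
    """The check the CA applied to the certificate it actually received."""
    return expected_name in received_names


def explain_failure(detail: str) -> Dict[str, object]:
    """Parse Certbot's failure detail and restate it as expected vs. received."""
    m = LOG_RE.search(detail)
    if not m:
        raise ValueError("not a tls-sni-01 failure detail")
    expected, ip, port, names = m.groups()
    received = [n.strip() for n in names.split(",")]
    return {
        "expected": expected,
        "address": f"{ip}:{port}",
        "received": received,
        "passes": tls_sni01_would_pass(expected, received),
    }


# The failure detail quoted from the thread, used as sample input.
SAMPLE_DETAIL = (
    "Incorrect validation certificate for tls-sni-01 challenge. Requested "
    "74aa5259730ccbdf4b1cdaa230ef45ad.54d1658f609015cd22641778c4b4ea9c.acme.invalid "
    "from 121.121.83.236:443. Received 2 certificate(s), first certificate had names "
    "\u201chq-osx01.3lc.my\u201d"
)

if __name__ == "__main__":
    print(explain_failure(SAMPLE_DETAIL))
    print(http01_expectation("mattermost.3lc.my", "constructed-token", EXAMPLE_JWK))
```

Running `explain_failure` on the quoted detail shows the mismatch the CA saw: it asked for an `acme.invalid` name on 121.121.83.236:443 and the existing server answered with its own certificate for hq-osx01.3lc.my, so `passes` is False. The `http01_expectation` output is what a pre-flight check would fetch from the public Internet before asking Certbot to try http-01: if that URL is not reachable on port 80 at the DDNS name, that method will fail for the same kind of reason.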