Renew certificates fails please help

OK done that

See screen shot

So how do I get an external IP? Do I need to set up a DMZ?

No need for DMZ.

You can browse to http://ifconfig.co/ to quickly see your external IP.
Use that IP in your global DNS zone for kodi.pjrawlings.co.uk.
Then we can start testing the cert process.

[&2* readers: Get involved; Be heard. It starts with: if you read something you like, then like it :heart:]

1 Like

Sorry to be a dummy. I have found my external IP address (won't this change regularly?) but have no idea where to put this value. Where is this DNS zone for kodi.pjrawlings.co.uk specified?

2 Likes

When the IP address changes, two things happen:

  • you will no longer be able to renew the cert via HTTP
    [so that DNS entry will have to be updated automatically or prior to each renewal with the current IP]
  • you are at risk of allowing whomever does get your old IP being able to issue a cert for that name
    [this is a very small chance and there is little incentive for anyone to do so]

Right where you left it - LOL
When you registered the name, did they provide you with any access to make DNS changes?

1 Like

I presume you mean this area (screenshot attached). If so, which line should I change to the IP address, or what line should I add?

https://drive.google.com/file/d/1-GedIGvaDB-Z8CftbqP5v6KC_BxC3KgG/view?usp=sharing

1 Like

Modify this entry to show your Internet IP:
image

1 Like

Changed as requested, and port 80 is open on my router. There is something more I should mention, I think.

The IP Address 192.168.1.4 is handled by another router I have on my network and is sent out via VPN.

This router does not have firewall active so no ports are blocked.

So I picked up the IP address of the Kodi machine and it's 185.192.70.117, so this is not an IP from my ISP; I am guessing this must be from my VPN provider. So I now see this error when trying to run certbot:

1: kodi.pjrawlings.co.uk


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kodi.pjrawlings.co.uk
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. kodi.pjrawlings.co.uk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://kodi.pjrawlings.co.uk/.well-known/acme-challenge/z3LOkwoTEULEfEoST3Tv-zTdYlTzYohqmMBaAGI0yj8: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: kodi.pjrawlings.co.uk
    Type: connection
    Detail: Fetching
    http://kodi.pjrawlings.co.uk/.well-known/acme-challenge/z3LOkwoTEULEfEoST3Tv-zTdYlTzYohqmMBaAGI0yj8:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

I will also try with my second machine that doesn't use VPN and see if this works.

I am wondering if I need to check with my VPN folks if they allow port 80 ?

Is there a way I can check if port 80 is open on a specific IP address?

1 Like
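The two things Let's Encrypt's validator depends on for http-01 are exactly what this thread keeps tripping over: the public A record must point at the address the home connection currently has, and TCP port 80 at that address must accept a connection. The script below is an added example (not from the thread, not certbot's code) that runs both checks before you start a renewal; `resolve_a`, `port_open`, `preflight` and `demo_loopback` are names chosen here, and the hostname and addresses in the test are constructed.

```python
"""Pre-flight checks for an http-01 renewal from a home connection.

Added example, not part of the thread or of certbot. It answers:
  1. does the public DNS answer for the name still contain the address
     we are actually behind (it changes when the ISP or VPN hands out
     a new one)?
  2. does a TCP connect to port 80 at that address succeed within a few
     seconds, which is what the ACME validator attempts?
"""
import socket


def resolve_a(hostname: str) -> set:
    """IPv4 addresses the local resolver currently returns for hostname."""
    infos = socket.getaddrinfo(hostname, 80, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def record_matches(resolved: set, external_ip: str) -> bool:
    """True when the DNS answer contains the address we sit behind."""
    return external_ip in resolved


def port_open(ip: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Plain TCP connect, like the validator's first step.

    A False here corresponds to certbot's
    'Timeout during connect (likely firewall problem)' or a refused connection.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(hostname: str, external_ip: str,
              resolver=resolve_a, probe=port_open) -> dict:
    """Run both checks and return the findings.

    resolver and probe are injectable so the logic can be exercised offline.
    """
    resolved = resolver(hostname)
    findings = {
        "resolved": sorted(resolved),
        "dns_matches": record_matches(resolved, external_ip),
        "port80_reachable": probe(external_ip, 80),
    }
    findings["ok"] = findings["dns_matches"] and findings["port80_reachable"]
    return findings


def demo_loopback() -> tuple:
    """Offline demonstration of port_open against a loopback listener.

    Returns (result while listening, result after the listener closed).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, nothing external
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = port_open("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_close = port_open("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


if __name__ == "__main__":
    import sys
    # usage: python preflight.py kodi.example.test 203.0.113.10
    host, ext = sys.argv[1], sys.argv[2]
    for key, value in preflight(host, ext).items():
        print(f"{key}: {value}")
```

Run it from a machine outside your own network if you can (a phone on mobile data, for instance): many home routers do not hairpin a connection from the LAN to their own public address, so a False from inside the house does not prove the port is closed from the Internet. A resolver inside a VPN tunnel may also answer differently from the public resolvers Let's Encrypt uses, which is why the DNS check is only a first approximation.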

This is the closest thing I could find:

1 Like

@plug_it_in one reason that you're having so much trouble here is that most of the tools and documentation for Let's Encrypt are aimed at people who are hosting a server in a data center, where it's meant to be available to the general public. Even the Let's Encrypt service is optimized for this case because the certificates it issues are publicly trusted (once issued, they would typically be accepted by anyone's device without any further agreement or configuration).

Most people who are hosting at home and using Let's Encrypt are using something called a dynamic DNS hostname

https://www.cloudflare.com/learning/dns/glossary/dynamic-dns/

where they have software on their PCs that periodically connects to the DNS server to say "hey, I'm over here!" so that the DNS server will update the name automatically to point to the most recently issued dynamic address. That helps people in the outside world continue to be able to locate that home network connection even as its address changes over time.

For some people using appliances like a network-attached storage (NAS) unit, the dynamic DNS domain name might be provided by the device manufacturer (and the device might have built-in software to help it update the dynamic DNS records automatically).

It seems that you're not in any of these categories: you have a publicly-registered domain name, but it's not pointed at a dynamic DNS provider, and so it's not regularly updated to point to new locations if your Internet service provider changes your address. Also, you don't normally have anyone connect to your devices from the public Internet, which means you haven't previously configured your domain's DNS records to point to your home (from the outside world's perspective) at all, probably because you haven't had any reason to.

I think @rg305 is on exactly the right track in helping you update your configuration to get a Let's Encrypt certificate and that you'll eventually succeed, but one thing you might also want to think about: do you need a Let's Encrypt certificate in your configuration? Is it the best solution for what you're trying to do (access an internal service from within your own home network)?

The reason that the Let's Encrypt validation process is so rigorous is that Let's Encrypt certificates are going to be publicly trusted (so before giving you a certificate that will be valid to convince anyone in the world that you operate kodi.pjrawlings.co.uk, Let's Encrypt wants to make very certain that you do, in fact, operate the machine under that name!). However, within your own network, you could potentially use another solution, like a self-signed certificate. This wouldn't be accepted by other people's devices, but you suggested that you have no expectation that other people's devices will ever connect to this machine at all, so that might be OK! An advantage of a self-signed certificate, in return, is that you don't have to convince Let's Encrypt (or anybody) that you're the real owner of this name. You can just make it yourself and install it privately on your own devices, with no coordination or interaction with anyone else.

That might be easier in your setup, also recalling that Let's Encrypt certificates are only valid for 90 days (by which time the validation process must be repeated in order to get a replacement certificate).

3 Likes

I get all the points here, but I want to stop annoying pop-ups about using HTTPS for servers I have on my home network. And we have come so far.

So, rather large update, although I am still in the same position with my kodi box (192.168.1.4). Port forwarding here is not an issue as this router's firewall is disabled.

But I thought I would go through setup of my second server for 3D printing called octopi. This was provided as an image (and I found it has the Tornado web server).

So nothing in certbot talks about this, just nginx and apache, so, thinking that you can only have one forwarding rule per port, and Tornado uses 80 on this server, I set up an apache server on my Raspberry Pi alongside the Tornado server. I then set this to listen on port 8080 and put a port forward rule in the router for port 8080.

Then ifconfig.co reported an IPv6 address only, so on my IONOS DNS control panel I set up an AAAA record for octopi.pjrawlings.co.uk (not sure if this was necessary, but it made some sense).

Then I used the certbot manual process the first time and checked the certificate was all working (changing things like haproxy.cfg). All worked.

Then I fired up certbot --apache and it asked for my domain name. I typed that in and it renewed the certificate. It also added an SSL conf record by itself.

Cannot say how satisfying this was.

So now back to my VPN-connected device 192.168.1.4. I think I will try the same solution and install the apache server if the forward rule on my router that ships the traffic to the VPN doesn't work.

1 Like

Boohoo, the apache route is a non-starter. So now to see if port 80 is open via VPN.

1 Like

I have spoken with ExpressVPN and they told me I can use these ports:

  • TCP 443
  • UDP 1195
  • UDP 1198
  • UDP 10088 to UDP 10098
  • UDP 10188 to UDP 10198
  • TCP 10288 to TCP 10298

So how do I get certbot to use port 443?

1 Like

Please read the basics:

If you want to use http validation, port 80 / http is required.

It's not Certbot (the ACME client), it's Let's Encrypt that must use the ACME protocol. That protocol requires port 80 to validate a domain via http validation.

If this isn't possible, switch to dns validation.

3 Likes

Just for completeness in what Juergen has mentioned, it is OK for Let's Encrypt if port 80 is forwarded to port 443 (or another port), but the communication must start with port 80 if you're using http-01 challenges. I don't know if that makes a difference in your scenario.

Our recommendation is that all servers meant for general web use should offer both HTTP on port 80 and HTTPS on port 443. They should also send redirects for all port 80 requests, and possibly an HSTS header (on port 443 requests).

Unfortunately, you might not have control over whether port 80 is blocked for your site. Some (mostly residential) ISPs block port 80 for various reasons. If your ISP does this but you’d still like to get certificates from Let’s Encrypt, you have two options: You can use DNS-01 challenges or you can use one of the clients that supports TLS-ALPN-01 challenges (on port 443).

2 Likes

OK, how do I switch to DNS validation? I thought I could not do this because my IP is on an internal network. Or did I miss something?

2 Likes

The beauty of dns-01 challenges is that they verify your control of your DNS zone via validating TXT records, making your IP address (via your A record) irrelevant.

I see that your domain name is registered through 1&1 Ionos. They don't seem to support DNS updates via API.

So... back to where we were 29 days ago...

Manually adding a TXT record to your DNS with a host name of _acme-challenge.kodi.pjrawlings.co.uk. and a value of "some big string given by certbot":

sudo certbot certonly --manual --preferred-challenges dns -d "kodi.pjrawlings.co.uk" --keep

Next stop! Automation!

2 Likes
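To show why the dns-01 route is independent of your IP address, here is an added example (not from the thread and not certbot's own code) that reproduces the computation behind "some big string given by certbot": RFC 8555 section 8.4 defines the TXT value as base64url(SHA-256(token "." thumbprint)), where the thumbprint is the RFC 7638 hash of the ACME account's public key. The JWK, the token and the TXT answers used below are constructed sample data, not real keys or real CA output, and `jwk_thumbprint`, `dns01_txt_value`, `challenge_name` and `txt_record_satisfies` are names chosen for this example.

```python
"""How the _acme-challenge TXT value is derived, and how the CA checks it.

Added example, not from the thread or from certbot. It follows RFC 8555
section 8.4 (dns-01) and RFC 7638 (JWK thumbprint). The only inputs are
the challenge token and the account key; no A record, no port, no IP.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required members only.

    Extra members such as "alg" or "use" must not influence the result.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canon = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canon.encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """The string certbot asks you to put into the TXT record."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_name(domain: str) -> str:
    """Owner name of the TXT record, as a fully qualified name."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def txt_record_satisfies(txt_answers, expected: str) -> bool:
    """Mimic the CA: accept if any TXT string at the name equals the expected value.

    Stale values from earlier attempts may sit beside the current one;
    they neither help nor hurt, which matters for manual renewals.
    """
    return any(rr.strip('"') == expected for rr in txt_answers)


# Constructed sample data. This "n" is a short dummy modulus, not a usable key,
# and the token is an arbitrary base64url string of the shape the CA issues.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sample-modulus-not-a-real-key-0123456789abcdefghijklmnopqrstuv",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


if __name__ == "__main__":
    domain = "kodi.example.test"           # placeholder, not the poster's domain
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print(f'{challenge_name(domain)} IN TXT "{value}"')
    # Check a constructed answer set before telling certbot to continue.
    print(txt_record_satisfies(['"old-value-from-last-time"', f'"{value}"'], value))
```

In practice you never compute this yourself; certbot prints the finished value, you create the TXT record in the IONOS panel, wait for it to be visible from a public resolver (for example with `dig +short TXT _acme-challenge.kodi.pjrawlings.co.uk @1.1.1.1`), and only then press Enter. The point of the example is that every input is under your control regardless of what the VPN does to your address, and that leftover TXT values from a previous run do not break the check.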

Think I'm going to cry. I never thought this would be so difficult.

2 Likes

BUT huge thanks for all the help and assistance I got over this problem; you guys are the best.

4 Likes

You are very welcome. :slightly_smiling_face:

Nothing in life is free. The cost can almost always be eventually measured in lost sanity. Hence why the symbol is $. (I have no idea if the last sentence has any truth, but it's certainly a good reminder.)

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.