bear with me, i’m new-ish to this stuff… i am interested in learning and have been reading up on http/https/webservers/security/etc… i’ve set up a webserver and a local dns server (bind) to resolve an address locally. then set up a no-ip ddns account to access the webserver from the outside world. i figured since it is now “outside” https would be a good idea and that’s how i ended up here.
i am able to access the site externally via my no-ip ddns address and the only port i have forwarded to the server’s ip on my router is 80 at the moment. not sure how to determine IPv4 vs IPv6
i get the impression that https is useless (or not possible) when resolving internally?
i appreciate the responses! i’m sure i’ll get this figured out with a bit of help
Https has its uses internally, as it would prevent other devices on your network from eavesdropping on communications over the encrypted connection. However, setting TLS up internally often involves running your own local CA. Not technically required, but usually far simpler than trying to maintain ‘real’ certs on internal domains.
What are you actually putting in for local.domain? Is it the public ddns domain?
One way to check if you have IPv6 records set up (you probably don’t, and that’s probably not the case here, but it’s educational) is the command dig domain.no-ip.com AAAA, obviously replacing that with your real domain. It will return any IPv6 DNS records for that domain.
Either way, this is all tangential to the issue of certbot not doing anything. How did you go about installing Certbot initially?
nslookup returns a server and an address as well as a non-authoritative answer with a name and an address
i intended to forward that port once i had the certs up, do i need to do that beforehand?
yes, that makes sense. i don’t know how it differs when it is a local dns server resolving a local ip. my plan was to list both addresses on the cert so that locally i could use https as well as when connecting externally. perhaps that isn’t the best idea?
i installed certbot with apt-get and jessie backdoor
You won't be able to issue a Let's Encrypt certificate for an internal name. It must be a publicly accessible name with a valid TLD (.com, .org, .wtf (yes it's real now), etc.) This setup gets a bit tricky and complicated, let's focus on one objective at a time.
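The replies above boil down to three checks a Let's Encrypt issuance needs to pass: the name must have a real public TLD, it must resolve (A and/or AAAA, the same data `dig name A` and `dig name AAAA` return) to an address the internet can route to, and port 80 must be reachable from outside for the HTTP-01 challenge. The script below is an added example, not code from this thread or from Certbot; it runs those checks with only the Python standard library. The hostname `myhost.example.com` and the suffix list of non-public names (`.local`, `.lan`, `.home`, `.internal`, `.localhost`) are assumptions for illustration, and the port probe is only meaningful when run from outside your own LAN, since NAT on a home router may not loop back to the public address.

```python
"""Pre-flight check for a Let's Encrypt HTTP-01 issuance (added example,
not code from the original thread or from Certbot)."""
import ipaddress
import socket
import sys
from dataclasses import dataclass

# Constructed, non-exhaustive list of suffixes a public CA cannot validate:
# they are not delegated public TLDs (assumption for this example).
NON_PUBLIC_SUFFIXES = ("local", "lan", "home", "internal", "localhost")


@dataclass
class AddressReport:
    address: str
    record: str   # "A" for IPv4, "AAAA" for IPv6
    public: bool  # routable from the internet?


def classify(addresses):
    """Classify IP address strings as public or not; needs no network access.
    ip.is_global is False for RFC 1918, loopback, link-local, ULA and
    documentation ranges, which is exactly what a CA could never reach."""
    reports = []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        record = "A" if ip.version == 4 else "AAAA"
        reports.append(AddressReport(str(ip), record, ip.is_global))
    return reports


def issuable_by_public_ca(hostname, addresses):
    """True only if the name has a public-looking TLD (more than one label,
    not in NON_PUBLIC_SUFFIXES) and at least one address is public."""
    labels = hostname.strip(".").lower().split(".")
    if len(labels) < 2 or labels[-1] in NON_PUBLIC_SUFFIXES:
        return False
    return any(r.public for r in classify(addresses))


def resolve(hostname):
    """Return (A addresses, AAAA addresses) from the system resolver, the
    same records dig/nslookup show for the name."""
    v4, v6 = set(), set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, None):
        if family == socket.AF_INET:
            v4.add(sockaddr[0])
        elif family == socket.AF_INET6:
            v6.add(sockaddr[0])
    return sorted(v4), sorted(v6)


def port_open(address, port=80, timeout=3.0):
    """TCP connect probe; HTTP-01 validation needs port 80 reachable."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def main(argv):
    # Placeholder hostname; pass your real ddns name on the command line.
    name = argv[1] if len(argv) > 1 else "myhost.example.com"
    v4, v6 = resolve(name)
    for report in classify(v4 + v6):
        reach = "open" if report.public and port_open(report.address) else "not probed/closed"
        print(f"{report.record:4} {report.address:40} public={report.public} port80={reach}")
    verdict = issuable_by_public_ca(name, v4 + v6)
    print("Let's Encrypt could validate this name:", verdict)
    return 0 if verdict else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A name like `webserver.lan` resolving to `192.168.1.10` fails both the suffix and the address check, which is the situation the reply above describes; a public ddns name with only port 80 forwarded passes, provided the probe is run from outside the LAN.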
Something very odd is going on. It’s as though something is preventing it from executing. Try sudo python and see if you get a terminal prompt for a python interpreter. (Use quit() to get out of this prompt.)
So this might end up being tedious, but I’m trying to eliminate one issue at a time. Try these:
Make a file called test.py and in it place the following:
Close it and run sudo python test.py and tell me if ‘hello world!’ displays.
Next up, try sudo su to get a root shell and run certbot from there. This is starting to sound like some security issue, but I’m more knowledgeable about centos/red hat than Debian and the security side.
Finally, what happens if you run certbot without sudo?