SSL access to services hosted on windows 10, with dynu.com ddns


#1

Hello all, my first post here so apologies for lame queries;) See details below and my question at the end:

My domain is: kon.mywire.org

I ran this command:
bash-3.2# acme.sh --issue --dns dns_dynu -d kon.mywire.org

It produced this output:
Domains not changed.
Skip, Next renewal time is: sat 16 mar 03:46:35 2019 UTC
Add '--force' to force to renew.

My web server is (include version):
none?

The operating system my web server runs on is (include version):
Windows 10

My hosting provider, if applicable, is:
dynu.com

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

So, I followed to the letter this tutorial https://community.letsencrypt.org/t/failed-authorization-procedure-the-server-could-not-connect-to-the-client-to-verify-the-domain/60656/4

I successfully generated the key and cert files.
When I run the command
bash-3.2# acme.sh --issue --dns dns_dynu -d kon.mywire.org
it returns what I think is a positive response, saying that domains not changed and next cert can be only generated a month from now. So it seems to me so far so good;)

Now, apologies for a really lame question but where do I go from here?:wink:

So the setup I have is: on my home laptop (Windows 10) I run a number of services which I wanted to access outside of my network. Http access works perfectly with no issues. I want to upgrade it to https!:wink:
Does the fact that I was able to generate certs and a key mean that I'm all set up?
Do I need to do anything else on the dynu.com panel?
Do I need to do anything else on the source Windows 10 machine (port forwarding)?
I’m a complete noob with ssl terminology so please explain it to me like I’m a 4 yr old;)
I also have other domains under my dynu account. If I would be able to get https on the above domain, how do I generate new certs for other domains?
Thanks in advance!:wink:


#2

Try listing the certs you have obtained:
acme.sh --list

If any are listed, then you have the private key and public cert for that name.
You can then look for a directory containing that name on your drive (somewhere).
There you will find all the files needed to use that cert.


#3

How you provided http access will determine how you will proceed to enable https on that connection.
It is difficult to be more specific when there is little known about your “setup”.

You are ready to encrypt, but encryption is not automatically enabled by the acme.sh program - it only gets/renews the certs you need to encrypt with.

I am not familiar with this but most likely not. It should only be providing DNS services.
(converting names to IP addresses)

Probably in the exact same way that you got this cert.
[being very positive about that - I’m certain you got your first cert!]
Or perhaps, depending on your setup and needs, in an even more beneficial way and automated.
[this depends greatly on the service/program that will use the cert - Which is, as yet, unknown: maybe IIS, Apache, NGINX, …]

[edit] I was right, you did get a cert!: https://crt.sh/?q=kon.mywire.org


#4

> How you provided http access will determine how you will proceed to enable https on that connection.
> It is difficult to be more specific when there is little known about your “setup”.

I described my setup above, there’s not much to add, really. There’s no apache, iis, etc. Only a laptop running Windows 10 with some services which generate WebUIs. For example: deluge webui.

> If any are listed, then you have the private key and public cert for that name.
> You can then look for a directory containing that name on your drive (somewhere).
> There you will find all the files needed to use that cert.

This is the thing. I don’t have a clue on HOW to actually USE them certs;) I was under the impression I would be able to channel all traffic from my machine through ddns domain on ssl, but if I get this right it doesn’t quite work like that. I feel each individual service needs to support ssl, and only then potentially I could replace standard ssl keys/certs (that come with that app) with newly generated ones. Nevertheless, that would need to be set up individually per each service, and not per whole ‘domain’ traffic. Am I getting this right?


#5

You seem to be closer to the right track.
Services are secured using encryption.
One of the simplest and most common methods is for them to use publicly signed certificates.
But, yes, each service would need to be altered/modified to include encryption and use the certificate you were issued.

I’m not sure I understand this “view”.
What traffic would you be channeling/serving from your machine?
If remote desktop, then that program would need to be modified to use the cert.
If web services, then your web server would need to be modified to use the cert.
If email services, then your email server would need to be modified to use the cert.
Get the picture?

I don’t think there is any one single place that can encrypt all the things that can be done from a machine.
That would be nice though… maybe someday in the future someone will create a commonplace for such. :slight_smile:

[edit] Generally speaking: If you have a working service(s) that runs on http, then it may be able to run on https. If so, then you simply need to read up on how to enable https for that specific program/service.
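
Added example, not part of the thread and not acme.sh's own code: a shell function that takes the per-name directory mentioned in post #2, confirms the private key belongs to the issued certificate, and stages both files with owner-only permissions on the key so an individual service (post #5) can be pointed at them. The file names `<domain>.key` and `fullchain.cer`, the output names, and the function names are assumptions.

```bash
# Added example, not from the thread. Assumed file names inside the directory
# that acme.sh keeps for a name: <domain>.key and fullchain.cer.

# Print the public key embedded in a certificate ("cert") or private key ("key").
pubkey_of() {
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
  esac 2>/dev/null
}

# stage_cert SRC_DIR DOMAIN DEST_DIR
# Copies key + full chain to DEST_DIR under fixed names for a service to load.
# Returns: 0 ok, 1 file missing, 2 key/cert mismatch, 3 copy failed, 4 no openssl.
stage_cert() {
  local src="$1" domain="$2" dest="$3"
  local key="$src/$domain.key" chain="$src/fullchain.cer"
  local cert_pub key_pub

  if [ ! -s "$key" ] || [ ! -s "$chain" ]; then
    echo "missing $key or $chain" >&2
    return 1
  fi
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 4; }

  # The first certificate in the chain file is the leaf; its public key must
  # equal the one derived from the private key, or the pair is unusable.
  cert_pub=$(pubkey_of cert "$chain") || cert_pub=""
  key_pub=$(pubkey_of key "$key") || key_pub=""
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match certificate" >&2
    return 2
  fi

  # Create the files with owner-only permissions, then relax the public chain.
  (
    umask 077
    mkdir -p "$dest" &&
    cp "$key" "$dest/privkey.pem" &&
    cp "$chain" "$dest/fullchain.pem"
  ) || return 3
  chmod 600 "$dest/privkey.pem" && chmod 644 "$dest/fullchain.pem"
}
```

Each service's TLS settings are then pointed at the staged `privkey.pem` and `fullchain.pem`. acme.sh's `--install-cert` command performs a similar copy and repeats it after each renewal.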


#6

Now I got the hang of it. Many thanks rg305 for clearing things up!:wink:

