Okay, so I have been thinking that I should be encrypting. I have three devices that I access from outside of my own network over Web interfaces:
1. a QNAP TS-231 NAS
2. a Home Assistant server running on a Raspberry Pi
3. a Remote Potato server running on my WMC DVR. (Yes, people still use WMC.)
I am not married to the idea of encrypting (3), but I would like to get (1) and (2).
Now, I’ve found tutorials, but they all assume you aren’t working from a domain and have you setting up through a DDNS service like Dyn or something, and they all assume you are doing one certificate for one machine and that’s it. Except I do have my own domain, which I have going to these machines through web forwards on my DNS service (ZoneEdit). So nas.mydomain.com redirects to mydomain.com:1234, and dvr.mydomain.com redirects to mydomain.com:9080, and so forth.
Last night I got my NAS set up through StartSSL after much trial and error, and then discovered that apparently the Internet (and especially Mozilla) hates StartSSL. So here I am at LE.
I kinda want to do this through LE to learn how to do it, and because it annoys me to see the warning that self-signing would produce.
So my primary question is: since everything ultimately goes through mydomain.com, do I even need multiple certificates or do I get one and install the same one on all of my devices? My secondary question is: what’s the best way to go about this?
That ZoneEdit "forwards"/"redirects" could be problematic. Could you explain more about that? If I understand correctly, your subdomains actually don't "point" to your own IP address, but to an IP of ZoneEdit, which hosts some kind of iframe like page, with the source pointing to yourdomain:1234?
You can add up to 100 FQDNs to one certificate.
As you've got a server (your Raspberry Pi would be excellent I reckon, but perhaps the NAS too), I would advise running your own reverse proxy: you point all your subdomains to the same IP address and all will terminate on your Raspberry Pi's reverse proxy (there are many reverse proxy packages available, such as Apache or nginx, but that might be overkill. HAProxy is perhaps a more elegant choice, but I don't have any experience with it. Howtos exist to install it on a Raspberry Pi.)
A reverse proxy will decide to which server it must connect based on the hostname provided by the client. Apache and nginx certainly can do that, HAProxy should be able to as well, but I didn't find any guide for that in the few minutes I googled.
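The hostname-based reverse proxy described in the reply above, as an added example that is not from the thread: one nginx instance on the Raspberry Pi terminates TLS for every hostname with a single Let's Encrypt certificate (one certificate can list several names) and forwards each hostname to a different internal device. The router forwards ports 80 and 443 to the Pi. The names nas.hiwaycorp.com and ha.hiwaycorp.com, the internal address 192.168.1.10 for the NAS and the certificate directory name are assumptions for illustration; port 8123 is Home Assistant's default.

```nginx
# Added example, not the thread's own configuration. Assumed names/addresses are marked.

# Plain HTTP: answer http-01 challenges from a local webroot, send everything else to HTTPS.
server {
    listen 80;
    server_name hiwaycorp.com nas.hiwaycorp.com ha.hiwaycorp.com;   # ha.* is an assumed name

    # The CA fetches http://<name>/.well-known/acme-challenge/<token>; this must be
    # served by the Pi itself, not by a ZoneEdit redirect or frame page.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;                                   # assumed webroot
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS for the NAS: routed purely by the hostname the browser sends (SNI / Host header).
server {
    listen 443 ssl;
    server_name nas.hiwaycorp.com;

    # One certificate issued for all names; certbot stores it under /etc/letsencrypt/live/<first name>/
    ssl_certificate     /etc/letsencrypt/live/hiwaycorp.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hiwaycorp.com/privkey.pem;

    location / {
        proxy_pass https://192.168.1.10:443;                         # assumed NAS address
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# HTTPS for Home Assistant: same certificate, different backend; websocket upgrade kept intact.
server {
    listen 443 ssl;
    server_name ha.hiwaycorp.com;

    ssl_certificate     /etc/letsencrypt/live/hiwaycorp.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hiwaycorp.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8123;                            # Home Assistant default port
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With this layout the certificate is requested once on the Pi, for example with `certbot certonly --webroot -w /var/www/letsencrypt -d hiwaycorp.com -d nas.hiwaycorp.com -d ha.hiwaycorp.com`, and the devices behind the proxy never need to see the certificate at all; only the proxy has to be reachable on ports 80 and 443 from outside, and the DNS names must resolve directly to the router rather than to a ZoneEdit redirect host.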
So my ZoneEdit record is updated regularly with my own IP address through DDNS on my router (which is running DD-WRT). ZoneEdit is just handling my DNS. Then, when, say, someone types in “http://wmc.hiwaycorp.com”, ZoneEdit catches that and says “ah, you actually want http://hiwaycorp.com:9876/” and changes it to that, and that’s what they see in their browser. (There are apparently ways for ZoneEdit to do that in a “stealth” way with frames so it doesn’t actually change the URL for the end-user, but that’s for http, that doesn’t work with https (for obvious reasons) so there’s no point in setting that up, and that’s fine, especially if it means the connection is secure…)
So basically hiwaycorp.com points to my router, and then my router sends the data to whatever device is appropriate based on the port asked for.
So that said: since the router is the point of contact that everything goes through: maybe THAT’S where I can install the LE stuff and then since everything sits behind that (and is just on different ports as far as the outside world is concerned) then they don’t need it? Does that make any sense?
Well, you see, that here is the problem. You say ZoneEdit is just handling your DNS. But then you explain it is redirecting a request to a whole new URI, including a port. That is not something DNS can do (well, actually, it can, using SRV records, but that is not something regular browsers understand/use). Such a redirect most likely works with HTTP location headers. And therefore: not DNS.
hiwaycorp.com, sure. But wmc.hiwaycorp.com doesn't, it probably points to a ZoneEdit host. (Actually, that specific FQDN doesn't resolve to anything.)
Fine. I was asked how it works, that's how it works from an end-user standpoint; and that's why I explained that was what it was doing. I don't get why that's a "problem", though.
You just have to be careful with details like this because the verification that you really control the domain will make an automated connection to your site, over HTTP or HTTPS, and look at details of the response. If the response is coming from ZoneEdit and not from your own computer, it's possible that the certificate authority won't accept it as the expected (requested) response that confirms your control over the domain.
There's probably a way to make this all work out for you, but we may have to discuss the details a little further. (However, if ZoneEdit initially answers the inbound connections, it could be a problem for trying to add HTTPS because ZoneEdit itself might not be willing to use your new certs, or maybe even to speak HTTPS to people.)
Well, again, my NAS is currently operating under StartSSL certificates (but the FQDN had to be “hiwaycorp.com”, not “nas.hiwaycorp.com” or what have you, probably because of the URL redirection thing), so it can be done… what happens is when someone goes to “http://nas.hiwaycorp.com”, it gets redirected to “https://hiwaycorp.com:port” and indicates that it’s secure, and I’m fine with that. The question is mainly whether the same set of certificates I generate for the NAS is what I would put on the RPi as well. (And also, how to generate them for the NAS, since the Certbot page seems to want to know what flavor of Linux I’m using, and I don’t know; it’s whatever’s on the NAS.)
(Thinking about it, it might be vice-versa; if it’s the same set, generate for the RPi and then put those on the NAS as well, since for the NAS it’s a cut/paste operation in the UI.)
As all the devices use the same hostname (hiwaycorp.com), you can use a single certificate for all devices.
Do note that two of the three possible challenges (http-01 and tls-sni-01) need access to port 80 and 443 respectively to validate your domain. The alternative would be the dns-01 challenge, but as I didn’t find an API for ZoneEdit, chances are poor that you can get that automated.
Okay, that’s good! So I get the certs done on one, they should be set to go on the other. And I think I might have a tutorial to do up the RPi, so that should get me all the way home.
Can you point me to some information on the challenges? Do they happen every time someone tries to access the site, or just for the initial validation? (When I did StartSSL there was a single domain validation, and then once that was done I was able to start generating certificates.)
This is a slight oversimplification, but the challenges happen every time a certificate is issued. Let’s Encrypt certificates are valid for 90 days, so the challenges will have to be re-performed at least that often for certificate renewal.
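The http-01 validation that the last few replies describe (the CA fetching a response from your server, and that fetch being repeated at every renewal), as an added example that is not from the thread. It computes the key authorization an ACME client must serve at `/.well-known/acme-challenge/<token>` (token plus the RFC 7638 thumbprint of the account key, per RFC 8555), checks a served body the way the CA does, and shows why a ZoneEdit frame page answering instead of your own host fails the check. The account key, token and served bodies are constructed sample values; the 30-day renewal threshold is the default certbot uses.

```python
# Added example (not the thread's or Let's Encrypt's own code). Sample values are constructed.
import base64
import hashlib
import json
from datetime import datetime, timedelta, timezone


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members only.

    Canonical means: only the required members, keys sorted, no whitespace. Any extra
    members (kid, alg, use) or a different member order must not change the result.
    """
    kty = jwk.get("kty")
    if kty == "RSA":
        required = {"e": jwk["e"], "kty": "RSA", "n": jwk["n"]}
    elif kty == "EC":
        required = {"crv": jwk["crv"], "kty": "EC", "x": jwk["x"], "y": jwk["y"]}
    else:
        raise ValueError(f"unsupported key type: {kty!r}")
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":")).encode("ascii")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact body the client must serve at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def ca_validates(token: str, account_jwk: dict, served_body: str) -> bool:
    """What the CA does after fetching the challenge URL: the body (trailing newline
    tolerated) must equal the key authorization for *this* account key. An HTML page,
    a redirect landing page or someone else's key authorization all fail."""
    return served_body.rstrip("\r\n") == key_authorization(token, account_jwk)


def renewal_due(not_after: datetime, now: datetime, days_before: int = 30) -> bool:
    """Let's Encrypt certificates last 90 days; certbot re-runs the challenge and
    renews once fewer than `days_before` days remain."""
    return now >= not_after - timedelta(days=days_before)


# Constructed sample account key (public part only, values are arbitrary and not a real key).
SAMPLE_JWK = {
    "kty": "RSA",
    "n": "sample-modulus-not-a-real-key",
    "e": "AQAB",
    "kid": "https://acme.example/acct/1",   # extra member: must not affect the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed token

# What a ZoneEdit frame/redirect page would hand the CA instead of the token file.
FRAME_PAGE_BODY = '<html><frameset><frame src="http://hiwaycorp.com:1234/"></frameset></html>'


def demo() -> dict:
    """Run the scenarios from the thread and return the outcomes."""
    expected = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    return {
        "served_from_own_host": ca_validates(SAMPLE_TOKEN, SAMPLE_JWK, expected + "\n"),
        "served_by_frame_page": ca_validates(SAMPLE_TOKEN, SAMPLE_JWK, FRAME_PAGE_BODY),
        "wrong_token": ca_validates("some-other-token", SAMPLE_JWK, expected),
        "renew_at_22_days_left": renewal_due(
            datetime(2017, 6, 1, tzinfo=timezone.utc), datetime(2017, 5, 10, tzinfo=timezone.utc)),
        "renew_at_61_days_left": renewal_due(
            datetime(2017, 6, 1, tzinfo=timezone.utc), datetime(2017, 4, 1, tzinfo=timezone.utc)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The validation is a one-off per issuance, not per visitor: the CA fetches the challenge URL once while issuing, and again roughly every 60 days when the client renews, so whatever answers on port 80 for your names at those moments has to be your own host serving that exact body.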