Up until now I have been running LetsEncrypt with DuckDNS with no problems whatsoever. The problem now is that I have created another DDNS that points to the same home network (bascoserver.hopto.org). Running SSL diagnostics reveals that the certificate is OK except for the fact that the domain names don't match. The DDNS address on the certificate matches the one on the other DDNS.
So I have a couple of questions on how to resolve this issue:
Can I create and renew the LetsEncrypt certificates from different computers without running into this problem?
I ask that because the first DDNS and SSL certificate are managed by hassio, so poking into that can be tricky.
Will the problem be solved if I create both certificates at once? This means running: sudo certbot -d bascoserver.hopto.org -d caleino.duckdns.org
Then I would have to export the certificate to the necessary machines, but that's another issue.
Not exactly. I already tried installing the certificate with sudo certbot -d bascoserver.hopto.org
The certificate is created, but when I go to https://www.ssllabs.com/ It tells me that the certificate domain name doesn't match the domain. So the certificate name doesn't match bascoserver.hopto.org. It instead matches caleino.duckdns.org
Another question to add to @rip's: When you're done, do you want bascoserver.hopto.org to connect to one of your servers behind the firewall, and caleino.duckdns.org to connect to a different server behind the firewall? If so, you're going to have to assign an alternate port (e.g. :8443) to use with one of those hostnames. Also, that introduces some challenges in terms of which server is answering the challenges to get certificates.
You are spot on @jsha . It seems that both domains are serving the same content, and using the same IP (88.15.114.240) so it would be helpful to know more about @mbc99's vision of what the end result would look like. Let's get it right.
SNI solves the multiple names on a single IP problem.
Now who will be performing the SNI logic?
I have not yet seen a firewall capable of routing based on inbound URL/SNI destination.
So, all inbound requests will be set to one single internal IP.
That internal system will need to proxy those requests to their respective endpoints.
You could have everything in your network secured - it could be dozens of certs.
But you only have one external IP - you first need a broker, you need to use a "reverse proxy".
Server 1 (using @Rip's naming scheme) is using (among others) port 443
Server 2 will be using (among others) port 3000
Server 1 and Server 2 won't have ports used in common
Moreover, Server 1 and Server 2 are on the same physical machine under Proxmox. So they are under the same interface (the VMs called Server 1 and Server 2 have different IPs)
It might sound strange that two DDNS are pointing to the same IP (now you know where I live :)). But I want to do it (under the probably false pretense) for security.
But the more I read the more I think it's stupid.
That's what I was afraid of.
So it's impossible to have two DDNS working correctly on the same public IP without having to use a reverse proxy or similar?
Probably not worth the added effort, but worth mentioning.
You could assign one system to handle all the HTTP requests.
So it would be fully responsible for all the certs and their renewals.
You would have to figure out how to synchronize the certs within all your internal systems.
Then you could access each system from the Internet over the same IP but to individually assigned ports.
So, for example:
port 8000 > DVR
port 8001 > Refrigerator
port 8002 > NVR
port 8003 > Toaster/Oven
LOL
OR
You could authenticate via DNS (not HTTP).
And remove the certificate manager system.
But then be left with the same non-overlapping port assignments.
So, you see, the most elegant method (that allows each device to use the default HTTPS port 443) would require using a reverse proxy.
That may sound insurmountable, but it is not.
Apache can do it easily.
Nginx can also do it easily (and better as far as I'm concerned).
So, if you can install either (or already have either installed) you can do this quite easily.
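As an added example (not part of the thread, and not anyone's actual config), here is what the reverse-proxy idea above looks like in practice: one nginx VM owns the public 80/443, picks the server block from the TLS SNI / Host header, and hands each DDNS name to a different internal VM, so both can keep using port 443 from the outside. The internal addresses (192.168.1.10 for Server 1 running Home Assistant over https, 192.168.1.11 for Server 2 on plain http port 3000), the certbot lineage directory name and the ACME webroot path are all assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or from any poster: render an nginx site file that
# lets one public IP serve both DDNS names on 443 and hand each to a different VM.
# nginx selects the server block from the TLS SNI (and the HTTP Host header), so the
# firewall only needs to forward 80 and 443 to this proxy VM.
# ASSUMED for illustration: Server 1 = 192.168.1.10 (Home Assistant, itself on https/443),
# Server 2 = 192.168.1.11 (plain http on 3000), the cert lineage name and the ACME webroot.
set -eu

# write_proxy_conf OUTFILE -- write the site config to OUTFILE
write_proxy_conf() {
  local out="$1"
  cat >"$out" <<'EOF'
# Port 80 for both names: serve HTTP-01 challenges from the webroot, redirect the rest.
server {
    listen 80;
    server_name bascoserver.hopto.org caleino.duckdns.org;
    location /.well-known/acme-challenge/ { root /var/www/acme; }
    location / { return 301 https://$host$request_uri; }
}

# caleino.duckdns.org -> Server 1 (assumed 192.168.1.10, Home Assistant speaking TLS)
server {
    listen 443 ssl http2;
    server_name caleino.duckdns.org;
    ssl_certificate     /etc/letsencrypt/live/bascoserver.hopto.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bascoserver.hopto.org/privkey.pem;
    location / {
        proxy_pass https://192.168.1.10:443;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# bascoserver.hopto.org -> Server 2 (assumed 192.168.1.11, plain HTTP on 3000)
server {
    listen 443 ssl http2;
    server_name bascoserver.hopto.org;
    ssl_certificate     /etc/letsencrypt/live/bascoserver.hopto.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bascoserver.hopto.org/privkey.pem;
    location / {
        proxy_pass http://192.168.1.11:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
EOF
}

# upstream_for_name CONF NAME -- print the proxy_pass target of the 443 block for NAME.
# A quick sanity check that each hostname lands on the intended VM (run `nginx -t` too).
upstream_for_name() {
  awk -v want="$2" '
    /^server[[:space:]]*\{/        { tls = 0; hit = 0 }
    /listen 443/                    { tls = 1 }
    /^[[:space:]]*server_name/      { hit = ($2 == (want ";")) }
    /proxy_pass/ && tls && hit      { sub(/;$/, "", $2); print $2 }
  ' "$1"
}

if [ "${1:-}" = "--write" ]; then
  write_proxy_conf "${2:-/etc/nginx/sites-available/ddns-proxy.conf}"
fi
```

With this in place the one certificate covering both names is obtained on the proxy host alone (for example `certbot certonly --webroot -w /var/www/acme -d bascoserver.hopto.org -d caleino.duckdns.org`), and the backend VMs never need the cert at all because TLS terminates at the proxy. Home Assistant rejects proxied requests unless its `http:` section lists the proxy in `trusted_proxies` with `use_x_forwarded_for: true`. Check the rendered file with `nginx -t` before reloading.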
I like this idea. I have installed proxmox so creating another VM or container wouldn't be an issue. I could create a shared folder or a NFS mount to share those certificates.
Then I would be able to create a certificate for both domains, so: sudo certbot -d bascoserver.hopto.org -d caleino.duckdns.org
And share (via a local shared folder or a network folder) the certificate, which would be the same for both domains, right?
Then I will probably give it a try. But I tried copying the certificate created from another VM into Server 1 (which is HASSIO for Home Assistant) and it didn't work.
But knowing it is possible I will give it another try.
But if I create a certificate for both DDNS, so: sudo certbot -d bascoserver.hopto.org -d caleino.duckdns.org
I will only have one of each of the four files that certbot creates, and so all the VMs (no matter what DDNS they are using) will have the same files, right?
Yes the one certificate will work for both names so it will work on both systems.
But you only need to use two of the files:
the private key
and the fullchain
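As an added example (not from the thread or any poster), the script below shows the two checks worth running before copying privkey.pem and fullchain.pem to another VM, which is where the earlier "copied it and it didn't work" attempt is most likely to have gone wrong: does the certificate's SAN list actually contain the hostname that VM answers to, and does the private key belong to that certificate. It generates a throwaway self-signed key/cert with both hostnames as SANs as a constructed stand-in for what `certbot -d bascoserver.hopto.org -d caleino.duckdns.org` writes under /etc/letsencrypt/live/, and a local directory stands in for the NFS share or target VM; all paths are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or from any poster. It builds a throwaway
# self-signed key/cert with BOTH hostnames as SANs (a constructed stand-in for the
# privkey.pem and fullchain.pem that certbot writes under /etc/letsencrypt/live/),
# then checks, before copying those two files to another system, that the cert names
# the host that system serves and that the private key belongs to that cert.
# Paths are assumptions; a local directory stands in for the NFS share / other VM.
# Needs OpenSSL 1.1.1 or newer (for -addext).
set -eu

# make_test_cert DIR -- constructed test material only, NOT a Let's Encrypt certificate
make_test_cert() {
  local dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=bascoserver.hopto.org" \
    -addext "subjectAltName=DNS:bascoserver.hopto.org,DNS:caleino.duckdns.org" \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1
}

# cert_covers NAME CERT -- succeed if NAME appears in the cert's subjectAltName.
# Browsers and ssllabs decide "name matches" from the SAN list, not the CN.
cert_covers() {
  openssl x509 -in "$2" -noout -text \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | grep -qx "$1"
}

# key_matches CERT KEY -- succeed if the cert's public key is the one derived from KEY.
# A mismatch here is what you get from a cert copied from one place and a key from another.
key_matches() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# deploy_cert SRC_DIR DST_DIR NAME -- copy only privkey.pem and fullchain.pem into DST_DIR
# (the two files a server needs), after checking NAME coverage and key/cert agreement.
deploy_cert() {
  local src="$1" dst="$2" name="$3"
  cert_covers "$name" "$src/fullchain.pem" \
    || { echo "refusing: cert has no SAN for $name" >&2; return 1; }
  key_matches "$src/fullchain.pem" "$src/privkey.pem" \
    || { echo "refusing: privkey.pem does not match fullchain.pem" >&2; return 1; }
  mkdir -p "$dst"
  install -m 0644 "$src/fullchain.pem" "$dst/fullchain.pem"
  install -m 0600 "$src/privkey.pem"   "$dst/privkey.pem"   # key readable by owner only
}

if [ "${1:-}" = "--demo" ]; then
  work=$(mktemp -d)
  make_test_cert "$work/live"
  deploy_cert "$work/live" "$work/server1" caleino.duckdns.org && echo "deployed to $work/server1"
  deploy_cert "$work/live" "$work/server2" bascoserver.hopto.org && echo "deployed to $work/server2"
fi
```

With the real certbot output, `deploy_cert /etc/letsencrypt/live/bascoserver.hopto.org /mnt/share/certs caleino.duckdns.org` does the same checks against the shared folder; running it from certbot's `--deploy-hook` means every renewal pushes the new pair out automatically, which is the synchronization problem mentioned earlier in the thread.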