Websites can't be accessed anymore in local network

I'm running several PWAs on my Raspberry, which is connected to my Wi-Fi.

Thus I'm using changeIP to do DynDNS.

It worked well for the past 2 years but recently (about 2 or 3 months?) I'm not able to access all my websites through my local network. But everything works well outside.

I'm not sure it's linked to Let's Encrypt; it's maybe linked to a new behaviour of Chrome / Mozilla.

I usually run the configuration with sudo ./certbot-auto --apache

And here is my Apache server conf:

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName *.youdontcare.com 
    DocumentRoot /var/www/html/<folder_name>/ 

    <Directory />
            Options FollowSymLinks
            AllowOverride None
            Require all granted
    </Directory>

    <Directory /var/www/html/<folder_name>/>
            Options FollowSymLinks
            AllowOverride None
            Require all granted
    </Directory>

    ErrorLog /var/log/apache2/error.log
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =*.youdontcare.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

My domain is: *.youdontcare.com
I ran this command: sudo ./certbot-auto --apache
My web server is (include version): Apache/2.4.25 (Raspbian)
The operating system my web server runs on is (include version): Raspbian GNU/Linux 9 (stretch)
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no ?
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0

Which says it is deprecated:
CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will drop support for it.
utils.CryptographyDeprecationWarning

Maybe it's linked to that?

I'm not 100% clear on what your problem is/are.

Going strictly from the topic title, I would have to ask:

  • What are all the (or any) names that fail from inside your local network?
  • What are their IP addresses returned by your DNS?
    [are they showing external IP numbers or internal IP numbers]

Going with the "deprecated" comment:

  • Why are you still using OpenSSL 1.0.1?
    [can you upgrade?]

Every name is failing inside my local network.

A good test I didn't think of is to ping from my PC, and it resolves to 109.221.149.92 which I'm afraid is external...

Concerning OpenSSL 1.0.1, I didn't change anything... Which is maybe the problem... I can maybe update this (I'll search how).

Furthermore, I can add that the problem is that when I'm going to http://*.youdontcare.com it doesn't redirect me to httpS traffic.

And going directly through httpS sends a Chrome error: NET::ERR_CERT_AUTHORITY_INVALID the connection isn't private

Look on the wall - the clock and calendar have changed plenty since 1.0.1 was released.
Not doing anything can become the problem [given enough time passing]

As for the IP 109.221.149.92, that is the Internet IP returned to all of us outside your internal network.
If you don't understand how that is a problem... then we have a problem.
Although this isn't a site for basic network design, nor education, I will give you this much: If your router doesn't support Hairpinning, you will need to use Split-DNS [a.k.a. Split-Brain|Split-horizon] to provide direct access to the internal systems via their internal IPs or simply hard-code the IPs in each of your local devices' HOSTS file.

HTTP access seems "broken":

curl -Iki http://spacecheap.youdontcare.com/
HTTP/1.1 403 Forbidden
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Content-Type: text/html; charset="utf-8"
Content-Length: 2941
Connection: Close

as it is currently: FORBIDDEN

Sorry, it is not allowed by my firewall:

Seems like you have some major issues!
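
The HOSTS-file and split-DNS workarounds suggested above for a router without hairpinning, as an added example (not code from the thread): it flags names that resolve to a public address from inside the LAN and emits the overrides. The LAN subnet, the server's internal IP 192.168.1.50 and the name app2.youdontcare.com are assumptions.

```python
import ipaddress

# Constructed sample: what a LAN client got back from DNS for each name.
# 109.221.149.92 and spacecheap.youdontcare.com are from the thread;
# app2.youdontcare.com and pi.lan are made up for illustration.
RESOLVED = {
    "spacecheap.youdontcare.com": "109.221.149.92",
    "app2.youdontcare.com": "109.221.149.92",
    "pi.lan": "192.168.1.50",
}
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet
SERVER_LAN_IP = "192.168.1.50"                # assumed internal IP of the server


def needs_hairpin(addr, lan=LAN):
    """True when a LAN client is sent to a public address, i.e. the request
    must leave via the router and be NATed back in (hairpin NAT) to work."""
    ip = ipaddress.ip_address(addr)
    return ip not in lan and ip.is_global


def split_dns_overrides(resolved, server_ip=SERVER_LAN_IP, lan=LAN):
    """Return (hosts_lines, dnsmasq_lines) for every affected name.

    hosts_lines go into each client's HOSTS file; dnsmasq_lines go into a
    LAN resolver running dnsmasq (split DNS). Overrides are emitted per
    host name so the rest of the shared DynDNS domain is left untouched.
    """
    affected = sorted(n for n, a in resolved.items() if needs_hairpin(a, lan))
    hosts = [f"{server_ip}\t{name}" for name in affected]
    dnsmasq = [f"address=/{name}/{server_ip}" for name in affected]
    return hosts, dnsmasq


if __name__ == "__main__":
    hosts, dnsmasq = split_dns_overrides(RESOLVED)
    print("# HOSTS file entries")
    print("\n".join(hosts))
    print("# dnsmasq entries")
    print("\n".join(dnsmasq))
```

With either override in place the browser still requests the public host name, so the certificate issued for that name keeps matching.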

Well well I know that the domain youdontcare.com is related to malicious... I don't know if it's just because IT IS DynDNS, or because some malicious sites used to use this DynDNS...

And I have been blocked a lot of times on different websites (here too: Akismet banned my post the first time). I should buy a domain some day!

Although I know that my network design isn't the most sturdy, I'm just pointing out the fact that it used to work without all that Hairpinning or split-DNS thing...

I'm sorry that I thought it was a Let's Encrypt problem and sorry to bother you with my "non-education".

You might be able to switch to a different DDNS provider (or just another DDNS domain) to overcome the Malicious website categorization [not 100% sure - I don't work for the firewall company that I use].

As for the lack of education: We are all born not knowing anything at all.
There is absolutely no shame in that.
I'm merely trying to point you in the right direction [not here].

I don't know how your site worked before.
I don't know anything about any changes you may have made over time.
I barely know anything about how it is configured now.
But, again, this is not a forum about configuring networks :(