SSL made easy


MikeB111

43 minutes ago, cayars said:

That's only for dynamic domains and not user registered domains correct?

https://www.noip.com/support/knowledgebase/purchase-enhanced-dynamic-dns-plus-managed-dns/

 

Looks like you would have to go with Plus Managed DNS, which is paid ($29.99 a year). So yeah, I think it's only free with dynamic.

Edited by bandit8623

  • 1 month later...

This SSL setup served me well when I was using a Windows Home Server. When I moved to the Synology NAS, I switched to a Let's Encrypt SSL cert, Synology's Reverse Proxy and their Web Station app.

I didn't think Caddy worked with Synology NAS.

Does anyone in this group have a working configuration for Synology DSM 7+ that works using a Domain/URL for remote access that you could share with me?

Your input would be greatly appreciated.

Edited by JulesC

  • 4 months later...
iPhoneMaxPro

Hello, thanks for sharing this amazing information. I tried to configure everything, and I would like to ask whether it is possible to change the default ports of Caddy (443 and 80), because I already have a server active on those ports.

Edited by iPhoneMaxPro

pwhodges

You can change the ports in Caddy, but you will need to configure the automatic SSL to use a different technique from the default.

Paul


You really don't want to do that. One of the benefits of running a reverse proxy is being able to use the same ports (i.e. 80 & 443) for multiple programs/services you have running. The proxy can differentiate where to send the data internally based on the subdomain you set up, such as www.domain.com, emby.domain.com, portal.domain.com, etc.

Carlo


bandit8623
1 hour ago, noemi_karole said:

Hey, thanks for sharing, but there are ways that are much simpler and easier.

There is always an easier way. The question that needs to be asked is: is it free? :) Share this knowledge of easier ways.


redaktorn
19 hours ago, noemi_karole said:

Hey, thanks for sharing, but there are ways that are much simpler and easier.

Yes Please - I would also be interested in the "much simpler and easier" way.

Today I use a reverse proxy (Caddy) on Linux Mint. It works well but takes some learning to set up.
Unfortunately, Caddy gets messed up and stops working if I upgrade to the latest Linux Mint version. So I am looking for another solution.


seanbuff
1 hour ago, redaktorn said:

Unfortunately, Caddy gets messed up and stops working if I upgrade to the latest Linux Mint version. So I am looking for another solution.

If you keep your basic Caddy config inside your Caddyfile, then it should be very easy to restore after an upgrade or even move to another machine with Caddy installed.


redaktorn
21 hours ago, seanbuff said:

If you keep your basic Caddy config inside your Caddyfile, then it should be very easy to restore after an upgrade or even move to another machine with Caddy installed.

Yes, I know that. My problem is that I have not had time to investigate it more deeply. An upgrade of Linux Mint moves Caddy's archive and files to new locations. It is probably not so complicated, but I just have not had the time yet. And another solution could be interesting as well.


Thank you for the guide but certain parts don't seem to match up with what's in front of me. 

  1. For pointing the purchased Google domain to my HTPC, I go to 'Website' and then 'Forwarding' and simply enter the static IP of my HTPC?
  2. ZeroSSL - you copy "_acme-challenge.yourdomain.net" into the 'Host name' box under 'Custom records'? TXT for type. Leave TTL at 3600. And then paste the long alphanumeric string from the CMD window into "Data"?
  3. I save the record and then press Enter in the ZeroSSL CMD window.

But I'm then greeted with the below: 

2023/04/14 12:04:39 Processing the 'dns' verification for 'yourdomain.net'
2023/04/14 12:04:39 Domain verification results for 'yourdomain.net': error. DNS problem: NXDOMAIN looking up TXT for _acme-challenge.yourdomain.net - check that a DNS record exists for this domain
2023/04/14 12:04:39 You can now delete '_acme-challenge.yourdomain.net' DNS record
2023/04/14 12:04:39 All verifications failed

And there is no certificate file in the folder. Instead there are account.key, domain.csr and domain.key.


pwhodges

The domain verification is saying the domain name is not set up. You can check that directly by doing an nslookup (with the command-line tool, or you can use this website: https://www.nslookup.io/ ).

I don't know what Google's DNS interface looks like, but you need to set up an A record. In my experience "Website" + "Forwarding" suggests that the name is pointing to Google's server, not yours, and web traffic is then forwarded from there, which is not the same thing and won't work for this purpose.

Paul


Q-Droid

For the TXT record entry, the "host name" is usually not the FQDN but only the name portion. The validation tool already knows the domain and concatenates the two.

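To make Q-Droid's point concrete, here is a small Python helper added as an illustration (it is not from anyone in this thread). It models how a registrar joins the 'Host name' field to the zone and compares the result with the name an ACME dns-01 validator queries, reproducing the NXDOMAIN above; the domain names are constructed placeholders.

```python
# Added example (not from this thread): model how a registrar joins the
# "Host name" field with the zone, and compare the result with the name an
# ACME dns-01 validator actually queries. Domain names are constructed
# placeholders (yourdomain.net); the registrar behaviour assumed is the common
# one of appending the zone to any host name that is not already fully qualified.

ACME_LABEL = "_acme-challenge"


def effective_fqdn(host_field: str, zone: str) -> str:
    """Name the registrar publishes for a given 'Host name' entry."""
    zone = zone.rstrip(".").lower()
    host = host_field.strip().lower()
    if host in ("", "@"):            # apex record
        return zone
    if host.endswith("."):           # already fully qualified (trailing dot)
        return host.rstrip(".")
    return f"{host}.{zone}"          # relative name: zone is appended


def acme_txt_name(cert_name: str) -> str:
    """TXT name the CA looks up when validating cert_name via dns-01."""
    return f"{ACME_LABEL}.{cert_name.rstrip('.').lower()}"


def relative_name(fqdn: str, zone: str) -> str:
    """Host-name portion to type into the registrar for a fully qualified name."""
    suffix = "." + zone.rstrip(".").lower()
    fqdn = fqdn.rstrip(".").lower()
    return fqdn[: -len(suffix)] if fqdn.endswith(suffix) else fqdn


def check_txt_entry(host_field: str, zone: str, cert_name: str) -> tuple[bool, str]:
    """Explain whether the CA will find the TXT record the user is about to create."""
    zone = zone.rstrip(".").lower()
    created = effective_fqdn(host_field, zone)
    wanted = acme_txt_name(cert_name)
    if created == wanted:
        return True, f"OK: TXT record will be published at {created}"
    if created.endswith(f".{zone}.{zone}"):
        # The thread's failure: the full name was pasted into a relative field,
        # so the zone appears twice and the CA gets NXDOMAIN for the real name.
        return False, (f"zone repeated: record lands at {created}; "
                       f"enter host name '{relative_name(wanted, zone)}' instead")
    return False, f"mismatch: registrar publishes {created} but CA queries {wanted}"
```

Note that a certificate for emby.yourdomain.net is validated at _acme-challenge.emby.yourdomain.net, so the host-name field then needs the "emby" label as well.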

Thank you both for the prompt responses and help. I've made progress I think. 

For the pointing the newly purchased domain to my HTPC, I deleted the forwarding rule in the Google Domains settings. And instead created a new A custom record calling it "emby.yourdomain.net" and put my IP in the Data field. Sorted.

Did the certificate part again and it worked this time. I removed the double-counted 'yourdomain.net' part, as Q-Droid mentioned.

Did the last few bits in the Emby server settings and my remote WAN address has now changed to https://yourdomain.net:8920. However, it doesn't work, and trying nslookup shows no A or TXT records. I assume this is just a case of waiting for it to sync?

And am I still fine to use 8920? I saw another similar guide say not to use this (nor 8096) and to opt for 443 instead.

The Emby app works for me accessing my server (on data and not home WiFi), it asked something about a certificate which I accepted. 

Edited by xibinim

Neminem

Yep, it can take a couple of hours for the DNS to propagate through all DNS servers.

Sometimes longer.


pwhodges

Also, it's not clear to me from what you've written whether you are consistent in using "emby.yourdomain.net" vs "yourdomain.net".  It may be that you need to edit the "External domain" entry in the network settings to include the initial "emby."  Everything must match the version you've made the certificate for.

Paul

Edited by pwhodges

Teknician

Did you add a custom A record in domains, pointing to your web address and your WAN IP?

Mine's been doing great for a couple of years now.

Hostname = yourdomain.com
Type = A
TTL = 5 Minutes
Data = Your IP


38 minutes ago, pwhodges said:

Also, it's not clear to me from what you've written whether you are consistent in using "emby.yourdomain.net" vs "yourdomain.net".  It may be that you need to edit the "External domain" entry in the network settings to include the initial "emby."  Everything must match the version you've made the certificate for.

Paul

I think you're right. I didn't have "emby" before my domain name in the external domain section of the Emby settings. Adding it made the WAN address work, but it still comes up with a "this isn't a secure connection" warning and HTTPS is crossed out. This is how I have my settings.

 


Edited by xibinim

pwhodges

Hmm.  I presume you mean that even though the security isn't working, you are now seeing a working (insecure) connection to Emby.

I've never tried putting a certificate into Emby itself - I use a reverse proxy for that (which also gets and updates the certificate completely automatically).  But the Emby server log file might contain a clue to why it's not working.

Paul


13 minutes ago, pwhodges said:

Hmm.  I presume you mean that even though the security isn't working, you are now seeing a working (insecure) connection to Emby.

I've never tried putting a certificate into Emby itself - I use a reverse proxy for that (which also gets and updates the certificate completely automatically).  But the Emby server log file might contain a clue to why it's not working.

Paul

Thanks, I'll prepare a log. Will it require a lot of effort to strip out personal information?

Edit - after a quick scan, all I can see that's worth replacing is my name (the username for this PC).

Edited by xibinim

Teknician

If your _acme-challenge does not include "emby.", then that shouldn't be added to your server, but just the actual domain. 

_acme-challenge.MYDOMAIN.COM

 


Q-Droid

Check to see what CN the cert was issued for - <your domain> or emby.<your domain>. Without wildcard or SANs your site DNS name needs to match the cert CN. If both <your domain> and emby.<your domain> resolve to the same address then try both in a browser then plug the one that works into the emby network settings or get a new cert issued to the name you want to use. Or add wildcard/SANs.

Restart your Emby server, then check the fresh log. If you're having problems with the cert/pfx file, it will show up on startup, not after log rotation. It should be close to the top of the log.

 

 

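As an added illustration of Q-Droid's CN/SAN point (example code, not from anyone in this thread), here is a stdlib-only Python check of which names a certificate covers and whether the name typed into the browser or Emby's external domain matches one of them, with wildcard handling. The certificate dicts are constructed in the shape ssl.SSLSocket.getpeercert() returns and use placeholder domains.

```python
# Added example (not from this thread): which names does a certificate cover,
# and does a given host name match one of them the way a browser decides?
# The cert dicts are constructed in the shape ssl.SSLSocket.getpeercert()
# returns; yourdomain.net is a placeholder.

def cert_dns_names(cert: dict) -> list[str]:
    """Names the cert is valid for: SAN DNS entries, else (legacy) the CN."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard covers exactly one left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole left-most label, never match a public suffix
    # like "*.net", and never span more than one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))


def diagnose(cert: dict, hostname: str) -> str:
    """Turn a mismatch into the advice given in the thread."""
    names = cert_dns_names(cert)
    if hostname_matches(cert, hostname):
        return f"{hostname} matches certificate names {names}"
    return (f"{hostname} is NOT covered; certificate is for {names}. Use one of "
            f"those names as Emby's external domain, or reissue the certificate "
            f"with {hostname} as a SAN (or a wildcard).")


# Constructed: cert issued for the bare domain while Emby uses the subdomain.
BARE_DOMAIN_CERT = {
    "subject": ((("commonName", "yourdomain.net"),),),
    "subjectAltName": (("DNS", "yourdomain.net"),),
}
# Constructed: wildcard cert that also lists the apex as a SAN.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.yourdomain.net"),),),
    "subjectAltName": (("DNS", "*.yourdomain.net"), ("DNS", "yourdomain.net")),
}
```

To see the names on a live certificate (OpenSSL 1.1.1 or later), `openssl s_client -connect yourdomain.net:8920 -servername yourdomain.net </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName` prints the subject and SAN list the check above works from.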
