Posted

That's only for dynamic domains and not user registered domains correct?

  • 1 month later...
Posted (edited)

This SSL setup served me well when I was using a Windows Home Server. Since I moved to the Synology NAS, I use a Let's Encrypt SSL cert, Synology's Reverse Proxy and their Web Station app.

I didn't think Caddy worked with Synology NAS.

Does anyone in this group have a working configuration for Synology DSM 7+ that works using a Domain/URL for remote access that you could share with me?

Your input would be greatly appreciated.

Edited by JulesC
  • 4 months later...
iPhoneMaxPro
Posted (edited)

Hello, thanks for sharing this amazing information. I tried to configure everything and I would like to ask if it is possible to change the default ports of Caddy (443 and 80), because I already have a server active on those ports.

Edited by iPhoneMaxPro
pwhodges
Posted

You can change the ports in Caddy, but you will need to configure the automatic SSL to use a different technique from the default.

Paul

Posted

You really don't want to do that. One of the benefits of running a reverse proxy is being able to use the same ports (i.e. 80 & 443) for multiple programs/services you have running. The proxy can differentiate where to send the data internally based on the subdomain you set up, such as www.domain.com, emby.domain.com, portal.domain.com, etc.

Carlo

  • Agree 1
noemi_karole
Posted

Hey, thanks for sharing, but there are ways much simpler and easier.

bandit8623
Posted
1 hour ago, noemi_karole said:

Hey, thanks for sharing, but there are ways much simpler and easier.

There is always an easier way. The question that needs to be asked is: is it free? :) Share this knowledge of easier ways.

redaktorn
Posted
19 hours ago, noemi_karole said:

Hey, thanks for sharing, but there are ways much simpler and easier.

Yes please, I would also be interested in the "much simpler and easier" way.

Today I use a reverse proxy (Caddy) on Linux Mint. It works well but takes some learning to set up.
Unfortunately Caddy messes up and stops working if I upgrade to the latest Linux Mint version. So I am looking for another solution.

seanbuff
Posted
1 hour ago, redaktorn said:

Unfortunately Caddy messes up and stops working if I upgrade to the latest Linux Mint version. So I am looking for another solution.

If you keep your basic Caddy config inside your Caddyfile, then it should be very easy to restore after an upgrade or even move to another machine with Caddy installed.

redaktorn
Posted
21 hours ago, seanbuff said:

If you keep your basic Caddy config inside your Caddyfile, then it should be very easy to restore after an upgrade or even move to another machine with Caddy installed.

Yes, I know that. My problem is that I have not had time to investigate it deeper. An upgrade of Linux Mint moves Caddy's archive and files to new locations. It is probably not so complicated, but I just have not had the time yet. And another solution could be interesting also.

Posted

Thank you for the guide, but certain parts don't seem to match up with what's in front of me.

  1. For pointing the purchased Google domain to my HTPC, I go to 'Website' and then 'Forwarding' and simply enter the static IP for my HTPC?
  2. ZeroSSL - you copy "_acme-challenge.yourdomain.net" into the 'Host name' box in 'Custom records'? TXT for type. Leave TTL as 3600. And then paste the long alphanumeric string from the CMD window into "Data"?
  3. I save the record and then press Enter in the ZeroSSL CMD box.

But I'm then greeted with the below:

2023/04/14 12:04:39 Processing the 'dns' verification for 'yourdomain.net'
2023/04/14 12:04:39 Domain verification results for 'yourdomain.net': error. DNS problem: NXDOMAIN looking up TXT for _acme-challenge.yourdomain.net - check that a DNS record exists for this domain
2023/04/14 12:04:39 You can now delete '_acme-challenge.yourdomain.net' DNS record
2023/04/14 12:04:39 All verifications failed

And there is no certificate file in the folder. Instead: account.key, domain.csr and domain.key.

pwhodges
Posted

The domain verification is saying the domain name is not set up. You can check that directly by doing an nslookup (command line tool, or you can use this website: https://www.nslookup.io/ ).

I don't know what Google's DNS interface looks like, but you need to set up an A record. In my experience "website" + "forwarding" suggests that the name is pointing to Google's server, not yours, and web traffic is then forwarded from there, which is not the same thing, and won't work for this purpose.

Paul

Q-Droid
Posted

For the TXT record entry the "host name" is usually not the FQDN but only the name portion. The validation tool already knows the domain and concatenates the two.

Posted (edited)

Thank you both for the prompt responses and help. I've made progress, I think.

For pointing the newly purchased domain to my HTPC, I deleted the forwarding rule in the Google Domains settings. Instead I created a new custom A record called "emby.yourdomain.net" and put my IP in the Data field. Sorted.

Did the certificate part again and it worked this time. Removed the double-counted 'yourdomain.net' part of it as Q-Droid mentioned.

Did the last few bits in the Emby server settings and my remote WAN address has now changed to https://yourdomain.net:8920. However it doesn't work, and trying nslookup shows no A or TXT records. Assume this is just a case of waiting for it to sync?

And am I still fine to use 8920, as I saw another similar guide say not to use this (nor 8096) and opt for 443 instead?

The Emby app works for me accessing my server (on data and not home WiFi), it asked something about a certificate which I accepted. 

Edited by xibinim
Neminem
Posted

Yep, it can take a couple of hours for the DNS to resolve through all DNS servers.

Sometimes longer. 

Posted

Sweet - thanks again :)

Should have done this a long time ago. 

pwhodges
Posted (edited)

Also, it's not clear to me from what you've written whether you are consistent in using "emby.yourdomain.net" vs "yourdomain.net". It may be that you need to edit the "External domain" entry in the network settings to include the initial "emby." Everything must match the version you've made the certificate for.

Paul

Edited by pwhodges
Teknician
Posted

Did you add a custom A record in domains, pointing to your web address and your WAN IP?

Mine's been doing great for a couple of years now.

Hostname = yourdomain.com
Type = A
TTL = 5 Minutes
Data = Your IP

Posted (edited)
38 minutes ago, pwhodges said:

Also, it's not clear to me from what you've written whether you are consistent in using "emby.yourdomain.net" vs "yourdomain.net". It may be that you need to edit the "External domain" entry in the network settings to include the initial "emby." Everything must match the version you've made the certificate for.

Paul

Think you're right. I didn't have "emby" before my domain name in the external domain section of the Emby settings. Adding it then made the WAN address work, but it still comes up with a "this isn't a secure connection" warning and HTTPS is crossed out. This is how I have my settings (screenshots attached).

Edited by xibinim
  • Thanks 1
pwhodges
Posted

Hmm. I presume you mean that even though the security isn't working, you are now seeing a working (insecure) connection to Emby.

I've never tried putting a certificate into Emby itself; I use a reverse proxy for that (which also gets and updates the certificate completely automatically). But the Emby server log file might contain a clue to why it's not working.

Paul

Posted (edited)
13 minutes ago, pwhodges said:

Hmm. I presume you mean that even though the security isn't working, you are now seeing a working (insecure) connection to Emby.

I've never tried putting a certificate into Emby itself; I use a reverse proxy for that (which also gets and updates the certificate completely automatically). But the Emby server log file might contain a clue to why it's not working.

Paul

Thanks, I'll prepare a log. Will it require a lot of effort to strip out personal information?

Edit - after a quick scan, all I can see that's worth replacing is my name (username for this PC).

Edited by xibinim
Teknician
Posted

If your _acme-challenge does not include "emby.", then that shouldn't be added to your server, but just the actual domain:

_acme-challenge.MYDOMAIN.COM

(Emby screenshots attached.)

Q-Droid
Posted

Check to see what CN the cert was issued for: <your domain> or emby.<your domain>. Without a wildcard or SANs your site's DNS name needs to match the cert CN. If both <your domain> and emby.<your domain> resolve to the same address, then try both in a browser and plug the one that works into the Emby network settings, or get a new cert issued to the name you want to use. Or add a wildcard/SANs.

Restart your Emby server, then check the fresh log. If you're having problems with the cert/pfx file it will show on startup, not after log rotation. It should be close to the top of the log.
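As an added example (not code from this thread or from Emby), here is a small Python check of the point Q-Droid makes above: whether the name entered in Emby's "External domain" is actually covered by the certificate's CN or SAN entries, including the one-label wildcard rule browsers apply. The sample certificate dict and the `fetch_cert` helper are my own constructions; port 8920 is the one used in the thread.

```python
import socket
import ssl

# Constructed sample shaped like ssl.SSLSocket.getpeercert(): a cert issued
# only for the bare domain, with no "emby." name and no wildcard.
SAMPLE_CERT = {
    "subject": ((("commonName", "yourdomain.net"),),),
    "subjectAltName": (("DNS", "yourdomain.net"),),
}


def cert_names(cert):
    """DNS names a client will accept for this cert: SAN entries plus the CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Exact match, or a wildcard that stands for exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    # Reject "*.net" style wildcards and require the same label count:
    # *.yourdomain.net covers emby.yourdomain.net but not yourdomain.net.
    return (len(pat_labels) >= 3
            and len(host_labels) == len(pat_labels)
            and host_labels[1:] == pat_labels[1:])


def covers_hostname(cert, hostname):
    """True when the name typed into Emby's External domain is on the cert."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def fetch_cert(host, port=8920):
    """Pull the cert Emby actually serves (network call; not used offline)."""
    # Hostname checking is off so a mismatch still returns the cert for
    # inspection; chain validation stays on, so a self-signed cert raises.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `covers_hostname(fetch_cert("emby.yourdomain.net"), "emby.yourdomain.net")` against your own host; a `False` here is exactly the "not secure" warning the browser shows.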
