[SOLVED] I had to open ports 80 and 443 (maybe 1 was enough, idk) while renewing certs ! Now its time to learn how to do it without opening ports (:
Hey guys, I have nginx proxy manager running in docker container on my home server. I don’t have any ports open (other than wireguard) and I was using custom local domain .tride to access my services. Everything works fine, I can use https://portainer.tride, https://homeassistant.tride, etc.
I want to get rid of warnings about the risk that I have to accept to continue. Not a big deal for Firefox on desktop, but its kinda annoying on Android. Also I think it stops me from using some services that require SSL certs (like floccus). I tried to create a LetsEncrypt certificate using DNS challenge and DuckDNS in NPM. I also tried to download certs and import to Android, CA cert is added successfully, but didn’t work.
Now I bought example.com domain from porkbun.com and trying to set it up:
- Created CNAME on porkbun - *.example.com pointing to my example.duckdns.org
- Created cert using same procedure (DNS challenge and DuckDNS in NPM) with hosts *.example.com and example.com
- Created Local DNS records in PiHole
Now I get strange behavior, sometimes I can open portainer.example.com with no problem, no warning, perfect. Then sometimes it doesn’t load at all and it says “Server Not Found”. Some services open normally, but like bookstack.example.com opens broken page and if I click anywhere it redirects me to my old bookstack.tride (still exists in NPM and PiHole) and asking to accept the risk.
I’m trying to use services from local network or wireguard only, at least for now.
I am also using the same domain for my e-mail at mailbox.org if that matters. Not sure what I’m doing wrong, but I’m sure there is something. I’m happy to listen any suggestion, and sorry for being noob <3
Maybe you could also try to generate your one SSL certificate and add it to your Android/Linux/Windows devices as root certificate 🤷🏼♂️.
That’s only a possibility, of you’re willing to do this to every single device that should be able to connect to your services
I am willing to do that for every single device I use, but how can I do that? I have 3 options to install (android 12): CA certificate, VPN & app user certificate and Wi-Fi certificate
I can download cert from NPM, I get 4 files, but only one can be installed (at least the way I tried)
This is what I do only because cryptography it’s a big weakness of mine so I wanted to work through it to understand it. I ended up setting up a raspberry pi with Debian and went at it with guidance from a YouTube video. Notice I said guidance, to get started. From there, I built my own CA server and issue certs to my services, upload the certs to NPM and apply them to the services I need.
Documented every step of the way and made templates out of config files.
It’s not the sexiest solution BUT I have a way better handle on cryptography than I did before.
Thanks! This sounds like approach I would prefer, but tbh I’m overwhelmed with information and I’m happy my setup is working for now. I will defo look into local CA server when I get more familiar with everything.
Don’t shy away from it based on how difficult you THINK it is. It’s really not that complicated once the concept and the different parts of what makes that lock icon appear on your browser are explained in detail. I was in your exact position, paralyzed by the thought of tackling such a topic. If you have the time, have a look at the video I linked. Everything is explained really well (although it is a bit dry and long at the beginning but it’s worth it). After that, if you have questions, dm me (if that’s a thing in Lemmy).
I would say I would give you my templates/instructions if you’d like but that would do you more harm than good.
Thank you my friend, so kind of you. I will watch that video for sure and let you know if I have more questions
Here is an alternative Piped link(s): https://piped.video/nOSl4dmywe8?si=XxBLwPNlq-wt2swR
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source, check me out at GitHub.
Actually, had no idea this existed. Good bot