[SOLVED] I had to open ports 80 and 443 (maybe 1 was enough, idk) while renewing certs! Now it's time to learn how to do it without opening ports (:

Hey guys, I have nginx proxy manager running in docker container on my home server. I don’t have any ports open (other than wireguard) and I was using custom local domain .tride to access my services. Everything works fine, I can use https://portainer.tride, https://homeassistant.tride, etc.

I want to get rid of the warnings about the risk that I have to accept to continue. Not a big deal for Firefox on desktop, but it's kinda annoying on Android. Also I think it stops me from using some services that require SSL certs (like floccus). I tried to create a LetsEncrypt certificate using DNS challenge and DuckDNS in NPM. I also tried to download the certs and import them into Android; the CA cert is added successfully, but it didn't work.

Now I bought the example.com domain from porkbun.com and I'm trying to set it up:

  1. Created CNAME on porkbun - *.example.com pointing to my example.duckdns.org
  2. Created cert using same procedure (DNS challenge and DuckDNS in NPM) with hosts *.example.com and example.com
  3. Created Local DNS records in PiHole

Now I get strange behavior: sometimes I can open portainer.example.com with no problem, no warning, perfect. Then sometimes it doesn't load at all and it says "Server Not Found". Some services open normally, but bookstack.example.com, for example, opens a broken page, and if I click anywhere it redirects me to my old bookstack.tride (still exists in NPM and PiHole) and asks me to accept the risk.

I’m trying to use services from local network or wireguard only, at least for now.

I am also using the same domain for my e-mail at mailbox.org, if that matters. Not sure what I'm doing wrong, but I'm sure there is something. I'm happy to listen to any suggestion, and sorry for being a noob <3

  • @[email protected] (10 months ago)

    Nice, congrats on getting it working and learning new stuff in the process!

    As for why you have to open port 80: I don't know if this is (still) how certbot works, but back before certbot was a thing, you set up an SSL certificate by adding an HTML tag to your site's header. That way, when the certificate issuer loaded your site from their end they could see that you did indeed have access to that site (otherwise you wouldn't be able to add the requisite tag). Once the verification was complete, you could remove the tag. I assume certbot is automating a process similar to this (maybe at the proxy level even), and that's why you have to open port 80 - so that certbot's issuer can "see" your site from their connection and verify that you do indeed have access to, and therefore ownership of, it.

    To renew your cert, I don't know if you will need to re-open the ports or not, but I would not be surprised if you did. You should be able to run certbot with a dry-run flag that will do everything except actually install a new certificate. You could try doing that with the ports closed and see if it succeeds or fails. If it fails, you probably need the ports open. If it succeeds, you probably don't need them open. Either way, you'll find out in November when the automatic renewal takes place. Worst case scenario, you get a security warning when you go to the site on your LAN indicating that the cert is expired. You'd then open the ports, renew, and close them again.

    As for the risk of having the ports opened for a couple of minutes, I think that would be negligible unless you're hosting something that is inherently insecure. Someone would have to know your public IP and hit it at just the right time to see your site on the open ports. Then they would have to do whatever attacks they want within the amount of time it takes for you to renew the cert. If you're hosting something that doesn't use a secure login page and could be used as a jump box to other devices in your network - that's probably no bueno. But if you're running something that's secured, your risk shouldn't be too bad. Bonus points if you set up your gateway to block outbound connections from your server except for ports 80 and 443, but that's assuming your server doesn't need to use other ports, of course. It all depends what you're hosting there; hopefully that makes sense.

    Edit: This forum post indicates that access is required for certificate renewal, meaning you would indeed need to open the ports to renew. There is also another style of ownership verification mentioned in that thread which would not require you to open the ports, because it uses DNS to check for ownership. This would essentially require you to add a DNS text record to prove that you own the site’s domain. I am less familiar with this process, but it may be an option for you if you are willing to research it.

    • @[email protected] (OP) (10 months ago)

      Thanks again. It makes sense, but I will try to set it up with the DNS challenge since I prefer not opening ports. I'm happy it works for now, and I also have some good material to read in my free time. Cheers