I am a little confused and am looking for some guidance. I am running the latest Nginx on a home machine running Ubuntu 20.04 version 2. I have pfSense as my router/firewall running on a different machine. I have set up a DDNS ([my_name].ddns.net) entry to point to my ever-changing WAN IP address.

I have 4 domains (various ways to spell my name).

I was able to create a Let's Encrypt certificate using certbot for the [my_name].ddns.net URL using:

sudo /snap/bin/certbot run --cert-name [my_name].ddns.net

It tells me that the plumbing is right. I confirmed that the certificate was generated, that nginx was modified and most importantly the URL comes up securely when referenced using HTTPS.

I am now trying to create another certificate for one of the 4 main domains:

sudo /snap/bin/certbot run --cert-name [my_name].com -d [my_name].com

This command is trying, but is failing validation. I am hosting this URL at mydomain.com and have it configured for a standard forward to [my_name].ddns.net. The only thing I can figure is that the updated settings at mydomain.com haven't propagated yet.

Should I be able to do what I am trying to do (i.e. create a second certificate hosted on the same webserver as the DDNS domain serving up the same website with HTTPS through a standard forward)?

Ideally, I would love to get these 4 domains to stealth forward to [my_name].ddns.net so the user doesn't ever see the DDNS URL, but still gets the "secure" message from the browser.

Is this possible or am I missing something?

Thanks a bunch.

Garet Jax
  • 115
  • 5
  • What do you mean by " a standard forward"? HTTP 3xx redirect? Meta refresh? DNS CNAME? – Ryan Bolger Mar 09 '21 at 17:01
  • @Ryan - Not really sure. MyDomain.com doesn't specify. They have a "Standard" Forward and a "Stealth" Forward. I expect it is a DNS CNAME because changes don't appear immediately. – Garet Jax Mar 09 '21 at 17:04
  • Is "they" your registrar for the domain who is also hosting the DNS zone for it? If so, do you mind saying which? The "standard forward" does sound like a normal CNAME record...but I'm not sure what a "stealth" forward would be unless it's like an "alias" record that some providers have that you manage like a CNAME (pointing to another name) but ultimately creates an A record (pointing to the current IP for that name). Also, I could probably figure it out if you post the actual domain or maybe a screenshot from the web UI. – Ryan Bolger Mar 09 '21 at 17:47
  • @Ryan - I feel like we're playing who's on first :-) The domain registrar is "mydomain.com". I just asked them how they are handling the redirect and they said through back end scripting. I am a little skeptical, but am waiting on confirmation from them. PS - thanks for taking the time. – Garet Jax Mar 09 '21 at 18:00
  • lol, I thought that was just an example. My bad. – Ryan Bolger Mar 09 '21 at 18:02

1 Answer

2

Bottom line, yes. You can create as many certificates as you want for any valid name that points to your machine via normal DNS records (CNAME, A, AAAA). Some DNS providers and domain registrars have a feature (sometimes called an ALIAS record) that lets you put a virtual CNAME record on the domain apex because CNAME records can't normally exist on the domain apex. Their nameservers will dynamically respond with an A record for the current IP address the alias name points to.

The Let's Encrypt validation servers will always make a standard port 80 HTTP request to http://<name-in-cert>/.well-known/acme-challenge/<token> and expect to receive the appropriate key authorization value in the body of the response. They will follow HTTP 3xx redirects, but I don't think they will follow meta refresh tags. The token and key authorization values will be different for each name and each renewal which is why it's important to try and automate this process.

Ryan Bolger
  • 16,755
  • 4
  • 42
  • 64
  • Thanks. I confirmed the "mydomain.com" was not using a CNAME record to do the forwarding so I added one myself. This allowed the certbot to validate things. Onto the next problem. Thanks for the help. – Garet Jax Mar 09 '21 at 22:01
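As an added example (not from the answer, certbot or Let's Encrypt), a small simulation of the validator behaviour described above: a plain HTTP request for the challenge path, 3xx redirects followed, meta refresh not followed, and the body compared against the key authorization. All hostnames, the token and the thumbprint are constructed placeholders.

```python
import re
from typing import Callable, Dict, Tuple

# Constructed responses keyed by URL: (status, headers, body). Hostnames are invented.
Response = Tuple[int, Dict[str, str], str]

def key_authorization(token: str, thumbprint: str) -> str:
    # HTTP-01 key authorization is "<token>.<account key thumbprint>" (RFC 8555, section 8.1)
    return f"{token}.{thumbprint}"

def simulate_http01(name: str, token: str, thumbprint: str,
                    fetch: Callable[[str], Response], max_redirects: int = 10) -> Tuple[bool, str]:
    """Emulate the validator: plain HTTP on port 80, follow 3xx, compare the response body."""
    url = f"http://{name}/.well-known/acme-challenge/{token}"
    expected = key_authorization(token, thumbprint)
    for hop in range(max_redirects + 1):
        status, headers, body = fetch(url)
        if 300 <= status < 400 and "Location" in headers:
            url = headers["Location"]          # 3xx redirects are followed
            continue
        if status != 200:
            return False, f"{url} returned HTTP {status}"
        if re.search(r"""<meta[^>]+http-equiv=["']?refresh""", body, re.I):
            return False, f"{url} served a meta refresh, which validators do not follow"
        if body.strip() != expected:
            return False, f"{url} body does not match the key authorization"
        return True, f"validated at {url} after {hop} redirect(s)"
    return False, "too many redirects"

# Constructed challenge values, not from a real ACME account.
TOKEN, THUMB = "tok-constructed-123", "thumb-constructed-abc"
KEYAUTH = key_authorization(TOKEN, THUMB)
CHALLENGE = f"/.well-known/acme-challenge/{TOKEN}"
SAMPLE: Dict[str, Response] = {
    # forward as a 301 that keeps the path: the validator lands on the real challenge file
    f"http://good.example{CHALLENGE}": (301, {"Location": f"http://host.ddns.example{CHALLENGE}"}, ""),
    f"http://host.ddns.example{CHALLENGE}": (200, {}, KEYAUTH),
    # forward that sends everything to the target's root: the challenge path is lost
    f"http://rootonly.example{CHALLENGE}": (302, {"Location": "http://host.ddns.example/"}, ""),
    "http://host.ddns.example/": (200, {}, "<html>site</html>"),
    # forward implemented as an HTML meta refresh: the validator sees HTML, not the key authorization
    f"http://meta.example{CHALLENGE}": (200, {}, '<meta http-equiv="refresh" content="0;url=http://host.ddns.example/">'),
}

def fetch(url: str) -> Response:
    return SAMPLE.get(url, (404, {}, ""))

if __name__ == "__main__":
    for name in ("good.example", "rootonly.example", "meta.example", "unknown.example"):
        print(name, simulate_http01(name, TOKEN, THUMB, fetch))
```

Replacing `fetch` with a real HTTP client turns this into a pre-flight check you can run before asking certbot to issue, so a misbehaving registrar forward shows up before the rate-limited validation attempt.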