
I have one server at home working with a dynamic domain (mydomain.ddns.net) through my OpenWRT router. Now I want to host a web and I have bought a domain (www.mynewdomain.com) in GoDaddy and I have set up a 301 Redirect with masking (so people keep seeing www.mynewdomain.com instead of mydomain.ddns.net).

The problem is that when I run the 'sudo certbot --nginx' command, it can verify mydomain.ddns.net but not www.mynewdomain.com because 'The client lacks sufficient authorization :: Invalid response from www.mynewdomain.com/.well-known/acme-challenge...'

I have been searching and trying different stuff, most of them related to this piece of code:

location ~ /.well-known {
    default_type "text/plain";
    root /var/www/html;
}

But it is not working. Probably because these solutions are not taking into account that I'm under a mask 301 redirect. Could someone help me? Thanks in advance.

Sergiodiaz53

1 Answer

There are some things that are not explained in the formulation of the situation, so I will attempt to explain how it should be, and then feel free to ask further or tell me more details so I can explain.

  1. At GoDaddy, do you also have a server with nginx? If so, for the domain www.mynewdomain.com the best option is to obtain the cert there, where the domain is pointed at. Let's Encrypt cannot issue a certificate for a server different from the one the domain points to without doing some "special changes on DNS or HTTP content". This is for security reasons. If you need to generate a certificate on server A for server B, then you need to use manual mode. The con of the manual process is that everything has to be done by you.
  2. If you do not have a server at GoDaddy, then explain and I will come back to you if I happen to know about it. To generate the SSL cert for GoDaddy from home you can do the following:

    certbot -d mynewdomain.com --manual --preferred-challenges dns certonly

Then it will give you an output like this:

Please deploy a DNS TXT record under the name
_acme-challenge.mynewdomain.com with the following value:

IzH_mRZS7DsUxW1UdWjVWihMetUoLEROLHnGzHnTJ34

Before continuing, verify the record is deployed.

Then on the DNS create the record:

_acme-challenge.mynewdomain.com 300 IN TXT "IzH_mRZS7DsUxW1UdWjVWihMetUoLEROLHnGzHnTJ34"

This will allow you to generate the cert files, which should be uploaded to GoDaddy's appliance. If the GoDaddy appliance does not support SSL termination, then you need a different solution.

  3. Another problem is how to pass requests to the mydomain.ddns.net server. If you pass the requests over HTTP there are no problems, but people can attack you with a man-in-the-middle more or less easily. So if security is paramount, do not use this method unless you have some form of VPN from home to the GoDaddy server. If you want to pass HTTPS to the backend (mydomain.ddns.net), then you have another issue to solve, because you have already unpacked HTTPS on www.mynewdomain.com. What you need here is "Upstream SSL"; you can check these docs.

What I just wrote does not explain the concrete details with configs, etc., because I need more details about the situation and what you really want. I hope this helps, but if this is not what you wanted, please explain in more detail the setup you have: what the different endpoints are, current configs, how you want to set it up (where SSL has to be and where not), etc.

wti
  • At first, thank you for your time and help. I don't have an nginx at GoDaddy, just the possibility to point to an IP or to another domain with a 301 redirection. With masking, when you enter 'mynewdomain.com' you are redirected to 'mydomain.ddns.net' but you keep 'mynewdomain.com' in your address bar. So when certbot is trying to reach 'mynewdomain.com/whatever', what it is really doing is accessing 'mydomain.ddns.net', and that's where the problems come from, I think. Could you tell me what those "special changes on DNS" are, maybe? Thanks again! – Sergiodiaz53 Mar 13 '19 at 13:07
  • Can you add an SSL cert to GoDaddy (I don't know)? So the unpacking of SSL happens there. Because even if you obtain the crt on the home server, you will not be able to use it. Now, the [link I provided](https://letsencrypt.readthedocs.io/en/latest/using.html#manual) explains how to get the certificate on the server for a different machine. The command is something like this `certbot -d mynewdomain.com --manual --preferred-challenges dns certonly` and it will tell you what record to add on the DNS, something like this `_acm(...)e.my(...).com 300 IN TXT "IzH_m(...)RZS7"` (No space for full text). – wti Mar 14 '19 at 01:12
  • Then once you obtain the certificate files you can put them on GoDaddy's appliance. This is why I was asking the question whether it supports SSL termination. If it does not support SSL termination, then you need something different. Feel free to ask further. – wti Mar 14 '19 at 01:19
  • Hi wti! Thanks for your help! I think I'm a little bit closer. With your method (--manual) and adding the DNS TXT I'm able to create the cert, but when I enter through www.mynewdomain.net it's still saying invalid. Do I need to do something specific for the www part? – Sergiodiaz53 Mar 14 '19 at 17:27
  • DNS problem: NXDOMAIN looking up TXT for _acme-challenge.www.mynewdomain.net, and I have done the same as for the non-www domain. – Sergiodiaz53 Mar 14 '19 at 18:27
  • Saw a short video; what GoDaddy does is NOT great; [here is the docs](https://www.godaddy.com/help/manually-forwarding-or-masking-your-domain-or-subdomain-422). Now, [here is an article that explains some of the cons of using this](https://www.easyredir.com/blog/why-you-should-not-use-url-masking-forwarding-cloaking/). In the link GoDaddy says "Caution: Our masking uses iframes to put the destination site onto a page for the domain. Many hosting providers do not allow this and the site ends up appearing as a blank white page." This is BAD, VERY BAD for your website's ranking, speed and more. – wti Mar 15 '19 at 02:15
  • If you still want to go with this setup the following might work; 1- Make sure nginx has two different `vhosts` that receive the requests. One for your `mydomain.ddns.net` and one for `www.mynewdomain.net`. IMPORTANT: These two should have the certificate for each domain separately. You can test this with `curl` from local machine and remote. Something like `curl -I -L -k -H "Host: www.mynewdomain.net" https://ip_of_home_nginx` and same for the `ddns.net` domain, once both are working. 2- Do the GoDaddy redirect and test everything together. I can't be sure it will work nor advise it. – wti Mar 15 '19 at 02:22
  • Thanks for your help wti! I think we are finally just doing a redirect without masking, because that last thing you told me isn't working and this thing is consuming so much of our time. Thanks for all your help, man! – Sergiodiaz53 Mar 15 '19 at 08:18
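The manual DNS-01 flow from the answer and the www NXDOMAIN problem from the comments, as an added Python example that is not part of the post and not certbot's own code: it derives the `_acme-challenge` record name and TXT value (RFC 8555 section 8.4, with the RFC 7638 key thumbprint) for every name in the order and checks each against a resolver. The account JWK, the tokens and the resolver are constructed here to reproduce the asker's zone; in real use certbot prints the value and the check would query DNS.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: required members only,
    lexicographic order, no whitespace, then SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())

def acme_record_name(domain: str) -> str:
    """Each identifier is validated under its own _acme-challenge label, so the record
    for mynewdomain.com does not cover www.mynewdomain.com; a wildcard uses its base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"

def zone_lines(tokens: dict, jwk: dict, ttl: int = 300) -> list:
    """The records to create, one per name requested with -d."""
    return [f'{acme_record_name(d)} {ttl} IN TXT "{dns01_txt_value(t, jwk)}"'
            for d, t in tokens.items()]

def check_deployed(tokens: dict, jwk: dict, lookup) -> dict:
    """lookup(name) returns the TXT strings found, or [] on NXDOMAIN.
    Returns, per domain, whether the expected value is visible before continuing."""
    return {d: dns01_txt_value(t, jwk) in lookup(acme_record_name(d))
            for d, t in tokens.items()}

# Constructed sample data (not real keys or tokens): an RSA account JWK and the
# tokens a CA would issue for an apex + www order.
JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}
TOKENS = {"mynewdomain.com": "tokenForApex", "www.mynewdomain.com": "tokenForWww"}

def constructed_resolver(name: str) -> list:
    """Simulates the asker's zone: the apex record was created, the www one was not."""
    zone = {acme_record_name("mynewdomain.com"): [dns01_txt_value(TOKENS["mynewdomain.com"], JWK)]}
    return zone.get(name, [])

if __name__ == "__main__":
    print("\n".join(zone_lines(TOKENS, JWK)))
    print(check_deployed(TOKENS, JWK, constructed_resolver))
```

Run against the constructed resolver, the apex reports deployed and the www name does not, which is exactly the NXDOMAIN state certbot complained about until a second TXT record is created under `_acme-challenge.www.`.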