Hey guys, I have nginx proxy manager running in docker container on my home server. I don’t have any ports open (other than wireguard) and I was using custom local domain .tride to access my services. Everything works fine, I can use https://portainer.tride, https://homeassistant.tride, etc.
I want to get rid of warnings about the risk that I have to accept to continue. Not a big deal for Firefox on desktop, but it's kinda annoying on Android. Also I think it stops me from using some services that require SSL certs (like floccus). I tried to create a LetsEncrypt certificate using DNS challenge and DuckDNS in NPM. I also tried to download the certs and import them to Android; the CA cert is added successfully, but it didn't work.
Now I bought example.com domain from porkbun.com and trying to set it up:
- Created CNAME on porkbun - *.example.com pointing to my example.duckdns.org
- Created cert using same procedure (DNS challenge and DuckDNS in NPM) with hosts *.example.com and example.com
- Created Local DNS records in PiHole
Now I get strange behavior: sometimes I can open portainer.example.com with no problem, no warning, perfect. Then sometimes it doesn't load at all and it says "Server Not Found". Some services open normally, but e.g. bookstack.example.com opens a broken page, and if I click anywhere it redirects me to my old bookstack.tride (still exists in NPM and PiHole) and asks me to accept the risk.
I’m trying to use services from local network or wireguard only, at least for now.
I am also using the same domain for my e-mail at mailbox.org if that matters. Not sure what I'm doing wrong, but I'm sure there is something. I'm happy to listen to any suggestion, and sorry for being a noob <3
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
- DNS: Domain Name Service/System
- HTTP: Hypertext Transfer Protocol, the Web
- IP: Internet Protocol
- PiHole: Network-wide ad-blocker (DNS sinkhole)
- SSL: Secure Sockets Layer, for transparent encryption
- VPN: Virtual Private Network
- nginx: Popular HTTP server
[Thread #79 for this sub, first seen 24th Aug 2023, 13:25]
I use nginx proxy manager with dns challenge to get a *.example.com cert that I then use to host services internally. I just checked, it supports dns challenge for porkbun, you may want to give it a try again. Also, you shouldn’t really need to forward dns to duckdns. You can have public dns records point to an internal ip.
This is what I do: I have example.com (DNS registered with Cloudflare, but it should work the same with Porkbun). I then create an A record for portainer.example.com pointing to 192.168.0.5.
Internally my nginxproxymanager is running at 192.168.0.5 and portainer is running at https://192.168.0.6:9443
Then in nginxproxymanager I create a DNS challenge (you'll have to look up some videos on how to do this; it's not very difficult, it usually just takes an API key and secret key). Then I create a new proxy host for portainer.example.com pointing to https://192.168.0.6:9443 and select *.example.com as the SSL cert for the proxy host.
Now internally go to https://portainer.example.com and it should work.
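As an added diagnostic (not from the thread, not part of NPM), this Python script uses the thread's placeholder domain and addresses and separates the two symptoms the original post describes: `san_covers` applies the browser's wildcard rule, which is why the *.example.com cert covers portainer.example.com but not the old .tride names, and `diagnose` tells a missing Pi-hole record ("Server Not Found") apart from a name the cert does not cover (the accept-the-risk warning). `live_check` runs the same test against the running proxy from inside the LAN.

```python
import socket
import ssl

# Constructed to match the thread: a cert for *.example.com and example.com,
# NPM at 192.168.0.5. The domain and addresses are placeholders, as in the thread.
WILDCARD_CERT_SANS = ["*.example.com", "example.com"]
PROXY_IP = "192.168.0.5"


def san_covers(hostname, sans):
    """Browser (RFC 6125) matching: a wildcard stands for exactly one leftmost
    label, so *.example.com covers portainer.example.com but neither
    example.com itself nor a.b.example.com."""
    host = hostname.lower().rstrip(".")
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and "." in host:
            first, rest = host.split(".", 1)
            if first and rest == san[2:]:
                return True
    return False


def diagnose(hostname, resolved_ip, sans, proxy_ip=PROXY_IP):
    """Map the thread's symptoms to a cause; resolved_ip is what the client's
    resolver (Pi-hole) returned, None meaning NXDOMAIN."""
    if resolved_ip is None:
        return "Server Not Found: no local DNS record for this name"
    if resolved_ip != proxy_ip:
        return f"wrong target: DNS gives {resolved_ip}, proxy is at {proxy_ip}"
    if not san_covers(hostname, sans):
        return "browser warning: name is not in the certificate's SANs"
    return "ok"


def live_check(hostname, port=443):
    """On the LAN: is the cert the proxy serves one the system trust store accepts?"""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                sans = [v for _, v in tls.getpeercert().get("subjectAltName", ())]
        return "trusted: " + ", ".join(sans)
    except ssl.SSLCertVerificationError as err:
        return "not trusted: " + err.verify_message
    except socket.gaierror:
        return "Server Not Found: DNS lookup failed"
```

Run `live_check("portainer.example.com")` from a LAN client; a "not trusted" result means the proxy host is still serving the old self-signed cert rather than the wildcard one.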
Maybe you could also try to generate your own SSL certificate and add it to your Android/Linux/Windows devices as a root certificate 🤷🏼♂️.
That's only a possibility if you're willing to do this on every single device that should be able to connect to your services.
I am willing to do that for every single device I use, but how can I do that? I have 3 options to install (android 12): CA certificate, VPN & app user certificate and Wi-Fi certificate
I can download the cert from NPM; I get 4 files, but only one can be installed (at least the way I tried).
For your local PiHole DNS, where are your records for your domain pointing? I believe you should have an A record for *.example.com that points to the IP of your NPM server and then an MX which points to the IP of your mail server. If this is already the case then you can ignore this. Also, if you are using DHCP, do not have it assign your public domain to any of your hosts, because that could screw up name resolution as well.
Thanks all for many useful tips. Sorry, I had some crap going on today so I need to postpone this for tomorrow. Didn't want to be rude by not replying to your comments. Cya tomorrow <3
I’m not sure about anything you’re running but I would look into certbot.
Either using the basic web plugin or the DNS plugin. Nginx would be simpler; you'd just have to open your web ports on certificate generation to pass the challenge.
I know some proxy tools have Let's Encrypt support, such as traefik.
Thanks! I'm a bit lost honestly, but your comment sounds useful. Do I just open port 443 before I generate the certificate and then close the port right after? That would make sense, but I'm not sure if that's the way. I'm not getting any error when doing the same with closed ports. Is there a way to check if the cert passed the challenge?
I was reading about certbot, but all guides are for CLI. I use NPM with GUI and I’m just confused how these 2 talk to each other. I have to point SSL to each host I make in NPM afaik.
I don't mind trying traefik if that's a suggestion, but I'd prefer not to if possible, since I'll probably need to remove NPM first.
Ports 80 and 443.
The cli is easy and you could just Cron (scheduled task) a bunch of commands to open the firewall, renew cert and close the firewall. It’s how I do it for some internal systems.
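An added example (not the commenter's own script) of the open/renew/close sequence this reply describes, in Python: ufw is assumed as the host firewall and certbot's non-interactive renew as the ACME client, and a try/finally makes sure the ports are closed again even when the renewal fails or crashes. `RecordingRunner` lets you dry-run the sequence before putting the real thing in cron.

```python
import subprocess

# Assumed tools (not stated in the thread): ufw as the host firewall, certbot's
# non-interactive renew. Replace the command lists for another firewall.
OPEN_CMDS = [["ufw", "allow", "80/tcp"], ["ufw", "allow", "443/tcp"]]
CLOSE_CMDS = [["ufw", "delete", "allow", "80/tcp"],
              ["ufw", "delete", "allow", "443/tcp"]]
RENEW_CMD = ["certbot", "renew", "--non-interactive", "--quiet"]


def run_real(cmd):
    """Execute one command and return its exit status (the runner used from cron)."""
    return subprocess.run(cmd, check=False).returncode


class RecordingRunner:
    """Dry-run stand-in: records commands instead of executing them and reports
    failure for the program named in fail_on (e.g. "certbot")."""

    def __init__(self, fail_on=None):
        self.calls = []
        self.fail_on = fail_on

    def __call__(self, cmd):
        self.calls.append(list(cmd))
        return 1 if cmd[0] == self.fail_on else 0


def renew_in_window(runner=run_real):
    """Open 80/443, run the renewal, and always close them again.

    Returns True when certbot exited 0. The finally block is the point: a failed
    or crashing renewal must not leave the ports open until the next cron run.
    """
    ok = False
    try:
        for cmd in OPEN_CMDS:
            if runner(cmd) != 0:
                raise RuntimeError(f"could not open firewall: {' '.join(cmd)}")
        ok = runner(RENEW_CMD) == 0
    finally:
        for cmd in CLOSE_CMDS:  # deleting a rule that never got added is harmless
            runner(cmd)
    return ok


if __name__ == "__main__":
    raise SystemExit(0 if renew_in_window() else 1)
```

The HTTP challenge still needs the public DNS name to resolve to your router's public IP and port 80 forwarded to the NPM host for the few seconds the window is open; a DNS challenge avoids opening anything at all.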