Need help setting up local SSL certificates? (lemmy.dbzer0.com)

submitted 8 months ago by dataprolet@lemmy.dbzer0.com to c/selfhosted@lemmy.world

13 comments fedilink hide all child comments

I followed this guide: https://notthebe.ee/blog/easy-ssl-in-homelab-dns01/

But my Nginx Proxy Manager is running on a VPS that is connected to my local network through a WireGuard tunnel. Could that be an issue? I don't know why it's not working?

My NPM is also accessible to the local IP of my homeserver on which WireGuard is running.

top 13 comments

sorted by: hot top controversial new old

[-] citizen@sh.itjust.works 5 points 8 months ago* (last edited 8 months ago)

Can you elaborate more on what is not working? What are you testing to conclude it’s not working?

From my understanding you’re running VPS server. You have tunnel setup to connect to the server. You’re trying to setup N.P.M. with let’s encrypt certs validating via DNS.

To continue troubleshooting you should eliminate all network paths and test from the VPS (ssh to the system). Once you have NPM setup you should be able to test certificate locally connecting to NPM exposed port.

Assuming you exposed port 443

openssl s_client -connect 127.0.0.1:443 -showcerts

If you can validate that NPM is serving endpoint with the correct certificate you can move on to troubleshooting your network path.

[-] dataprolet@lemmy.dbzer0.com 1 points 8 months ago

So I've followed the tutorial, added a wildcard certificate and tried to add a proxy host using the DuckDNS domain to point to NPM itself. When I open the mydomain.duckdns.org I get an error that I can't connect to the site.

Besides that NPM is working and I easily set up my actual domain and it's resolving to devices in my home network. For example cloud.myactualdomain.com is resolving to my Nextcloud running on a Raspi with a local IP with a valid SSL certificate. So NPM and the WireGuard tunnel are generally working as intended.

On which system should I try the openssl command and what's the port?

[-] citizen@sh.itjust.works 2 points 8 months ago* (last edited 8 months ago)

It’s not clear what’s the purpose of NPM in your case. Do you want to serve internal network or expose to Internet. If it’s the latter, you need to see what interface you exposed NPM port on (have to be your public network - VPS IP), your firewall needs to allow incoming connections on that port. Most likely you will be using port 443 and maybe 80 for redirect (checkbox in NPM always use TLS). Use IP address first to eliminate DNS issues. Once IP is valid test DNS with nslookup/dig to see if it resolves to your IP.

OpenSSL command needs to be executed from VPS to eliminate network issues and just validate certificate setup. The IP and port would depend on what port you exposed. 127.0.0.1 should work from that context. Once you see certificate you can execute openssl command from your local and use WireGuard tunnel IP to connect to service. This is for internal network.

[-] dataprolet@lemmy.dbzer0.com 1 points 8 months ago* (last edited 8 months ago)

NPM should serve as both, but only issuing SSL certificates for my local network is the issue. Have you taken a look at the tutorial I've linked in the original post?

And what do you mean with the port I've exposed? Exposed where? NPM uses port 81.

[-] citizen@sh.itjust.works 3 points 8 months ago

Yeah I looked at tutorial. Port 81 is only for management (NPM admin gui). Then you have your traffic ports for proxy services. Those would be 80 and 443 normally. You would need to expose those ports to the Internet if you want to access NPM/proxy your service. Port 81 shouldn’t be exposed on your public interface make sure it isn’t or at least have firewall rule to allow only local network (ideally management network/vlan)

[-] dataprolet@lemmy.dbzer0.com 1 points 8 months ago

Ah I see. As I've said the proxy is working for my domain and is available from the internet. So that shouldn't be an issue..

This is the output of the openssl command:

spoiler

# openssl s_client -connect 127.0.0.1:443 -showcerts

CONNECTED(00000003)
80DB1D0BDC7F0000:error:0A000458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1586:SSL alert number 112
***
no peer certificate available
***
No client certificate CA names sent
***
SSL handshake has read 7 bytes and written 297 bytes
Verification: OK
***
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
***

spoiler

# openssl s_client -connect 127.0.0.1:80 -showcerts

CONNECTED(00000003)
809B89C5DB7F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
***
no peer certificate available
***
No client certificate CA names sent
***
SSL handshake has read 5 bytes and written 297 bytes
Verification: OK
***
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
***

[-] Tywele@lemmy.dbzer0.com 1 points 8 months ago* (last edited 8 months ago)

I think I had the same problem not so long ago. Every proxy host was working except NPM itself. My problem was that I just entered the wrong IP for the proxy host. I had to enter localhost or 127.0.0.1 to get it to work and everything else was like the tutorial you linked (I followed the same one)

Since you want NPM to proxy to itself but using the SSL certificate and the domain you set in the proxy host.

[-] dataprolet@lemmy.dbzer0.com 1 points 8 months ago

Thanks but no local proxy host is working.

[-] dataprolet@lemmy.dbzer0.com 1 points 8 months ago

I should have added that I am also using Pi-hole and Unbound. This seems to be the issue. I now added the following to my unbound.conf but it's still not working unfortunately. Where domain.duckdns.org is my domain by DuckDNS and the IP points to the Nginx Proxy Manager.

local-zone: "domain.duckdns.org." static
local-data: "domain.duckdns.org. IN A 192.168.178.123"

[-] SheeEttin@lemmy.world 3 points 8 months ago

What exactly is not working? What is it doing/not doing, compared to what you are expecting it to do?

[-] dataprolet@lemmy.dbzer0.com -1 points 8 months ago

See this answer.

[-] Decronym@lemmy.decronym.xyz 0 points 8 months ago* (last edited 8 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters	More Letters
DNS	Domain Name Service/System
IP	Internet Protocol
SSL	Secure Sockets Layer, for transparent encryption
TLS	Transport Layer Security, supersedes SSL
VPS	Virtual Private Server (opposed to shared hosting)

5 acronyms in this thread; the most compressed thread commented on today has 9 acronyms.

[Thread #311 for this sub, first seen 29th Nov 2023, 17:15] [FAQ] [Full list] [Contact] [Source code]

[-] tagginator@utter.online -2 points 8 months ago

New Lemmy Post: Need help setting up local SSL certificates? (https://lemmy.world/post/8919302)
Tagging: #SelfHosted

(Replying in the OP of this thread (NOT THIS BOT!) will appear as a comment in the lemmy discussion.)

I am a FOSS bot. Check my README: https://github.com/db0/lemmy-tagginator/blob/main/README.md

this post was submitted on 29 Nov 2023

9 points (80.0% liked)

Selfhosted

38633 readers

159 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago

MODERATORS

HybridSarcasm@lemmy.world

HybridSarcasm@lemmy.hybridsarcasm.xyz