dietpi-letsencrypt and SAN certs Topic is solved

Having issues with your DietPi installation, or, found a bug? Post it here.
Post Reply
spiritofjerry
Posts: 4
Joined: Mon Jul 06, 2020 3:49 am

dietpi-letsencrypt and SAN certs

Post by spiritofjerry »

Hello!

I'm really, really impressed with the amount of work and tools that are packed into this distro! I was easily able to get a Samba share, PiHole, NoIP, and a Nextcloud server going. Additionally, I added UFW to firewall out the nasties from my services, and after installing Certbot from the dietpi software repo, ran the dietpi-letsencrypt to get my certificate for my Nextcloud server. The final missing piece is getting a SAN cert such that my local IP address is no longer flagged as insecure with an invalid certificate. I did not see an option to add the Subject Alternative Name in the dietpi-letsencrypt such that my local IP is also filtered through SSL. As is, my NoIP URL is covered, but accessing the LAN for PiHole and Nextcloud gives me the "Your connection is not secure" warning. Any ideas on how to get this last piece working?

Thanks!
User avatar
Joulinar
Posts: 2559
Joined: Sat Nov 16, 2019 12:49 am

Re: dietpi-letsencrypt and SAN certs

Post by Joulinar »

Hi,

many thanks for your request. It's not possible to create certificates for local lan addresses using letsencrypt because letsencrypt is trying to resolve your local name within the web to verify that you have a valid domain. As this is not the case for local access, letsencrypt will not issue a certificate. This is nothing related to DietPi, it's a feature of letsencrypt.

https://community.letsencrypt.org/t/cer ... tworks/174

I would recommend to use your NoIP DDNS as well to access systems within your local network. As you are using PiHole, you can easily setup a local DNS record to force PiHole to resolve your DDNS with your local IP and not with your external global one. Within Pihole, this option is called Local DNS Records
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
spiritofjerry
Posts: 4
Joined: Mon Jul 06, 2020 3:49 am

Re: dietpi-letsencrypt and SAN certs

Post by spiritofjerry »

OK, I think I understand what you are suggesting. Just for some more background, I did select the option to hide the pihole admin console from port 80 outside of LAN, to keep my pihole admin page from being available to the public. This option is available during the pihole install, and is very useful.

I went ahead and added a record for my DDNS domain to the Local DNS Records as you suggested, like so:

my.domain.org -> 192.168.x.x (router address)

Theoretically, I should be hitting the router now when I type my DDNS domain into the browser from within my LAN, correct? Well, I still get the 403 error I would normally get if I were accessing my services outside of my LAN (which I believe is due to the logic baked into the lighttpd for blocking pihole admin outside of LAN). I restarted the DNS resolver, and flushed my DNS cache on my machine, still getting a 403. Am I missing something, or is this not possible?
User avatar
Joulinar
Posts: 2559
Joined: Sat Nov 16, 2019 12:49 am

Re: dietpi-letsencrypt and SAN certs

Post by Joulinar »

Are you using your DDNS to access the RPi only?? Or are there other devices your are trying to reach with same DDNS?? if it's just the RPI, set the DDNS name inside PiHole to your RPi. This way you will be redirected to your RPi directly, without going to your router first
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
spiritofjerry
Posts: 4
Joined: Mon Jul 06, 2020 3:49 am

Re: dietpi-letsencrypt and SAN certs

Post by spiritofjerry »

Aha! So, it appears my network adapter was not flusing the DNS cache properly, which was the true problem. Also, your suggestion to connect to the Rock64 directly was perfect, since I am not using that domain for anything else (yet). Thanks again! All is working super well!
User avatar
Joulinar
Posts: 2559
Joined: Sat Nov 16, 2019 12:49 am

Re: dietpi-letsencrypt and SAN certs

Post by Joulinar »

yep cleaning local DNS cache could help 8)

And btw using you Router as DNS entry would not work as well. Because you would land on your Router Admin Panel I guess. Usually the Router is forwarding traffic from extern to intern. But not from intern to intern. ;) Therefore forwarding traffic to your board directly, should be the only working option if I'm not mistaken.
Pls let us know if a solution is working. This could help others if they hit by similar situation. Your DietPi Team
spiritofjerry
Posts: 4
Joined: Mon Jul 06, 2020 3:49 am

Re: dietpi-letsencrypt and SAN certs

Post by spiritofjerry »

I do believe you’re correct! Thanks again for your help.
Post Reply