I am trying to install a certificate using certbot from LetsEncrypt on a Raspberry Pi. I have installed Apache2 and created a webserver at http://subdomain.mydomain.com on the Raspberry Pi. The certbot command obtains a certificate and writes it to http://subdomain.mydomain.com/.well-known/acme-challenge/<etc.>
Background Info: I am doing this because I need a local server to address IoT devices and my Ajax calls are failing because I am not allowed to mix http with https. The IoT devices are incapable of a hosting a webserver with SSL - they use a simple http:/192.168.1.xx/<string> format
I don't want to create a DNS entry at my registrar/ISP because I am trying to create a scalable solution and creating hundreds (perhaps thousands if we do well) of subdomain entries there is impractical. Creating my own DNS server is a possibility, but I would rather just do it all on the Pi - my bash installation script will take care of everything (once I get it to work!).
I tried first to create an entry into the local hosts (/etc/hosts) file which looks like this:
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.1.1 SubDomain
192.168.1.111 subdomain.mydomain.com
This works for commands like ping, but not for nslookup or dig and definitely not for certbot. The certbot command finds my main server - DNS is configured with a * to go to my Public IP for all unknown subdomains:
A * xx.xx.xx.xx //My public IP address
So then I installed dnsmasq (See: When using proxy_pass, can /etc/hosts be used to resolve domain names instead of "resolver"?) and followed the configuration options shown here: How to Setup a Raspberry Pi DNS Server
However, that doesn't work either. certbot still looks at my main (external DNS) and finds my Public (wildcard) IP. Here's a summary of the changes made in /etc/dnsmasq.conf
domain-needed ## enabled
bogus-priv ## enabled
no-resolv ## enabled
server=8.8.8.8 ## added (#server=/localnet/192.168.0.1 left as is)
server=8.8.4.4 ## added
cache-size=1500 ##increased from 150
How can I force certbot to find and use my local/private IP 192.168.1.111? Any alternative solutions using scripts/redirection?
Create a wildcard certificate using Let's Encrypt DNS validation. You will then have to renew the certificate manually. Otherwise, your server must be on the public Internet with correct DNS settings.
I finally solved my problem but I abandoned LetsEncrypt entirely. The answer was not in DNS, but in approaching it from a completely different angle. This was pretty much 95% of the solution.
Important! This only works if you have control over the browser. We do, since it is for our kiosk application which runs in a browser.
Step 1: Become your own CA
Step 2: Sign your SSL certificate as a CA
Step 3: Import the signed CA (.pem file) into the browser (under Authorities)
Step 4: Point your Apache conf file to the local SSL (the process generates .key and .crt files for this as well).
Related
I'm actually facing an issue which came up when using the proxy in Angular CLI.
But it's not related directly to Angular nor to node.js... it seems to have it's roots some levels deeper (namely on operating system level)
##Short version:
When I have a domain to IP mapping in my hosts file /etc/hosts and proxy it using node-http-proxy which is the underlying layer of the angular-cli proxy feature there's a delay of 5000ms before the request gets resolved and the response is provided.
Proxying is mandatory for backend communication to avoid cross origin errors in development because angular apps are served via port 4200.
##Longer version:
Operating System: OSX Catalina 10.15.4
Based on a deeper analysis it's not caused by Angular CLI and even not node.js.
It seems there's something going "wrong" with the system as I can reproduce the behavior in my terminal as well using the arp command
There's a mapping in the /etc/hosts file which looks like below:
127.0.0.1 service.company.local
When running then the command: arp service.company.local it won't resolve of course as this domain isn't known for DNS servers.
It finishes with the output: arp: service.company.local: Unknown host
Also when the computer is disconnected from internet/network (wifi of) the arp still takes 5000ms before it finishes with the Unknown host message, whereas it directly returns Unknown host for existing domains (then without delay).
The problem is pretty frustrating as it heavily slows down local development of an Angular app which is doing some cascading requests take so extremely long that a fluent work isn't possible.
Screenshot from Chrome Dev Tools:
Is there some known solution to get around this issue without moving away from the domain to ip mapping within the hosts file?
Addition (content of the hosts file)
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
127.0.0.1 service.company.local
# Added by Docker Desktop
# To allow the same kube context to work on the host and the container:
127.0.0.1 kubernetes.docker.internal
# End of section
I'm very thankful for any hints.
I'm working on a Linux VM on Azure which was set up by someone else (so I don't know all the details). I'm trying to connect it to a domain name.
The server has a "Hello World" program, so when I go to "example.com" I should be seeing "Hello World". Currently I'm just getting
Safari can't open the page "http://example.com" because Safari can't find the server "my domain.com"
I thought I'd start with making sure that the IP address connects to the server (which it did at one point. So I enter the IP address of the server (let's say it's "12.345.678.901") in the browser, and it can't connect... I get the error
Can't open the page "12.345.678.901" because the server where this page is located isn't responding
There's an Inbound port rule to allow connections for port 8080, so I tried "12.345.678.901:8080" but this time got
Can't open the page "12.345.678.901:8080" because Safari can't connect to the server
I don't know what to try next. Presumably something needs to be enabled on the server to allow the browser to connect?
The other inbound port rules are ssh on port 22 (TCP) and then what I assume are the standard Azure ones (I can't edit or delete them anyway).
To view your Linux VM inside the browser, you need to install a web server. Easiest to install and get working straight away is nginx.
First thing you need to do is SSH(port 22) into your VM using the username and IP address of the machine:
ssh username#ipaddress
Which will prompt you to enter a passphrase to gain access to the VM.
This also assumes your SSH public key exists inside ~/.ssh/authorized_keys on the VM. If you don't have this setup then you need to get the owner of the VM to copy your public key into this file. Otherwise you won't be able to connect and get a Permission denied (publickey) error.
Assuming the above works, you can install the nginx webserver with the following two commands:
sudo apt-get -y update
sudo apt-get -y install nginx
Then once this web server is installed, add an HTTP inbound port 80 rule inside the network settings. For security reasons, having your web server listen on this port is probably unsecure long term. Its just easier to get working when you choose this port to begin with, because its the default.
You can see what the default listening port by viewing the server configuration host file with cat /etc/nginx/sites-available/default:
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
Which shows the default port of 80. You can change this default port to 8080, then run sudo service nginx restart to restart the server and apply the changes. Additionally, you can have a look at this How to make Nginx Server Listen on Multiple Ports tutorial, which goes into more depth on how to configure listening ports for nginx webservers.
You should then be able to view your VM from a browser window(blurred out my IP address for security reasons):
You can also have a look at this Quickstart: Create a Linux virtual machine in the Azure portal tutorial for a step by step on how to get this setup in Azure.
You should first check to see if you have an entry for http://example.com. The reason could be that you do not have a DNS Entry and when you are trying to connect to it via the browser. Since you tried connecting to it via IP and it still did not work, I would suggest you check your Webserver configurations to make sure it is correctly listening for port 8080. Also, ensure that your webserver is also turned on as well. You can tail the webserver log and try to hit it via the IP like you did earlier and see if you see any errors in the logs. It would at least tell you if your request you are making on your browser is actually getting to the webserver.
following problem:
My webpage example.eu works perfect with SSL connection certified by certbot with apache on ubuntu VPS. If I now enter www.example.eu Firefox says "Your connection is not secure" and "The certificate is only valid for example.eu". The domain is hosted with a different service-provider than the VPS.
First attempt was to direct A-records of the subdomain www.example.eu to the same IP (VPS) as example.eu. Same problem.
Next attempt was to create a CNAME-record for www.example.eu that directs to example.eu. Same problem.
Now I am out of ideas. What can I do?
Thanks in advance and best regards from Germany, Joachim
Ok, I got it now. Problem was with apache/certbot on the VPS:
I checked the virtual host:
sudo nano /etc/apache2/sites-available/example.eu.conf
it showed
ServerName example.eu
ServerAlias www.example.eu
So no issue here. But certbot seemed to be only configured for example.eu.
ls /etc/letsencrypt/live
So I had to
sudo certbot --apache -d www.example.eu
and configure the A-record of the www subdomain to point to the IP of the VPS and: works :)
Hi i am trying to name based virtual hosts for my localhost.I was using wamp with name based virtualhost before but now im working on ubuntu.I thought webmin can be easy but when i create first virtual host all requests redirecting first virtual host even localhost,second virtualhost and phpmyadmin.
So how can i set webmin for reach each of them separately.
hosts config
127.0.0.1 www.adres1.com #working fine
127.0.0.1 adres1.com #working fine
127.0.0.1 www.adres2.com
127.0.0.1 adres2.com
Its because you are using a local server and your all domain will by default search 127.0.0.1 or your IP. So untill you declair them as CNAME in your zone file or do a entry in host file, they all will work as alias of a single domain. Thanks... :)
I am building a website and would not like to reconfigure the website from pointing to http://127.0.0.1 to http://www.example.com. Furthermore, the certificate that I am using is of course made with the proper domain name of www.example.com but my test environment makes calls to 127.0.0.1 which makes the security not work properly.
What I currently want to do is configure my development environment to assign the domain name www.example.com to 127.0.0.1 so that all http://www.example.com/xyz is routed to http://127.0.0.1:8000/xyz and https://www.example.com/xyz is routed to https://127.0.0.1:8080/xyz.
I am not using Apache. I am currently using node.js as my web server and my development environment is in Mac OS X Lion.
If you edit your etc/hosts file you can assign an arbitrary host name to be set to 127.0.0.1.
Open up /etc/hosts in your favorite text editor and add this line:
127.0.0.1 www.example.com
Unsure of how to avoid specifying the port in the HTTP requests you make to example.com, but if you must avoid specifying that at the request level, you could run nodejs as root to make it listen on port 80.
Edit: After editing /etc/hosts, you may already have the DNS request for that domain cached. You can clear the cached entry by running this on the command line.
dscacheutil -flushcache