Accessing nextcloud from anywhere

Where exactly do I do this, in my router or on the sub-domain?

In order to be able to access your Nextcloud externally via domain name and to obtain a Let’s Encrypt certificate, you need a registered public domain name from a domain registrar, which I assume you have already. Most domain registrars offer some kind of web interface to manage the DNS records. In that interface you need to create an A record pointing to the public IP address of your internet connection or, respectively, a CNAME record pointing to the DynDNS name, if present.

How exactly you have to set up your internal DNS depends on your router. But I would first take care of the public DNS and functioning port forwarding, so that you can obtain the Let’s Encrypt certificates. After that, you can check whether you need separate internal DNS entries at all, or if maybe the router takes care of it automatically via NAT reflection.

I have done port forwarding and I have set up the public DNS record pointing to my public IP that I got from (https://whatsmyip.com/). Now I try to secure it with letsencrypt but it says again:

   Domain: cloud.prwtinc.com
   Type:   connection
   Detail: Fetching
   http://cloud.prwtinc.com/.well-known/acme-challenge/gnbKlu4mS-8yYSweeb0GN7kuP3Xz80OdQbwg5UJHG18:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

I really don’t know what to do.

Maybe you can try to check if ports 80 and 443 are open by using a tool like https://portchecker.co/

On the tool it says that they are closed, but in my router’s configuration, I have forwarded both ports.

So then this is the problem here.
Assuming that you’ve correctly configured the port forwarding in your router, it is either possible that there is a firewall running on your server that is blocking the connection attempts or your ISP blocks those ports.

It’s not on my nextcloud server because I’ve already enabled ports 80 and 443. How can I check if my ISP blocks those ports without contacting them, if it’s possible?

Assuming that you’ve correctly configured port forwarding in your router, your server’s firewall and your DNS settings to point to your public IP address, there is nothing left that could be the issue except your ISP that blocks those ports, IMO. Maybe somebody else has an idea how to test directly if the ISP blocks those ports but I don’t know any.

Ok, thanks anyway


Do you really use the correct IP address? Test it from your internal network:

The IP that the page gives me is the same I’ve been using.

Can you show your port-forwarding configurations on your router (e.g. screenshots)?

If you have a separate modem you could connect your server directly to the modem. Or you can connect it to the so-called “DMZ-Port” of your router, if it has such a feature. Or maybe you can post a screenshot here with your settings for port forwarding, so we can double check.

But I’m beginning to think that you are maybe behind a CGNAT. In that case it is impossible to forward any ports. https://en.wikipedia.org/wiki/Carrier-grade_NAT

Another possibility, which would be slightly better, is that you have Dual Stack Lite. With DS-Lite there is normally only IPv4 behind CGNAT. Then you could at least do something via IPv6…

NC is short for nextcloud.

Looks fine to me… I’m running out of ideas…

How do I know if I am behind a CGNAT?

@Johnscaban
Can you find some requests in your apache2 logfile on your nextcloud server?

Find a status or info page in the web GUI of your router that shows you the WAN address. If the WAN address that your router shows you is different from the IP address that https://www.whatismyip.com shows you, you are definitely behind CGNAT.


Is this what you are talking about? The IP that appears in there is NOT the same as the one in https://www.whatismyip.com.

That’s bad. In that case there is no easy way to achieve your goal. I would call the ISP to ask if there is a possibility to get a public IP with your current plan. Or maybe there is a business plan they can offer you that doesn’t break the bank.
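
The WAN-address comparison described in the thread, written out as an added example (not code from any poster). It goes slightly beyond the thread by also recognizing the RFC 6598 shared range 100.64.0.0/10 and the RFC 1918 private ranges on the router's WAN side; the function name, verdict labels and sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_SPACE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges; on a WAN port they mean another NAT sits upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(router_wan: str, seen_from_internet: str) -> str:
    """Compare the WAN address on the router's status page with the
    address an external "what is my IP" service reports.

    Verdicts (labels are this example's own):
      cgnat-shared-space   WAN is in 100.64.0.0/10: the ISP is translating
      private-wan          WAN is RFC 1918: NAT upstream (ISP or a second
                           router/modem in front of this one)
      translated-upstream  WAN looks public but differs from the external view
      direct               both match: port forwards can reach the router
      compare-same-family  one value is IPv4 and the other IPv6 (possible on
                           dual-stack or DS-Lite lines); recheck with an
                           IPv4-only lookup before concluding anything
    """
    wan = ipaddress.ip_address(router_wan.strip())
    public = ipaddress.ip_address(seen_from_internet.strip())
    if wan.version != public.version:
        return "compare-same-family"
    if wan.version == 4:
        if wan in CGNAT_SPACE:
            return "cgnat-shared-space"
        if any(wan in net for net in RFC1918):
            return "private-wan"
    return "direct" if wan == public else "translated-upstream"


if __name__ == "__main__":
    # Constructed sample pairs: (router WAN page, external lookup).
    samples = [
        ("100.72.13.5", "203.0.113.7"),
        ("192.168.1.2", "203.0.113.7"),
        ("198.51.100.4", "203.0.113.7"),
        ("203.0.113.7", "203.0.113.7"),
        ("203.0.113.7", "2001:db8::1"),
    ]
    for wan, public in samples:
        print(f"{wan:>14} vs {public:<14} -> {classify_wan(wan, public)}")
```

Only the `direct` verdict means inbound port 80 for the Let's Encrypt HTTP challenge can reach the router at all; every other verdict puts the blocker upstream of the port-forwarding rules.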