OS: Ubuntu 20.04
Hi everyone, I’ve been tinkering with it the whole day today, and I was wondering if anyone might be able to direct me on how to get HTTPS working well. I sadly can’t use Let’s Encrypt, as 80 and 443 are both blocked by my ISP, so that’s down the drain.
After a good mulling for 4 hours, I finally decided to try to use a self-signed certificate, but in the end I am now facing the following problem every time I try to log in from outside the network.
Secure Connection Failed
An error occurred during a connection to xxx.xxx.xxx.xxx.xxx. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.
The guide I followed to set up the self-signed certificate is here: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-in-ubuntu-16-04
If anyone could help me out, I’d seriously appreciate it!
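A quick way to pin down what a port actually answers with, added here as an example (it is not part of the post above or of the DigitalOcean guide): the ssl module writes a genuine ClientHello into a memory BIO, the script sends it over a plain socket and then inspects the raw reply. SSL_ERROR_RX_RECORD_TOO_LONG is what Firefox reports when the bytes it gets back are not a TLS record at all, most often a web server answering in the clear on the port the client expected TLS on. Host names, ports and the sample byte strings are constructed for illustration.

```python
"""Tell whether a port answers a TLS ClientHello with TLS or with plaintext.

Added diagnostic example; not from the forum thread or the DigitalOcean
guide. Host names, ports and sample bytes are constructed for illustration.
"""
import socket
import ssl
import sys

TLS_HANDSHAKE = 0x16             # record content type of a ServerHello
TLS_ALERT = 0x15                 # record content type of an alert
TLS_MAX_RECORD = 2 ** 14 + 2048  # largest TLS 1.2 ciphertext record


def classify_response(first_bytes: bytes) -> str:
    """Classify the first bytes a server sent back after our ClientHello.

    Returns one of 'tls', 'tls-alert', 'plaintext-http', 'empty', 'unknown'.
    A TLS record starts with a content-type byte followed by a 0x03 0x0X
    version. An ASCII "HTTP/1.x ..." status line means a web server is
    answering in the clear on this port, which is exactly what Firefox
    reports as SSL_ERROR_RX_RECORD_TOO_LONG: it parses the ASCII as a
    record header and finds an impossible length.
    """
    if not first_bytes:
        return "empty"
    if len(first_bytes) >= 3 and first_bytes[1] == 0x03:
        if first_bytes[0] == TLS_HANDSHAKE:
            return "tls"
        if first_bytes[0] == TLS_ALERT:
            return "tls-alert"
    if first_bytes.startswith(b"HTTP/1."):
        return "plaintext-http"
    return "unknown"


def apparent_record_length(first_bytes: bytes) -> int:
    """Length a TLS parser reads from bytes 3..4 of whatever came back.

    For b"HTTP/1.1 400 Bad Request" those bytes are b"P/", i.e. 20527,
    which exceeds TLS_MAX_RECORD: hence "record too long".
    """
    return int.from_bytes(first_bytes[3:5], "big")


def build_client_hello(server_name: str) -> bytes:
    """Have the ssl module emit a real ClientHello into a memory BIO,
    with no network I/O, so the raw server reply can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # diagnostic only; we never trust the peer
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, no server data yet
    return outgoing.read()


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a ClientHello over a plain socket and classify the raw reply."""
    reply = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            while len(reply) < 5:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                reply += chunk
        except socket.timeout:
            pass  # a silent server is classified as 'empty'
    return classify_response(reply)


if __name__ == "__main__":
    # usage: python probe.py example.com 1234  (constructed example target)
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print(f"{target_host}:{target_port} -> {probe(target_host, target_port)}")
```

Run it against the public address and the forwarded port from outside the LAN. A result of `plaintext-http` means the port lands on a listener without TLS (the port-80 virtual host, or a virtual host without `SSLEngine on`), which is the condition behind the error above; `tls-alert` means TLS is there but the handshake itself was rejected, which Firefox reports with a different error code.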
I’ve decided to just buy a domain and do it the DNS way with Let’s Encrypt. Matter is closed.
Yeah, but 80/443 blocked by ISP – are alternative ports open?
Yes, I had both 443 and 80 ported to something else on the WAN port. Sadly, Let’s Encrypt did not like this, so I couldn’t do the easiest challenge.
Therefore, if I wanted any kind of security, buying a domain and doing the TXT DNS challenge was the only way, as I’m not sure why, but self-signing just did not want to work for me.
Btw, you can get a .tk domain for free…
Why? Can you explain it? Perhaps you had better solve this problem.
It is ugly (for you and other users) to use Nextcloud without https:// on port 443.
There is mostly no sense in using a port other than the standard port 443.
Nobody would use a different mail port.
Seems like his internet provider is trying to block him from running a web server; in that case there’s not much he can do about it.
Ok. Then change the provider.
That’s one thing I for sure ain’t doing. I’m on a 500 Mbps network with my current provider, and it’s also the only provider who provides a decent speed. Everyone else only provides ADSL.
Also, in regards to the ports, what I have is a different WAN port, but it’s linked to the correct port on the LAN, i.e. WAN is 1234 and LAN would then be 443.
I’ve basically solved the problem by getting the SSL certificate via the DNS challenge, then manually configuring Apache2 to use the certificate/chain and key. I’ve also configured it so that only https:// is used to access Apache2, with an HTTP to HTTPS redirect.
To get around the ugliness of typing something horrendously long, I then use a subdomain to point to the web page, i.e. https://example.com:1234/nextcloud is the original link, which is shortened to cloud.example.com.
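A minimal Apache configuration of the kind described in the post above, added here as an example and not the poster’s actual config: a port-80 virtual host that does nothing but redirect, and a TLS virtual host using the Let’s Encrypt full chain and key. The file path, the cloud.example.com name and the certificate paths are assumptions.

```apache
# /etc/apache2/sites-available/nextcloud.conf  (assumed path; added example)
# Needs: a2enmod ssl headers rewrite && apachectl configtest

<VirtualHost *:80>
    ServerName cloud.example.com
    # Serve nothing in the clear except a permanent redirect to HTTPS.
    Redirect permanent / https://cloud.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName cloud.example.com
    DocumentRoot /var/www/nextcloud

    SSLEngine on
    # fullchain.pem = leaf + intermediate. Serving only cert.pem is a common
    # cause of "works in one browser, fails in another".
    SSLCertificateFile    /etc/letsencrypt/live/cloud.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cloud.example.com/privkey.pem
    SSLProtocol           all -SSLv3 -TLSv1 -TLSv1.1

    # Only enable HSTS once the redirect is confirmed to work everywhere;
    # browsers cache it for max-age seconds.
    Header always set Strict-Transport-Security "max-age=15552000"

    <Directory /var/www/nextcloud/>
        Require all granted
        AllowOverride All
        Options FollowSymLinks MultiViews
    </Directory>
</VirtualHost>
```

When the public port differs from the one Apache listens on (WAN 1234 forwarded to LAN 443, as above), the redirect target has to carry the public port, and Nextcloud needs `'overwritehost' => 'example.com:1234'` and `'overwriteprotocol' => 'https'` in config.php so the links it generates point back at the reachable address rather than at the internal port.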
You didn’t waste money – it’s OK – it’s good to have a domain name. Think of it as an investment. Who is the DNS provider?
I went ahead and used GoDaddy as my domain provider in this case. It wasn’t too bad, as I got a domain I wanted for 12 for 2 years.
Yeah, that’s a good deal. You made the right choice. Does GoDaddy do the DNS challenge for LE? I didn’t know that. I bought my domain names from noip.com originally but needed far better control of my DNS records than what noip.com provided. I eventually moved all my DNS records to Cloudflare for free, and they are managing the DNS. I still have to renew my domain name every 5 years from noip, as they are still my registrar, but they don’t provide my DNS services anymore.
That’s a full domain provider:
You can register a domain name for free and do whatever you need with it; the only limitation is that you have to renew every year and that there must be a web page reachable, which the Nextcloud login page actually is.
This is actually a promo thing for the Republic of Tokelau, which is a small island state, and is actually managed by a Dutch company for them.
Ah, no, they don’t do it automatically for me. I’ll have to refresh it every two months or so, I guess, by running the certbot command again and inputting a new DNS TXT record. Unless the code stays the same, in which case I can probably just automate it once a month with a script.
I’m quite the newbie when it comes to all this networking business, so I’m not too sure what you mean by moving your DNS records to Cloudflare. So, from what I’m guessing here, the domain itself is held by noip, but you can have someone else who has a more refined system deal with the records for you? Is Cloudflare much better? I might consider it if I get a bit more intensive with my server usage and need multiple redirects.
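How the DNS-01 TXT value is actually derived (RFC 8555 sections 8.1 and 8.4, RFC 7638), added here as an example that is not code from the thread, certbot or acme.sh. It bears on the question just above about whether the value stays the same between renewals, and on the later question about whether a TXT record is needed at all: the value is a hash of a token the CA mints fresh for every authorization together with the account key’s thumbprint, so it changes on every run even though the account key does not, and any client doing DNS-01 has to publish a new record each time. The account key and tokens below are constructed placeholders, not real Let’s Encrypt data.

```python
"""Derive the DNS-01 challenge record the way an ACME client does.

Added example (RFC 8555 sections 8.1 and 8.4, RFC 7638); not code from the
thread, certbot or acme.sh. The account key and tokens are constructed.
"""
import base64
import hashlib
import json
import secrets

# RFC 7638: only these members, in lexicographic order, enter the thumbprint.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the key's required members.

    Extra members such as "use" or "kid" are deliberately left out;
    sort_keys=True with separators=(",", ":") gives the whitespace-free,
    lexicographically ordered form RFC 7638 requires.
    """
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint: binds the CA's token to our account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT value = base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(
        key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record(domain: str, token: str, account_jwk: dict):
    """(name, value) of the TXT record the DNS provider must publish.

    The name is _acme-challenge. under the identifier being validated;
    for a wildcard *.example.com it is still _acme-challenge.example.com.
    """
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}", dns01_txt_value(token, account_jwk)


def new_token() -> str:
    """Stand-in for the token the ACME server mints per authorization.

    Real tokens come from the CA and are fresh for every order, which is
    why the TXT value differs at every renewal although the key does not.
    """
    return b64url(secrets.token_bytes(32))


# Constructed account public key: shape only, not a real key.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "constructed-x-coordinate-not-a-real-key",
    "y": "constructed-y-coordinate-not-a-real-key",
    "use": "sig",   # ignored by the thumbprint
}

if __name__ == "__main__":
    for attempt in ("first issuance", "renewal 60 days later"):
        name, value = dns01_record("cloud.example.com", new_token(), ACCOUNT_JWK)
        print(f"{attempt}: {name} TXT {value}")
```

Running it twice with the same account key prints two different TXT values, which is the behaviour seen with the manual certbot flow. Automating renewal therefore means automating the record update through the DNS provider’s API (the certbot DNS plugins and the acme.sh dnsapi scripts do precisely this), not reusing a value.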
The provider that you purchased your domain name from acts as both registrar and DNS provider. Registrars register your domain name with ICANN. Usually you have to renew your domain name yearly, biannually or every 5-10 years – it depends on how you purchased your name and under what terms.
DNS providers hold and manage DNS records to provide name resolution. For me, I moved from noip to Cloudflare since I wanted to be able to do the DNS challenge for renewal of LE certs, since LE certs need to be renewed every 60-90 days (which is pretty frequent). I wanted a more automated way to do things rather than using a manual or web server method. Also, with CF it’s really easy to alter DNS records and add entries for mail servers such as DMARC records and such. I’m not sure you want to do this; however, if you don’t want to run your own mail server, you can use services such as Mailgun, which can act like a forwarder. Even when using services like Mailgun you still need to add entries into your DNS records to make the process work correctly. I couldn’t come close to being able to do this with noip. CF is more “fully featured” and seems to be well supported with Let’s Encrypt. It’s also free for everything I need, since I’m running home servers. If you wanted fancy metrics and failover and other services, they offer those for a price; however, for basic needs it works really well.
That’s only for using the Certbot client. There are plenty of other Let’s Encrypt clients (e.g. acme.sh) that don’t require ports 80 and 443. You’ve jumped to conclusions and missed the benefits of the open platform Let’s Encrypt uses.
You need a domain for a Certificate Authority to create a certificate against, regardless of whether you use webroot or DNS verification. Only self-signed certificates can be issued against IP addresses. There are also plenty of free domains you can obtain if you do a simple web search.
Your wording indicates you’re pretty sure of how things work, even though you obviously don’t understand any of this. You’re missing the forest for the trees.
“Matter is closed.”
Thanks so much for explaining it in so much detail; that does indeed seem quite helpful, and I might move over to them, especially if they can automate the renewal! Do you know if DNS renewals are also automated, or is this just for HTTP-based renewals?
I’ll also look into the other things you’ve mentioned, though I might back away from running a mail server for now. From what I’ve heard, it’s best not to dabble in that if you don’t fully understand how everything is set up, as if something goes wrong it can be quite bad. Maybe in the future I’ll give it a shot.
Thanks for mentioning acme.sh; it seems quite useful, and I like how they have a GoDaddy integration for DNS renewals!
Also, I was requesting assistance from everyone here at first, as I clearly did not know how to go about setting up the SSL certificate, and the guide I was following only described how to go about it with the HTTP-01 challenge.
Are you also saying that it is possible to do a renewal without using the DNS-01 challenge with other LE clients? I.e. I didn’t need to make a TXT record in my DNS? The reason I needed assistance was because I used No-IP at first, which did not allow TXT record manipulation with their free service. This is why I had moved to the self-signed certificate option. I also did not know there were free domains, which someone in this thread has kindly already clarified for me, and I have taken this on board for the future.
As to why I said the matter is closed, it is because I had resolved the main issue this thread was made for, which was to get an HTTPS address working. I didn’t know how to close the thread, so, as to not waste anyone else’s time, I said the matter is closed so people can focus on other people’s threads that might need more urgent assistance.
I’m not too sure what caused you to get all ruffled, but I was simply asking for advice.
There is an alternative way to solve the problem of residential ISPs blocking ports, and also of residential ISPs typically issuing dynamic IP addresses. Here is the solution I used.
Create the smallest (read: cheapest) instance on your favourite cloud provider. I personally prefer Digital Ocean. Their smallest instance is only $5 per month. Running CentOS on the instance, I install OpenVPN, acting as a server. On my NextCloud running on my hardware at home, I have installed the OpenVPN client. It connects to the OpenVPN server running on the cloud instance. Residential ISPs don’t block any outgoing ports, so there’s no problem with the NextCloud machine at home establishing the VPN tunnel outbound on port 1194 to the cloud instance. It’s a simple point-to-point VPN tunnel, so the config is simple and easy.
Using standard Linux iptables on the cloud instance, I have the instance doing port forwarding and IP masquerading, such that when you hit the static IP of the cloud instance on 80 or 443, the request gets forwarded back across the VPN tunnel to my NextCloud at home. When the NextCloud responds, the response goes out across the VPN tunnel and out via the cloud instance’s static IP. So for any clients connecting, it appears as if the NextCloud is running directly on the cloud instance.
The advantages of this setup are:
- Cost: it’s only $5/month additional.
- Gives my NextCloud a static IP.
- Bypasses the residential ISP’s inbound port blocking, so you can use this to run your own mail server or anything else commonly blocked by a residential ISP.
- All my data is still hosted on my equipment in my home.
- My ISP has no idea what I’m up to, as they only see a single outbound VPN tunnel; they don’t see any inbound connections.
Clearly this is a little more complicated (although really not that much) than what the OP is looking for, but I wanted to share my solution, as it works well for me and it addresses the same set of problems. Yes, I am also using Let’s Encrypt. Hope this helps.
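The port forwarding and masquerading side of the setup described above, written out as an added example in iptables-restore format; it is not the poster’s own rule set. Interface names, the public address 203.0.113.10 and the tunnel addresses 10.8.0.1 (cloud instance) and 10.8.0.2 (NextCloud machine at home) are assumptions, and the file path is hypothetical.

```iptables
# /etc/iptables/rules.v4 on the cloud instance (assumed path; added example)
# Load with: iptables-restore < /etc/iptables/rules.v4
# Also required once: sysctl -w net.ipv4.ip_forward=1 (persist in sysctl.d)
#   eth0      public interface, static address 203.0.113.10 (assumed)
#   tun0      OpenVPN point-to-point tunnel, this side 10.8.0.1
#   10.8.0.2  tunnel address of the NextCloud machine at home
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Anything hitting the public address on 80/443 is rewritten to the home host.
-A PREROUTING -i eth0 -p tcp -d 203.0.113.10 --dport 80  -j DNAT --to-destination 10.8.0.2:80
-A PREROUTING -i eth0 -p tcp -d 203.0.113.10 --dport 443 -j DNAT --to-destination 10.8.0.2:443
# Source-NAT the forwarded flows to the tunnel address so the home host's
# replies return through tun0 instead of via its own ISP default route.
-A POSTROUTING -o tun0 -p tcp -d 10.8.0.2 -m multiport --dports 80,443 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# The OpenVPN server itself; the home client dials in to this port.
-A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
# 80/443 need no INPUT rule: after DNAT they traverse FORWARD, not INPUT.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o tun0 -p tcp -d 10.8.0.2 -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
```

Two things to keep in mind with this design. TLS still terminates on the home machine, so the cloud instance (and whoever controls it) relays ciphertext only; it can redirect traffic but cannot read it without the key on the home box. The MASQUERADE rule, on the other hand, makes every client appear to NextCloud as 10.8.0.1, so brute-force protection and access logs lose the real source address; dropping that rule and instead adding a policy route on the home machine that sends replies from 10.8.0.2 back out through tun0 preserves the client address at the cost of one more moving part.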