[Noobie] - Certbot - SSL - DNS

Hello,

I want to use an old laptop to get a private chat, a simple cloud server to use with my wife and my children. I would like to share some files easily with random people (especially pictures because I’m a photographer… that’s all!)
I honestly don’t know what I’m doing, following this documentation: https://www.howtoforge.com/tutorial/how-to-install-nextcloud-on-debian-10/

So, I’m in the section: Secure NextCloud with Let’s Encrypt Free SSL
I got this message:

[…]
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nextcloud.example.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. nextcloud.example. com (http-01): urn:ietf:params:acme:error:dns :: DNS problem : NXDOMAIN looking up A for nextcloud.example.com - check that a DNS record exists for this domain

IMPORTANT NOTES
The following errors were reported by the server:

Domain: nextcloud.example. com
Type: None
Detail: DNS problem: NXDOMAIN looking up A for nextcloud.example. com - check that a DNS record exists for this domain

At this point, I don’t really know what I’m doing… so it’s difficult to say what I’m doing wrong.
(I put some spaces in the link because of the restriction of 4 links for a newbie in this forum.)
Can you help me, please? :slight_smile:

If you want to run nextcloud (or any other service) on a local machine like your laptop, and want it to be accessible via the internet, you need some DynDNS. Get that running first, next you set up the SSL certificates.
Google “letsencrypt dyndns” to find some hints.


I’m going to hazard a guess that you don’t own example.com.

I would encourage you to buy a domain (for example through GoDaddy). It’s inexpensive and opens up a lot of options. But you can use a FQDN from a DDNS provider if that’s what you want.

You must have a domain name to do this. And consider it a semi-long-term choice because you won’t want to change it later without good reason.


I don’t own example.com, you’re right… It looked strange to me, but, honestly, I know nothing about DNS, cloud or things like that…

What’s a domain? Why do I need one? Can’t I just install Nextcloud on my laptop and connect to it with, for example, an IP? (In my mind, it’s that simple… be kind! ^^)

And what if I don’t want Nextcloud to be accessible via the internet? Is there a simple way to do that?

If you don’t want your cloud to be accessible on the internet, you don’t need a domain and you can use your local IP. In this case you also do not need a Let’s Encrypt certificate, so you can spare the certbot altogether. Just access your cloud via http, not https. This will get you started. Later you can decide to upgrade your configuration.

That’s a mistake. You should NEVER access your private data over an unencrypted network, even your own wireless. Better to use an invalid certificate and encrypt it.

You can… You’re missing out on an important aspect of security in doing so however. The certificate provides two core functions. One, it’s used to encrypt the connection. And two, it validates that the server you connected to is the correct one, not an impostor. A self-signed (invalid) certificate works for encryption but cannot verify the identity of the other system, as your web browser will tell you when you connect.

Some of Nextcloud’s features, such as Talk and Collabora, will have problems if you try to use them unencrypted.

A domain is basically a name. Example.com is a domain name. A collection of resource records can be associated with that name, such as the “A” record which lists the IP address that should be used for a name. Nextcloud, like most hosted services of any kind, is designed to be used with these names instead of directly with the IPs.

A lot of this is really up to you how you want to do it. I’m just telling you the “right” way that will produce the best results.

Thanks for your explanations. It’s very clear.
I’m getting it. I have to buy a “name” which identifies my server easily on the Internet.
For example: tolvasky.com

Actually, it’s pretty expensive for the use I’m gonna make of it, and Nextcloud seems to be overpowered for two recipes and the five pictures I want to share monthly.

I’m already lost with all these server things (apache, php, mariadb…) and if I have to deal with domains, IP, subscription, explanations to my friends and family and probably some problems, I won’t enjoy my cloud.

You do not need to buy a domain. You can also use a dyndns service.
You need dyndns for port forwarding from external to internal.
You can generate a Let’s Encrypt certificate for dyndns names.

Not tested:
http://freeddns.noip.com
Example for freedns.noip.com
https://klimas.ddns.net/nextcloud
(do not use a subdir for nextcloud)
I use the German service https://ddnss.de

Your service to use: http://freeddns.noip.com
Your subdomain: https://tolvasky.ddns.net
Use port forwarding on your router
Certificate from Let’s Encrypt

Hello.
I think I misunderstood something.
I did as you suggested @devnull


Domain www.noip.com
Subdomain antoniocloud.ddns.net
Email actmacedo@gmail.com

And I get this error:

[ letsencrypt ]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for antoniocloud.ddns.net
http-01 challenge for www.noip.com
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.noip.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.noip.com/.well-known/acme-challenge/dWHsuDstxrRgvdFUrWxRZuG4gQ4sMzeg5abDKP4kZsg [8.23.224.107]: “\n<html lang=“en”>\n\n\n\n404 - Page Not Found - No-IP\n<meta name=“language” content”
IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: www.noip.com
Type: unauthorized
Detail: Invalid response from
http://www.noip.com/.well-known/acme-challenge/dWHsuDstxrRgvdFUrWxRZuG4gQ4sMzeg5abDKP4kZsg
[8.23.224.107]: "\n<html
lang="en">\n\n\n\n404 - Page Not Found - No-IP\n<meta name="language" content"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

I cannot use ports 80 and 443 as my router provider doesn’t let me use those. So I forward port 80 to 880 and 443 to 8443. Is there any problem?
My address to access my nextcloud from outside is: antoniocloud.ddns.net:8443

www.noip.com is the domain of the provider where you get your ddns domain. You can’t and should not try to produce a certificate for that. If antoniocloud.ddns.net is the ddns domain you got that’s the one to work with.

It didn’t work.

[ letsencrypt ]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for antoniocloud.ddns.net
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. antoniocloud.ddns.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://antoniocloud.ddns.net/.well-known/acme-challenge/Os3mUgkRyxMUe9Kvkeh4Hoa690h0llHWICFr4Lcm71o: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: antoniocloud.ddns.net
Type: connection
Detail: Fetching
http://antoniocloud.ddns.net/.well-known/acme-challenge/Os3mUgkRyxMUe9Kvkeh4Hoa690h0llHWICFr4Lcm71o:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

I think it’s because my internet provider does not allow access to port 443 from outside my network.
I forwarded port 443 to 8443.
I think this is the reason.

Hi,

It’s free because there are ads, that’s the point?
What’s a dyndns service? Is it because my IP changes from time to time?

Essentially, yes. But listen, setting up a nextcloud server is not trivial, even for experienced people. You lack some experience, and you are trying to solve all problems at the same time. That will not work.
Try to do it step by step:

  • set up your box for DYNDNS. There are various help pages on the internet.
  • start with a simple index.html page that shows “Hello World”
  • now make https work for this simple site, using your dyndns domain and Let’s Encrypt certificates
  • if this all works, expand the config to use nextcloud.

Each step requires some work, and you will learn some stuff that is useful for future projects. Only the last step is nextcloud related, so don’t expect us to do all the work for you.

It’s actually because of port 80. Certbot does the http verification over port 80. You can use DNS verification instead, but it will be more challenging and less automatic.

If you have www.noip.com in your web server config, that’s an error. Use only the domain name you registered.
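The three certbot failures pasted in this thread (NXDOMAIN, a 404 from the provider’s own www site, and a connect timeout) are exactly the three steps of an http-01 check: DNS A record, the token file under the webroot, and a plain-HTTP fetch on port 80. The script below is an added example, not part of the howtoforge tutorial or of certbot, that replays those steps before you run certbot; the `resolve` and `fetch` parameters are assumed hooks so the logic can be exercised offline, and the IP addresses in the comments are illustrative.

```python
import secrets
import socket
import tempfile
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def default_resolve(name):
    """IPv4 addresses DNS publishes for name; [] means NXDOMAIN (the first error in the thread)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)})
    except socket.gaierror:
        return []


def default_fetch(url, timeout=10):
    """Fetch url over plain HTTP on port 80, as the CA does; None means it could not connect."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except OSError:  # URLError and socket timeouts are both OSError subclasses
        return None


def preflight(domain, expected_ip, webroot=None, resolve=default_resolve, fetch=default_fetch):
    """Replay the CA's http-01 steps; return (acme_error_type, hint), 'ok' when all pass."""
    webroot = Path(webroot or tempfile.mkdtemp())  # assumed default; use your real webroot
    # 1. DNS: the CA needs an A record for the name, pointing at the router's public IP.
    ips = resolve(domain)
    if not ips:
        return "dns", f"NXDOMAIN: no A record for {domain}; create it at your DynDNS provider"
    if expected_ip not in ips:
        return "dns", f"{domain} resolves to {ips}, not your public IP {expected_ip}"
    # 2. Webroot: drop a random token where certbot --webroot would write its challenge.
    token = secrets.token_urlsafe(32)
    path = webroot / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(token)
    try:
        # 3. Reachability: the CA connects to port 80; forwarding 80 -> 880 on the router breaks this.
        reply = fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}")
        if reply is None:
            return "connection", "timeout on port 80: forward external port 80 to this server"
        status, body = reply
        if status != 200 or body.strip() != token:
            return "unauthorized", f"HTTP {status} from {domain}: wrong name or webroot (e.g. the provider's www site)"
        return "ok", f"{domain} passes; run certbot --webroot -w {webroot} -d {domain}"
    finally:
        path.unlink(missing_ok=True)
```

Run it with your DynDNS name, your current public IP and `webroot="/var/www/nextcloud"` on the server itself; the first tuple element matches the `urn:ietf:params:acme:error:` type certbot would print.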

If you say so… I enjoy that part.

I pay $10/yr for my domain.

It sounds like maybe what you need is more like a blog?

Thank you very much for your answer. I have tried to use these instructions: https://docs.nextcloudpi.com/pt/how-to-get-certificate-with-letsencrypt-using-dns-to-verify-domain/
But I think I have to have access to DNS to put a .txt file on it. That was what I understood anyway. Unfortunately, I don’t have access to it, since my DNS provider (noip.com) is a free service.

I think that solution won’t work for me, since I use nextcloud in my raspberry pi.
Thanks again.

Well, it’s not a .txt file, it’s a TXT resource record. That’s specifically for DNS verification. If you can’t use port 80 for HTTP verification, and you can’t make a TXT record for DNS verification, it sounds like your setup isn’t compatible with Let’s Encrypt.

You will have to change something so you can use one of the verification methods if you want a good setup.

You must allow port 443 and port 80 for Let’s Encrypt.

That’s incredibly bad advice to tell someone who is only just learning about domains and certificates.

The vast majority of certificates do NOT validate that you’ve connected to the correct server. Domain Validated certificates merely secure a connection, nothing more. Only Extended Validation certificates verify you’ve connected to the correct server, and they cost a fortune. I doubt the OP is going to spend hundreds or thousands on an EV certificate to verify they’re connecting to their old laptop.

If this is just for you and your family/friends, you can get a domain for free. Do a web search and you’ll find a few free options. I use dot.tk for my free domains (I have darksteve.tk, and cloud.darksteve.tk for my Nextcloud instance). The .tk domains are fine for personal use, and cost nothing. I’m using Let’s Encrypt to secure them. I renew my .tk domains once a year for free, and they even send me reminder emails a fortnight before the domain expires.

Stick with it! Seriously, after playing with this stuff for a little bit it’ll suddenly “click” and all make sense :slightly_smiling_face:

You don’t have to settle for that, you can use a free service that doesn’t rely on ads. There are multiple options out there.

Follow eehmke’s advice. Start at the beginning with a simple unencrypted landing page, then get encryption working, then get Nextcloud working. That’s pretty much what I did while I was learning all this stuff.

Don’t give up! It’ll be wonderfully rewarding once you get this stuff working :slight_smile: Just don’t bite off more than you can chew at once. I started off unencrypted, then I moved to using self-signed certificates (which often don’t work with mobile apps), then I upgraded to Let’s Encrypt certificates.

Good luck!


Well normally I’d be content to let that slide without further comment, but I’m going to point out for community benefit this is a false statement. You have to prove you have control of the domain records to obtain the certificate, and that’s part of the authentication mechanism. The server must be in possession of the domain-validated certificate’s private key, which is verified by the encryption. The private key in turn shows that the server has been authorized to operate by the person who has control of the domain.

Extended Validation certificates validate your organization, not your server.