ssl is not working with domain

CptCharis

Hello everybody.
I created an SSL certificate with OpenSSL for a site that I run from a home Ubuntu server. I'm facing the issue below.

Typing http://local_IP_/site working
Typing https://local_IP/site working
Typing http://my_dyndns.org working
Typing https://my_dyndns.org NOT Fu*ing working.

What am I missing?
 


My first thought is...

does the domain match what you entered in the cert?

There is a section for "common name" (your server's hostname).
That has to match. Also the IP and domain name have to match.
 
My first thought is...

does the domain match what you entered in the cert?

There is a section for "common name" (your server's hostname).
That has to match. Also the IP and domain name have to match.

I thought the same and just re-built the certificate in order to replace the old one and I added my dns address but same results.

I'm thinking that certificate is not working with dyndns and needs a domain name.
 
Here are my 2 cents.

When a browser is pointed at https://any_domain.tld, the browser is going to need to see a certificate from any_domain.tld. It looks to me like you get that, and that would be why you re-built the certificate in order to replace the old one and I added the dns address.

I am guessing your certificate is self-signed.

I thought the same and just re-built the certificate in order to replace the old one and I added my dns address but same results.
The certificate has to be for my_dyndns.org

I think that means pretty much the same as "I'm thinking that certificate is not working with dyndns and needs a domain name." Can you make a cert for your my_dyndns.org?

My Home Web Server
This probably will not help, but it might spark an idea.

I have a home-based web server. Instead of using dynamic dns services, I just use the ip of the router installed by xfinity at my house. I don't think there is any guarantee of the ip always being the same, but it has not changed since I got it three years ago. My external ip is like 95.195.xxx.xxx

That means the server is reachable (almost, as explained below) with
http://my_external_ip
https://my_external_ip

That does not quite work, because the router has a firewall that by default blocks inbound http requests. To make it work, the firewall on the router can be put into port forwarding mode. Port forwarding on this router needs an internal ip as the target for forwarding. The internal ip for the web server is like 10.0.0.xxx. 99.999% of the time, I have port forwarding off, because I do not want calls to my home-based web server coming in from the public internet.

I need that server to run https for some of the work I do. I don't want to see the "danger danger danger" warnings that come up with self-signed certificates and I could not figure out how to make self signed certificates trusted in all my browsers... sooooo

I have a registered domain running on internal ip. The public dns records for the domain cannot point directly to my internal ip. The public dns records point to my external ip. To make the certificate, I have to enable port forwarding, so the certificate authority can verify the domain is running at my external ip. Once I get the certificate, I shut down port forwarding. Even though the cert was verified for my external ip, it runs without a problem when accessed with the internal ip.
 
Thank you very much @carlarogers.
Even if your way is a little bit complicated and tricky, I think it is a good idea to use the external ip of the router in same ways.
 
Hello!

Since you're configuring this in a home network, if you have a small amount of devices that access this https site on your local server, I would be my own CA and make my browsers trust my certificate.


This will make your solution less reliant on external resources and more long term.
 
Thank you @in1t5

I use my own CA ssl as per your link, thank you very much.
But it is still working only with IP (within my network).
It is not working with my dyndns domain (outside my network)
I think I really need a real domain and not a dyndns
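
The name-matching point raised in this thread can be checked offline with OpenSSL before a certificate is installed. The script below is an added example, not part of any post above: it builds one self-signed certificate whose only name is the LAN IP in the common name and one that lists both the hostname and the IP as subjectAltName entries, then asks OpenSSL whether each matches. `myhome.example.org` and `192.168.1.10` are constructed placeholders, and `-addext` assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example. HOST and LAN_IP are constructed placeholders, not values from the thread.
HOST="myhome.example.org"   # stands in for the dynamic-DNS name
LAN_IP="192.168.1.10"       # stands in for the server's local IP

# make_cert DIR CN [SAN]: write a self-signed DIR/key.pem and DIR/cert.pem.
make_cert() {
    if [ -n "${3:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=$2" -addext "subjectAltName=$3" \
            -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=$2" \
            -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    fi
}

# cert_matches CERT host|ip VALUE: exit status 0 only if OpenSSL reports a match.
cert_matches() {
    case "$2" in
        host) openssl x509 -in "$1" -noout -checkhost "$3" ;;
        ip)   openssl x509 -in "$1" -noout -checkip "$3" ;;
    esac | grep -q 'does match certificate'
}

# demo: build both certificates and report whether each covers the hostname.
demo() {
    work=$(mktemp -d)
    mkdir "$work/ip_only" "$work/with_san"
    make_cert "$work/ip_only" "$LAN_IP"                          # CN only, no SAN
    make_cert "$work/with_san" "$HOST" "DNS:$HOST,IP:$LAN_IP"    # both names in SAN
    for c in ip_only with_san; do
        if cert_matches "$work/$c/cert.pem" host "$HOST"; then
            echo "$c certificate vs https://$HOST: match"
        else
            echo "$c certificate vs https://$HOST: NO match"
        fi
    done
    rm -rf "$work"
}

demo
```

Current browsers compare the requested name against the subjectAltName entries only, so a certificate meant to serve both the hostname and the IP needs both listed there. A passing check says nothing about whether port 443 is reachable from outside the network.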
 
