this post was submitted on 25 Feb 2024
27 points (90.9% liked)

Selfhosted

40746 readers
347 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
27
submitted 10 months ago* (last edited 10 months ago) by dontwakethetrees to c/selfhosted
 

Hey everyone, asking here since I've been trying (and failing) at the numerous guides online. The end goal is so that I can have proper Let's Encrypt certs for my self hosted servers to include VaultWarden (which will not work with self-signed or http) as well as have easy urls for myself and family to use.

So I am trying to setup my Porkbun domain with my Opnsense nginx plugin in order to resolve the address (such as navidrome.example.com to my local server's navidrome instance @ 192.168.1.99:4533). I attempted this guide here as well as trying to configure a separate nginx on the server itself. I haven't had much luck with these guides either.

Any address outside of router.example.com results in a connection failure. Including when I tried to route everything like navi.router.example.com. This is with and without wildcards in the A Record entries on Porkbun's DNS control panel. I've tried *.example.com, *.router.example.com, navidrome.example.com, navidrome.router.example.com.

Sorry if this seems like a simple problem or if I am missing a massive step, I am complete newbie at self-hosting/networking.

edit: Finally got it working with the simple urls resolving to the proper self-hosted services and with proper CA certs. Thank y'all for the help and advice!!

all 12 comments
sorted by: hot top controversial new old
[–] breakingcups 3 points 10 months ago (1 children)

You're not entirely clear on whether you want these services accessible from the internet or just internally. If the latter, change ACME settings to use DNS challenges instead of HTTP. If the former, recheck your dns records, maybe post them here (censored if you wish).

[–] dontwakethetrees 1 points 10 months ago

Looking to use internally, been using DNS challenge. Going to check up on it this morning.

[–] [email protected] 2 points 10 months ago (1 children)

First off - you don’t explicitly say so I just want to double check - you’re not using example.com as the actually domain correct?

If not the next thing to do would be to check out what DNS is doing. You can use the dig command to see what IP address is being returned for the domains you’re trying to hit.

dig +trace may be useful as well.

[–] dontwakethetrees 1 points 10 months ago (2 children)

Nope, just substituted out my domain for the post.

Ran dig +trace and my domain and it returned a 100.x.x.x#53 public domain address.

[–] [email protected] 1 points 10 months ago (1 children)

Is that expected? Otherwise check to make sure DNS settings for the domain are correct (eg ns records dig NS example.com IIRC).

[–] dontwakethetrees 1 points 10 months ago (1 children)

So following dig ns domain in terminal vs web app on my phone (shared by another commenter and I had checked lemmy on mobile): my computer was resolving with a couple of different odd results including my public ipv6 address. On mobile it resolved properly.

Checked my DNS and my computer’s dns had my public ip in the listing. So now after removing that, the domain resolves to the wildcard (which dumps at my opnsense router and throws the dns rebind error). So I’m assuming that should be it?

Now I should only have to resolve configuring nginx properly.

Thank you for suggesting the dig command!

[–] [email protected] 1 points 10 months ago

Excellent! Nice work.

I don’t know what dns rebind is but once DNS A records are pointed to the right place then it’s just a matter of setting up the rest of your stuff.

[–] c10l 1 points 10 months ago

Not sure if this is helpful in any way, but it might give you some clue.

100./8 addresses are reserved for CG-NAT.

This is probably the IPv4 address your modem/router is receiving from the ISP.

https://en.wikipedia.org/wiki/Carrier-grade_NAT

[–] [email protected] 1 points 10 months ago* (last edited 10 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
NAT Network Address Translation
nginx Popular HTTP server

5 acronyms in this thread; the most compressed thread commented on today has 6 acronyms.

[Thread #541 for this sub, first seen 25th Feb 2024, 04:15] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 1 points 10 months ago

Let's Encrypt certs for my self hosted servers to include VaultWarden (which will not work with self-signed or http) as well as have easy urls for myself and family to use.

Im not expert, but Im using VaultWarden with self signed certs. Note that I didnt open it to public and I didnt buy a domain. I just made up a domain name and Im using wireguard to get access (together with NPM and pihole)

[–] [email protected] 0 points 10 months ago

You've got two parts here, name resolution and certs. Make sure name resolution works first.

I don't know if Porkbun is different, but in namecheap, I created a wildcard record. Let's say I have the domain example.com, and my server is server.example.com, and it hosts a bunch of docker containers like jellyfin and radarr, at jellyfin.example.com and radarr.example.com. So I created a wildcard A record with name * and value 192.168.1.20. This means when I try any domain under example.com that doesn't have a more specific record, I get that IP back.

You can test name resolution from your own PC with dig (Linux) or nslookup (Windows). Be mindful of which server you're using for lookups when you do this. To check the perspective of a client outside my network, I like https://digwebinterface.com/. And always remember that it takes time for DNS changes to propagate.

After that I just used acme plugins for Proxmox and traefik to get let's encrypt certs individually and automatically, but you could also get a wildcard cert for *.example.com by any method, from any provider, and install it yourself.