Support for Strato Let's Encrypt DNS challenge #1154
Comments
Unfortunately the current version of NPM only supports DNS-challenge providers which have a certbot dns plugin. The link you posted is only a manual auth hook certbot integration, which is not supported. And it seems there currently is no actual certbot dns plugin. |
For others with the same problem: Not a certbot dns plugin, but I managed to get a wildcard cert with the workaround mentioned here:
Up until here you should have SSL working for the domain, but not the subdomains.
Now the cert setup in step 2 contains a wildcard alias and can be assigned to the wildcard subdomain from step 1. I hope this helps some. |
Thanks for your how to. Thanks a lot. |
When the SSL certificate is created in step 2, NPM automatically creates a job that regularly renews the certificate. |
Hi, some things I have noticed. (All files mentioned come from here: https://github.com/Buxdehuda/strato-certbot)
Okay, after this, your workaround works, but I get this error message, even though the certificate generation works: After issuing point 8 of the workaround I get this output. [...] Hook 'deploy-hook' reported error code 1. Successfully received certificate. Any ideas? |
I modified the code from the aforementioned repository to provide a regular certbot dns authentication plugin, which can be directly integrated into NPM (see here). If you would like to give it a try, follow these instructions.

```js
// ...
//####################################################//
strato: {
    display_name: 'Strato',
    package_name: 'certbot-dns-strato',
    version_requirement: '~=0.1.1',
    dependencies: '',
    credentials: `dns_strato_username = user
dns_strato_password = pass
# uncomment if domain name contains special characters
# insert domain display name as seen on your account page here
# dns_strato_domain_display_name = my-punicode-url.de`,
    full_plugin_name: 'dns-strato',
},
// ...
```

I was successful using option 2 mentioned in the linked comment.

```yaml
version: '3'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: always
    ports:
      - '80:80'
      - '1080:81'
      - '443:443'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
      # map custom code into the container to support strato dns
      - ./custom-npm/global/certbot-dns-plugins.js:/app/global/certbot-dns-plugins.js:ro
      - ./custom-npm/frontend/dist:/app/frontend:ro
networks:
  default:
    external: true
    name: nginx-proxy-manager
```

Note that the code is still in an experimental stage. |
Nice work. :) Where do I need to place the files from your repository? |
Thank you :-) You don't need to touch my repository -- it is just a place for the plugin to live. The code is uploaded to PyPI so it is available from anywhere where python pip is installed. Thus npm can grab it by itself. You just need to introduce this plugin to npm by inserting the configuration snippet posted above and then building the npm frontend from this repository. Once that's done, you can use the build directory and mount it into your docker container at the specific location where the prebuilt frontend was living (you basically shadow it with the new version). Then you're good to go. In fact I have had this setup up and running since my post without any issues :-) So what you need to do:
(-: Hope this helps |
Thank you. :) Your pull request got answered: #2929 (comment) I've tested the docker image, works like a charm! Thank you so much for your work! |
Hi guys, I posted this also in the Pull Request but don't know if anyone sees it there: I read this and wanted to try it out but I think I don't get it... also my strato is locked with 2FA. Sorry, but I don't understand the things under user and pass... this is the example: and now how to fill it? The last two I don't understand... I tested with: dns_strato_username = NUMBERS. Please help or point me to a good example from someone who got it to work. It would be easier than the normal challenge, as there are at times internal errors -,- (new request worked...) Thank you so much... EDIT: have to put ' in front of # to avoid funky things... |
In the topmost field of the basic certificate settings it should say I guess you already tried both variants, right? If that's the case, I might have spotted an error with TFA. Since I did not configure it yet (shame on me), this didn't come to light.
Please try as I explained, if you did not already do so and report back. Then I will proceed to making the adjustments in code. |
Do you have something new for me @FlixMa ? |
I am sorry, I didn’t have time to do it as I am currently on vacation. I’ll be back in September. |
I tried the same @Yoshi315161, but I'm getting the same error. Is there something I can look for in the debug log? ////Update I checked some more, what I think happens is that the url you use in your 'certbotstratoapi.py' is for strato.DE. Is it an option to add the API url to the settings? |
Hey all, sorry for the late reply. I did not know that strato was serving their page in other countries than Germany. So this actually might be the cause for troubles with some users. In the recent commit I added the option to fully customise the API endpoint:
You will probably only set the
I have just published a new version of the certbot strato dns challenge pypi package:

```python
from certbot_dns_strato.dns_strato import _StratoApi
# change the placeholders and api host to match the one you are logging in to (e.g. '.nl' for the Netherlands).
strato = _StratoApi('your_domain_display_name', custom_api_host='www.strato.nl')
strato.login('my_username', 'my_password')
strato.set_domain_name('your_domain_name')
strato.get_package_id()
strato.get_txt_records()
strato.set_amce_record('hello', 'world')
strato.push_txt_records()
```

The result should look like this: I hope the NPM auto-updates the package soon, so you'll be able to use the additional options from inside NPM. Also please let me know if this fixes the problem for you, @Yoshi315161. Cheers |
Hey @FlixMa, now I have a wildcard with DNS Challenge :D (and TOTP). My config is the same as in the picture above, the only difference is that I deleted the last three lines. |
Hey @Yoshi315161, vacation was alright; thanks for asking. Glad to hear you got it working. Then the issue might actually have been that the 2FA detection was not only broken for other countries, but also for strato.de. That is actually very likely as it was based on user-facing string matching, which of course might change more frequently than an API. I did change that behaviour to be based on whether you provide 2FA credentials or not, to make it compatible with other languages. Do you mind sharing how you updated the pip package inside your NPM docker container? This way others can profit as well :) Have a nice weekend! |
Of course I can. After that I tested again in NPM and it worked. You too :) |
Hi, when I run: frontend-build file does not exist. Any suggestion? |
The script has been moved to a subfolder: I am not sure if it will work, though. There might have been other breaking changes since spring 2023. But may I ask, why you want to use those steps? The plugin should already show up without any additional changes since #2929 got merged. So you probably don’t need to build it for yourself :) |
I have updated to the latest version 2.10.4 and I have already seen it |
When I try to create an SSL certificate it gives an error:
I have also updated to version 0.2.0 from Portainer |
Unfortunately I haven't seen this error before. You can try to have a look into the debug log. There might be useful information inside. If you are unsure if this has to do with the strato plugin itself, you might want to post a new issue. |
It's already solved. In case it helps anyone :) |
I added a more descriptive configuration template to simplify onboarding for new users. See pull request #3212 for more information. |
Joining here as the steps provided didn't fix the issue :( |
Thanks a lot. Updated NPM to v2.11.1 and updated the |
I tried it once again but it didn't work my Config is:
Propagation Seconds = 70
The log gives the following output
As you can see my cID above is 0 when I login into my account the cID is 1. Maybe this is my problem. |
This helped in my case, thanks for the steps! |
Trying to set up a new LXC on proxmox but cannot get it to run. Requesting single subdomain certificates is working fine, but DNS challenge with strato isn't. Already updated; 2FA is NOT activated & no '#' inside my password. NPM: v2.11.1, also tried with 2.10.
Credentials File Content

```ini
dns_strato_username = "XXXXX"
dns_strato_password = "XXXXXXXXXXXX"
#uncomment if youre using two factor authentication:
#dns_strato_totp_devicename = 2fa_device
#dns_strato_totp_secret = 2fa_secret
#
#uncomment if domain name contains special characters
#insert domain display name as seen on your account page here
#dns_strato_domain_display_name = my-punicode-url.de
#
#if youre not using strato.de or another special endpoint you can customise it below
#you will probably only need to adjust the host, but you can also change the complete endpoint url
#dns_strato_custom_api_scheme = https
#dns_strato_custom_api_host = www.strato.de
#dns_strato_custom_api_port = 443
#dns_strato_custom_api_path = "/apps/CustomerService"
```

Error in NPM

```
CommandError: Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
at /app/lib/utils.js:16:13
at ChildProcess.exithandler (node:child_process:410:5)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1100:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)
```

letsencrypt.log
Had it running in docker on unraid successfully but want to move the critical applications to my proxmox cluster. EDIT: I just saw that on my existing NPM on Unraid, also v2.11.1, I run into problems too when renewing the domain (XXXXX.de) which I've tried with the new NPM container. When trying with one of my other domains (YYYYY.com), I can renew without problems. I've checked both config files, they are the same. So I have no idea why it's not working for that one domain. |
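Two posts above mention the credentials file biting people: one had to quote values to stop a `#` causing "funky things", and the post above stresses there is no `#` in the password. The following pre-flight check is an added example, not code from this thread or from the certbot-dns-strato project; it models the INI-style rule that an unquoted value ends at the first `#` (an assumption about how certbot's credentials parser behaves, not its actual code) and reports truncated secrets, missing keys, and a half-configured 2FA pair.

```python
"""Pre-flight check for a dns_strato credentials file (added example, not project code).

Assumption modelled here: like configobj-style INI parsing, an unquoted value is cut
at the first '#', so a password such as pa#ss silently becomes "pa" unless quoted.
"""
import re

REQUIRED_KEYS = ("dns_strato_username", "dns_strato_password")
TOTP_KEYS = ("dns_strato_totp_devicename", "dns_strato_totp_secret")
# A quoted value: opening quote, anything, matching closing quote, optional comment.
_QUOTED = re.compile(r"""^(["'])(.*?)\1\s*(?:#.*)?$""")


def parse_credentials(text: str) -> dict:
    """Parse `key = value` lines, skipping blank lines and full-line comments.

    Quoted values keep everything between the quotes; unquoted values end at
    the first '#', mimicking the inline-comment rule described in the docstring.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, rest = line.partition("=")
        if not sep:
            continue
        rest = rest.strip()
        match = _QUOTED.match(rest)
        value = match.group(2) if match else rest.split("#", 1)[0].strip()
        values[key.strip()] = value
    return values


def check_credentials(text: str) -> list:
    """Return human-readable findings; an empty list means the file looks sane."""
    values = parse_credentials(text)
    findings = []
    for key in REQUIRED_KEYS:
        if not values.get(key):
            findings.append(f"{key} is missing or empty (still commented out?)")
    # The classic trap from this thread: an unquoted '#' inside a secret.
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, rest = line.partition("=")
        key, rest = key.strip(), rest.strip()
        if "#" in rest and not _QUOTED.match(rest):
            findings.append(f"{key} contains an unquoted '#'; value was cut to {values[key]!r}")
    present_totp = [k for k in TOTP_KEYS if values.get(k)]
    if 0 < len(present_totp) < len(TOTP_KEYS):
        findings.append("only one of the two dns_strato_totp_* keys is set; 2FA needs both")
    return findings


# Constructed samples in the shape of NPM's template; SAMPLE_BAD has the '#' trap on purpose.
SAMPLE_BAD = """\
dns_strato_username = "XXXXX"
dns_strato_password = pa#ss
#dns_strato_totp_devicename = 2fa_device
dns_strato_totp_secret = 2fa_secret
"""

SAMPLE_GOOD = """\
dns_strato_username = "example.de"
dns_strato_password = "pa#ss"
"""

if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, check_credentials(sample) or "ok")
```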
Try to use your package password and your domain. Go to your strato account and set your package password. Then check, if you can login to your strato account with your domain name (e.g. example.com) as user and for your password use your package password. If that works, enter those credentials into the Credential File:
|
And I had assumed that it was just a bug in the older version. It was all the more annoying to discover that it doesn't work with the newer version either. I finally got it to work thanks to your instructions. Thanks a lot! |
This finally worked for me! Thank you very much!!! 😁 |
Hey, again me. Looks like I was able to request a cert for my domain now, but it seems not to be a wildcard. There is no "*" in front of the domain, and we also receive the message from Firefox that the domain name (subdomain) is missing in the cert. EDIT: Also, what's interesting, now my default strato credentials are working again for this domain... |
You added your domain to nginx like domain.com and also *.domain.com? Then you should receive a wildcard cert. |
No, I've just added "domain.de" to the textbox, like I did in the past. When additionally adding "*.domain.de" I run into an issue. EDIT: Anyway, now I'm running into the cert limit. ._. |
I am just a noob myself in that area of expertise ;-). But I think you have to add *.domain.de to receive a second level subdomain wildcard certificate. |
I think I never did this in the past, but it's possible, it got automatically added. Not sure to be honest. |
Hi, I just found this thread and it has helped me greatly in managing to create a cert for my domain on strato. One small (big) problem though. Even though the cert shows up, and I can use it for my reverse proxy, I get an "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" error when I'm trying to connect to the domain. Why would that be if I have used the config below? *.example.se dns_strato_username = username I have tried the full subdomain instead of the wildcard and as display name as well, but nothing works. The cert is created with no problems, but I get the version or mismatch error in chrome every time. In firefox the error is "SSL_ERROR_NO_CYPHER_OVERLAP" instead. If I create a cert for duckdns.org for example, there are no problems at all. Can anyone elaborate on what I need to do? EDIT: I solved it myself by adding the domain to Cloudflare and bypassing Strato DNS completely. |
After updating to 0.2.1 I could renew the wildcard certificate for one of my two domains. For the other I still get the same error as before. Any hints on how to solve this? Using the https://github.com/Buxdehuda/strato-certbot certbot I can at least receive the fitting certificate, so there it seems to be fixed :) |
I can confirm that renewal after manually updating to 0.2.1 works. But why is that version not updated in the official docker container? |
For me it still only works for the first of my domains. |
Sadly, neither can I renew my wildcard cert nor can I request a new one with any combination of the settings from above. I tried with updating the python package as well. I still get an "internal error" without any indication to the error itself. |
I could successfully create my wildcard certificate, but still can't reach the subdomains when I select it for the proxy host. Btw it says the domains have to already be created. Does that mean that the wildcard certificate will only be created for the subdomains already added in the Strato account? |
You need to register your subdomains manually at strato. NGINX can't register Subdomains for you. You need to register your subdomains and set the ip where they should point to. Or you could set a CNAME to point to the same IP as your DYNDNS Domain. The Wildcard certificate is valid for all subdomains. No matter if they existed before or after the certificate generation. |
@nevyen I would like it to use the same IP as the DynDNS domain. How do I do this with the CNAME? Shouldn't this be automatically set up? I have DynDNS deactivated for the subdomain and I realized that the IP differs from the main domain. I would assume they are the same. I am still being greeted with the Strato landing page on the subdomain, so the proxy doesn't seem to work. The certificate for my main domain also is not trusted by Firefox today and it points to my router's WebUI. Yesterday this still worked. Really hard to set this up. DuckDNS was so straight-forward. |
@jclsn for each subdomain you must set the CNAME to the domain you registered in your router's dyndns. Refer to https://www.strato.de/faq/domains/wie-kann-ich-bei-strato-meine-dns-eintraege-verwalten/#cname |
@jclsn It's not about your proxy not working, but rather a wrong configuration in your strato package. Each subdomain can point to a different server, thus strato allows you to assign different IPs to each subdomain. If you just need them all to point to the same server (e.g. your npm instance) then you can either set up your router to supply dyndns for all your subdomains or just use CNAME records in your primary domain. CNAME stands for canonical name and is basically the DNS way of saying „this is an alias for that“. |
The link you sent me is an A-record, where I should enter an IP, although I don't understand how this would work with DynDNS. Afaik the IP changes from time to time.
I looked at changing the CNAME, but it doesn't accept maindomain.de. Calling the Strato support now. I just wonder why the proxy for the main domain is not working anymore. This is probably a configuration issue with NPM. My DuckDNS proxies are still active and working though.
|
So I added maindomain.de. as CNAME and now the FritzBox is complaining about DNS Rebind protection. The Strato customer support didn't know how to help me :D Guess they only have qualified support for corporate customers.
|
I just realized it works correctly from outside my network. Just tried it with my phone. As soon as I connect to the wifi though, maindomain.de is showing me the router's web ui and the subdomains give me the rebind protection warning.
|
I gave up with the Strato DNS plugin. I kept my domain with Strato but moved the DNS records off to a free account on Cloudflare. Now the certs incl. wildcard are working without any issues, and renewing them is not a problem anymore. |
Ha, I made it! Seems like you can't use the DynDNS in the FritzBox. Using ddclient works much better! So here is what I did:
|
When requesting wildcard certificates for my .de domain, I'm still running into issues. The cert request just aborts, with no visible error message. This problem only comes up for .de domains; I found my .com and .eu domains from the same strato account are working fine. Any idea what could block me here? Using Nginx Proxy Manager v2.11.1, certbot-dns-strato v0.2.1. Full log of issue
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/e0m2DA",
"token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/coLV5g",
"token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/2sm9nQ",
"token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
}
]
}
2024-05-02 16:18:39,553:DEBUG:acme.client:Storing nonce: O0afatDI0RLN73rcITo_-Hrn3IjJ_80RKuQsTqncpUMtaf7q9jk
2024-05-02 16:18:39,554:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-05-02 16:18:39,555:INFO:certbot._internal.auth_handler:dns-01 challenge for domain.de
EDIT: .de-challenges
HTTP 200
Server: nginx
Date: Thu, 02 May 2024 14:18:39 GMT
Content-Type: application/json
Content-Length: 798
Connection: keep-alive
Boulder-Requester: 1598501227
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: O0afatDI0RLN73rcITo_-Hrn3IjJ_80RKuQsTqncpUMtaf7q9jk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "domain.de"
},
"status": "pending",
"expires": "2024-05-09T14:10:50Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/e0m2DA",
"token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/coLV5g",
"token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345790981617/2sm9nQ",
"token": "-4gozKMezPVXlBOFkulRMXBDmxXUlwEYdnkEjx8gSak"
}
]
}
2024-05-02 16:18:39,553:DEBUG:acme.client:Storing nonce: O0afatDI0RLN73rcITo_-Hrn3IjJ_80RKuQsTqncpUMtaf7q9jk
2024-05-02 16:18:39,554:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-05-02 16:18:39,555:INFO:certbot._internal.auth_handler:dns-01 challenge for domain.de
.com challenges
HTTP 200
Server: nginx
Date: Thu, 02 May 2024 15:07:11 GMT
Content-Type: application/json
Content-Length: 572
Connection: keep-alive
Boulder-Requester: 1598501227
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: O0afatDIdLAdBXwvNoaYXhbL05VSQ_hxdNdTa93qwsZcu146X04
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "domain.com"
},
"status": "valid",
"expires": "2024-06-01T14:08:39Z",
"challenges": [
{
"type": "dns-01",
"status": "valid",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/345789827577/3hjyKg",
"token": "YIgmMMYgKo7si214ERMxND-lVFb80uxq2TIMyoeHJ4k",
"validationRecord": [
{
"hostname": "domain.com",
"resolverAddrs": [
"10.1.12.85:30182"
]
}
],
"validated": "2024-05-02T14:08:39Z"
}
]
} |
What provider would you like to see added to NPM?
Strato
Have you checked if a certbot plugin exists?
I found this here:
https://github.com/Buxdehuda/strato-certbot