[SOLVED] Cannot obtain Let's Encrypt certificate

Hello, I'm a newbie, non-technical user.

  • FreedomBox directly plugged into a Netgear router at home.
    Self-purchased router I have access to; no access to the ISP (device) possible.

  • New Olimex Pioneer kit, Nov 2020. Manually updated to the most recent version after initial setup.

  • Ports 80 & 443 have been forwarded.

  • Assigned a static local IP-address. Freedombox is accessible through that local IP-address.

  • http(s)://examplelocalhostname.local gives an error in browsers: server not found.

  • Router’s interface gives a 192.1xx.xxxx WAN IP-address. I’ve read https://discuss.freedombox.org/t/lets-encrypt-error-message/870: am I in trouble here?

  • IP-address that shows up when used myip.datasystems24: 83.12x.x.xx.

  • Freedombox is behind NAT (checked at the Dynamic DNS ‘status’ page).

(* Temporarily activated DMZ, gave it time to adjust settings accordingly, nothing happened that solved the issues I describe as follows, so I put it right back to the settings I describe above).

Requested a domain name at Gnudip system24. Let’s say it’s example.freedombox.rocks.

I tried to obtain a Let’s Encrypt certificate. It gives an error:
Failed to obtain certificate for domain example.freedombox.rocks: Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Obtaining a new certificate Performing the following challenges: http-01 challenge for example.freedombox.rocks Using the webroot path /var/www/html for all unmatched domains. Waiting for verification… Cleaning up challenges Failed authorization procedure. example.freedombox.rocks (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://example.freedombox.rocks/.well-known/acme-challenge/PscyzUwtVe7Ir9G35Jh89O8sMJ_XAhv-FVta_cksyj8: Timeout during connect (likely firewall problem).

Also, on the Name Services page in FreedomBox, the HTTP, HTTPS and SSH services are not shown, unlike what the introduction text in the Name Services app in FreedomBox states and what the Let’s Encrypt screencast via the Debian manual pages shows:

" For each type of name, it is shown whether the HTTP, HTTPS, and SSH services are enabled or disabled for incoming connections through the given name."

Instead, there are the columns Type, Domain Name and Services and the option to ‘Configure’ them. I have watched the Let’s Encrypt screencast from the Debian pages and the page that’s shown in the video differs from what I see. The colored (pending) labels HTTP, HTTPS and SSH are missing. So I cannot see the status of the services. Not sure this is an error, but it differs from what I expected to see.

All in all: any thoughts?

Can you reach example.freedombox.rocks from an outside IP? Maybe try using the Tor browser if you can’t try from the actual outside.

My ISP once blocked 443 - maybe call them? It caused all sorts of issues, as you may imagine.

Hi strictdual,

Thank you for replying.

Indeed, I can access example.freedombox.rocks from an outside IP.

I’ve had access to the ISP modem and tried several settings there: set a static IP, port forwarding (80 and 443), set the NAT to ‘open’ instead of ‘secure’ and tried DMZ. All separate AND combined. Gave the FreedomBox time to absorb the settings each time. Will try, however, to contact the ISP after all and ask about 443.

In the meantime, the main issue remains: I cannot obtain a certificate from Let’s Encrypt.
The error I keep receiving in the Let’s Encrypt menu comes down to “likely a firewall problem”. That led me to the Cockpit app to learn more about the box and its logs, but when I want to log in, my FreedomBox credentials are rejected.

From my posts it is obvious I’m a noob and purchased the box when I read it was ‘Plug and Play’ (accepting a learning curve), but I feel very uncomfortable (and will not be) using a FreedomBox with private stuff on it while it remains or seems insecure because of the lack of a proper HTTPS certificate.

I hope that your suggestion will lead to something good.
If something else comes to mind or anyone else is willing to provide suggestions, that would be very much appreciated.

Router’s interface gives a 192.1xx.xxxx WAN IP-address

Sounds like “CGNAT” trouble with your ISP. You would then need to arrange for getting a public IP with this or another ISP, or use some form of proxy (the pagekite app, or a SSH tunnel, vpn, …?).

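A small diagnostic, added here as an example and not code from the thread or from the FreedomBox project, that turns the two symptoms in this thread into a check. It classifies the address the router reports as its WAN address (RFC 1918 private space, RFC 6598 carrier-grade NAT space, or a public address) against the address an external "what is my IP" service shows, and it parses the certbot error text quoted above to pull out the ACME error type, the URL the validation server tried to fetch, and the reason it gave. The function names and the constructed sample addresses are my own; the sample error string is the one quoted earlier in the thread.

```python
import ipaddress
import re

# RFC 6598 shared address space, used by ISPs for carrier-grade NAT.
# Python's ipaddress reports it as neither private nor global, so it is
# checked explicitly before the other classes.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")

# Error text as quoted in the thread (the token is the one shown there).
SAMPLE_ERROR = (
    "Failed authorization procedure. example.freedombox.rocks (http-01): "
    "urn:ietf:params:acme:error:connection :: The server could not connect "
    "to the client to verify the domain :: Fetching "
    "http://example.freedombox.rocks/.well-known/acme-challenge/"
    "PscyzUwtVe7Ir9G35Jh89O8sMJ_XAhv-FVta_cksyj8: "
    "Timeout during connect (likely firewall problem)."
)

ACME_ERROR_RE = re.compile(
    r"urn:ietf:params:acme:error:(?P<type>[A-Za-z]+)"
    r"\s*::\s*(?P<detail>.*?)"
    r"\s*::\s*Fetching\s+(?P<url>\S+):\s*(?P<reason>.*?)\.?$"
)

# What each ACME error type means for an HTTP-01 challenge, from the
# validating server's point of view.
ACME_HINTS = {
    "connection": "validation server could not open port 80 on the domain's "
                  "public address: check forwarding and whether the router "
                  "itself has a public WAN address",
    "dns": "the domain name did not resolve to an address",
    "unauthorized": "port 80 answered, but the challenge file was not served",
}


def classify_wan_ip(addr: str) -> str:
    """Classify the address a router shows as its WAN address."""
    ip = ipaddress.ip_address(addr)
    if ip in CGNAT_NET:
        return "cgnat"          # ISP is translating again upstream
    if ip.is_private:
        return "private"        # another NAT device sits between router and ISP
    if ip.is_global:
        return "public"
    return "other"


def diagnose(router_wan_ip: str, observed_public_ip: str) -> str:
    """Compare the router's WAN address with the address seen from outside.

    Returns one of: direct, mismatch, double-nat, cgnat, other.
    Inbound port forwarding on the router can only work for "direct".
    """
    kind = classify_wan_ip(router_wan_ip)
    if kind == "public":
        same = ipaddress.ip_address(router_wan_ip) == ipaddress.ip_address(observed_public_ip)
        return "direct" if same else "mismatch"
    if kind == "private":
        return "double-nat"
    return kind


def parse_acme_error(text: str) -> dict:
    """Extract type, detail, fetched URL, reason and a hint from certbot output."""
    m = ACME_ERROR_RE.search(text)
    if m is None:
        return {}
    info = m.groupdict()
    info["hint"] = ACME_HINTS.get(info["type"], "unrecognised ACME error type")
    return info


if __name__ == "__main__":
    # Constructed values modelled on the thread: a 192.168.x.x WAN address
    # on the router, a public 83.x.x.x address seen from the outside.
    print(diagnose("192.168.100.2", "83.120.5.17"))
    for key, value in parse_acme_error(SAMPLE_ERROR).items():
        print(f"{key:>7}: {value}")
```

A "double-nat" or "cgnat" result means the router's port forwarding and DMZ settings never see the validation server's connection, which is why the certbot output ends in a connect timeout rather than a 4xx; the fix is upstream of the router (ISP public address, or a relay such as the PageKite app), exactly as the replies in this thread conclude.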

Seems like as long as the freedombox can not detect a CG NAT the users are often seeing their first error at the certificate setup step.

@p0l,

Have you tried setting up PageKite yet? I had to set up PageKite in order for my FB (FreedomBox) to be accessible from the Internet, because of CG NAT. I used the pagekite.me domain to set up my certificates, although I have forgotten how I worked through that at this later point in time. Sorry about that, friend, it’s a bust for most self-hosted stuff these days. Please know that we are here to help you with this.

@NickA, @mtinman,

Thank you for your replies, much appreciated. My FreedomBox successfully obtained a Let’s Encrypt certificate, through setting up PageKite after all. I am glad you supported me.

I recommend setting up PageKite to other novice users that might run into a similar situation, i.e. not being able to obtain a Let’s Encrypt certificate due to CG NAT/firewall etc. limitations.

IF you use a pagekite.me domain name:
Use the default PageKite server pagekite.net in /plinth/sys/pagekite (‘Configuration’ -> ‘Server domain’) on your FreedomBox. Not pagekite.me. I ran into an error when trying to reach my pagekite.me domain via my browser.

Do, however, use …pagekite.me in the ‘Kite name’ field on the same ‘Configuration’ page.

As far as I understand, indeed the freedombox cannot detect a CG NAT. I will seek a solution at the ISP-level in the nearby future.

Cheers