Fqdn vs LetsEncrypt domain name

Problem Description

I would like to access my freedombox as https://freedombox.mydomain.org with a LetsEncrypt certificate.

I’m not sure what the correct setup is.

On plinth/sys/config/, I used “freedombox” as hostname and “freedombox.mydomain.org” as domain name.

The LetsEncrypt part works correctly, the certificate has “freedombox.mydomain.org” as common name.

However, then from the freedombox, I don’t get the expected fully qualified domain name:

I get

$ hostname -f
freedombox.freedombox.mydomain.org

Where I expected “freedombox.mydomain.org”.

Information

  • FreedomBox version: (from Help -> About page)
    You are running Debian GNU/Linux 10 (buster) and FreedomBox version 20.14. FreedomBox is up to date.
  • Thank you!

I guess your domain name should be mydomain.org.
freedombox.mydomain.org is a service (freedombox) served in your domain.

Hello fioddor

I guess your domain name should be mydomain.org.
freedombox.mydomain.org is a service (freedombox) served in your domain.

This does not seem to match the documentation:

Domain Name: Domain name is the global name by which other devices on the Internet can reach your FreedomBox. The value set here is used by the Chat Server (XMPP), Matrix Synapse, Certificates (Let’s Encrypt), and Monkeysphere.

but then from this web page

the domain name is defined as the part of the fqdn after the first dot, so in my case, I should fill “mydomain.org” as you suggest. The fqdn will then be “freedombox.ookpik.eu”

However the domain name is then published on the “domain_added” signal.
https://salsa.debian.org/freedombox-team/freedombox/-/blob/master/plinth/modules/config/init.py#L68

And then LetsEncrypt subscribes to this signal and will register “mydomain.org”
https://salsa.debian.org/freedombox-team/freedombox/-/blob/master/plinth/modules/letsencrypt/init.py#L148

Which is not what I expect, I expect a certificate for “freedombox.mydomain.org”.

There is nothing wrong with your setup. If you configured freedombox.mydomain.org as the domain name, then that’s what will be used by Let’s Encrypt, Matrix Synapse, Ejabberd and other apps.

The configured hostname has no impact on the domain name. The hostname is used in some cases; you might be able to access your local FreedomBox as https://freedombox. This is enabled by systemd-networkd.

When you query for the FQDN using hostname -f, you get “${hostname}.${domainname}”. FreedomBox doesn’t automatically prepend the hostname to the domain name but treats them separately.

You can see the relevant code here.

Here is what I expect:

$ hostname
freedombox
$ hostname -f # resolvable by the dns.
freedombox.mydomain.org

A certificate whose CN is freedombox.mydomain.org.

My current setup in the config page is:

hostname: freedombox
domain name: freedombox.mydomain.org

I get
$ hostname
freedombox
$ hostname -f # NOT resolvable by the dns.
freedombox.freedombox.mydomain.org

A certificate whose CN is freedombox.mydomain.org.

There is nothing wrong with your setup.

There is something wrong: the result of hostname -f is not resolvable.

When you query for the FQDN using hostname -f, you get “${hostname}.${domainname}”

Here is the hostname man page, which explains the same thing (if I got it correctly) but put the other way: ${domainname} is deduced from the fqdn written in /etc/hosts

   THE FQDN
   The FQDN (Fully Qualified Domain Name) of the system is the name that the resolver(3) returns for the host name, such as, ursula.example.com. It is usually the hostname followed by the DNS domain
   name (the part after the first dot). You can check the FQDN using hostname --fqdn or the domain name using dnsdomainname.

   You cannot change the FQDN with hostname or dnsdomainname.

   The recommended method of setting the FQDN is to make the hostname be an alias for the fully qualified name using /etc/hosts, DNS, or NIS. For example, if the hostname was "ursula", one might have a
   line in /etc/hosts which reads

          127.0.1.1    ursula.example.com ursula

   Technically: The FQDN is the name getaddrinfo(3) returns for the host name returned by gethostname(2). The DNS domain name is the part after the first dot.

   Therefore it depends on the configuration of the resolver (usually in /etc/host.conf) how you can change it. Usually the hosts file is parsed before DNS or NIS, so it is most common to change the
   FQDN in /etc/hosts.

FreedomBox doesn’t automatically prepend the hostname to the domain name but treats them separately.

Isn’t FreedomBox writing “127.0.0.1 ${hostname}.${domainname} ${hostname}” to /etc/hosts?
See code here:

Maybe it should instead write
“127.0.0.1 ${domainname} ${hostname}”

Thank you for your help!

freedombox.mydomain.org can be resolved by DNS.

However the FQDN freedombox.freedombox.mydomain.org is only resolvable locally on the machine, not via DNS. It is only mapped in the local /etc/hosts file. Correct or not, that’s the current setup.

hostname - freedombox (only local resolution)
domainname - freedombox.mydomain.org (can be resolved by DNS)
FQDN - freedombox.freedombox.mydomain.org (only local resolution)

BTW, we have a BIND server shipped with FreedomBox but it isn’t configured to resolve subdomains since we didn’t need them yet.

Although there are no practical problems with the current setup, I think we are incorrectly setting up the FQDN in the /etc/hosts file. We should instead just set it to ${domainname}.

1 Like
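
Added example, not part of the thread and not FreedomBox code: it derives the FQDN the way the quoted man page describes (the first name on the /etc/hosts line that lists the hostname) and checks it against the certificate name, for the current and the proposed hosts entry. The function names, the 127.0.1.1 address and the hosts contents are constructed for illustration, and the hosts file is assumed to be consulted before DNS.

```shell
#!/bin/sh
# Constructed illustration: function names and sample data are hypothetical.

# Print the canonical (first) name of the hosts line that lists $2 as any
# of its names. Assumes the resolver reads the hosts file before DNS.
fqdn_from_hosts() {
    # $1 = hosts file contents, $2 = short hostname
    printf '%s\n' "$1" | awk -v h="$2" '
        { sub(/#.*/, "") }                      # strip trailing comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if ($i == h) { print $2; exit } # $2 is the canonical name
        }'
}

# Succeed only if $1 equals one of the certificate names that follow it.
name_in_cert() {
    want=$1; shift
    for n in "$@"; do
        [ "$n" = "$want" ] && return 0
    done
    return 1
}

# Constructed samples using the names from this thread.
HOSTS_CURRENT='127.0.0.1 localhost
127.0.1.1 freedombox.freedombox.mydomain.org freedombox'
HOSTS_PROPOSED='127.0.0.1 localhost
127.0.1.1 freedombox.mydomain.org freedombox   # FQDN set to ${domainname}'
CERT_NAME='freedombox.mydomain.org'

# Report whether the FQDN derived from a hosts file is covered by the cert.
report() {
    fqdn=$(fqdn_from_hosts "$2" freedombox)
    if name_in_cert "$fqdn" "$CERT_NAME"; then
        verdict='covered by certificate'
    else
        verdict='NOT covered by certificate'
    fi
    printf '%-9s FQDN=%s -> %s\n' "$1" "$fqdn" "$verdict"
}

report current  "$HOSTS_CURRENT"
report proposed "$HOSTS_PROPOSED"
```

On a live system the same comparison can be made between the output of hostname -f and the names listed in the installed certificate.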

Thank you all for the clarifications.

I think we are incorrectly setting up the FQDN in the /etc/hosts file. We should instead just set it to ${domainname}.

I agree. I’ll keep my current setup (with the unexpected FQDN) and report any practical issue which would justify making the switch.

Thank you again.

1 Like