azukaar / Cosmos-Server

☁️ The Most Secure and Easy Selfhosted Home Server. Take control of your data and privacy without sacrificing security and stability (Authentication, anti-DDOS, anti-bot)
https://cosmos-cloud.io

[BUG]: Security DNS Challenge EXPOSED IP #217

Closed dualizeo closed 3 months ago

dualizeo commented 3 months ago

What happened?

I want to bring up this security concern about the documentation suggesting the (remove the orange cloud proxy) option and entering your HOME PUBLIC IP for Let's Encrypt verification.

The problem is that entering your public IP and disabling the proxy from Cloudflare defeats the purpose of setting up Cosmos for security, and the whole point of the DNS challenge is to not expose any ports or IPs in the first place.

Documentation:

If you choose to do Let's Encrypt it is very important to note that:

It will not work behind the Cloudflare proxy, please disable it (the orange cloud) before continuing. If you want to use the cloudflare proxy, you will need to use the DNS challenge, see below.

So if you enter your domain you will see exposed information; see for yourself: https://securitytrails.com/ https://github.com/zidansec/CloudPeler https://viewdns.info/ https://completedns.com/

See this YouTuber's example suggesting exposing the IP (great YouTuber by the way): https://youtu.be/K1GOM7-J9pI?t=126

Suggested implementation script: the GitHub ACME script, Docker compatible (it's used by Proxmox), and it works flawlessly: https://github.com/acmesh-official/acme.sh https://pve.proxmox.com/wiki/Certificate_Management

What should have happened?

Can't get the DNS challenge to work behind my internal 2nd network (internet (home network (2nd private network)))

Relevant log output

(screenshot: a weird pop-up keeps popping up on the dashboard)

There are errors with your Let's Encrypt configuration or one of your routes, please fix them as soon as possible:
- error: one or more domains had a problem: [mydomainexample.com] [mydomainexample.com] acme: error presenting token: cloudflare: failed to find zone com.: ListZonesContext command failed: Invalid request headers (6003) 

(and yes, I entered my email and my zone read and zone edit token in the 2 top fields)
THEN FOLLOWED BY:

There are errors with your Let's Encrypt configuration or one of your routes, please fix them as soon as possible:
- acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: Error creating new order :: Domain name "subdomain.mydomainexample.com" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.

NO STAGING? WTF

- acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/too-many-registrations-for-this-ip/

Other details

Please provide a STAGING OPTION for Let's Encrypt TESTING instead of flooding Let's Encrypt production with incorrect data and getting IP banned.

System details

Proxmox 8 (latest), Docker
pfSense (using split DNS): internal 192.168.x.x IP resolves via my internal DNS to myexampledomain.com
Cloudflare DNS (A record to my local IP)
Local 192.168.x.x IP mapped to myexampledomain.com

azukaar commented 3 months ago

I will copy my Discord answer here and add more info:

Disabling CF Proxy is not a security concern, and your public IP is not as sensitive as you seem to think. The only reason why you might want to hide it is if you are being personally targeted by someone (but then it won't be via your domain).

Demonstration: here's an IP: 93.184.216.34 (yes, I typed it randomly). Apparently it belongs to someone in Massachusetts. A quick scan shows that this person actually has ports 80 and 443 open! Of course I could continue to dive in, but I think you get the point. Security by obstruction is not security. This server in Massachusetts (this is a nightmare to type) might be using CF proxy or an even more complicated way to hide the IP, but that did nothing, because I randomly typed this IP and got to a server. The only security that matters is the security that will protect you if someone actually attempts something (like firewalls and other protections of the sort). And most importantly, keeping access as locked down as possible (via Constellation, or via another VPN/zero-trust means). Even if you don't use Constellation to lock down your server, by default Cosmos will never reply to an IP request on anything, making the IP quite useless to know (an example of security by design vs. security by obstruction).

Now back to CF Proxy directly: someone might even argue that having all your data decrypted going through the US on servers that have been hacked more than once is a more pressing security issue than having your IP associated with your domain... Even without a hack (see the recent CF / Okta hack for example) you are still putting a lot of trust in CF by having all your decrypted network traffic going through their servers in the first place.

Anyway, just so you know, you can have Let's Encrypt and CF Proxy work at the same time in Cosmos, with the DNS challenge and some specific settings in CF, but I do not remember exactly (maybe set SSL to strict?). I will keep the notice that CF Proxy is recommended to be left off, because using a proxy such as this one actually reduces your own server's ability to protect itself (as in, it disturbs some of Cosmos's own protection systems).

Additional points:

AND FINALLY, most important:

Domain name "subdomain.mydomainexample.com" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.

This is your error, which is not related to CF proxy; it is related to how you have set up your wildcard. Did you manually overwrite the wildcard value? Are you trying to wildcard multiple domains at once? If yes, wildcarding multiple domains on a single server is not (yet) supported, that is why you are having this issue. If that's not your issue, let me know; you probably have a problem with some URL in your proxy settings.
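A pre-flight check for the 400 discussed above, added here as an example that is not part of Cosmos or this thread: given the domain list of an ACME order, it reports which names a wildcard in the same order already covers, so they can be dropped before the order ever reaches Let's Encrypt (and counts against production rate limits). All names, including the sample order in main, are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// normalize lowercases and strips a trailing dot so "Sub.Example.COM." == "sub.example.com".
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// coveredByWildcard is true only when name sits exactly one label below the wildcard
// base: "*.example.com" covers "app.example.com", not "example.com" or "a.b.example.com".
func coveredByWildcard(name, wildcard string) bool {
	base := "." + strings.TrimPrefix(wildcard, "*.")
	if !strings.HasSuffix(name, base) {
		return false
	}
	label := strings.TrimSuffix(name, base)
	return label != "" && !strings.Contains(label, ".")
}

// RedundantNames returns the names in an ACME order that a wildcard in the same order
// already covers; Let's Encrypt rejects such an order as malformed (the 400 in this issue).
func RedundantNames(domains []string) []string {
	var wildcards, redundant []string
	for _, d := range domains {
		if n := normalize(d); strings.HasPrefix(n, "*.") {
			wildcards = append(wildcards, n)
		}
	}
	for _, d := range domains {
		n := normalize(d)
		for _, w := range wildcards {
			if !strings.HasPrefix(n, "*.") && coveredByWildcard(n, w) {
				redundant = append(redundant, d) // keep the caller's original spelling
				break
			}
		}
	}
	return redundant
}

func main() {
	// Constructed sample order shaped like the one that failed in this issue.
	order := []string{"mydomainexample.com", "*.mydomainexample.com", "subdomain.mydomainexample.com"}
	fmt.Println("remove before ordering:", RedundantNames(order)) // [subdomain.mydomainexample.com]
}
```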