Open Diginix opened 1 year ago
@raintonr Please could you check / answer this issue?
No, because I don't speak German.
@raintonr OK, then I will Google translate it for you. As SSL / Let's Encrypt support now enforces this, adapter support seems to be important to avoid disappointed users.
_For me, port 80 in the Fritzbox is released for another device in the home network. The plenticore adapter also uses the port 24/7. Both currently prevent the use of acme with LE Cert. Previously this was unimportant, but now LE support has been removed in the web adapter from v6 and acme has been forced.
I also described part of it here #17 How can I use web v6 with LE Cert via acme if I can only update the LE Cert manually? The problem of the port being occupied by other adapters also seems to only be solved in the future:
WORK IN PROGRESS (bluefox) Corrected detection of instances on the same port_
@Diginix Please try to communicate in English. If you are missing functionality in the web adapter, please open an issue there so that it can be fixed / added there.
Please write in English here if possible. In the web adapter area, German is also OK.
GitHub app (which I'm using as I am actually on holiday right now) doesn't have built-in translate.
ACME adapter does not force the use of port 80. But, SSL providers that support ACME seem to insist on it.
If you want to use your public port 80 for something else, it seems you need a name-based reverse proxy to forward requests to the correct place in your network.
As port 80 is insecure, I don't suppose that is recommended, so you should keep port 80 there just to service ACME challenges.
The other way is to use DNS based challenge. I have personally tested Namecheap and CloudFront DNS and both work.
Thanks for answering. Have nice holidays.
@raintonr I have completely translated my text in first post.
Think my answer of using DNS challenge or a name based reverse proxy covers it then. Are you happy with that and to close this?
DNS challenge is not supported for myfritz.net and this is the service I use for my public hostname. AVM FritzBox is a really common router in Germany. For me it would be enough if I can renew the acme cert every 90 days manually. I don't want to set up a reverse proxy etc.
I guess these steps would work for me:
But as long as not all adapters support acme, I have to stay on web adapter v5, which renews the old-style LE cert file based on the hard disk.
Manual steps are not ideal.
Is there a Fritzbox adapter that can modify the port forwarding on command from IoB? If so, we can look at adding pre/post challenge hooks to do that automatically?
BTW, I can't see if you have mentioned what hostname you are trying to create a certificate for and why.
There could be other solutions if you explain the full use case.
Manual steps are not ideal.
Is there a Fritzbox adapter that can modify the port forwarding on command from IoB? If so, we can look at adding pre/post challenge hooks to do that automatically?
Not ideal, but OK for me compared to the effort with another hostname from a service that provides DNS challenge or a reverse proxy etc. I have been using the current concept for years. FritzBox provides hashed, not guessable subdomains on their domain myfritz.net. You can set it up in the router with a few clicks. There is no way to automate port rules.
Ok.
So what you really want is: when renewing a certificate, temporarily shut down any web adapter that might be running on the port configured for the challenge server, start the challenge server, perform the certificate renewal, then start the previously stopped web adapter.
Is that correct?
Yes, but not only stopping the web adapter. There are some more adapters besides web, e.g. plenticore. So all adapters that prevent a renewal have to be temporarily stopped and restarted after a successful renewal. And it needs a manual trigger for the renewal if the port isn't publicly open for iobroker (usually). Although completely automated should be the goal, there are some scenarios that maybe need a manual solution. But this works already if my mentioned steps are right.
- temporarily open port 80 for iobroker
- new: stop blocking adapters temporarily
- start acme instance for renewal
- stop acme
- new: restart blocking adapters again
- close port 80 and open it again for the other network device
Yes, but not only stopping the web adapter.
Of course. Any adapter with the required port open would be targeted.
...it needs a manual trigger for the renewal if the port isn't publicly open for iobroker (usually).
Now hang on... if you are saying there is a scenario where port 80 isn't always open on a public IP (either directly or via some kind of forwarding or proxy) then how is that an issue?
Either there is an adapter always listening, which would need stop/start, or there isn't in which case... no worries.
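The pre/post challenge hook idea discussed above (stop whatever ioBroker instance holds the challenge port, run the renewal, restart the instance) as an added example. This is not code from the ACME adapter or from anyone in this thread. It assumes the `ss -ltnp` output format, that ioBroker adapter processes show up with a process title of the form `io.<adapter>.<instance>`, and that `iobroker stop` / `iobroker start <adapter>.<instance>` are the CLI commands used to toggle an instance; the sample `ss` output is constructed. Listeners that are not ioBroker instances (here a constructed `nginx`) are only reported, since the CLI cannot stop them, and the script runs in dry-run mode unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: free the ACME HTTP-01 challenge port around a renewal.
# Assumptions (not from the issue thread): `ss -ltnp` column layout,
# ioBroker process titles "io.<adapter>.<instance>", and the
# `iobroker stop|start <adapter>.<instance>` CLI. Note that `ss -p` only
# shows process names for sockets you are allowed to inspect (usually root).

CHALLENGE_PORT="${CHALLENGE_PORT:-80}"
ACME_INSTANCE="${ACME_INSTANCE:-acme.0}"   # assumed instance name
DRY_RUN="${DRY_RUN:-1}"                    # 1 = only print the commands

# Constructed sample of `ss -ltnp` output for the dry run / tests.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*     users:(("io.plenticore.0",pid=1234,fd=21))
LISTEN 0      511    0.0.0.0:8082        0.0.0.0:*     users:(("io.web.0",pid=2345,fd=19))
LISTEN 0      511    [::]:80             [::]:*        users:(("nginx",pid=999,fd=6))
LISTEN 0      128    127.0.0.1:22        0.0.0.0:*     users:(("sshd",pid=800,fd=3))'

# listeners_on_port PORT: reads `ss -ltnp` output on stdin and prints the
# unique process names that hold a LISTEN socket on PORT (IPv4 or IPv6).
listeners_on_port() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")          # port is the last ":"-separated field
            if (a[n] != port) next
            s = $0
            while (match(s, /"[^"]+"/)) {  # every quoted name in the Process column
                print substr(s, RSTART + 1, RLENGTH - 2)
                s = substr(s, RSTART + RLENGTH)
            }
        }' | sort -u
}

# run_cmd ARGS...: execute, or only announce in dry-run mode.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$*" >&2
    else
        "$@"
    fi
}

# run_hooked_renewal PORT SS_OUTPUT: pre-hook (stop blocking instances),
# renewal (start then stop the acme instance, as in the steps above),
# post-hook (restart what was stopped). Sets STOPPED to the stopped instances.
run_hooked_renewal() {
    port="$1"; ss_output="$2"
    STOPPED=""; FOREIGN=""
    for name in $(printf '%s\n' "$ss_output" | listeners_on_port "$port"); do
        case "$name" in
            io.*) inst="${name#io.}"
                  run_cmd iobroker stop "$inst"
                  STOPPED="${STOPPED:+$STOPPED }$inst" ;;
            *)    FOREIGN="${FOREIGN:+$FOREIGN }$name" ;;
        esac
    done
    if [ -n "$FOREIGN" ]; then
        printf 'warning: non-ioBroker listener(s) on port %s: %s (cannot be stopped via iobroker CLI)\n' \
            "$port" "$FOREIGN" >&2
    fi
    run_cmd iobroker start "$ACME_INSTANCE"
    run_cmd iobroker stop "$ACME_INSTANCE"
    for inst in $STOPPED; do
        run_cmd iobroker start "$inst"
    done
}

# Demo: `sh hook.sh --demo` dry-runs against the constructed sample;
# real use would be: run_hooked_renewal "$CHALLENGE_PORT" "$(ss -ltnp)"
if [ "${1:-}" = "--demo" ]; then
    run_hooked_renewal "$CHALLENGE_PORT" "$SAMPLE_SS"
    printf 'stopped and restarted: %s\n' "$STOPPED"
fi
```

The renewal step (start the acme instance, then stop it) mirrors the manual steps listed in this thread; if the adapter gains a dedicated renewal trigger, only `run_hooked_renewal` needs changing.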
For me, port 80 in the Fritzbox is forwarded to another device in the home network. The plenticore adapter also uses the port 24/7. Both currently prevent the use of acme with an LE cert. Previously this was unimportant, but now LE support has been removed from the web adapter as of v6 and acme has been forced.
I also described part of this here #17 How can I use web v6 with an LE cert via acme if I can only update the LE cert manually? The problem of the port being occupied by other adapters also seems to only be solved in the future:
English In my network port 80 is in use for a different hardware device and has completely nothing to do with iobroker. Furthermore the plenticore adapter uses port 80 for communication with the photovoltaic inverter. Both currently prevent the usage of acme with an LE cert. Because the web adapter v6 forces acme it is a problem. Currently I have to stay on web v5, even for the simple-api adapter, because this doesn't support acme and only with web v5 can I renew my LE cert.
How can I use web v6 with an LE cert over acme if I can renew it only manually? The issue with port 80 being used by other adapters seems to be solved only in the future: