cloudron ssl behind fritz!box

andreasb

Dear all

one of my cloudrons is behind a fritzbox in a personal (sub-) domain. Although dyndns is set and working correctly, the cloudron isn't accessible:

• connection through ip from inside (192.168.x.y) is possible, but the cloudron obviously has no apps installed in this domain.
• connection through the domain name fails, because the fritzbox cert presented is self signed and does not include the domain name. Then, I found the (Let's Encrypt?) certificates for the cloudron platform in /home/yellowtent/platformdata/nginx/cert, intending to manually upload it to the fritzbox. This didn't work. The reason, I assume, is that fritzbox is expecting RSA private keys and does not accept EC keys. Am I missing out anything?

How can I make available the cloudron domain certificate to the fritzbox?
Any other ideas?

Best
Andreas

girish

Isn't fritzbox just a router? I have no idea what functionality it has and why (or what functionality) it is accepting RSA keys ?

How can I make available the cloudron domain certificate to the fritzbox?

If it's just a router, this should not be needed at all.

nebulon

I also use Cloudron behind a fritzbox and if you put Cloudron as the exposed host then it will work as expected. If you use an automated DNS backend in Cloudron you can then enable the dyndns feature of Cloudron itself and it would manage it for you. https://docs.cloudron.io/networking/#dynamic-dns

Cloudron also manages its firewall, so you should be safe with the exposed host option.

girish

@nebulon so Fritzbox is just a router right ? It doesn't need any keys to be uploaded into it, yes/no ?

nebulon

@girish its a modem and router basically. There are no api keys of sorts.

subven

@andreasb said in cloudron ssl behind fritz!box:

in a personal (sub-) domain.

Who's in charge of said domain and which DNS do you use? Is it just a local domain within your network or a "regular" domain from a registrar.

@nebulon said in cloudron ssl behind fritz!box:

if you put Cloudron as the exposed host then it will work as expected. If you use an automated DNS backend in Cloudron you can then enable the dyndns feature of Cloudron itself and it would manage it for you

Thats what I thought too so the whole fritzbox expecting key/cert~ thing did not make sense to me.

andreasb

@nebulon (and @girish, @subven): fritzbox is a dsl modem that can be accessed from "outside". as @nebulon mentioned, machines from the internal network can be exposed (which is what I did). if the machine is accessed through https however, the first certificate presented seems to be that of the modem, which by standard is a self-signed one, and not accepted by browsers. It however is possible to manually upload other certs to the modem (see this doc). I don't use any DNS provider, a custom setup, the domain is registered and forwarding works properly through dynv6.com. looking at the nginx certs within /yellowtent/platformdata, their timestamp seems to be update each day - and I assume that this is a sign that cert renewal from the cloudron works, right?

andreasb

@nebulon and one more question: when accessing the cloudron using the internal ip (https://192.168.xxx.yyy), it says "you are seeing this page ... no apps configured for this domain." This is normal, isn't it? the certificate presented here is the self signed one (default.cert). I thought this as well is expected behaviour and does not mean that Let's Encrypt cert renewal doesn't work. Is that right?

subven

@andreasb said in cloudron ssl behind fritz!box:

I don't use any DNS provider, a custom setup, the domain is registered and forwarding works properly through dynv6.com

Cloudron does not work without a domain you own or at least can controle. The internal LAN IP you setup Cloudron with does not play a role later. Just get a cheap domain otherwise this wont work.

@andreasb said in cloudron ssl behind fritz!box:

when accessing the cloudron using the internal ip (https://192.168.xxx.yyy), it says "you are seeing this page ... no apps configured for this domain." This is normal, isn't it?

The behaviour you see is because you did not proper setup Cloudron in the first place. After the initial setup, Cloudron is reachable at my.thedomainyouconfigured.com.

@andreasb said in cloudron ssl behind fritz!box:

fritzbox is a dsl modem that can be accessed from "outside". as @nebulon mentioned, machines from the internal network can be exposed (which is what I did). if the machine is accessed through https however, the first certificate presented seems to be that of the modem, which by standard is a self-signed one, and not accepted by browsers.

As a german, I know what a FritzBox is I think you're still at the wrong path since the exposed host exactly does what it should and the webserver of the Fritzbox does not interfer there.

There is enough information within this thread to fix your problem.

andreasb

@subven

@subven said in cloudron ssl behind fritz!box:

As a german, I know what a FritzBox is I think you're still at the wrong path since the exposed host exactly does what it should and the webserver of the Fritzbox does not interfer there.
There is enough information within this thread to fix your problem.

1. there were others asking, please excuse if I am wasting your valuable time with text that you deem not appropriate
2. is it visible/ does it matter you're German?
3. apparently, the webserver of the Fritzbox does interfere, as the fritzbox certificate is presented when accessing the page through a browser. This precisely does not make much sense to me either, but I don't understand how and why this happens.

@subven said in cloudron ssl behind fritz!box:

Cloudron does not work without a domain you own or at least can controle.

As said before, the domain is registered and I do control the DNS

nebulon

I am running the same setup here and the exposed host option is the easiest thing to use here. If you have set your Cloudron instance as exposed host (and make sure only one host is exposed) then the fritzbox webinterface should not interfere. If it does maybe you have to check on your fritzbox settings and maybe reset some.

Also just to be sure, the exposed host is reachable via your public IP.

So the first thing is to make sure you can SSH into your ubuntu server / Cloudron using the public IP. If that works, then we are a big step forwards.

subven

@andreasb said in cloudron ssl behind fritz!box:

As said before, the domain is registered and I do control the DNS

You said you do not use a DNS provider

The problem is within your FritzBox configuration thats why you get an webserver answer from the box and not Cloudron. Did you turned on the remote maintenance function or linked the box to a myfritz account? Does your Cloudron use DCHP with a reservated address (mandatory for exposed hosts to work).

Check if ports you want to use are already in use. You can do so by trying to open them up manually (errors out if port is already in use). Last, check TCP-Port for FritzBox services itself:

andreasb

@nebulon yes, had read that in another thread before, and still it doesn't work in my case - no idea why not.

• The cloudron is the one and only exposed host on the fritzbox
• the dyndns-service seems to work properly: the ip there is regularly updated, and the ip is correct.
• connection through SSH using the external IP as well works.

Only when trying to access the cloudron UI through "my.xxx.yyy", all browsers I tested (firefox, edge, opera, brave) throw "insecure connection", and the certificate presented is the self-signed one of the fritzbox.

I had been wondering if naming plays a role. @nebulon, you did not by chance change the fritzbox's name from the default "fritz.box" to sth else?

andreasb

@subven said in cloudron ssl behind fritz!box:

You said you do not use a DNS provider

not one of the "automated" ones like Cloudflare but Cloudron's "custom" way. but of course, the domain is registered

@subven

• no, I'm not using myfritz,
• I tested both configurations regarding the remote maintenance function, make fritzbox accessible from outside and not - this did not change anything.
• yes, the cloudron is on a fixed IP
  

nebulon

I am out of ideas then, if you still see the SSL cert from the fritzbox itself, it seems your fritzbox still has some setting which interferes here. Unless you find a way to really expose the Cloudron server, not sure how to help further.

robi

@andreasb said in cloudron ssl behind fritz!box:

Only when trying to access the cloudron UI through "my.xxx.yyy", all browsers I tested (firefox, edge, opera, brave) throw "insecure connection", and the certificate presented is the self-signed one of the fritzbox.

That's because your fritzbox is answering on port 443 instead of passing it on to Cloudron.

Disable web/management access to the fritzbox from the internet side (or change the port), so that 443 is available to be forwarded to the internal Cloudron IP.