cloudron ssl behind fritz!box
-
Dear all
one of my cloudrons is behind a fritzbox in a personal (sub-) domain. Although dyndns is set and working correctly, the cloudron isn't accessible:
- connection through ip from inside (192.168.x.y) is possible, but the cloudron obviously has no apps installed in this domain.
- connection through the domain name fails, because the fritzbox cert presented is self signed and does not include the domain name. Then, I found the (Let's Encrypt?) certificates for the cloudron platform in /home/yellowtent/platformdata/nginx/cert, intending to manually upload it to the fritzbox. This didn't work. The reason, I assume, is that fritzbox is expecting RSA private keys and does not accept EC keys. Am I missing out anything?
How can I make available the cloudron domain certificate to the fritzbox?
Any other ideas?Best
Andreas -
Isn't fritzbox just a router? I have no idea what functionality it has and why (or what functionality) it is accepting RSA keys ?
How can I make available the cloudron domain certificate to the fritzbox?
If it's just a router, this should not be needed at all.
-
I also use Cloudron behind a fritzbox and if you put Cloudron as the exposed host then it will work as expected. If you use an automated DNS backend in Cloudron you can then enable the dyndns feature of Cloudron itself and it would manage it for you. https://docs.cloudron.io/networking/#dynamic-dns
Cloudron also manages its firewall, so you should be safe with the exposed host option.
-
-
@andreasb said in cloudron ssl behind fritz!box:
in a personal (sub-) domain.
Who's in charge of said domain and which DNS do you use? Is it just a local domain within your network or a "regular" domain from a registrar.
@nebulon said in cloudron ssl behind fritz!box:
if you put Cloudron as the exposed host then it will work as expected. If you use an automated DNS backend in Cloudron you can then enable the dyndns feature of Cloudron itself and it would manage it for you
Thats what I thought too so the whole fritzbox expecting key/cert~ thing did not make sense to me.
-
@nebulon (and @girish, @subven): fritzbox is a dsl modem that can be accessed from "outside". as @nebulon mentioned, machines from the internal network can be exposed (which is what I did). if the machine is accessed through https however, the first certificate presented seems to be that of the modem, which by standard is a self-signed one, and not accepted by browsers. It however is possible to manually upload other certs to the modem (see this doc). I don't use any DNS provider, a custom setup, the domain is registered and forwarding works properly through dynv6.com. looking at the nginx certs within /yellowtent/platformdata, their timestamp seems to be update each day - and I assume that this is a sign that cert renewal from the cloudron works, right?
-
@nebulon and one more question: when accessing the cloudron using the internal ip (https://192.168.xxx.yyy), it says "you are seeing this page ... no apps configured for this domain." This is normal, isn't it? the certificate presented here is the self signed one (default.cert). I thought this as well is expected behaviour and does not mean that Let's Encrypt cert renewal doesn't work. Is that right?
-
@andreasb said in cloudron ssl behind fritz!box:
I don't use any DNS provider, a custom setup, the domain is registered and forwarding works properly through dynv6.com
Cloudron does not work without a domain you own or at least can controle. The internal LAN IP you setup Cloudron with does not play a role later. Just get a cheap domain otherwise this wont work.
@andreasb said in cloudron ssl behind fritz!box:
when accessing the cloudron using the internal ip (https://192.168.xxx.yyy), it says "you are seeing this page ... no apps configured for this domain." This is normal, isn't it?
The behaviour you see is because you did not proper setup Cloudron in the first place. After the initial setup, Cloudron is reachable at my.thedomainyouconfigured.com.
@andreasb said in cloudron ssl behind fritz!box:
fritzbox is a dsl modem that can be accessed from "outside". as @nebulon mentioned, machines from the internal network can be exposed (which is what I did). if the machine is accessed through https however, the first certificate presented seems to be that of the modem, which by standard is a self-signed one, and not accepted by browsers.
As a german, I know what a FritzBox is
I think you're still at the wrong path since the exposed host exactly does what it should and the webserver of the Fritzbox does not interfer there.There is enough information within this thread to fix your problem.
-
@subven said in cloudron ssl behind fritz!box:
As a german, I know what a FritzBox is I think you're still at the wrong path since the exposed host exactly does what it should and the webserver of the Fritzbox does not interfer there.
There is enough information within this thread to fix your problem.- there were others asking, please excuse if I am wasting your valuable time with text that you deem not appropriate
- is it visible/ does it matter you're German?
- apparently, the webserver of the Fritzbox does interfere, as the fritzbox certificate is presented when accessing the page through a browser. This precisely does not make much sense to me either, but I don't understand how and why this happens.
@subven said in cloudron ssl behind fritz!box:
Cloudron does not work without a domain you own or at least can controle.
As said before, the domain is registered and I do control the DNS
-
I am running the same setup here and the exposed host option is the easiest thing to use here. If you have set your Cloudron instance as exposed host (and make sure only one host is exposed) then the fritzbox webinterface should not interfere. If it does maybe you have to check on your fritzbox settings and maybe reset some.
Also just to be sure, the exposed host is reachable via your public IP.
So the first thing is to make sure you can SSH into your ubuntu server / Cloudron using the public IP. If that works, then we are a big step forwards.
-
@andreasb said in cloudron ssl behind fritz!box:
As said before, the domain is registered and I do control the DNS
You said you do not use a DNS provider
The problem is within your FritzBox configuration thats why you get an webserver answer from the box and not Cloudron. Did you turned on the remote maintenance function or linked the box to a myfritz account? Does your Cloudron use DCHP with a reservated address (mandatory for exposed hosts to work).
Check if ports you want to use are already in use. You can do so by trying to open them up manually (errors out if port is already in use). Last, check TCP-Port for FritzBox services itself:
-
@nebulon yes, had read that in another thread before, and still it doesn't work in my case - no idea why not.
- The cloudron is the one and only exposed host on the fritzbox
- the dyndns-service seems to work properly: the ip there is regularly updated, and the ip is correct.
- connection through SSH using the external IP as well works.
Only when trying to access the cloudron UI through "my.xxx.yyy", all browsers I tested (firefox, edge, opera, brave) throw "insecure connection", and the certificate presented is the self-signed one of the fritzbox.
I had been wondering if naming plays a role. @nebulon, you did not by chance change the fritzbox's name from the default "fritz.box" to sth else?
-
@subven said in cloudron ssl behind fritz!box:
You said you do not use a DNS provider
not one of the "automated" ones like Cloudflare but Cloudron's "custom" way. but of course, the domain is registered
- no, I'm not using myfritz,
- I tested both configurations regarding the remote maintenance function, make fritzbox accessible from outside and not - this did not change anything.
- yes, the cloudron is on a fixed IP
-
-
@andreasb said in cloudron ssl behind fritz!box:
Only when trying to access the cloudron UI through "my.xxx.yyy", all browsers I tested (firefox, edge, opera, brave) throw "insecure connection", and the certificate presented is the self-signed one of the fritzbox.
That's because your fritzbox is answering on port 443 instead of passing it on to Cloudron.
Disable web/management access to the fritzbox from the internet side (or change the port), so that 443 is available to be forwarded to the internal Cloudron IP.
-
thx for everybody's inputs and sorry for my delay - took some time testing, and here's my wrap-up.
on the Fritzbox
- external access is deactivated in two places: remote administration, FB "Fritz!Box-Dienste", application access ("Heimnetz, Netzwerkeinstellungen")
- the Cloudron is configured as an "exposed host"
- DynDNS is configured and working correctly, the provider is DynV6.com
- DNS rebind protection: exemptions configured for the Cloudron ("my.*"), as well as for the apps running on the Cloudron
as a result, access from internet IPs works and the Cloudron as well as all apps are reachable.
Still, if accessed from a computer within Fritzbox-Network (192.168.x.y), neither app, nor the Cloudron respond. Instead, the already mentioned Fritzbox access page shows.
So it's not perfect, but usable and my question is answered.
-
@andreasb accessing the server with the local IP is expected to not work. For a start Cloudron uses domains to figure out which app the reverse proxy on cloudron should forward the request to and if you access the fritzbox internal IP it will always respond with its own interface. At least that is the only behavior I know.
-
@nebulon
as said, there's no real problem right now, still I don't understand the behaviour and am curious.you're talking about accessing the Cloudron through entering the IP (192.168.x.y) in the browser?
It's clear that this wouldn't work and this is not what I'm doing, it's a little more complicated:
- the PC I'm accessing from, is in the same network segment than the cloudron (192.168.x.z).
- OpenVPN is active, the OpenVPN service is on a second cloudron outside in the internet
- still, when entering the URL (https://my.domain.*), the fritzbox page shows
- as soon as I connect the PC to a different network segment (192.168.y.z) everything works!
I don't understand why. Shouldn't the use of external VPN service make the internal source IP invisible?
