
I have several services running on a local server that I would like to work over HTTPS. The problem is that self-signed certificates will always give a warning if I am not mistaken, so it's not really an option for practical reasons.

I do have a shared hosting service with a domain and subdomains and could even get a dedicated domain for this if needed. I got a Let's Encrypt certificate from the host, but when using it locally it gives a warning because the local IP is not part of the certificate. The host does not support adding a non-hosted IP to the cert, so that's no good.

Currently I am running a script on a local machine that contacts the remote server, which saves the IP address, so when a particular page is accessed it reads the IP and redirects. This works but is no good for SSL. Is there a way to point a domain to a dynamic IP via a script on the server, like DDNS services perhaps? In cPanel I can only point it to a static IP value.

What are some solutions to get SSL for local and forwarded external IPs running on a local machine with no warnings?

Example: Test service/site running on a home internet connection.

Local IP 192.168.0.10

External IP 85.24.69.2 (forwarded and accessible from the internet, dynamic IP)

This service should be accessible via HTTPS both from the internet and locally. Local access (no internet required) could be worked around with hosts file if no other solution exists. Address used to access can be IP or a domain.

DominicM
  • Why don't you use the domain name when accessing the service locally? – Tero Kilkanen Feb 17 '17 at 12:39
  • @TeroKilkanen Can you elaborate on what you mean by that exactly? – DominicM Feb 17 '17 at 12:41
  • Well, I understand from your description that you are trying to access the service locally with IP address, not a domain name, and that is why the warning is generated. Just use the domain name used in the certificate to access the service and there will be no warning. – Tero Kilkanen Feb 17 '17 at 12:46
  • @TeroKilkanen What domain are you referring to? There is no domain that points to the external IP and obviously a domain cannot be pointed to local IPs. – DominicM Feb 17 '17 at 12:51
  • Of course a domain can be pointed to local IPs. You can configure domains on your local DNS any way you want. The IP is not part of the certificate. Configure your local DNS to resolve the domain in the certificate to your local IP and you can use it without problems. – Gerald Schneider Feb 17 '17 at 12:52
  • The certificate has a domain name, which must be used when using a service with that certificate. You only need to set up proper mapping between domain name and IP address to be able to use the domain name. – Tero Kilkanen Feb 17 '17 at 12:53
  • You will need to be more specific as to how that can be achieved, as it is not clear to me. The domain that I am using on the shared hosting service cannot be pointed to local IPs (because it can't connect to a local IP) or even external IPs due to the host's policy. – DominicM Feb 17 '17 at 13:11
  • Also see edit for more clarity. – DominicM Feb 17 '17 at 13:17

2 Answers

The steps to fix this are quite simple:

  1. Buy a domain for your local environment
  2. Create an A record on that domain, pointing to your external IP.
  3. In your local DNS server (be it a consumer router or such) configure a DNS-zone for the same domain, pointing to your Internal IP (192.168.0.10).
  4. Install certbot-auto and follow the instructions at https://letsencrypt.org/getting-started/
  5. You should be ready to go, with a proper valid secure connection.

You can't use a LE certificate for IP addresses. And you are not supposed to do that for anything, really. As others have pointed out in comments, the certificates are not bound to IP addresses, but to domain names.

mdavidsen
  • You cannot point a DNS record to a dynamic IP. I do not have a Static IP so I cannot get past step 2. That is the whole problem otherwise the local server would be no different than remote server as far as SSL config is concerned. – DominicM Feb 17 '17 at 14:33
  • You can create a CNAME record that points to a dyndns entry. – Gerald Schneider Feb 17 '17 at 14:56
  • Or you can point the dev domain to 127.0.0.1. I know of many dev teams that do this for development-only hostnames. – EEAA Feb 17 '17 at 15:04
  • @GeraldSchneider Can you expand on your comment? If you mean I can use the paid / free DDNS service such as dyndns then it's exactly what I am trying to avoid. I know I can use a DDNS service with a custom domain but it's yet another service I have to pay for, manage and be reliant on. – DominicM Feb 17 '17 at 15:15
  • If you want to access a dynamic IP there is no way around a dyndns service. – Gerald Schneider Feb 17 '17 at 15:34
  • That's what I was afraid of. Any reason why you can't manually point the DNS record to the IP once it updates? Seems like the only limitation is that the host doesn't allow programmatic access to dns record management, or maybe there is a way? – DominicM Feb 17 '17 at 16:19
  • I use a DDNS server via afraid.org that updates my IP via a curl request every 5 minutes. – Orphans Feb 20 '17 at 07:33
  • @DominicM Change your DNS provider? Many do include API access to update your DNS zones. This [SE post](http://stackoverflow.com/questions/133458/what-dnss-have-api-access) provides a good list of providers. You can also sign up for a free Cloudflare.com account and use their DNS servers with API access. They do however not provide an authoritative DNS service, so you still have to purchase your domain elsewhere and point the NS records to CF. – mdavidsen Feb 21 '17 at 10:48
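An added example (not code from this answer, Let's Encrypt or certbot) that models why steps 2 and 3 remove the warning: it implements the browser's hostname-to-SAN matching rules and a split-horizon lookup over constructed sample data, so the same certificate name is accepted from the LAN and from the Internet while the raw IPs from the question are not.

```python
import ipaddress

# Constructed sample of the SAN list a Let's Encrypt certificate for the site
# would carry: dNSName entries only, no iPAddress entries.
CERT_SANS = [("DNS", "www.example.com"), ("DNS", "*.home.example.com")]

# Constructed split-horizon data for steps 2 and 3 of the answer: the same name
# resolves to the LAN address on the local resolver and to the public A record elsewhere.
DNS_VIEWS = {
    "lan": {"www.example.com": "192.168.0.10"},     # local router / DNS zone
    "internet": {"www.example.com": "85.24.69.2"},  # public A record
}


def _dns_name_match(pattern, name):
    """RFC 6125 style dNSName match: case-insensitive, wildcard only as the whole
    leftmost label, and the wildcard covers exactly one non-empty label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    n_labels = name.lower().rstrip(".").split(".")
    if len(p_labels) != len(n_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and n_labels[0] != "" and p_labels[1:] == n_labels[1:]
    return p_labels == n_labels


def hostname_matches(requested, sans=CERT_SANS):
    """True if a browser would accept a certificate carrying `sans` for the host
    part of the URL. An IP literal is only compared against iPAddress SANs, never
    against dNSName entries, which is why https://192.168.0.10/ warns."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_name_match(value, requested):
            return True
    return False


def access_is_clean(url_host, view):
    """Return (address the client connects to, whether the certificate check passes)
    for a client using the resolver of `view` and typing `url_host` in the URL."""
    try:
        ipaddress.ip_address(url_host)
        resolved = url_host  # IP literal: no DNS lookup happens at all
    except ValueError:
        resolved = DNS_VIEWS[view].get(url_host)
    return resolved, resolved is not None and hostname_matches(url_host)
```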

Assuming you are accessing these services with a web browser, the certificate only cares about the hostname in the request. If you are accessing the service locally, on your LAN, add a host record to DNS.

192.168.0.10 www.example.com

Update your external DNS to point to your public IP.

85.24.69.2 www.example.com

Jeff W.
  • The local services should be accessible via local and remote IPs with no SSL warnings. The hosts file I can use, but it will only work on one machine, which is not ideal as every device would have to be configured separately. If I could access the local services via external IP/domain with no SSL warnings that would be fine, and I could use hosts on a main machine so that internet access is not required. – DominicM Feb 17 '17 at 13:00