Can't get SSL certificates - eviltoast

Hey all, I’d love some more eyes on this problem I’ve been having.

Context:

  • I’m behind a CGNAT.
  • I have a domain
  • I have VPN with a dedicated IP
  • My DNS records are pointed at that dedicated IP
  • I have a TP_Link A8 Router, and a Surfboard DOCSIS 3.1
    • Router has Bonded light
  • I’m running a server with Proxmox VM
    • It works amazing locally

Goal(s):

  • Use NextCloud/OwnCloud
    • Ability to access NC/OC from outside local network
    • Being able to use domain name instead of dedicated IP when accessing page

Actions:

  • Install a Debian 12 VM (or LXC depending upon attempt)
  • Update package repositories
  • Add user to sudoers file
  • Install UFW
  • Install VPN application
  • Enable UFW
    • Deny ALL but 40,443
  • Install Docker Engine
  • Enable VPN
  • Install Cosmos Server
    • Go through initial setup
      • Configure domain as Dedicated IP
  • Here my attempts just hang.
    • I have tried this using NGINX Reverse Proxy
    • I have tried this using Apache2 as a reverse proxy

Technical Information

  • Port scanning options see ports as open
  • SSL certificate application (letscrypt) hangs

I have also followed the ‘how to’ https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html from Nextcloud, using manual installation, and can install it, but when I get to the letscrypt stage, I can never get it to complete. I’ve tried the AIO as well. as the Docker image.

The issue is always with SSL/connecting from the outside. I can access it locally, but that doesn’t help me leave commercial clouds behind!

I’ve included my network diagram of what I *think* is going on

https://preview.redd.it/xt1o7o4aez1c1.png?width=1148&format=png&auto=webp&s=ff7c8bfef0cc612ce80505a0ffa63dd9a2e04953

Thanks!

  • stealth_PLEMC@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Was going to suggest the same. A guy at work was trying to tell me we’d have to open ports eventually for an application behind a VPN. While he was telling me I was wrong, I added the record, and pulled certs. They should really lead with that IMHO