I feel like I have a doozy of a complicated issue and am looking for some guidance.

I’m new to self-hosting so I got myself an off-the-shelf Asustor NAS. It’s got apps which is cool, so I’ve installed Jellyfin. I want to access my Jellyfin over the web so I’ve set up DDNS via my Asustor Manual Connect and FreeDNS. This works well, I can access it over HTTP but the domain is… kind of long and unpleasant, so I got myself a “pretty” domain and set up a CNAME to the FreeDNS. I’m port forwarding on my router, everything works, so far so good.

To make it overtly complicated, I want to make the connection HTTPS. This is where I’m struggling. I’ve set up the SSL cert for my “pretty” domain via Let’s Encrypt, but it times out. I’m not sure if, or how I can make the FreeDNS HTTPS or covered under my Let’s Encrypt cert since I don’t technically own the FreeDNS domain. My provider doesn’t give me any wildcard options on the “pretty” domain’s cert either.

I’ve got the HTTPS set on my Asustor and Jellyfin based on the “pretty” domain’s SSL cert. I’ve got my port-forwarding 443 to Jellyfin’s suggested HTTPS port on my router. I feel like the lynchpin is the FreeDNS subdomain handing off the DDNS request but I’m not sure how to solve it. Any suggestions on how I can get this setup to work? Anyone else run a similar setup where they access their local X port via the web via HTTPS?

Open to similar experiences, suggestions, ideas, pretty much anything at this point.

  • MangoPenguin@lemmy.blahaj.zone
    8 months ago

    Let’s Encrypt should be fine issuing a cert on a FreeDNS hostname using the HTTP-01 challenge, I believe you may also need port 80 open?

    The basic steps would be install a letsencrypt client on the NAS, issue a cert for the FreeDNS hostname, then give that cert to jellyfin directly or to a reverse proxy sitting in front of it.

    • ProtecyaTec@lemmy.worldOP
      8 months ago

      I do have port 80 open as well as 443, both going to my Jellyfin HTTP/HTTPS ports respectively. HTTP seems to work for both when I access “pretty” domain and the FreeDNS URLs directly. It’s really only when I try to force HTTPS that I’m having issues.

      I’ll play around with Let’s Encrypt today to see if I can get the FreeDNS cert applied. I’ve tried to use AI to assist me in learning how to do all this, it suggests I need both my “pretty” domain and the FreeDNS domain tied to the same cert, which I’m unable to do at my current domain registrar, so I might also need to move that but I’ll take it one step at a time.

  • towerful@programming.dev
    8 months ago

    > I want to access my Jellyfin over the web

    Do you want other people to access jellyfin? Or strangers?
    Or would a VPN like wireguard (or even tailscale) be more appropriate?

    • ProtecyaTec@lemmy.worldOP
      8 months ago

      No, I don’t necessarily want other people to access my Jellyfin, but my folx live out in the boons, (visiting on holidays etc.) and that was the only way I could find to reliably access my media. I guess I also come from a web background so it felt right to me. The Asustor I have really limits what I can and can’t do with it. I got it as a like, starter point since it felt out of the box. I’m also on Windows lol.

      Do you have any resources for how I could grant access outside my network with a VPN, wireguard, or tailscale? I’m open to other options, I’m really just kind of fumbling my way through this idea of what I want.

      • towerful@programming.dev
        8 months ago

        If it’s just yourself (or up to 3 people), go with tailscale. Sign up for a free account, looks like there is an installer in the asusator (or whatever it’s called) app store.
        Start reading up on tailscale. It’s essentially a managed VPN designed for enterprises with features for servers and infrastructure.

  • AggressivelyPassive@feddit.de
    8 months ago

    How exactly is SSL terminated in your setup? Usually, you’d use something like nginx or apache for termination, but I don’t see that in your description?

    So who exactly has the private key?

    • ProtecyaTec@lemmy.worldOP
      8 months ago

      I’m still pretty green so I’m not sure what terminated means in this context.

      My domain registrar for my “pretty” domain (not FreeDNS) allowed me to issue a Let’s Encrypt on it. It gave me the encrypted Cert code, Private Key code, and Immediate Cert code. I was able to bring them down into .crt and .key files respectively and assign them to my NAS. Jellyfin though required a PKCS #12 file so I installed openssl CLI via Choco and fed it my .crt and .key files to generate the necessary pfx file. So, right now all the cert information is tied to my “pretty” domain via my domain registrar. I would assume that my registrar and Let’s Encrypt have my private key info, but also my key files uploaded to the NAS and rolled into the PFX file.

      Not sure if that helps or answers your question but that’s the info I got.

      • lemmyvore@feddit.nl
        8 months ago

        “Terminated” means something that’s using the certificate to encrypt connections. You got the certificate but doesn’t sound like anything is actually using it.

        You can give it to Jellyfin so it can start encrypting the HTTPS port. The downside is that you’ll be stuck using your pretty domain for just Jellyfin, for now.

        If you decide to use it for more services later you can install a reverse proxy, get a wildcard certificate for *.pretty.domain, start creating subdomains as CNAMEs to the FreeDNS (eg. jellyfin.pretty.domain) and defining them in the reverse proxy.

        The reverse proxy will be handling the forwarded port and terminate the encryption for all subdomains, and will hand-off the unencrypted connection privately to the relevant app based on which domain the visitor is using (and issuing 404 not found if they use a domain you haven’t defined).
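
An added example, not part of any post in this thread: it repeats the .crt/.key to PKCS #12 conversion described above with the `openssl` CLI and then checks the resulting bundle before it is handed to Jellyfin or a reverse proxy. The two hostnames, the password and the throwaway self-signed certificate are constructed placeholders standing in for the real files.

```shell
#!/usr/bin/env bash
# Added example. Hostnames, password and the self-signed cert are constructed
# placeholders for the registrar-issued Let's Encrypt files.
set -eu
PRETTY=media.pretty.example     # stands in for the "pretty" domain
DDNS=mynas.freedns.example      # stands in for the FreeDNS hostname
PASS=changeit                   # sample PKCS #12 password
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

make_bundle() {   # cert + key valid for $PRETTY only, rolled into a .pfx
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$PRETTY" \
    -addext "subjectAltName=DNS:$PRETTY" \
    -keyout "$WORK/site.key" -out "$WORK/site.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/site.key" -in "$WORK/site.crt" \
    -passout "pass:$PASS" -out "$WORK/site.pfx"
}

pfx_cert() {      # leaf certificate as stored inside the bundle
  openssl pkcs12 -in "$WORK/site.pfx" -passin "pass:$PASS" \
    -nokeys -clcerts 2>/dev/null | openssl x509
}

covers() {        # succeeds if the bundled cert is valid for hostname $1
  pfx_cert | openssl x509 -noout -checkhost "$1" 2>&1 | grep -q "does match"
}

key_matches() {   # succeeds if the bundled private key belongs to the cert
  cert_pub=$(pfx_cert | openssl x509 -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkcs12 -in "$WORK/site.pfx" -passin "pass:$PASS" \
    -nocerts -nodes 2>/dev/null | openssl pkey -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

make_bundle
for host in "$PRETTY" "$DDNS"; do
  if covers "$host"; then echo "$host: covered by the certificate"
  else echo "$host: NOT covered, clients would report a name mismatch"; fi
done
if key_matches; then echo "private key matches certificate"; fi
```

TLS clients compare the certificate against the hostname typed into the URL, not against the CNAME target, so a certificate for the pretty domain is sufficient as long as that is the name visitors use.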

  • Decronym@lemmy.decronym.xyzB
    8 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    | Fewer Letters | More Letters |
    |---|---|
    | HTTP | Hypertext Transfer Protocol, the Web |
    | HTTPS | HTTP over SSL |
    | NAS | Network-Attached Storage |
    | SSL | Secure Sockets Layer, for transparent encryption |
    | VPN | Virtual Private Network |
    | nginx | Popular HTTP server |

    [Thread #607 for this sub, first seen 16th Mar 2024, 16:25]