I followed this guide: https://notthebe.ee/blog/easy-ssl-in-homelab-dns01/

But my Nginx Proxy Manager is running on a VPS that is connected to my local network through a WireGuard tunnel. Could that be an issue? I don’t know why it’s not working?

My NPM is also accessible to the local IP of my homeserver on which WireGuard is running.

  • citizen@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    1 year ago

    It’s not clear what’s the purpose of NPM in your case. Do you want to serve internal network or expose to Internet. If it’s the latter, you need to see what interface you exposed NPM port on (have to be your public network - VPS IP), your firewall needs to allow incoming connections on that port. Most likely you will be using port 443 and maybe 80 for redirect (checkbox in NPM always use TLS). Use IP address first to eliminate DNS issues. Once IP is valid test DNS with nslookup/dig to see if it resolves to your IP.

    OpenSSL command needs to be executed from VPS to eliminate network issues and just validate certificate setup. The IP and port would depend on what port you exposed. 127.0.0.1 should work from that context. Once you see certificate you can execute openssl command from your local and use WireGuard tunnel IP to connect to service. This is for internal network.

    • Dataprolet@lemmy.dbzer0.comOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      NPM should serve as both, but only issuing SSL certificates for my local network is the issue. Have you taken a look at the tutorial I’ve linked in the original post?

      • citizen@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        Yeah I looked at tutorial. Port 81 is only for management (NPM admin gui). Then you have your traffic ports for proxy services. Those would be 80 and 443 normally. You would need to expose those ports to the Internet if you want to access NPM/proxy your service. Port 81 shouldn’t be exposed on your public interface make sure it isn’t or at least have firewall rule to allow only local network (ideally management network/vlan)

        • Dataprolet@lemmy.dbzer0.comOP
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Ah I see. As I’ve said the proxy is working for my domain and is available from the internet. So that shouldn’t be an issue…

          This is the output of the openssl command:

          spoiler
          # openssl s_client -connect 127.0.0.1:443 -showcerts
          
          CONNECTED(00000003)
          80DB1D0BDC7F0000:error:0A000458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:../ssl/record/rec_layer_s3.c:1586:SSL alert number 112
          ---
          no peer certificate available
          ---
          No client certificate CA names sent
          ---
          SSL handshake has read 7 bytes and written 297 bytes
          Verification: OK
          ---
          New, (NONE), Cipher is (NONE)
          Secure Renegotiation IS NOT supported
          Compression: NONE
          Expansion: NONE
          No ALPN negotiated
          Early data was not sent
          Verify return code: 0 (ok)
          ---
          
          spoiler
          # openssl s_client -connect 127.0.0.1:80 -showcerts
          
          CONNECTED(00000003)
          809B89C5DB7F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
          ---
          no peer certificate available
          ---
          No client certificate CA names sent
          ---
          SSL handshake has read 5 bytes and written 297 bytes
          Verification: OK
          ---
          New, (NONE), Cipher is (NONE)
          Secure Renegotiation IS NOT supported
          Compression: NONE
          Expansion: NONE
          No ALPN negotiated
          Early data was not sent
          Verify return code: 0 (ok)
          ---