Let's Encrypt works with DynDNS.org? That doesn't seem right

On a whim today I tried setting up a DynDNS,org hostname for one of my IP’s and then proceeded to use Certificate Manager to get a Let’s Encrypt certificate thinking surely it would fail - it works like a champ.

Which begs the question - If it will work with DynDNS, why won’t Let’s Encrypt work with a port other than 80/443?

This seems like a hole to me - I assume anyone seeing whatever.dyndns.org might wonder where they are actually going, but DynDNS has a gagillion domains and some of them look fairly legit.

Does anyone else find this weird?

Not weird at all. SSL doesn’t care about your domain name at all. It just cares that the domain name the person is going to matches the cert that was issued.

Yeah, but I don’t own DynDNS.org, but now I have a certificate issued to a host on their domain? That seems wonky to me.

You have a certificate that says - and ONLY says - that you had access to port 80 or 443 of the host random.whatever.com, and that LetsEncrypt validated that you were the person that controlled what was served from those ports on that host.

That’s all that SSL is. It’s just someone saying that ‘Yep, the person who claims to control random.whatever.com did control it when I checked’. If there wasn’t someone or something who checked that, nothing would stop you from claiming to be google.com.

Note that the problems occur when a certificate authority assumes that because you control random.whatever.com, it means you ALSO control ‘*.whatever.com’ or ‘whatever.com’ itself. That’s not a valid assumption to make, and some CAs have made that mistake. Last year, I think, something happened with an invalid issue of a github related certificate. I’d have to look it up (or you could 8-))

Ok, but then why don’t they support ports other than 80 and 443 - a hostname can only resolve to a single IP (although it could be multiple machines behind the scenes) so no matter what port I claim, it will only resolve to that IP? This seems inconsistent to me.

But you own blah.dyndns.org meaning you own that site as you were able to go to the server that responds to blah.dyndns.org and place files on the server for LE to access and open the ports it needed to get said files.

You are asking in the wrong place. Go ask on their forums why they require only those ports. We have stated our feelings to them along with others but in their defense they are about securing the web and websites are always on 80/443. You never go to a actual website on a different port.

Ports 80 and 443 are the webserver ports. If you don’t control those ports, then you don’t control the webserver.

Alright - I give up - seems weird to me, but all my hosted PBX’s are now going to have Free SSL Certs!

Perhaps I am thinking too much…

Probably yes, you may be.

You’re trying to say ‘Hey, LetsEncrypt, I want to prove I own this hostname by you doing a webserver authentication. I own the webserver on this host, so you should use that. Oh, but by the way, I DON’T own the webserver, so you need to use a different port’.

They, quite correctly, don’t allow you to do that 8)

There are other ways of getting a LE cert (eg, DNS) if you want to prove ownership in another way. But, honestly, just allow port 80 access in from their hosts. It’s much easier.

It’s related to a thing I wasted a HUGE amount of time on last week trying to get multiple PBX’s hosted on the same IP but different ports - My provider didn’t work right with it (T.38 was failing) and Let’s Encrypt didn’t work with it either.

But in case anyone wonders, there is a source of IPv4 IP’s that is also QOS enabled and Redundant - Bigleaf here:

So now all my PBX’s are on their own IP on the standard ports and will have SSL certs - It’s all good.

1 Like

BTW we agree that they should allow authentication and renewals on different ports but they so far are dead set on 80/443 only and well it will take lots of people complaing to maybe get that changed by them.

Yeah, I’m over it - it just seems so wasteful of IPv4 space to only have 1 PBX per IP, but the folly of that undertaking was brought home to me in a big way - I probably wasted 30 hours last week looking at Packet Captures (my T.38) and then reading forums (Let’s Encrypt) and finally just cried Uncle - Bigleaf works like a champ for IP’s and QOS and redundancy so in the long run it’s better anyway.

Just a wild guess,

but maybe they are trying to get people to adopt IPv6 … where that goes, no one needs SNAT :wink: