this post was submitted on 31 Jan 2024
5 points (85.7% liked)

Selfhosted

39919 readers
302 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

I set up SSL certificates for my internal services behind Traefik, but I was having some issues obtaining the certificates. I ended up having to add this line in my Docker compose file to bypass PiHole which is controlling the internal hostnames for my domain:

- --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53

After adding that, I was able to successfully pull a cert. The issue is, I have a firewall set up that blocks DNS requests from everywhere except my DNS servers (PiHole), so I had to pause that rule temporarily to get the request to go through.

Wondering what I can do here (if anything) to resolve this without having to disable my firewall rules regularly.

all 7 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 9 months ago (1 children)

I would start by testing if you can resolve acme-v02.api.letsencrypt.org from the PiHole and if not, see what you need to unblock that.

[–] [email protected] 1 points 9 months ago (1 children)
[–] [email protected] 1 points 9 months ago

Did some more testing to get some details. The error I am getting from Traefik is that Cloudflare cannot create the record because it already exists (PiHole already has the entries). If I delete the records from PiHole, Traefik can then create the TXT records in Cloudflare.

[–] [email protected] 1 points 9 months ago (1 children)

Create a new rule on the firewall to allow DNS requests to cloudflare from that host only.

[–] [email protected] 1 points 9 months ago

That is what I ended up doing temporarily, but I think I will just make it temporarily permanent. I could likely set up another Docker container to run a DNS server connected to a DoH resolver, and use that container as the DNS server for Traefik, but that's a lot of work.

[–] [email protected] 0 points 9 months ago* (last edited 9 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
PiHole Network-wide ad-blocker (DNS sinkhole)
SSL Secure Sockets Layer, for transparent encryption

3 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread #470 for this sub, first seen 31st Jan 2024, 14:55] [FAQ] [Full list] [Contact] [Source code]