Hi everyone,
New Duplicacy user – trying to switch over from Arq – purchased a personal license yesterday. I’ll need more licenses if I can successfully get my PoC working and resolve open issues. Here’s one that I’ve not been able to solve through searching the forum:
I’ve tried multiple approaches to having the Duplicacy Web edition issue Let’s Encrypt certificates for the server I have running on my local network that is using RFC1918 private addresses.
Forum posts I found that didn’t resolve my question:
- Problems with the web-ui
- Custom certificates for web edition
- There are several others, but the Forum says I can only post 2 links as a new user…
Here’s the situation:
- I have an instance of Duplicacy Web 1.3.0 running in a jail on my FreeBSD NAS (FreeNAS).
- I have Duplicacy setup and running scheduled backup jobs to my Backblaze B2 account.
- Duplicacy is being accessed at 10.10.10.10:80 but I’ve also tried 10.10.10.10:3875
- I created a DNS A Record (fictitious but representative example) of duplicacy.home.mydomain.com that is globally (and publicly) resolvable to 10.10.10.10.
All is working just fine and I can access my Duplicacy web instance insecurely (HTTP) on ports 80 or 3875 using a settings.json such as:
{
    "listening_address": ":80",
    "temporary_directory": "/root/.duplicacy-web/repositories",
    "log_directory": "/root/.duplicacy-web/logs",
    "dark_mode": false
}
However, if I change this to:
{
    "listening_address": ":80",
    "https_address": ":443",
    "https_domain": "duplicacy.home.mydomain.com",
    "temporary_directory": "/root/.duplicacy-web/repositories",
    "log_directory": "/root/.duplicacy-web/logs",
    "dark_mode": false
}
I see log entries such as:
2020/07/27 08:01:45 http: TLS handshake error from 10.10.10.238:56442: acme/autocert: unable to satisfy "https://acme-v02.api.letsencrypt.org/acme/authz-v3/6142500006" for domain "duplicacy.home.mydomain.com": no viable challenge type found
2020/07/27 08:01:45 http: TLS handshake error from 10.10.10.238:56447: acme/autocert: missing certificate
Note: 10.10.10.238 is the laptop on the same private network I’m accessing the web interface from.
I realize that typically people are using Let’s Encrypt to create certificates for web services running on the public Internet, but there is no reason that you can’t use it for securing servers on a private local network. I have done this successfully with 7 other servers I have running in my home without any problem, since I can create A Records that point to my 10.x.x.x addresses. However, in those cases, I’ve set up the Let’s Encrypt certbot myself and use a DNS-01 challenge, since it does not involve Let’s Encrypt’s servers trying to reach the server on HTTP Port 80 looking for the token (which of course can’t work for 10.x.x.x private servers).
My question is:
- Is it possible for me to get visibility into the token the Duplicacy certbot is looking for during the challenge? I could put this up on a web server that is publicly accessible so that Let’s Encrypt’s servers can check for the token both during certificate issuance and subsequent renewals.
- If #1 isn’t possible, can Duplicacy consider supporting DNS-01 challenges? This would be a lot easier for individuals to host the DNS records for the challenge.
Either way, I think this would be a useful feature as I have no interest (for security reasons) in exposing any Duplicacy servers I setup to the public Internet. However, I don’t want to leave traffic between my Duplicacy web servers and any workstations I’m managing them from as insecure HTTP.
I tried to search through GitHub as well to see if I could find the associated code to assess the level of difficulty in adding DNS-01 challenges (I’m a SW dev as my day job) – but it appears that only the duplicacy CLI source is publicly available.
Thanks in advance for the assistance.
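Added example for this thread (not Duplicacy's own code): a pre-flight check that reads a settings.json like the one above and reports which ACME challenge types could succeed for the configured https_domain. The DNS answers are constructed stand-ins for a real lookup so the script runs offline; the `acme/autocert` library named in the log lines only implements HTTP-01 and TLS-ALPN-01, both of which need Let's Encrypt to reach the host, which is why a name resolving to an RFC1918 address ends in "no viable challenge type found".

```python
import ipaddress
import json
from typing import Dict, List

# Constructed settings.json mirroring the HTTPS variant from the post.
SETTINGS_JSON = """{
  "listening_address": ":80",
  "https_address": ":443",
  "https_domain": "duplicacy.home.mydomain.com",
  "temporary_directory": "/root/.duplicacy-web/repositories",
  "log_directory": "/root/.duplicacy-web/logs",
  "dark_mode": false
}"""

# Hypothetical DNS answers standing in for a real A-record lookup (offline).
PRIVATE_DNS = {"duplicacy.home.mydomain.com": ["10.10.10.10"]}
PUBLIC_DNS = {"duplicacy.home.mydomain.com": ["8.8.8.8"]}  # arbitrary public address


def assess_acme_challenges(settings_text: str, dns: Dict[str, List[str]]) -> Dict[str, object]:
    """Return which ACME challenge types can validate the configured https_domain."""
    cfg = json.loads(settings_text)
    domain = cfg.get("https_domain")
    if not domain:
        return {"domain": None, "viable": [], "reason": "https_domain not set; HTTP only"}

    addrs = [ipaddress.ip_address(a) for a in dns.get(domain, [])]
    # The CA's validators must reach the host: every answer has to be globally routable.
    reachable = bool(addrs) and all(a.is_global for a in addrs)
    http_port = cfg.get("listening_address", ":80").rsplit(":", 1)[-1]
    https_port = cfg.get("https_address", ":443").rsplit(":", 1)[-1]

    viable: List[str] = []
    # HTTP-01: CA fetches http://<domain>/.well-known/acme-challenge/<token> on port 80.
    if reachable and http_port == "80":
        viable.append("http-01")
    # TLS-ALPN-01: CA opens a TLS connection to port 443 and inspects the served cert.
    if reachable and https_port == "443":
        viable.append("tls-alpn-01")
    # DNS-01 needs only a TXT record, so a private A record is fine, but the autocert
    # client seen in the log does not implement it, so it is reported separately.
    if not addrs:
        reason = "no A record for %s" % domain
    elif reachable:
        reason = "host is publicly reachable on %s" % ", ".join(map(str, addrs))
    else:
        reason = "resolves to non-global address(es) %s; only DNS-01 could work" % (
            ", ".join(str(a) for a in addrs if not a.is_global))
    return {"domain": domain, "viable": viable, "dns01_possible": bool(addrs), "reason": reason}
```

Running it against the post's 10.10.10.10 record yields an empty `viable` list, matching the handshake errors; swapping in a public address makes both autocert challenge types viable.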