Rock64: LAMP + WordPress + Let’s Encrypt SSL | part 3

We deployed our blog on our local network. Today we are going to get a free domain and an SSL certificate, and create some rules in our router to forward all HTTP and HTTPS requests to our internal server.

Free domain 

In order to get a free domain for our blog, we need to create an account on Freenom.

On “freenom” we can search for a domain name and get a free domain. They also offer “.com”, “.net” and similar domains for a very good price.

Search for your domain name
List of free results
List of “premium” domains name

As you can see, there are multiple options. In my case I got the domain “devandadmin.com” for 8 dollars, and I also got the domain name “devandadmin.tk” for free.

Choose your preferred domain name and follow the site’s steps to complete the domain registration.

We are done with the domain part for now.

DNS 

The next step is to create an account on “Hurricane Electric Internet Services”; this site provides a free DNS service.

Freenom comes with its own DNS service, but “HE” (Hurricane Electric) has a Dynamic DNS option, which is great because we don’t have a static IP address (most of the time only business accounts have a static IP address). With the dynamic DNS option we can update our external IP address automatically.

HE DNS features

Once registered and logged in to our HE account, the first thing to do is add a new domain to manage.

We need to go back to “freenom” and go to the option Services -> My Domains.

List of my domains

Then, on your desired domain, click on the button “Manage Domain”.

Then go to the option: Management tools -> Nameservers

The last step is to add the HE name servers in place of the default name servers used by freenom.

Save the changes and wait at least 30 minutes before returning to HE.

Ok, after a couple of tacos/coffee/donuts, go back to HE and click on the option “Add new domain” on the left side of the site.

Type the name of the domain registered on “freenom”, in my case “devandadmin.com”.

If you get an error, wait a little longer before trying again. If the process goes well, the domain will be added to your account.

Adding DNS records 

We need to add a new “A” record that points to our external IP address.

Click on the “Edit zone” option in your domain (yellow pencil icon).

Now, select the tab “New A” in order to add our first A record.

In the name field, type the name of your domain.

Then select the checkbox “Enable entry for dynamic DNS”.
This option discovers your external IP address and fills in everything for you. Then click on the green button (submit).

Note: you need to do this from your home network in order to pick up the right IP address.

Now add a new CNAME record: select the tab “New CNAME”.

With this CNAME record, all requests to www.devandadmin.com are going to point to “devandadmin.com”, which has your external IP address.

Click on submit to save the changes.

DDNS Key 

As mentioned before, HE has some tools to change our external IP address automatically, so if our ISP changes our external IP address, we don’t need to go to HE and update the value manually.

From the list of DNS records, in the column “DNS”, click on the “update” icon to generate a DDNS key.

Click on the “Generate a key” button, save the generated key and then click on “submit”.

DDNS

We are going to use the key generated before to make some “http” requests that update our external IP address automatically.

Here are a few examples to get you started (manual testing) 

http://[your domain name]:[your password]@dyn.dns.he.net/nic/update?hostname=[your domain name]

Autodetect my IPv4/IPv6 address:

curl -4 "http://dyn.example.com:password@dyn.dns.he.net/nic/update?hostname=dyn.example.com"

curl -6 "http://dyn.example.com:password@dyn.dns.he.net/nic/update?hostname=dyn.example.com"

Specify my IPv4/IPv6 address:

curl "http://dyn.example.com:password@dyn.dns.he.net/nic/update?hostname=dyn.example.com&myip=192.168.0.1"

curl "http://dyn.example.com:password@dyn.dns.he.net/nic/update?hostname=dyn.example.com&myip=2001:db8:beef:cafe::1"

Here are a couple more examples that allow sending the password in the URL.

Note: The username is also the hostname. The password is sent using ‘password=’. This skips HTTP basic auth. These requests use https, so the key is encrypted in transit, unlike the http:// examples above.

Authentication and Updating using GET

curl "https://dyn.dns.he.net/nic/update?hostname=dyn.example.com&password=password&myip=192.168.0.1"

curl "https://dyn.dns.he.net/nic/update?hostname=dyn.example.com&password=password&myip=2001:db8:beef:cafe::1"

Authentication and Updating using a POST 

curl "https://dyn.dns.he.net/nic/update" -d "hostname=dyn.example.com" -d "password=password" -d "myip=192.168.0.1" 

curl "https://dyn.dns.he.net/nic/update" -d "hostname=dyn.example.com" -d "password=password" -d "myip=2001:db8:beef:cafe::1" 

We are going to create a cron job that runs every 24 hours; this cron job will launch an “http” request to update the IP address for us.

We are going to use the command crontab to create our cron job easily.

CRONTAB 

On your Rock64/Pi/server run the command:

sudo crontab -e

Enter your “root” credentials. After that, you are going to be prompted to select an “editor”; I selected option “1”, which is “nano”.

Go to the last line and enter the following line:

@daily /usr/bin/curl "https://[hostname]:[generated key]@dyn.dns.he.net/nic/update?hostname=[hostname]"

You will need to replace [hostname] with your domain record and [generated key] with the key that you generated on the HE site for your “A” record. The URL is quoted so the shell does not interpret the “?”, and it uses https so the key is not sent over the network in clear text.

Example:
@daily /usr/bin/curl "https://devandadmin.com:[generated key]@dyn.dns.he.net/nic/update?hostname=devandadmin.com"

You can test the result by opening the generated URL in your browser; the response should be a blank page with your external IP address.
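An alternative to writing the key directly into the crontab line, as an added example that is not part of the original post: a small script that reads the key from a root-only file, sends it in an HTTPS POST body and checks the reply. The key file path, the script path and the hostname are placeholders, and the “good”/“nochg” reply words are an assumption based on the usual dynamic DNS update convention.

```shell
#!/bin/sh
# Added example, not from the original post. DDNS_HOST and KEY_FILE are
# placeholders; the reply words good/nochg are assumed (dyndns2 convention).
DDNS_HOST="dyn.example.com"
KEY_FILE="/etc/he-ddns.key"   # hypothetical path: root-owned, mode 600
ENDPOINT="https://dyn.dns.he.net/nic/update"

# True only if the key file is readable and closed to group and others.
key_file_ok() {
    [ -r "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# True when the reply reports an updated ("good") or unchanged ("nochg") record.
classify_response() {
    case "$1" in
        "good "*|"nochg "*) return 0 ;;
        *) return 1 ;;
    esac
}

update_ddns() {
    key_file_ok "$KEY_FILE" || {
        echo "refusing to run: $KEY_FILE must not be readable by group/others" >&2
        return 2
    }
    # printf is a shell builtin and curl reads the option from stdin (-K -),
    # so the key never shows up in the crontab or in the process list.
    # Assumes the key contains no double quotes or backslashes.
    reply=$(printf 'data-urlencode = "password=%s"\n' "$(cat "$KEY_FILE")" |
        curl -sS --fail --max-time 30 -K - \
            --data-urlencode "hostname=$DDNS_HOST" "$ENDPOINT") || return 3
    classify_response "$reply" || {
        echo "DDNS update rejected: $reply" >&2
        return 1
    }
}

# Cron entry point, e.g.: @daily /usr/local/sbin/he-ddns.sh --run  (hypothetical path)
if [ "${1:-}" = "--run" ]; then
    update_ddns
fi
```

Because cron mails anything written to stderr, a rejected update or a key file with loose permissions shows up in root’s mail instead of failing silently.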

Router rules 

This section is difficult to explain because every router has a different UI. I have a Netgear router at home and I’m going to use it as a reference only; you will need to replicate the same configuration on your own router.

The first step is to connect to the router admin site. Most of the time you can use the router IP address, which is your gateway address.

If you are on Windows you can run “ipconfig” from the CMD and look for the “default gateway” value; if you are on Linux you can use “ifconfig”.

If you have a Netgear router like me, you can browse to http://routerlogin.net/ to access the admin interface.

It’s going to prompt for admin credentials before granting admin access, so type your user and password.

Navigate to “Advanced” -> Advance setup -> Port Forwarding / Port Triggering 

Now, check the option “Port Forwarding”.

In the Service name combo box, select HTTP.

In the Internal IP address field, type the IP address of your Rock64/Pi/server.

Click on “Add” to save the configuration.

We added our first rule, which redirects all HTTP requests (port 80) to our Rock64, but we also need an extra rule for all HTTPS requests (port 443).

If the “https” option is not listed in the “service name” combo box, Netgear has an additional option to specify the required port; use that option to create a rule that forwards all requests coming in on port 443 to your server.

SSL certificate 

With the domain, DNS and rules in place, your blog is now available to the world. You can open your favorite browser, type your domain name and see your blog displayed; it is magic.

But, depending on your browser, you will see a legend or icon saying that your site is not secure, for example in Google Chrome.

That doesn’t look cool; your site does not look like a “trusted” site, and we need to fix that.

The solution is to install an SSL certificate on our web server, but an SSL certificate is not cheap.

There is no reason to spend 50 bucks in our case.

Fortunately for us, Let’s Encrypt exists and lets us generate our SSL certificate for free and in a very easy way.

Installing the Certbot client

Open an SSH session on your Rock64 and type the following commands:

sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache

Now we have the “Let’s Encrypt” client (certbot) installed.

The next command creates, deploys and validates the certificate in your Apache web server:

sudo certbot --apache -d devandadmin.com -d www.devandadmin.com

Note: replace “devandadmin.com” with your domain name.

During the process, you are going to be prompted to accept some terms and to specify your contact information.

After a few seconds, your certificate will be available on your site.

Now you can type https://yourdomain.com and see the certificate installed on your server.

That is everything.

We learned how to deploy our own home web server using a free domain and a free DNS service, and we also got a free SSL certificate.

Thank you for reading this post.

Sources: Let’s encrypt tutorial
