OK, so now that I have that going, how about some inter-server SSL connections? When I was at JPMC we were required to make all servers talk to each other over SSL. All API's and other data sharing connections had to be protected by SSL. The bank was its own authority but it also slaved to an outside party. This ensured that all traffic on the network was 2) coming from a known/sanctioned JPMC device and b) was less likely to be sniffed in transit.

I'm not suggesting that we make ALL 44net connected devices SSL compliant but certainly the ones involved with holding up the network.

Mark / NI2O

On Thu, Oct 30, 2025 at 11:28 AM Mark Phillips <enicomms@gmail.com> wrote:
To answer my own question ....

Requesting a certificate for wx.ni2o.ampr.org

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/wx.ni2o.ampr.org/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/wx.ni2o.ampr.org/privkey.pem
This certificate expires on 2026-01-28.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate

So "yes" it will auto renew a "standalone".



On Thu, Oct 30, 2025 at 11:20 AM Mark Phillips <enicomms@gmail.com> wrote:
Thanks chaps. I think I have it now. Would someone please try https://ni2o.ampr.org

Also, with ths manual method do I have to renew the cert every 3 months? The acme/certbot tool will take care of that for you automatically. Not sure about the manual method though.

I gave it some more thought and opted for individual certs fo the servers in the end. other .ni2o.ampr.org services will get SSL over the weekend.

Mark / NI2O

On Thu, Oct 30, 2025 at 8:53 AM Cory (NQ1E) <cory@nq1e.hm> wrote:
The actual problem depends on which error message you're getting.

ampr.org doesn't seem to be opting out of certificate issuance with DNS CAA records, so you should be able to get one. However, the HTTP validation method will be the only one available to you. That means the machine you're running the ACME client on will need to be able to accept incoming connections on port 80 from the public Internet, at the IP address behind your FQDN.



On Thu, Oct 30, 2025, 05:10 Mark Phillips via 44net <44net@mailman.ampr.org> wrote:
Hi Folks,

I'm having some trouble trying to get LetsEncrypt SSL certificates authorised for use on my WWW devices. The issue seems to be that I do not have control of the TLD and so I can never authorise the issuing of the certificate.

I've tried *.ni2o.ampr.org (generic catch all), fqdn.ni2o.ampr.org (device specific) and many other variations but they all fail at the authorizing of the cert.

What am I doing wrong? I'm using LetEncrypt (free not-for-profit) SSL certificates successfully in other areas but i do control the domain for those.

Thanks for your help

Mark / G7LTT
_______________________________________________
44net mailing list -- 44net@mailman.ampr.org
To unsubscribe send an email to 44net-leave@mailman.ampr.org