This was fantastic, thanks. Would be great if this was built into GetUmbrel (you would need to be able to configure the dynamic DNS and request an SSL certificate of course). It meant I could finish my son's Bitcoin 3D printing store (www.robotechy.com) this evening.
Thank you very much Jorijn, works well so far. Really appreciate the effort putting this together.
Two questions I have:
Why is step 7 necessary, since in step 6 certbot would be able to offer an option to do the redirect for you?
Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.
After adding the manual redirect, I’m getting the following Warn message from nginx testing:
umbrel@umbrel:~ $ sudo nginx -t
nginx: [warn] conflicting server name “subdomain.main-domain.com” on 0.0.0.0:15080, ignored
nginx: [warn] conflicting server name “subdomain.main-domain.com” on [::]:15080, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
While it was fine at step 5 (so basically before the SSL certificate pull). Any idea where the warning is coming from?
In my case it didn’t recognise the automated redirect so I had to add it manually.
Your second warning might indicate that the manual redirect wasn’t needed anymore. The message basically means you have two server blocks for the same server name. This would be 1) the automated redirect and 2) the manual redirect.
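As an added illustration (not from the guide or any poster here) of what "one server block per name and port" looks like: a single HTTP listener on 15080 that serves the ACME challenge from a webroot and redirects everything else, plus the HTTPS listener on 15443. The hostname, webroot path and the BTCPay upstream port are assumptions; replace them with your own values.

```nginx
# Added example config. Ports 15080/15443 are the ones the router forwards
# external 80/443 to, as in this thread. Replace subdomain.main-domain.com,
# the webroot and BTCPAY_PORT (placeholder) with your own values.

# HTTP listener: answers the HTTP-01 challenge itself and redirects all other
# requests to HTTPS. Use this single block instead of keeping both the
# certbot-generated redirect and a manual one; two blocks with the same
# server_name on the same port are what produce the
# "conflicting server name ... ignored" warning.
server {
    listen 15080;
    listen [::]:15080;
    server_name subdomain.main-domain.com;

    # Webroot challenge, e.g.:
    # certbot certonly --webroot -w /var/www/letsencrypt -d subdomain.main-domain.com
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # $host has no port, so the redirect lands on external 443 -> 15443.
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS listener: terminates TLS with the certbot-issued certificate and
# proxies to BTCPay Server on the local machine.
server {
    listen 15443 ssl;
    listen [::]:15443 ssl;
    server_name subdomain.main-domain.com;

    ssl_certificate     /etc/letsencrypt/live/subdomain.main-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/subdomain.main-domain.com/privkey.pem;

    location / {
        # BTCPAY_PORT is a placeholder for the port BTCPay listens on locally.
        proxy_pass http://127.0.0.1:BTCPAY_PORT;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After editing, `sudo nginx -t` should no longer report the conflicting server name, because only one block claims that name on each port.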
All good, works anyway, despite the warning log. BTCPay Server online.
I’ll try it a second time on another node (not Umbrel); it should be just as straightforward, I just need to adjust the ports and add UFW rules. The rest should be similar. Will report back here.
I am on step 3 and am having trouble setting up port forwarding…
When I try to forward port 80 to port 15080 and port 443 to port 15443 I get the following error message:
“The configured port range including the Connection Request port is not permitted”
I am now stuck on trying to create the SSL certificate; when I run the certbot command it returns an error:
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: btcpay.domain.com
Type: unauthorized
Detail: Invalid response from
http://btcpay.domain.com/.well-known/acme-challenge/8RVwXhBNY3JbHSVCwQPrI7g2w9BDra-pvUM55UMSNNw
[100.100.100.100]: "<!DOCTYPE html><html
lang=en><head><title>Umbrel</title><meta charset=utf-8><meta
http-equiv=X-UA-Compatible content=\"IE=edge\"><"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
* where btcpay.domain.com is the subdomain I’m using and 100.100.100.100 is the home IP
I’m hoping you get an answer. I’m stuck on port forwarding as well. My router won’t let me port forward 443 and 80 to the desired ports at the same time. I’m going to try doing different port numbers like you did, but the error is saying I can’t do both at the same time because one is in use? Doesn’t make sense because one is 80 and the other is 443.
Just a thought, but I do see it talk about DNS. Not sure if you checked that. Maybe something is off. Also, not sure what he meant by conf files… maybe this happens if you don’t do that?
You can use any ports, as long as they are not already claimed on your network. You just have to replace the corresponding ports you are actually forwarding to in the config settings.
So in my example, port 80 forwards to 780, and port 443 forwards to 7443. In this case, follow the guide as written being sure to replace every mention of “1580” with “780”, and every mention of “15443” with “7443” (or whatever ports you actually choose).
Hi,
I am very much stuck with Step 4.
I ran this command and installed everything: “sudo apt update”. No problem.
Then I ran this command: “sudo apt install python3-acme python3-certbot python3-mock python3-openssl python3-pkg-resources python3-pyparsing python3-zope.interface python3-certbot-nginx nginx”, and everything installed error free. When trying to access Umbrel, I get redirected to the nginx screen. It seems like nginx was installed on port 80.
Am I doing something wrong? And where am I going wrong?
Update:
I got it to work. I reflashed the SD card with Umbrel and attempted the installation of nginx again. This time I got the expected errors and was able to remap the port.
Hi Jorijn, first of all I want to thank you for the excellent contribution … I have successfully performed your procedure on a Raspberry Pi 4 … now I have installed Umbrel on Parallels on Mac successfully and BTCPay is installed … I have tried to run your procedure again but I receive an error in the installation of the certificates … maybe you’ve already been there and can help me … thanks
That means you’re not running the right version of certbot. Certbot on Raspbian (on Umbrel) is held back a couple of versions. The newer versions don’t support SNI TLS validation. You can however look through --help as I’m sure there’s another option available. I don’t know which one off the top of my head.
Internet public domain names / IPs: google.com / 142.250.74.78. These are IPs/domain names that anybody connected to the internet can “see” and access, and they are maintained by public DNS servers. You need to buy or rent an IP from an ISP in order to be able to manage it for your own machines/systems.
Private IPs: 192.168.1.x / 10.0.0.x / 172.16.0.x. These are IPs visible ONLY inside your LAN (home area network) and are maintained by your home router, which assigns one to each of your devices connected to that router. In the Umbrel configuration you can also see them in the lnd.conf file, as one IP per service/app. So these IPs ARE NOT accessible from outside, unless you configure your router to forward specific ports to specific IPs inside your LAN.
Public VPN IPs: special services that offer you a secured tunnel to a specific server, which gives you a dedicated public IP to be used for accessing the internet. Like a strawman, a fake identity to hide your real IP / location. These IPs are visible and accessible by anybody on the internet.
Private VPN IPs: special private IPs, generated on a public server, with encryption and secured access, that offer users a dedicated tunnel through an internal private IP range, directly to your home devices. Each point / device will have its own IP in the same range. This is what Tailscale uses.
Tor Network: a special network that uses the normal Internet network, but is not visible and accessible by regular browsers / devices; they need a dedicated proxy that converts and decrypts the onion addresses in order to be accessible. All traffic on the Tor network is encrypted P2P and it is not necessary to use open ports; each onion address can be redirected internally to a specific port.
To test / see which is the “public IP” of your location, go to https://ping.eu (not using any VPN, just a simple browser). That is the IP that anybody on the internet “sees” you as. If you do not have any port forwarding from outside into your internal devices/IPs, NOBODY can access any of your home devices.
Now, your internal LAN IP is managed by your router.
You can find your assigned IP by running arp -a in a terminal command prompt screen. Or just look into your router to see which IP is assigned to your node/devices.
Internal LAN IPs are NOT accessible from outside.