www.wordpress.com --- subdomain , e.g. encrypting.wordpress.com
www.weebly.com --- subdomain , e.g. encrypting.weebly.com
www.wix.com --- subdomain , e.g. encrypting.wix.com
Another question is after I have a free domain name , do I host it using Raspberry Pi by making Raspberry Pi my Raspberry Pi Web Server / hosting provider, as shown in Build your own Raspberry Pi Web Server - Pi My Life Up
?
To use Letsencrypt you just need to have access to your DNS records for your domain. Most if not all hosting providers will let you add DNS records to your domain through them. I'm not sure about those free providers, but if they allow you to set DNS then just do the following:
Create a DNS record with "A" type and set the value to the public IP of the raspberry pi (probably your home public IP). Note that port 80 and 443 need to be forwarded to the pi's internal (private IP address) on your router (usually something like "NAT" or "inbound NAT"), if your pi is behind a router.
Also, my specific instructions in that thread (in the link you posted) are for the lighttpd configuration, if you have multiple hostnames in the certificate (using SAN -- Subject Alternate Name fields). In my specific case I used my own internal CA (not Letsencrypt) to generate the certificate, since it's just for a local (non-internet) DNS name.
You said
"Create a DNS record with “A” type and set the value to the public IP of the raspberry pi"
I assume that means whenever there is a change in my home public IP (e.g. due to a change of my internet service provider (ISP)) , I also have to change the "value to the public IP of the raspberry pi" in my domain name account again ?
Whenever I change my ISP , I need to go to my domain name account DNS record “A” type and set the value to the new public IP of the raspberry pi , right ?
Is that the only change required?
Or I also have to run certbot again and go through the installation of Let's Encrypt again whenever there is a change in my home public IP ?
Yes, that is mostly correct. You'll need to update the DNS record anytime your public IP changes. HOWEVER, there is an alternative that requires only requires you to update the IP every 2-3 months instead, and this alternative happens to be more secure, so I would recommend it.
My alternative suggestion is to only have your DNS record point to your public IP while you're requesting the certificate from Letsencrypt (running certbot). Once you have obtained the certificate (and configured pihole to use it, as described in the first post in the other thread), I would suggest changing the DNS record to point to the pihole's local IP (192.168.1.50 for example) instead of your public IP. This way, the pihole has a valid/trusted certificate, BUT it is only accessible on your local LAN, and not accessible from the internet, which makes more sense security-wise.
Then you'll just need to update the DNS to your public IP every 2-3 months, essentially whenever you need to renew the Letsencrypt cert (by re-running certbot). Then of course once you've renewed the cert, you can change the DNS back to the private IP of the pihole.
If you want to keep your pihole accessible from the internet for some reason (and therefore keep using the public IP in the DNS record), you can check out some dynamic DNS providers, some of which can automatically detect that your public IP changed and automatically update the DNS record with your new IP. No-IP Free - Dynamic DNS - Create a Free DDNS Account Now - No-IP is one such provider. Again though, I don't recommend permanently setting the DNS to your public IP for security reasons, unless you have a good reason for doing so.
Your question about Github.com and scripts being legit/safe is valid and a good one. Most people will recommend that you read through scripts from the internet to ensure you know what it is doing. But, this script is ok and you shouldn't have to worry.
As everyone else has stated, you will need to own the domain name you want to use for your home. So, if you want to use pihole.bill2.org then you will need to make sure you own bill2.org. Couple of ways of doing that.
5 - now, once you have you use acme.sh to issue your keys, the way I do it is export them:
acme.sh --install-cert -d *.bill2.org --key-file ~/bill2key.pem --certfile ~/bill2certfile/pem --full-certchain ~/bill2ca.pem >>> this will create files.
To add to PiHole -> there's a great FAQ in the PiHole discourse section:
Now, personally? Do you NEED TLS if the PiHole web interface is ONLY accessed when you're at home? Prob not. BUT, it's not a bad idea if you're super concerned about security AND (in my opinion) it's fun!
It has definitely cleared up some of the questions I had.
I definitely need all the help I can get because I am still reading up on A record and port forwarding 80 and 443 etc.
This project will help me understand Certificate Authority and domain name and DNS management and port forwarding and some other basic networking concepts.
I plan to write a step by step tutorial on this topic for dummies like me once I am successful with this project.
