ProScan: Secure HTTPS Web Server with Let's Encrypt Error Response

[rodentkj]

ProScan v23.5
Current Unsecure Web Server is up, running and accessible internal and external.
Now moving forward to add HTTPS support using Let's Encrypt.
No Antivirus and Windows firewall disabled.
In my router I Port forwarded 80. Confirmed it is open and can be contacted via DNS name.

In ProScan I provided an email address, DNS Domain name and selected the Secure (HTTPS) server type.
When I click the Get Certificate button, I received a generic error (sorry no screenshot) stating to check port 80.
Not knowing about the 5 attempt limit per hour, I now get this error. And will need to wait for a bit before I can try again.


Is there anything in the above error message that would provide a clue as to what the issue may be?
Or any other suggestion?

 

[jjn555]

Hmmm.... I never saw THIS before. It just popped up this morning. Maybe this is a clue, maybe not. Is remote access into my SDS200 impossible/impractical using a VPN? I'm not using any VPN at the moment.

Nevermind. I answered my own question. I rebooted, then turned on my Norton VPN, got an external address, typed it in as xxx.xxx.xxx.xxx:5000 on my phone and got the somewhat expected "This site can't be reached" message. Sigh.

 

[ndebaggis]

Thank you. This is great stuff. Despite me being reasonably competent with radio and networks, it's frustrating in that I know that it's likely one basic thing I have wrong in my setup.
I had an idea after looking at some of your screenshots that might be the root cause of my problem. I don't have a domain name registered to me. I'm only a guy who is a customer of an ISP (www.spectrum.com). I'm not a business that has a URL such as 'www.radioreference.com'. Is THAT what's needed for all this to work? Do I need to somehow visit godaddy.com and get something like "www.wisconsin-jim-makes-great-homebrew-beer.com"?

Yes, you would need a valid domain name as you noted, in your example your domain would be wisconsin-jim-makes-great-homebrew-beer.com, which you'd purchase from a name registrar.

There are several moving parts to this though; you'd either need a static IP address from your ISP, or, assuming they don't hand out static to residential customers (most don't), you'd need to use a registrar that supports dynamic DNS updates. I've never used dynamic DNS since I've had a home static for many years so I really can't help with the dynamic update aspect. You could take a look at a registrar that has free dynamic DNS service, and a Windows dynamic DNS update client at: Dynu they seem to have good documentation and you can purchase your domain name directly through them.

If you have a static IP through your ISP then it's a much easier task; you purchase the domain name via the registrar, log in to the admin panel and then add whatever hostname to the DNS section as an 'A' record, in your example that's the "www" part of wisconsin-jim-makes-great-homebrew-beer.com, then you'd enter your static IP to that 'A' record.

Unfortunately, Letsencrypt does not yet issue certs on IP addresses but they're planning to do that in the near future. They have a blog post on how that will work here: We've Issued Our First IP Address Certificate This might be a really good option but I'm not sure if @ProScan would need to add new code to support it. The IP based cert will only be valid for 6 days so renewals would get tiresome doing them manually. But, this option would eliminate needing a domain name registration and all the extra complexity that goes with it. The only issue is if you have a residential broadband dynamic DHCP IP you'd have to do a full certificate issuance every time the IP changes, it wouldn't be just a renewal on an existing certificate.

 

[ndebaggis]

Nevermind. I answered my own question. I rebooted, then turned on my Norton VPN, got an external address, typed it in as xxx.xxx.xxx.xxx:5000 on my phone and got the somewhat expected "This site can't be reached" message. Sigh.

Wait... do you always use Norton's VPN service on the ProScan computer? if so, that could certainly be causing issues. Most VPN clients force ALL traffic through the VPN tunnel network. I doubt Norton has an option to allow traffic initiated from the Internet inbound to your computer via the VPN tunnel.

 

[jjn555]

Wait... do you always use Norton's VPN service on the ProScan computer? if so, that could certainly be causing issues. Most VPN clients force ALL traffic through the VPN tunnel network. I doubt Norton has an option to allow traffic initiated from the Internet inbound to your computer via the VPN tunnel.

No, I don't typically use a VPN. I just wanted to try it to out as a test, mainly because of that warning message I got from Norton about a port that's open. I'm kinda surprised it took so long for Norton to see that my port 5000 was open, since I've had it running that way for a few years. Whatever. Anyway, I couldn't get the SDS200 to be seen when running Norton VPN. So, I went back and turned it off.. I don't know enough about how Norton VPN works to create an exception (or if that's even possible).

 

[jjn555]

Yes, you would need a valid domain name as you noted, in your example your domain would be wisconsin-jim-makes-great-homebrew-beer.com, which you'd purchase from a name registrar.

There are several moving parts to this though; you'd either need a static IP address from your ISP, or, assuming they don't hand out static to residential customers (most don't), you'd need to use a registrar that supports dynamic DNS updates. I've never used dynamic DNS since I've had a home static for many years so I really can't help with the dynamic update aspect. You could take a look at a registrar that has free dynamic DNS service, and a Windows dynamic DNS update client at: Dynu they seem to have good documentation and you can purchase your domain name directly through them.

If you have a static IP through your ISP then it's a much easier task; you purchase the domain name via the registrar, log in to the admin panel and then add whatever hostname to the DNS section as an 'A' record, in your example that's the "www" part of wisconsin-jim-makes-great-homebrew-beer.com, then you'd enter your static IP to that 'A' record.

Unfortunately, Letsencrypt does not yet issue certs on IP addresses but they're planning to do that in the near future. They have a blog post on how that will work here: We've Issued Our First IP Address Certificate This might be a really good option but I'm not sure if @ProScan would need to add new code to support it. The IP based cert will only be valid for 6 days so renewals would get tiresome doing them manually. But, this option would eliminate needing a domain name registration and all the extra complexity that goes with it. The only issue is if you have a residential broadband dynamic DHCP IP you'd have to do a full certificate issuance every time the IP changes, it wouldn't be just a renewal on an existing certificate.

Yeah, that's kinda what I was starting to believe. I'll have to look more into getting a domain name and whether I want to pay for it just for this SDS200 connection thing I'm trying to solve. Maybe that's a dead-end anyway. My ISP normally keeps my external address unchanged, but a few times a year, they'll change it. When they do, I just change my external address within the Web Server tab on Proscan. It's no big deal as far as I'm concerned since this SDS200 server to my scanner is really ONLY for my personal use.

 

[ProScan]

Yeah, that's kinda what I was starting to believe. I'll have to look more into getting a domain name and whether I want to pay for it just for this SDS200 connection thing I'm trying to solve.

The SDS200 is a different connection. That is a connection from the scanner to ProScan. If that's working, meaning you have audio and display data then that part is good. That connection can't be secured.

Maybe that's a dead-end anyway. My ISP normally keeps my external address unchanged, but a few times a year, they'll change it. When they do, I just change my external address within the Web Server tab on Proscan. It's no big deal as far as I'm concerned since this SDS200 server to my scanner is really ONLY for my personal use.

The browser to ProScan Web Server is the other connection.
If you want the connection to be secured (shows in the browser as secured) then you need a domain name. I use No-IP | Smarter DNS Starts Here FREE. After you obtain a domain name then you can get a letsencrypt cert. Certs are tied to domain names and not dotted decimal IP addresses.

An exception, If using the inside IP address only such as your phone using WiFi data to connect to your network and using dotted decimal IP address on your phone browser then you can use a self signed cert.

 

[ogppc]

Not sure if its much help or adding to the situation, but what I do is use OBS to forward my scanner to youtube. I know I can't manipulate it remotely using that method (I do that through a VPN back into my system). My youtube feed is just a screenshot of proscan.

 

[jjn555]

The SDS200 is a different connection. That is a connection from the scanner to ProScan. If that's working, meaning you have audio and display data then that part is good. That connection can't be secured.


The browser to ProScan Web Server is the other connection.
If you want the connection to be secured (shows in the browser as secured) then you need a domain name. I use No-IP | Smarter DNS Starts Here FREE. After you obtain a domain name then you can get a letsencrypt cert. Certs are tied to domain names and not dotted decimal IP addresses.

An exception, If using the inside IP address only such as your phone using WiFi data to connect to your network and using dotted decimal IP address on your phone browser then you can use a self signed cert.

Awesome info for this rookie. Thanks, Bob. Sorry for the long delay, but as always, real life often gets in the way of my hobbies. I'm encouraged that I really might be able to get HTTPS working, after all. Thanks!
-Jim