Years ago, partly out of curiosity, I started self-hosting web sites on a server located at my house. As I was doing consulting, this allowed me to set up client visible sites for testing and demonstration.
This presented a bit of a problem as I wasn’t willing to foot the cost of a fixed IP address and a “business” account. So, I had to find a way to make my DHCP assigned IP address public. Dyndns.com to the rescue. At the time, they were about the only option available. And for a basic set up, free.
Back then, I was running on Windows Server 2003 (32 bit) and the machine was set up as a web server, a file server and our internet proxy.
This configuration served well enough for several years, but several things happened to change that. The hardware started to become unstable, Server 2003 was sunsetted and new .NET versions no longer supported it, and I started to add video and other technologies to my development portfolio.
After the hardware upgrade I continued to use Dyndns as my domain registrar and DNS provider. After a while, I needed more than their basic package and opted for a paid account. Eventually they discontinued the free option but the pricing on my tier remained the same, so I wasn’t affected. I think this change occurred around the time they were acquired by Oracle, but that was a while ago and my memory is fuzzy on the details.
I continued this way for a while, but there were storm clouds forming.
Foremost, there was the push to move everything on the web to SSL. While it’s always been possible to purchase a cert, a group called Let’s Encrypt came along offering free certs. And Google (and the various browsers) became increasingly aggressive about encouraging SSL use. So, I figured I’d better go along.
One of the downsides to Let’s Encrypt is that their certs expire every 90 days. There are numerous automated scripts and I experimented with several of them. The best supported were for Linux and since I was running Windows, it took a bit more effort to find one that worked for me. Ultimately, I settled on one that worked, but still required some manual intervention. It was only once every 90 days and I got advance notice, so I figured it was not that onerous. Being the procrastinator that I am, I did manage to delay a couple of times when the cert expired, but for the most part, it worked OK.
But it wasn’t optimal. Because I was using subdomains, i.e., http://something.vmoregon.com, I had to play some games with Dyndns and the configuration on my server. I was using what they called “web hops”. Basically 304 redirects from Dyndns mapped to http://vmoregon.com/something on my server. Once the request reached my server, I redirected again from http to https.
Due to the nature of the certs issued by Let’s Encrypt, all requests had to be to vmoregon.com/something. It was possible to add each subdomain to a cert, but that was a lot of work. Ultimately, I longed for a wildcard cert. This would allow me to create a cert for vmoregon.com and add *.vmoregon.com as a second URL. That would let me stand up a new subdomain by just adding it to my IIS.
It took almost 2 years for Let’s Encrypt to put that in place and required a major change to their infrastructure and API. Then it took another year for update clients to catch up.
All of the pieces finally fell into place and I changed to a wildcard cert. And coincident with this I also changed DNS providers.
There were numerous reasons:
- My subscription was expiring
- Dyndns didn’t support wildcard DNS
- The Dyndns console had always had a confusing and difficult UI and hadn’t been updated since I started using it
- Technical support from them was slow and frustrating. It was either email or a phone call (call back). Response was frequently more than a day. And, on at least one occasion, completely wrong
But the biggest single reason was they decided to discontinue the services that I had depended on.
I can’t fault them; it was undoubtedly a business decision driven by revenue and cost of upgrading their systems to continue to support existing services.
So, I went in search of a new provider. Unlike when I chose Dyndns, there are now quite a few providers. And after looking over the offerings of several, I ended up with ClouDNS.
I was a bit nervous, they’re based in Bulgaria, and would have felt more comfortable with a US company. But so far, my fears have been unfounded.
Their support model is stellar: 24/7 chat support and the techs are knowledgeable and helpful. In the one case where I did get incorrect information, the tech made extra effort to get corrected information to me quickly.
The final reason is that wildcard certs require adding a TXT DNS record for verification, and ClouDNS has an API; Dyndns does not. Case closed.
I’ve now migrated both my domain registrar and my DNS provider. It’s only been a few months, but, so far, I’m satisfied.
With the shift to a wildcard cert, I needed to find another update client. As I’m running Windows Server, I started with .NET clients. Unfortunately, they were either immature, or I was unable to get them to work on my server. I ended up with Certify The Web. It’s GUI based and was pretty straightforward to configure and get working.
The only complication came in that I needed to write an update script for ClouDNS for the TXT record needed for domain verification. After a bit of research and reading, I wrote a python script that does the job. It probably took about an hour to write and a couple more for debugging and clean up.
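To show what that TXT record has to contain, here is an added example (not the script described above, and it makes no ClouDNS API call) that works out the DNS-01 record name and value for a cert covering both vmoregon.com and *.vmoregon.com. The tokens and account thumbprint are constructed placeholders; in practice the ACME client supplies them.

```python
import base64
import hashlib

def txt_value(token, account_thumbprint):
    """DNS-01 TXT value (RFC 8555 section 8.4): unpadded base64url of
    SHA-256 over the key authorization "token.thumbprint"."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def validation_name(identifier):
    """Record name the CA queries; the wildcard label is dropped first."""
    name = identifier.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if "*" in name:
        raise ValueError(f"unsupported wildcard position: {identifier}")
    return "_acme-challenge." + name

def host_in_zone(fqdn, zone):
    """Host part relative to the zone, the form DNS provider APIs usually take."""
    fqdn, zone = fqdn.lower().rstrip("."), zone.lower().rstrip(".")
    if fqdn == zone:
        return ""
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -(len(zone) + 1)]

def plan_records(challenges, account_thumbprint, zone):
    """Map host -> list of TXT values that must all be present at once."""
    plan = {}
    for identifier, token in challenges:
        host = host_in_zone(validation_name(identifier), zone)
        plan.setdefault(host, []).append(txt_value(token, account_thumbprint))
    return plan

# Constructed sample values; real tokens and the thumbprint come from the ACME client.
SAMPLE = [("vmoregon.com", "constructed-token-apex"),
          ("*.vmoregon.com", "constructed-token-wildcard")]

if __name__ == "__main__":
    for host, values in plan_records(SAMPLE, "constructed-thumbprint", "vmoregon.com").items():
        for value in values:
            print(f"{host} TXT {value}")
```

Both names validate at the same host, so an update script has to add the second TXT value alongside the first rather than overwrite it, and should remove both once validation completes.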
Everything is in place now and I’ll monitor it for a while and eventually forget all about it until something goes wrong.