19 posts • Page 1 of 1
Duggieb
Posts: 31
Joined: Wed May 26, 2021 8:39 pm

Self host secure website problem

Thu Nov 13, 2025 8:58 pm

For a few years, I have successfully self hosted my own personal website (http, not secure) on an RPi5, using Apache as web server. I then changed broadband provider from BT (copper wire with dynamic IP) to brsk (fibre optic with static IP) and at the same time, tried to change from http to https. To this end, I used Letsencrypt to install a certificate on my webserver, something Letsencrypt says has been successful. However, I cannot now access the website externally (localhost works fine). Inputting http://robinboardman.me.uk into my Chrome browser just loads the login page for my Icotera router.
I have spent a long time searching the internet for answers but when one doesn't know the correct question to ask, it's hard to get a useful answer. One suggestion was to use SSLLabs to test the site, a summary of the feedback being "Certificate name mismatch. Alternate names not found in the certificate. We were able to retrieve a certificate for this site, but the domain names listed in it do not match the domain name you requested us to inspect." Other feedback is that the certificate is self-signed. Whilst I understand the words, I don't know what to do about it to make the website work.
I am sure there are others out there who use an RPi to self host a website (mine really is basic) so I was wondering if anyone has any thoughts on the above and/or advice to give. Just where to start looking would be a help.

neilgl
Posts: 11309
Joined: Sun Jan 26, 2014 8:36 pm

Re: Self host secure website problem

Thu Nov 13, 2025 10:03 pm

In your Icotera router, have you set port forwarding to the Pi for port 443 (and 80)?

sproggit
Posts: 9
Joined: Sun Oct 15, 2023 8:25 am

Re: Self host secure website problem

Thu Nov 13, 2025 10:19 pm

Duggie,

I concur with Neil - I see the same router login page that you describe when trying the link... suspect that you've enabled forwarding to link socket 80 traffic to your server, not your socket 443 traffic.

Couple of other points for you to consider...

First: if you're going to use LetsEncrypt certificates [good idea!] then you should also deploy CertBot - it's from the EFF and it will automate the replacement of your certs, which can turn into a real nuisance if you try and do it manually.

Second: you don't mention your home network setup... but if your network goes: External ISP Line - Your Firewall/Router - Your Web Server... and if your web server is on your home network [i.e. local IP address in the 192.168.0.0 range... then please be aware that what you're doing is seriously dangerous. If your web server has *any* vulnerabilities in it, an attacker who compromises your web server is automatically on your home network. I appreciate this could be a lot more cost, but if you want to host from home, I'd strongly recommend you invest in something like a Protectli server. Smack a copy of pfSense on it - and then set up one of the Ethernet ports on the Protectli box to be a DMZ - a "De-Militarized Zone"... What that means is that your server gets ring-fenced on its own little bit of network - and if an attacker compromises that host, they are still *outside* your firewall and *not* on your home network.

Yes, you're going to spend a bunch more money on hardware [pfSense is free without support] but you're much less likely to get hacked. Have a read of this

https://en.wikipedia.org/wiki/DMZ_(computing)

I really, *really* recommend you set up a decent firewall with a DMZ. And hey, if you like that, get another Pi 3B and drop a copy of NGinx on it, configured into reverse proxy mode. Add a WAF module with some basic lock-down rules and you'll be a lot more secure than you are now.

thagrol
Posts: 14785
Joined: Fri Jan 13, 2012 4:41 pm

Re: Self host secure website problem

Fri Nov 14, 2025 12:03 am

sproggit wrote:
Thu Nov 13, 2025 10:19 pm
Second: you don't mention your home network setup... but if your network goes: External ISP Line - Your Firewall/Router - Your Web Server... and if your web server is on your home network [i.e. local IP address in the 192.168.0.0 range...

There are other private subnets and at the end of the day it doesn't matter which subnet you're using if the webserver and your LAN are using the same one.

I'm guessing you meant e.g. not i.e.
then please be aware that what you're doing is seriously dangerous. If your web server has *any* vulnerabilities in it, an attacker who compromises your web server is automatically on your home network. I appreciate this could be a lot more cost, but if you want to host from home, I'd strongly recommend you invest in something like a Protectli server. Smack a copy of pfSense on it - and then set up one of the Ethernet ports on the Protectli box to be a DMZ - a "De-Militarized Zone"... What that means is that your server gets ring-fenced on its own little bit of network - and if an attacker compromises that host, they are still *outside* your firewall and *not* on your home network.

Yes, you're going to spend a bunch more money on hardware [pfSense is free without support] but you're much less likely to get hacked. Have a read of this

https://en.wikipedia.org/wiki/DMZ_(computing)

I really, *really* recommend you set up a decent firewall with a DMZ. And hey, if you like that, get another Pi 3B and drop a copy of NGinx on it, configured into reverse proxy mode. Add a WAF module with some basic lock-down rules and you'll be a lot more secure than you are now.

Be careful with that. Not all domestic routers support a DMZ, and some older ones that do, do not put it into a separate subnet. They just port forward all unused ports to that box.
Knowledge, skills, & experience have value. If you expect to profit from someone's you should expect to pay for them.

All advice given is based on my experience. It worked for me, it may not work for you.
Need help? https://github.com/thagrol/Guides

ejolson
Posts: 13865
Joined: Tue Mar 18, 2014 11:47 am

Re: Self host secure website problem

Fri Nov 14, 2025 4:17 am

Duggieb wrote:
Thu Nov 13, 2025 8:58 pm
For a few years, I have successfully self hosted my own personal website (http, not secure) on an RPi5, using Apache as web server. I then changed broadband provider from BT (copper wire with dynamic IP) to brsk (fibre optic with static IP) and at the same time, tried to change from http to https. To this end, I used Letsencrypt to install a certificate on my webserver, something Letsencrypt says has been successful. However, I cannot now access the website externally (localhost works fine). Inputting http://robinboardman.me.uk into my Chrome browser just loads the login page for my Icotera router.
I have spent a long time searching the internet for answers but when one doesn't know the correct question to ask, it's hard to get a useful answer. One suggestion was to use SSLLabs to test the site, a summary of the feedback being "Certificate name mismatch. Alternate names not found in the certificate. We were able to retrieve a certificate for this site, but the domain names listed in it do not match the domain name you requested us to inspect." Other feedback is that the certificate is self-signed. Whilst I understand the words, I don't know what to do about it to make the website work.
I am sure there are others out there who use an RPi to self host a website (mine really is basic) so I was wondering if anyone has any thoughts on the above and/or advice to give. Just where to start looking would be a help.
You are right that link doesn't work. When I first installed certificates I discovered one included the full chain of trust and the other didn't. I installed the wrong one and later discovered the full chain of trust worked better.

Like so many things, https is overcomplicated for no good reasons and for many bad ones. Sorry I can't help more. I hope you get it resolved.

Duggieb
Posts: 31
Joined: Wed May 26, 2021 8:39 pm

Re: Self host secure website problem

Fri Nov 14, 2025 8:39 am

neilgl wrote:
Thu Nov 13, 2025 10:03 pm
In your Icotera router, have you set port forwarding to the Pi for port 443 (and 80)?
Yes I have.

neilgl
Posts: 11309
Joined: Sun Jan 26, 2014 8:36 pm

Re: Self host secure website problem

Fri Nov 14, 2025 9:25 am

If I use the http link to your site it gives

Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Apache/2.4.65 (Debian) Server at robinboardman.me.uk Port 80
Using the https version gets me (on iPad Safari) a "Not Private" error, as the certificate is not trusted, issued by 48...99.icotera

That issued by icotera looks wrong as we should be seeing your LE cert.

Duggieb
Posts: 31
Joined: Wed May 26, 2021 8:39 pm

Re: Self host secure website problem

Sat Nov 15, 2025 3:30 pm

neilgl wrote:
Fri Nov 14, 2025 9:25 am
If I use the http link to your site it gives

Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Apache/2.4.65 (Debian) Server at robinboardman.me.uk Port 80
Using the https version gets me (on iPad Safari) a "Not Private" error, as the certificate is not trusted, issued by 48...99.icotera

That issued by icotera looks wrong as we should be seeing your LE cert.
Is there any chance you could try to access my site again? I had noticed an error in my port forward settings and don't know if I corrected it before or after your access. Thank you in anticipation.

ejolson
Posts: 13865
Joined: Tue Mar 18, 2014 11:47 am

Re: Self host secure website problem

Sat Nov 15, 2025 4:01 pm

Duggieb wrote:
Sat Nov 15, 2025 3:30 pm
neilgl wrote:
Fri Nov 14, 2025 9:25 am
If I use the http link to your site it gives

Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Apache/2.4.65 (Debian) Server at robinboardman.me.uk Port 80
Using the https version gets me (on iPad Safari) a "Not Private" error, as the certificate is not trusted, issued by 48...99.icotera

That issued by icotera looks wrong as we should be seeing your LE cert.
Is there any chance you could try to access my site again? I had noticed an error in my port forward settings and don't know if I corrected it before or after your access. Thank you in anticipation.
I'm seeing https on port 80.

Generally port 80 remains unencrypted http and only port 443 https. Also, the full chain of trust seems missing from what you've installed.

Are you following the Apache documentation, a howto blog or advice from a chatbot? I'm not sure what configurations you've changed. I remember Apache configuration not being obvious. It took hours to get http and https working and another day to get them working right (hopefully).
Last edited by ejolson on Sat Nov 15, 2025 4:06 pm, edited 1 time in total.
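
Added example, not part of ejolson's post or anyone's actual configuration: an Apache layout that matches the split described above (plain HTTP on port 80, TLS only on port 443, full chain installed), shown beside one misconfiguration that produces the "speaking plain HTTP to an SSL-enabled server port" reply on port 80. The ServerName comes from the thread; the certificate paths follow Certbot's usual `/etc/letsencrypt/live/` layout and the DocumentRoot is the Debian default, all assumed here.

```apache
# Added example. ServerName is from the thread; every path below is an assumption.
# Assumes mod_ssl is enabled and Apache listens on both 80 and 443.

# --- Misconfigured (kept commented out): TLS switched on for the port-80 vhost.
# A plain-HTTP request to this vhost is answered with
# "You're speaking plain HTTP to an SSL-enabled server port."
# cert.pem is the leaf certificate only, so the chain of trust is incomplete.
#<VirtualHost *:80>
#    ServerName robinboardman.me.uk
#    SSLEngine on
#    SSLCertificateFile    /etc/letsencrypt/live/robinboardman.me.uk/cert.pem
#    SSLCertificateKeyFile /etc/letsencrypt/live/robinboardman.me.uk/privkey.pem
#</VirtualHost>

# --- Corrected: port 80 stays unencrypted and only redirects to HTTPS.
<VirtualHost *:80>
    ServerName robinboardman.me.uk
    Redirect permanent / https://robinboardman.me.uk/
</VirtualHost>

# --- Corrected: TLS lives on port 443 only.
<VirtualHost *:443>
    ServerName robinboardman.me.uk
    DocumentRoot /var/www/html

    SSLEngine on
    # fullchain.pem holds the leaf certificate followed by the intermediate,
    # so clients receive the full chain of trust (Apache 2.4.8 or later).
    SSLCertificateFile    /etc/letsencrypt/live/robinboardman.me.uk/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/robinboardman.me.uk/privkey.pem
</VirtualHost>
```

`apachectl configtest` checks the syntax and `apachectl -S` lists which virtual host answers on which port. This only covers the Apache side and does not change what the router forwards.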

nigelbartlett1
Posts: 73
Joined: Mon May 06, 2019 9:39 am

Re: Self host secure website problem

Sat Nov 15, 2025 4:06 pm

The port is still not forwarded correctly. I get an error warning that the certificate is self-signed and when I accept the risk I get a log-in page for your router.

I hope you have a very strong password configured on your router!

ejolson
Posts: 13865
Joined: Tue Mar 18, 2014 11:47 am

Re: Self host secure website problem

Sat Nov 15, 2025 4:18 pm

nigelbartlett1 wrote:
Sat Nov 15, 2025 4:06 pm
The port is still not forwarded correctly. I get an error warning that the certificate is self-signed and when I accept the risk I get a log-in page for your router.

I hope you have a very strong password configured on your router!
That explains it. Maybe Apache is fine but the router never forwards the connection.

When we shifted houses, the residential Internet service provider provided a combination modem router that set the destination for forwarded ports based on MAC address. Only one IP number can be associated with that MAC or the router will get confused and sometimes forward packets to the wrong IP. In this case it was also important to turn off host-side MAC address randomisation.

Another option is use your own router. This avoids limitations of the one built-in. For example, I used to run a webserver directly on a Linux system that also functioned as the router. This was long ago.
Last edited by ejolson on Sat Nov 15, 2025 4:39 pm, edited 6 times in total.

neilgl
Posts: 11309
Joined: Sun Jan 26, 2014 8:36 pm

Re: Self host secure website problem

Sat Nov 15, 2025 4:29 pm

"Is there any chance you could try to access my site again" - yes, still the same error just now.

pidd
Posts: 6603
Joined: Fri May 29, 2020 8:29 pm

Re: Self host secure website problem

Sat Nov 15, 2025 4:43 pm

Some routers won't forward port 80 (eg VirginMedia).

rpdom
Posts: 25254
Joined: Sun May 06, 2012 5:17 am

Re: Self host secure website problem

Sat Nov 15, 2025 5:33 pm

pidd wrote:
Sat Nov 15, 2025 4:43 pm
Some routers won't forward port 80 (eg VirginMedia).
This is one of the reasons I put my VirginMedia into Modem Mode and use my own router.
Unreadable squiggle

pidd
Posts: 6603
Joined: Fri May 29, 2020 8:29 pm

Re: Self host secure website problem

Sat Nov 15, 2025 6:44 pm

rpdom wrote:
Sat Nov 15, 2025 5:33 pm
pidd wrote:
Sat Nov 15, 2025 4:43 pm
Some routers won't forward port 80 (eg VirginMedia).
This is one of the reasons I put my VirginMedia into Modem Mode and use my own router.

Are you sure it still doesn't interfere with 80 or 443? My port 443 is showing closed at the moment and I'm pretty sure it's not my router doing that; all other ports are showing stealth.

rpdom
Posts: 25254
Joined: Sun May 06, 2012 5:17 am

Re: Self host secure website problem

Sat Nov 15, 2025 10:55 pm

pidd wrote:
Sat Nov 15, 2025 6:44 pm
rpdom wrote:
Sat Nov 15, 2025 5:33 pm
pidd wrote:
Sat Nov 15, 2025 4:43 pm
Some routers won't forward port 80 (eg VirginMedia).
This is one of the reasons I put my VirginMedia into Modem Mode and use my own router.

Are you sure it still doesn't interfere with 80 or 443? My port 443 is showing closed at the moment and I'm pretty sure it's not my router doing that; all other ports are showing stealth.
I think so. I used to run a web server with port 80 and had ssh enabled for a while too. But those run through a VPN from a cloud server now, so I don't use port forwarding any more.
Unreadable squiggle

ejolson
Posts: 13865
Joined: Tue Mar 18, 2014 11:47 am

Re: Self host secure website problem

Sun Nov 16, 2025 12:43 am

rpdom wrote:
Sat Nov 15, 2025 10:55 pm
pidd wrote:
Sat Nov 15, 2025 6:44 pm
rpdom wrote:
Sat Nov 15, 2025 5:33 pm

This is one of the reasons I put my VirginMedia into Modem Mode and use my own router.

Are you sure it still doesn't interfere with 80 or 443? My port 443 is showing closed at the moment and I'm pretty sure it's not my router doing that; all other ports are showing stealth.
I think so. I used to run a web server with port 80 and had ssh enabled for a while too. But those run through a VPN from a cloud server now, so I don't use port forwarding any more.
Is that VPN one you set up yourself?

rpdom
Posts: 25254
Joined: Sun May 06, 2012 5:17 am

Re: Self host secure website problem

Sun Nov 16, 2025 10:44 am

ejolson wrote:
Sun Nov 16, 2025 12:43 am
rpdom wrote:
Sat Nov 15, 2025 10:55 pm
I think so. I used to run a web server with port 80 and had ssh enabled for a while too. But those run through a VPN from a cloud server now, so I don't use port forwarding any more.
Is that VPN one you set up yourself?
Yes.
Unreadable squiggle

stevend
Posts: 947
Joined: Fri Oct 11, 2013 12:28 pm

Re: Self host secure website problem

Sun Nov 16, 2025 10:51 am

If you're going to run a separate firewall box (presumably with several network ports, so you can physically separate networks), you could also look at OPNSense instead of pfSense. IIRC the OPNSense people forked pfSense and improved it - the UI is certainly less confusing than I remember pfSense being. Both options allow a VPN between the firewall and remote sites. I think there were some other issues with pfSense, possibly centred around the way the overall project was proceeding (can't remember for sure now). And OPNSense is based in Europe, which could be a selling point for some.
