summaryrefslogtreecommitdiff
path: root/Content/posts/2020-11-17-Lets-Encrypt-DuckDns.md
diff options
context:
space:
mode:
Diffstat (limited to 'Content/posts/2020-11-17-Lets-Encrypt-DuckDns.md')
-rw-r--r--Content/posts/2020-11-17-Lets-Encrypt-DuckDns.md81
1 files changed, 81 insertions, 0 deletions
diff --git a/Content/posts/2020-11-17-Lets-Encrypt-DuckDns.md b/Content/posts/2020-11-17-Lets-Encrypt-DuckDns.md
new file mode 100644
index 0000000..76387ba
--- /dev/null
+++ b/Content/posts/2020-11-17-Lets-Encrypt-DuckDns.md
@@ -0,0 +1,81 @@
+---
+date: 2020-11-17 15:04
+description: Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS.
+tags: Tutorial, Code-Snippet, Web-Development
+---
+
+# Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt
+
+I have a Raspberry-Pi running a Flask app through Gunicorn (Ubuntu 20.04 LTS). I am exposing it to the internet using DuckDNS.
+
+## Dependencies
+
+```bash
+sudo apt update && sudo apt install certbot -y
+```
+
+## Get the Certificate
+
+```bash
+sudo certbot certonly --manual --preferred-challenges dns-01 --email senpai@email.com -d mydomain.duckdns.org
+```
+
+After you accept that you are okay with you IP address being logged, it will prompt you with updating your dns record. You need to create a new `TXT` record in the DNS settings for your domain.
+
+
+For DuckDNS users it is as simple as entering this URL in their browser:
+
+```
+http://duckdns.org/update?domains=mydomain&token=duckdnstoken&txt=certbotdnstxt
+```
+
+Where `mydomain` is your DuckDNS domain, `duckdnstoken` is your DuckDNS Token ( Found on the dashboard when you login) and `certbotdnstxt` is the TXT record value given by the prompt.
+
+You can check if the TXT records have been updated by using the `dig` command:
+
+```bash
+dig navanspi.duckdns.org TXT
+; <<>> DiG 9.16.1-Ubuntu <<>> navanspi.duckdns.org TXT
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27592
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 65494
+;; QUESTION SECTION:
+;navanspi.duckdns.org. IN TXT
+
+;; ANSWER SECTION:
+navanspi.duckdns.org. 60 IN TXT "4OKbijIJmc82Yv2NiGVm1RmaBHSCZ_230qNtj9YA-qk"
+
+;; Query time: 275 msec
+;; SERVER: 127.0.0.53#53(127.0.0.53)
+;; WHEN: Tue Nov 17 15:23:15 IST 2020
+;; MSG SIZE rcvd: 105
+
+```
+
+DuckDNS almost instantly propagates the changes but for other domain hosts, it could take a while.
+
+Once you can ensure that the TXT record changes has been successfully applied and is visible through the `dig` command, press enter on the Certbot prompt and your certificate should be generated.
+
+## Renewing
+
+As we manually generated the certificate `certbot renew` will fail, to renew the certificate you need to simply re-generate the certificate using the above steps.
+
+## Using the Certificate with Gunicorn
+
+Example Gunicorn command for running a web-app:
+
+```bash
+gunicorn api:app -k uvicorn.workers.UvicornWorker -b 0.0.0.0:7589
+```
+
+To use the certificate with it, simply copy the `cert.pem` and `privkey.pem` to your working directory ( change the appropriate permissions ) and include them in the command
+
+```bash
+gunicorn api:app -k uvicorn.workers.UvicornWorker -b 0.0.0.0:7589 --certfile=cert.pem --keyfile=privkey.pem
+```
+
+Caveats with copying the certificate: If you renew the certificate you will have to re-copy the files