From bfd3a825c2d73bd842769cdfaf11ad0319a3bd6e Mon Sep 17 00:00:00 2001 From: Navan Chauhan Date: Wed, 26 May 2021 23:58:29 +0530 Subject: added code and content --- Content/posts/2020-11-17-Lets-Encrypt-DuckDns.md | 81 ++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 Content/posts/2020-11-17-Lets-Encrypt-DuckDns.md (limited to 'Content/posts/2020-11-17-Lets-Encrypt-DuckDns.md') diff --git a/Content/posts/2020-11-17-Lets-Encrypt-DuckDns.md b/Content/posts/2020-11-17-Lets-Encrypt-DuckDns.md new file mode 100644 index 0000000..76387ba --- /dev/null +++ b/Content/posts/2020-11-17-Lets-Encrypt-DuckDns.md @@ -0,0 +1,81 @@ +--- +date: 2020-11-17 15:04 +description: Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS. +tags: Tutorial, Code-Snippet, Web-Development +--- + +# Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt + +I have a Raspberry-Pi running a Flask app through Gunicorn (Ubuntu 20.04 LTS). I am exposing it to the internet using DuckDNS. + +## Dependencies + +```bash +sudo apt update && sudo apt install certbot -y +``` + +## Get the Certificate + +```bash +sudo certbot certonly --manual --preferred-challenges dns-01 --email senpai@email.com -d mydomain.duckdns.org +``` + +After you accept that you are okay with you IP address being logged, it will prompt you with updating your dns record. You need to create a new `TXT` record in the DNS settings for your domain. + + +For DuckDNS users it is as simple as entering this URL in their browser: + +``` +http://duckdns.org/update?domains=mydomain&token=duckdnstoken&txt=certbotdnstxt +``` + +Where `mydomain` is your DuckDNS domain, `duckdnstoken` is your DuckDNS Token ( Found on the dashboard when you login) and `certbotdnstxt` is the TXT record value given by the prompt. + +You can check if the TXT records have been updated by using the `dig` command: + +```bash +dig navanspi.duckdns.org TXT +; <<>> DiG 9.16.1-Ubuntu <<>> navanspi.duckdns.org TXT +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27592 +;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags:; udp: 65494 +;; QUESTION SECTION: +;navanspi.duckdns.org. IN TXT + +;; ANSWER SECTION: +navanspi.duckdns.org. 60 IN TXT "4OKbijIJmc82Yv2NiGVm1RmaBHSCZ_230qNtj9YA-qk" + +;; Query time: 275 msec +;; SERVER: 127.0.0.53#53(127.0.0.53) +;; WHEN: Tue Nov 17 15:23:15 IST 2020 +;; MSG SIZE rcvd: 105 + +``` + +DuckDNS almost instantly propagates the changes but for other domain hosts, it could take a while. + +Once you can ensure that the TXT record changes has been successfully applied and is visible through the `dig` command, press enter on the Certbot prompt and your certificate should be generated. + +## Renewing + +As we manually generated the certificate `certbot renew` will fail, to renew the certificate you need to simply re-generate the certificate using the above steps. + +## Using the Certificate with Gunicorn + +Example Gunicorn command for running a web-app: + +```bash +gunicorn api:app -k uvicorn.workers.UvicornWorker -b 0.0.0.0:7589 +``` + +To use the certificate with it, simply copy the `cert.pem` and `privkey.pem` to your working directory ( change the appropriate permissions ) and include them in the command + +```bash +gunicorn api:app -k uvicorn.workers.UvicornWorker -b 0.0.0.0:7589 --certfile=cert.pem --keyfile=privkey.pem +``` + +Caveats with copying the certificate: If you renew the certificate you will have to re-copy the files -- cgit v1.2.3