<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="theme-color" content="#6a9fb5">
<title>Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt</title>
<!--
<link rel="stylesheet" href="https://unpkg.com/latex.css/style.min.css" />
-->
<link rel="stylesheet" href="/assets/c-hyde.css">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Abril+Fatface">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=PT+Sans:400,400italic,700">
<link rel="stylesheet" href="/assets/main.css">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="og:site_name" content="Navan Chauhan">
<link rel="canonical" href="https://web.navan.dev/posts/2020-11-17-Lets-Encrypt-DuckDns.html">
<meta name="twitter:url" content="https://web.navan.dev/posts/2020-11-17-Lets-Encrypt-DuckDns.html">
<meta name="og:url" content="https://web.navan.dev/posts/2020-11-17-Lets-Encrypt-DuckDns.html">
<meta name="twitter:title" content="Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt">
<meta name="og:title" content="Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt">
<meta name="description" content="Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS.">
<meta name="twitter:description" content="Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS.">
<meta name="og:description" content="Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS.">
<meta name="twitter:card" content="summary_large_image">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link rel="shortcut icon" href="/images/favicon.png" type="image/png">
<link href="/feed.rss" type="application/atom+xml" rel="alternate" title="Sitewide Atom feed">
<meta name="twitter:image" content="https://web.navan.dev/images/opengraph/posts/2020-11-17-Lets-Encrypt-DuckDns.png">
<meta name="og:image" content="https://web.navan.dev/images/opengraph/posts/2020-11-17-Lets-Encrypt-DuckDns.png">
<meta name="google-site-verification" content="LVeSZxz-QskhbEjHxOi7-BM5dDxTg53x2TwrjFxfL0k">
<script data-goatcounter="https://navanchauhan.goatcounter.com/count"
async src="//gc.zgo.at/count.js"></script>
<script defer data-domain="web.navan.dev" src="https://plausible.io/js/plausible.js"></script>
<link rel="manifest" href="/manifest.json">
</head>
<body class="theme-base-0d">
<div class="sidebar">
<div class="container sidebar-sticky">
<div class="sidebar-about">
<h1><a href="/">Navan</a></h1>
<p class="lead" id="random-lead">Alea iacta est.</p>
</div>
<ul class="sidebar-nav">
<li><a class="sidebar-nav-item" href="/about/">about/links</a></li>
<li><a class="sidebar-nav-item" href="/posts/">posts</a></li>
<li><a class="sidebar-nav-item" href="/3D-Designs/">3D designs</a></li>
<li><a class="sidebar-nav-item" href="/feed.rss">RSS Feed</a></li>
<li><a class="sidebar-nav-item" href="/colophon/">colophon</a></li>
</ul>
<div class="copyright"><p>© 2019-2024. Navan Chauhan <br> <a href="/feed.rss">RSS</a></p></div>
</div>
</div>
<script>
let phrases = [
"Something Funny", "Veni, vidi, vici", "Alea iacta est", "In vino veritas", "Acta, non verba", "Castigat ridendo mores",
"Cui bono?", "Memento vivere", "अहम् ब्रह्मास्मि", "अनुगच्छतु प्रवाहं", "चरन्मार्गान्विजानाति", "coq de cheval", "我愛啤酒"
];
let new_phrase = phrases[Math.floor(Math.random()*phrases.length)];
let lead = document.getElementById("random-lead");
lead.innerText = new_phrase;
</script>
<div class="content container">
<div class="post">
<h1 id="generating-https-certificate-using-dns-a-challenge-through-lets-encrypt">Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt</h1>
<p>I have a Raspberry-Pi running a Flask app through Gunicorn (Ubuntu 20.04 LTS). I am exposing it to the internet using DuckDNS.</p>
<h2 id="dependencies">Dependencies</h2>
<div class="codehilite">
<pre><span></span><code>sudo<span class="w"> </span>apt<span class="w"> </span>update<span class="w"> </span><span class="o">&&</span><span class="w"> </span>sudo<span class="w"> </span>apt<span class="w"> </span>install<span class="w"> </span>certbot<span class="w"> </span>-y
</code></pre>
</div>
<h2 id="get-the-certificate">Get the Certificate</h2>
<div class="codehilite">
<pre><span></span><code>sudo<span class="w"> </span>certbot<span class="w"> </span>certonly<span class="w"> </span>--manual<span class="w"> </span>--preferred-challenges<span class="w"> </span>dns-01<span class="w"> </span>--email<span class="w"> </span>senpai@email.com<span class="w"> </span>-d<span class="w"> </span>mydomain.duckdns.org
</code></pre>
</div>
<p>After you accept that you are okay with you IP address being logged, it will prompt you with updating your dns record. You need to create a new <code>TXT</code> record in the DNS settings for your domain.</p>
<p>For DuckDNS users it is as simple as entering this URL in their browser:</p>
<pre><code>http://duckdns.org/update?domains=mydomain&token=duckdnstoken&txt=certbotdnstxt
</code></pre>
<p>Where <code>mydomain</code> is your DuckDNS domain, <code>duckdnstoken</code> is your DuckDNS Token ( Found on the dashboard when you login) and <code>certbotdnstxt</code> is the TXT record value given by the prompt.</p>
<p>You can check if the TXT records have been updated by using the <code>dig</code> command:</p>
<div class="codehilite">
<pre><span></span><code>dig<span class="w"> </span>navanspi.duckdns.org<span class="w"> </span>TXT
<span class="p">;</span><span class="w"> </span><<>><span class="w"> </span>DiG<span class="w"> </span><span class="m">9</span>.16.1-Ubuntu<span class="w"> </span><<>><span class="w"> </span>navanspi.duckdns.org<span class="w"> </span>TXT
<span class="p">;;</span><span class="w"> </span>global<span class="w"> </span>options:<span class="w"> </span>+cmd
<span class="p">;;</span><span class="w"> </span>Got<span class="w"> </span>answer:
<span class="p">;;</span><span class="w"> </span>->>HEADER<span class="s"><<- opco</span>de:<span class="w"> </span>QUERY,<span class="w"> </span>status:<span class="w"> </span>NOERROR,<span class="w"> </span>id:<span class="w"> </span><span class="m">27592</span>
<span class="p">;;</span><span class="w"> </span>flags:<span class="w"> </span>qr<span class="w"> </span>rd<span class="w"> </span>ra<span class="p">;</span><span class="w"> </span>QUERY:<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>ANSWER:<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>AUTHORITY:<span class="w"> </span><span class="m">0</span>,<span class="w"> </span>ADDITIONAL:<span class="w"> </span><span class="m">1</span>
<span class="p">;;</span><span class="w"> </span>OPT<span class="w"> </span>PSEUDOSECTION:
<span class="p">;</span><span class="w"> </span>EDNS:<span class="w"> </span>version:<span class="w"> </span><span class="m">0</span>,<span class="w"> </span>flags:<span class="p">;</span><span class="w"> </span>udp:<span class="w"> </span><span class="m">65494</span>
<span class="p">;;</span><span class="w"> </span>QUESTION<span class="w"> </span>SECTION:
<span class="p">;</span>navanspi.duckdns.org.<span class="w"> </span>IN<span class="w"> </span>TXT
<span class="p">;;</span><span class="w"> </span>ANSWER<span class="w"> </span>SECTION:
navanspi.duckdns.org.<span class="w"> </span><span class="m">60</span><span class="w"> </span>IN<span class="w"> </span>TXT<span class="w"> </span><span class="s2">"4OKbijIJmc82Yv2NiGVm1RmaBHSCZ_230qNtj9YA-qk"</span>
<span class="p">;;</span><span class="w"> </span>Query<span class="w"> </span>time:<span class="w"> </span><span class="m">275</span><span class="w"> </span>msec
<span class="p">;;</span><span class="w"> </span>SERVER:<span class="w"> </span><span class="m">127</span>.0.0.53#53<span class="o">(</span><span class="m">127</span>.0.0.53<span class="o">)</span>
<span class="p">;;</span><span class="w"> </span>WHEN:<span class="w"> </span>Tue<span class="w"> </span>Nov<span class="w"> </span><span class="m">17</span><span class="w"> </span><span class="m">15</span>:23:15<span class="w"> </span>IST<span class="w"> </span><span class="m">2020</span>
<span class="p">;;</span><span class="w"> </span>MSG<span class="w"> </span>SIZE<span class="w"> </span>rcvd:<span class="w"> </span><span class="m">105</span>
</code></pre>
</div>
<p>DuckDNS almost instantly propagates the changes but for other domain hosts, it could take a while. </p>
<p>Once you can ensure that the TXT record changes has been successfully applied and is visible through the <code>dig</code> command, press enter on the Certbot prompt and your certificate should be generated.</p>
<h2 id="renewing">Renewing</h2>
<p>As we manually generated the certificate <code>certbot renew</code> will fail, to renew the certificate you need to simply re-generate the certificate using the above steps.</p>
<h2 id="using-the-certificate-with-gunicorn">Using the Certificate with Gunicorn</h2>
<p>Example Gunicorn command for running a web-app:</p>
<div class="codehilite">
<pre><span></span><code>gunicorn<span class="w"> </span>api:app<span class="w"> </span>-k<span class="w"> </span>uvicorn.workers.UvicornWorker<span class="w"> </span>-b<span class="w"> </span><span class="m">0</span>.0.0.0:7589
</code></pre>
</div>
<p>To use the certificate with it, simply copy the <code>cert.pem</code> and <code>privkey.pem</code> to your working directory ( change the appropriate permissions ) and include them in the command</p>
<div class="codehilite">
<pre><span></span><code>gunicorn<span class="w"> </span>api:app<span class="w"> </span>-k<span class="w"> </span>uvicorn.workers.UvicornWorker<span class="w"> </span>-b<span class="w"> </span><span class="m">0</span>.0.0.0:7589<span class="w"> </span>--certfile<span class="o">=</span>cert.pem<span class="w"> </span>--keyfile<span class="o">=</span>privkey.pem
</code></pre>
</div>
<p>Caveats with copying the certificate: If you renew the certificate you will have to re-copy the files</p>
</div>
<blockquote>If you have scrolled this far, consider subscribing to my mailing list <a href="https://listmonk.navan.dev/subscription/form">here.</a> You can subscribe to either a specific type of post you are interested in, or subscribe to everything with the "Everything" list.</blockquote>
<script data-isso="https://comments.navan.dev/"
src="https://comments.navan.dev/js/embed.min.js"></script>
<div id="isso-thread">
<noscript>Javascript needs to be activated to view comments.</noscript>
</div>
</div>
<script src="assets/manup.min.js"></script>
<script src="/pwabuilder-sw-register.js"></script>
</body>
</html>