<!DOCTYPE html>
<html lang="en">
<head>
<link rel="stylesheet" href="/assets/main.css" />
<link rel="stylesheet" href="/assets/sakura.css" />
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt</title>
<meta name="og:site_name" content="Navan Chauhan" />
<link rel="canonical" href="https://web.navan.dev/" />
<meta name="twitter:url" content="https://web.navan.dev/" />
<meta name="og:url" content="https://web.navan.dev/" />
<meta name="twitter:title" content="Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt" />
<meta name="og:title" content="Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt" />
<meta name="description" content="Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS." />
<meta name="twitter:description" content="Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS." />
<meta name="og:description" content="Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS." />
<meta name="twitter:card" content="summary_large_image" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="shortcut icon" href="/images/favicon.png" type="image/png" />
<link rel="alternate" href="/feed.rss" type="application/rss+xml" title="Subscribe to Navan Chauhan" />
<meta name="twitter:image" content="https://web.navan.dev/images/opengraph/posts/2020-11-17-Lets-Encrypt-DuckDns.png" />
<meta name="og:image" content="https://web.navan.dev/images/opengraph/posts/2020-11-17-Lets-Encrypt-DuckDns.png" />
<link rel="manifest" href="manifest.json" />
<meta name="google-site-verification" content="LVeSZxz-QskhbEjHxOi7-BM5dDxTg53x2TwrjFxfL0k" />
<script data-goatcounter="https://navanchauhan.goatcounter.com/count"
async src="//gc.zgo.at/count.js"></script>
<script defer data-domain="web.navan.dev" src="https://plausible.io/js/plausible.js"></script>
<script defer data-domain="web.navan.dev" src="https://plausible.navan.dev/js/plausible.js"></script>
<!-- Begin Inspectlet Asynchronous Code. Only for some testing, will be removed soon -->
<script type="text/javascript">
(function() {
window.__insp = window.__insp || [];
__insp.push(['wid', 1038401947]);
var ldinsp = function(){
if(typeof window.__inspld != "undefined") return; window.__inspld = 1; var insp = document.createElement('script'); insp.type = 'text/javascript'; insp.async = true; insp.id = "inspsync"; insp.src = ('https:' == document.location.protocol ? 'https' : 'http') + '://cdn.inspectlet.com/inspectlet.js?wid=1038401947&r=' + Math.floor(new Date().getTime()/3600000); var x = document.getElementsByTagName('script')[0]; x.parentNode.insertBefore(insp, x); };
setTimeout(ldinsp, 0);
})();
</script>
<!-- End Inspectlet Asynchronous Code -->
</head>
<body>
<nav style="display: block;">
|
<a href="/">home</a> |
<a href="/about/">about/links</a> |
<a href="/posts/">posts</a> |
<a href="/publications/">publications</a> |
<a href="/repo/">iOS repo</a> |
<a href="/feed.rss">RSS Feed</a> |
</nav>
<main>
<h1>Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt</h1>
<p>I have a Raspberry-Pi running a Flask app through Gunicorn (Ubuntu 20.04 LTS). I am exposing it to the internet using DuckDNS.</p>
<h2>Dependencies</h2>
<div class="codehilite">
<pre><span></span><code>sudo apt update <span class="o">&&</span> sudo apt install certbot -y
</code></pre>
</div>
<h2>Get the Certificate</h2>
<div class="codehilite">
<pre><span></span><code>sudo certbot certonly --manual --preferred-challenges dns-01 --email senpai@email.com -d mydomain.duckdns.org
</code></pre>
</div>
<p>After you accept that you are okay with you IP address being logged, it will prompt you with updating your dns record. You need to create a new <code>TXT</code> record in the DNS settings for your domain.</p>
<p>For DuckDNS users it is as simple as entering this URL in their browser:</p>
<pre><code>http://duckdns.org/update?domains=mydomain&token=duckdnstoken&txt=certbotdnstxt
</code></pre>
<p>Where <code>mydomain</code> is your DuckDNS domain, <code>duckdnstoken</code> is your DuckDNS Token ( Found on the dashboard when you login) and <code>certbotdnstxt</code> is the TXT record value given by the prompt.</p>
<p>You can check if the TXT records have been updated by using the <code>dig</code> command:</p>
<div class="codehilite">
<pre><span></span><code>dig navanspi.duckdns.org TXT
<span class="p">;</span> <<>> DiG <span class="m">9</span>.16.1-Ubuntu <<>> navanspi.duckdns.org TXT
<span class="p">;;</span> global options: +cmd
<span class="p">;;</span> Got answer:
<span class="p">;;</span> ->>HEADER<span class="s"><<- opco</span>de: QUERY, status: NOERROR, id: <span class="m">27592</span>
<span class="p">;;</span> flags: qr rd ra<span class="p">;</span> QUERY: <span class="m">1</span>, ANSWER: <span class="m">1</span>, AUTHORITY: <span class="m">0</span>, ADDITIONAL: <span class="m">1</span>
<span class="p">;;</span> OPT PSEUDOSECTION:
<span class="p">;</span> EDNS: version: <span class="m">0</span>, flags:<span class="p">;</span> udp: <span class="m">65494</span>
<span class="p">;;</span> QUESTION SECTION:
<span class="p">;</span>navanspi.duckdns.org. IN TXT
<span class="p">;;</span> ANSWER SECTION:
navanspi.duckdns.org. <span class="m">60</span> IN TXT <span class="s2">"4OKbijIJmc82Yv2NiGVm1RmaBHSCZ_230qNtj9YA-qk"</span>
<span class="p">;;</span> Query time: <span class="m">275</span> msec
<span class="p">;;</span> SERVER: <span class="m">127</span>.0.0.53#53<span class="o">(</span><span class="m">127</span>.0.0.53<span class="o">)</span>
<span class="p">;;</span> WHEN: Tue Nov <span class="m">17</span> <span class="m">15</span>:23:15 IST <span class="m">2020</span>
<span class="p">;;</span> MSG SIZE rcvd: <span class="m">105</span>
</code></pre>
</div>
<p>DuckDNS almost instantly propagates the changes but for other domain hosts, it could take a while. </p>
<p>Once you can ensure that the TXT record changes has been successfully applied and is visible through the <code>dig</code> command, press enter on the Certbot prompt and your certificate should be generated.</p>
<h2>Renewing</h2>
<p>As we manually generated the certificate <code>certbot renew</code> will fail, to renew the certificate you need to simply re-generate the certificate using the above steps.</p>
<h2>Using the Certificate with Gunicorn</h2>
<p>Example Gunicorn command for running a web-app:</p>
<div class="codehilite">
<pre><span></span><code>gunicorn api:app -k uvicorn.workers.UvicornWorker -b <span class="m">0</span>.0.0.0:7589
</code></pre>
</div>
<p>To use the certificate with it, simply copy the <code>cert.pem</code> and <code>privkey.pem</code> to your working directory ( change the appropriate permissions ) and include them in the command</p>
<div class="codehilite">
<pre><span></span><code>gunicorn api:app -k uvicorn.workers.UvicornWorker -b <span class="m">0</span>.0.0.0:7589 --certfile<span class="o">=</span>cert.pem --keyfile<span class="o">=</span>privkey.pem
</code></pre>
</div>
<p>Caveats with copying the certificate: If you renew the certificate you will have to re-copy the files</p>
<blockquote>If you have scrolled this far, consider subscribing to my mailing list <a href="https://listmonk.navan.dev/subscription/form">here.</a> You can subscribe to either a specific type of post you are interested in, or subscribe to everything with the "Everything" list.</blockquote>
<script data-isso="//comments.navan.dev/"
src="//comments.navan.dev/js/embed.min.js"></script>
<section id="isso-thread">
<noscript>Javascript needs to be activated to view comments.</noscript>
</section>
</main>
<script src="assets/manup.min.js"></script>
<script src="/pwabuilder-sw-register.js"></script>
</body>
</html>