<!DOCTYPE html>
<html lang="en">
<head>
    
    <link rel="stylesheet" href="https://unpkg.com/latex.css/style.min.css" />
    <link rel="stylesheet" href="/assets/main.css" />
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Generating HTTPS Certificate using a DNS Challenge through Let's Encrypt</title>
    <meta name="og:site_name" content="Navan Chauhan" />
    <link rel="canonical" href="https://web.navan.dev/posts/2020-11-17-Lets-Encrypt-DuckDns.html" />
    <meta name="twitter:url" content="https://web.navan.dev/posts/2020-11-17-Lets-Encrypt-DuckDns.html" />
    <meta name="og:url" content="https://web.navan.dev/posts/2020-11-17-Lets-Encrypt-DuckDns.html" />
    <meta name="twitter:title" content="Generating HTTPS Certificate using a DNS Challenge through Let's Encrypt" />
    <meta name="og:title" content="Generating HTTPS Certificate using a DNS Challenge through Let's Encrypt" />
    <meta name="description" content="Short code snippet to generate HTTPS certificates using the DNS challenge through Let's Encrypt for a web server using DuckDNS." />
    <meta name="twitter:description" content="Short code snippet to generate HTTPS certificates using the DNS challenge through Let's Encrypt for a web server using DuckDNS." />
    <meta name="og:description" content="Short code snippet to generate HTTPS certificates using the DNS challenge through Let's Encrypt for a web server using DuckDNS." />
    <meta name="twitter:card" content="summary_large_image" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <link rel="shortcut icon" href="/images/favicon.png" type="image/png" />
    <link rel="alternate" href="/feed.rss" type="application/rss+xml" title="Subscribe to Navan Chauhan" />
    <meta name="twitter:image" content="https://web.navan.dev/images/opengraph/posts/2020-11-17-Lets-Encrypt-DuckDns.png" />
    <meta name="og:image" content="https://web.navan.dev/images/opengraph/posts/2020-11-17-Lets-Encrypt-DuckDns.png" />
    <meta name="google-site-verification" content="LVeSZxz-QskhbEjHxOi7-BM5dDxTg53x2TwrjFxfL0k" />
    <script data-goatcounter="https://navanchauhan.goatcounter.com/count"
        async src="//gc.zgo.at/count.js"></script>
    <script defer data-domain="web.navan.dev" src="https://plausible.io/js/plausible.js"></script>
    <link rel="manifest" href="/manifest.json" />
    
</head>
<body>
    
<main>

	<h1 id="generating-https-certificate-using-dns-a-challenge-through-lets-encrypt">Generating HTTPS Certificate using a DNS Challenge through Let's Encrypt</h1>

<p>I have a Raspberry Pi running a Flask app through Gunicorn (Ubuntu 20.04 LTS). I am exposing it to the internet using DuckDNS.</p>

<h2 id="dependencies">Dependencies</h2>

<div class="codehilite">
<pre><span></span><code>sudo<span class="w"> </span>apt<span class="w"> </span>update<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span>sudo<span class="w"> </span>apt<span class="w"> </span>install<span class="w"> </span>certbot<span class="w"> </span>-y
</code></pre>
</div>

<h2 id="get-the-certificate">Get the Certificate</h2>

<div class="codehilite">
<pre><span></span><code>sudo<span class="w"> </span>certbot<span class="w"> </span>certonly<span class="w"> </span>--manual<span class="w"> </span>--preferred-challenges<span class="w"> </span>dns-01<span class="w"> </span>--email<span class="w"> </span>senpai@email.com<span class="w"> </span>-d<span class="w"> </span>mydomain.duckdns.org
</code></pre>
</div>

<p>After you confirm that you are okay with your IP address being logged, Certbot will prompt you to update your DNS record: you need to create a new <code>TXT</code> record in the DNS settings for your domain.</p>

<p>For DuckDNS users it is as simple as entering this URL in their browser:</p>

<pre><code>http://duckdns.org/update?domains=mydomain&amp;token=duckdnstoken&amp;txt=certbotdnstxt
</code></pre>

<p>Here <code>mydomain</code> is your DuckDNS domain, <code>duckdnstoken</code> is your DuckDNS token (found on the dashboard when you log in) and <code>certbotdnstxt</code> is the TXT record value given by the prompt.</p>

<p>You can check if the TXT records have been updated by using the <code>dig</code> command:</p>

<div class="codehilite">
<pre><span></span><code>dig<span class="w"> </span>navanspi.duckdns.org<span class="w"> </span>TXT
<span class="p">;</span><span class="w"> </span>&lt;&lt;&gt;&gt;<span class="w"> </span>DiG<span class="w"> </span><span class="m">9</span>.16.1-Ubuntu<span class="w"> </span>&lt;&lt;&gt;&gt;<span class="w"> </span>navanspi.duckdns.org<span class="w"> </span>TXT
<span class="p">;;</span><span class="w"> </span>global<span class="w"> </span>options:<span class="w"> </span>+cmd
<span class="p">;;</span><span class="w"> </span>Got<span class="w"> </span>answer:
<span class="p">;;</span><span class="w"> </span>-&gt;&gt;HEADER<span class="s">&lt;&lt;- opco</span>de:<span class="w"> </span>QUERY,<span class="w"> </span>status:<span class="w"> </span>NOERROR,<span class="w"> </span>id:<span class="w"> </span><span class="m">27592</span>
<span class="p">;;</span><span class="w"> </span>flags:<span class="w"> </span>qr<span class="w"> </span>rd<span class="w"> </span>ra<span class="p">;</span><span class="w"> </span>QUERY:<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>ANSWER:<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>AUTHORITY:<span class="w"> </span><span class="m">0</span>,<span class="w"> </span>ADDITIONAL:<span class="w"> </span><span class="m">1</span>

<span class="p">;;</span><span class="w"> </span>OPT<span class="w"> </span>PSEUDOSECTION:
<span class="p">;</span><span class="w"> </span>EDNS:<span class="w"> </span>version:<span class="w"> </span><span class="m">0</span>,<span class="w"> </span>flags:<span class="p">;</span><span class="w"> </span>udp:<span class="w"> </span><span class="m">65494</span>
<span class="p">;;</span><span class="w"> </span>QUESTION<span class="w"> </span>SECTION:
<span class="p">;</span>navanspi.duckdns.org.<span class="w">        </span>IN<span class="w">    </span>TXT

<span class="p">;;</span><span class="w"> </span>ANSWER<span class="w"> </span>SECTION:
navanspi.duckdns.org.<span class="w">    </span><span class="m">60</span><span class="w">    </span>IN<span class="w">    </span>TXT<span class="w">    </span><span class="s2">&quot;4OKbijIJmc82Yv2NiGVm1RmaBHSCZ_230qNtj9YA-qk&quot;</span>

<span class="p">;;</span><span class="w"> </span>Query<span class="w"> </span>time:<span class="w"> </span><span class="m">275</span><span class="w"> </span>msec
<span class="p">;;</span><span class="w"> </span>SERVER:<span class="w"> </span><span class="m">127</span>.0.0.53#53<span class="o">(</span><span class="m">127</span>.0.0.53<span class="o">)</span>
<span class="p">;;</span><span class="w"> </span>WHEN:<span class="w"> </span>Tue<span class="w"> </span>Nov<span class="w"> </span><span class="m">17</span><span class="w"> </span><span class="m">15</span>:23:15<span class="w"> </span>IST<span class="w"> </span><span class="m">2020</span>
<span class="p">;;</span><span class="w"> </span>MSG<span class="w"> </span>SIZE<span class="w">  </span>rcvd:<span class="w"> </span><span class="m">105</span>
</code></pre>
</div>

<p>DuckDNS propagates the change almost instantly, but with other DNS hosts it could take a while.</p>

<p>Once the TXT record change has been applied and is visible through the <code>dig</code> command, press Enter at the Certbot prompt and your certificate should be generated.</p>

<h2 id="renewing">Renewing</h2>

<p>Because the certificate was generated manually, <code>certbot renew</code> will fail; to renew the certificate you simply re-generate it using the steps above.</p>
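<p>The three manual steps above (pushing the TXT value to DuckDNS, checking it with <code>dig</code>, and re-running everything at renewal time) can be handed to Certbot as a <code>--manual-auth-hook</code>. The script below is an added example, not code from the original post; it goes beyond the post in that, once a certificate has been issued with the hook, Certbot records the hook in the renewal configuration and <code>certbot renew</code> works unattended. It relies on the <code>CERTBOT_DOMAIN</code> and <code>CERTBOT_VALIDATION</code> variables Certbot exports to auth hooks and on the DuckDNS update endpoint used above; the token file path <code>/etc/duckdns.token</code> and the script location are assumptions.</p>

```shell
#!/bin/sh
# Added example, not code from the original post: a certbot --manual-auth-hook
# that pushes the DNS-01 validation value to DuckDNS and waits until the TXT
# record is visible, so the certificate can be issued and renewed unattended.
#
# Usage (token file path and script location are assumptions):
#   sudo certbot certonly --manual --preferred-challenges dns-01 \
#        --manual-auth-hook /usr/local/bin/duckdns-auth.sh \
#        --email senpai@email.com -d mydomain.duckdns.org
set -eu

# Reading the token from a root-only file keeps it out of shell history and
# the process list. /etc/duckdns.token is an assumed path.
DUCKDNS_TOKEN_FILE=${DUCKDNS_TOKEN_FILE:-/etc/duckdns.token}

# Reduce "mydomain.duckdns.org" (or "_acme-challenge.mydomain.duckdns.org")
# to the label "mydomain" that the DuckDNS API expects in "domains=".
duckdns_subdomain() {
    printf '%s\n' "$1" | sed -e 's/^_acme-challenge\.//' -e 's/\.duckdns\.org$//'
}

# Build the TXT update URL used in the post. The ACME validation value is
# base64url (A-Z a-z 0-9 - _), so it needs no URL encoding.
duckdns_txt_update_url() {
    printf 'https://www.duckdns.org/update?domains=%s&token=%s&txt=%s' "$1" "$2" "$3"
}

# Succeed when the expected value appears among the quoted strings that
# `dig +short TXT` prints ($1 = dig output, $2 = expected value).
txt_record_present() {
    printf '%s\n' "$1" | tr -d '"' | grep -Fqx -- "$2"
}

# Poll the resolver until the record is visible; give up after $3 attempts.
wait_for_txt() {
    name=$1; expected=$2; attempts=${3:-30}; i=0
    while [ "$i" -lt "$attempts" ]; do
        if txt_record_present "$(dig +short TXT "$name")" "$expected"; then
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "TXT record for $name not visible after $attempts attempts" >&2
    return 1
}

main() {
    token=$(cat "$DUCKDNS_TOKEN_FILE")
    label=$(duckdns_subdomain "$CERTBOT_DOMAIN")
    reply=$(curl -fsS "$(duckdns_txt_update_url "$label" "$token" "$CERTBOT_VALIDATION")")
    # DuckDNS answers the update request with the literal body "OK" or "KO".
    [ "$reply" = "OK" ] || { echo "DuckDNS update failed: $reply" >&2; exit 1; }
    # Let's Encrypt looks the value up at _acme-challenge.<domain>; DuckDNS
    # answers with its single TXT record for the domain and its subdomains.
    wait_for_txt "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
}

# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION when it runs the hook;
# without them the file only defines the functions above.
if [ -n "${CERTBOT_VALIDATION:-}" ] && [ -n "${CERTBOT_DOMAIN:-}" ]; then
    main
fi
```

<p>The hook exits non-zero if DuckDNS rejects the update or the record never shows up, which makes Certbot abort the order instead of failing the challenge against the CA.</p>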

<h2 id="using-the-certificate-with-gunicorn">Using the Certificate with Gunicorn</h2>

<p>Example Gunicorn command for running a web-app:</p>

<div class="codehilite">
<pre><span></span><code>gunicorn<span class="w"> </span>api:app<span class="w"> </span>-k<span class="w"> </span>uvicorn.workers.UvicornWorker<span class="w"> </span>-b<span class="w"> </span><span class="m">0</span>.0.0.0:7589
</code></pre>
</div>

<p>To use the certificate with it, copy <code>cert.pem</code> and <code>privkey.pem</code> to your working directory (setting the appropriate permissions) and pass them on the command line:</p>

<div class="codehilite">
<pre><span></span><code>gunicorn<span class="w"> </span>api:app<span class="w"> </span>-k<span class="w"> </span>uvicorn.workers.UvicornWorker<span class="w"> </span>-b<span class="w"> </span><span class="m">0</span>.0.0.0:7589<span class="w"> </span>--certfile<span class="o">=</span>cert.pem<span class="w"> </span>--keyfile<span class="o">=</span>privkey.pem
</code></pre>
</div>

<p>Caveat with copying the certificate: if you renew the certificate, you will have to re-copy the files.</p>
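<p>The re-copy step can be automated with a Certbot <code>--deploy-hook</code>, which Certbot runs after every successful issuance and renewal with <code>RENEWED_LINEAGE</code> set to the <code>live/&lt;domain&gt;</code> directory. The script below is an added example, not code from the original post. It copies <code>cert.pem</code>, <code>privkey.pem</code> and also <code>fullchain.pem</code> (the leaf plus the Let's Encrypt intermediate, which clients need to build the chain; point <code>--certfile</code> at whichever you use), keeps the private key readable only by the Gunicorn account, and restarts the service. The app directory, user and systemd unit name are assumptions.</p>

```shell
#!/bin/sh
# Added example, not code from the original post: a certbot --deploy-hook that
# copies the renewed certificate into the Gunicorn working directory with the
# right permissions and restarts the service, so the re-copy caveat is handled
# automatically on every renewal.
#
# Usage (script path, app directory, user and unit name are assumptions):
#   sudo certbot certonly --manual --preferred-challenges dns-01 \
#        --deploy-hook /usr/local/bin/deploy-gunicorn-cert.sh -d mydomain.duckdns.org
set -eu

APP_DIR=${APP_DIR:-/home/pi/app}          # assumed Gunicorn working directory
APP_USER=${APP_USER:-pi}                  # assumed account that runs Gunicorn
GUNICORN_UNIT=${GUNICORN_UNIT:-gunicorn}  # assumed systemd unit name

# Print the octal permission bits of a file (GNU stat).
file_mode() {
    stat -c '%a' "$1"
}

# Copy the certificate files from a certbot lineage directory ($1, e.g.
# /etc/letsencrypt/live/mydomain.duckdns.org) into $2. The public files may be
# world-readable; the private key must be readable by the Gunicorn user only.
# $3 (optional) is the owner, applied only when running as root.
deploy_certs() {
    src=$1; dst=$2; owner=${3:-}
    for f in cert.pem fullchain.pem privkey.pem; do
        if [ ! -f "$src/$f" ]; then
            echo "missing $src/$f" >&2
            return 1
        fi
    done
    mkdir -p "$dst"
    # install(1) follows the live/ symlinks and sets the mode explicitly,
    # so the result does not depend on the caller's umask.
    install -m 0644 "$src/cert.pem" "$dst/cert.pem"
    install -m 0644 "$src/fullchain.pem" "$dst/fullchain.pem"
    install -m 0600 "$src/privkey.pem" "$dst/privkey.pem"
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dst/cert.pem" "$dst/fullchain.pem" "$dst/privkey.pem"
    fi
}

# certbot exports RENEWED_LINEAGE (the live/<domain> directory) when it runs a
# deploy hook; without it the file only defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" "$APP_DIR" "$APP_USER"
    systemctl restart "$GUNICORN_UNIT"
fi
```

<p>If Gunicorn is started by hand rather than as a service, replace the <code>systemctl restart</code> line with whatever restarts your process; the new workers then read the fresh files.</p>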

</main>

    <script src="assets/manup.min.js"></script>
    <script src="/pwabuilder-sw-register.js"></script>    
</body>
</html>