1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
---
date: 2020-11-17 15:04
description: Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS.
tags: Tutorial, Code-Snippet, Web-Development
---
# Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt
I have a Raspberry-Pi running a Flask app through Gunicorn (Ubuntu 20.04 LTS). I am exposing it to the internet using DuckDNS.
## Dependencies
```bash
sudo apt update && sudo apt install certbot -y
```
## Get the Certificate
```bash
sudo certbot certonly --manual --preferred-challenges dns-01 --email senpai@email.com -d mydomain.duckdns.org
```
After you accept that you are okay with you IP address being logged, it will prompt you with updating your dns record. You need to create a new `TXT` record in the DNS settings for your domain.
For DuckDNS users it is as simple as entering this URL in their browser:
```
http://duckdns.org/update?domains=mydomain&token=duckdnstoken&txt=certbotdnstxt
```
Where `mydomain` is your DuckDNS domain, `duckdnstoken` is your DuckDNS Token ( Found on the dashboard when you login) and `certbotdnstxt` is the TXT record value given by the prompt.
You can check if the TXT records have been updated by using the `dig` command:
```bash
dig navanspi.duckdns.org TXT
; <<>> DiG 9.16.1-Ubuntu <<>> navanspi.duckdns.org TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27592
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;navanspi.duckdns.org. IN TXT
;; ANSWER SECTION:
navanspi.duckdns.org. 60 IN TXT "4OKbijIJmc82Yv2NiGVm1RmaBHSCZ_230qNtj9YA-qk"
;; Query time: 275 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Nov 17 15:23:15 IST 2020
;; MSG SIZE rcvd: 105
```
DuckDNS almost instantly propagates the changes but for other domain hosts, it could take a while.
Once you can ensure that the TXT record changes has been successfully applied and is visible through the `dig` command, press enter on the Certbot prompt and your certificate should be generated.
## Renewing
As we manually generated the certificate `certbot renew` will fail, to renew the certificate you need to simply re-generate the certificate using the above steps.
## Using the Certificate with Gunicorn
Example Gunicorn command for running a web-app:
```bash
gunicorn api:app -k uvicorn.workers.UvicornWorker -b 0.0.0.0:7589
```
To use the certificate with it, simply copy the `cert.pem` and `privkey.pem` to your working directory ( change the appropriate permissions ) and include them in the command
```bash
gunicorn api:app -k uvicorn.workers.UvicornWorker -b 0.0.0.0:7589 --certfile=cert.pem --keyfile=privkey.pem
```
Caveats with copying the certificate: If you renew the certificate you will have to re-copy the files
|
