| 1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
 | <!DOCTYPE html>
<html lang="en">
<head>
    
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta http-equiv="content-type" content="text/html; charset=utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1">
    <meta name="theme-color" content="#6a9fb5">
    <title>Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt</title>
    <!--
    <link rel="stylesheet" href="https://unpkg.com/latex.css/style.min.css" /> 
    -->
    <link rel="stylesheet" href="/assets/c-hyde.css" />
    <link rel="stylesheet" href="http://fonts.googleapis.com/css?family=PT+Sans:400,400italic,700|Abril+Fatface">
    <link rel="stylesheet" href="/assets/main.css" />
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="og:site_name" content="Navan Chauhan" />
    <link rel="canonical" href="https://web.navan.dev/posts/2020-11-17-Lets-Encrypt-DuckDns.html" />
    <meta name="twitter:url" content="https://web.navan.dev/posts/2020-11-17-Lets-Encrypt-DuckDns.html" />
    <meta name="og:url" content="https://web.navan.dev/posts/2020-11-17-Lets-Encrypt-DuckDns.html" />
    <meta name="twitter:title" content="Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt" />
    <meta name="og:title" content="Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt" />
    <meta name="description" content="Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS." />
    <meta name="twitter:description" content="Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS." />
    <meta name="og:description" content="Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS." />
    <meta name="twitter:card" content="summary_large_image" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <link rel="shortcut icon" href="/images/favicon.png" type="image/png" />
    <link rel="alternate" href="/feed.rss" type="application/rss+xml" title="Subscribe to Navan Chauhan" />
    <meta name="twitter:image" content="https://web.navan.dev/images/opengraph/posts/2020-11-17-Lets-Encrypt-DuckDns.png" />
    <meta name="og:image" content="https://web.navan.dev/images/opengraph/posts/2020-11-17-Lets-Encrypt-DuckDns.png" />
    <meta name="google-site-verification" content="LVeSZxz-QskhbEjHxOi7-BM5dDxTg53x2TwrjFxfL0k" />
    <script data-goatcounter="https://navanchauhan.goatcounter.com/count"
        async src="//gc.zgo.at/count.js"></script>
    <script defer data-domain="web.navan.dev" src="https://plausible.io/js/plausible.js"></script>
    <link rel="manifest" href="/manifest.json" />
    
</head>
<body class="theme-base-0d">
    <div class="sidebar">
    <div class="container sidebar-sticky">
        <div class="sidebar-about">
            <h1><a href="/">Navan</a></h1>
            <p class="lead" id="random-lead">Alea iacta est.</p>
        </div>
        <ul class="sidebar-nav">
            <li><a class="sidebar-nav-item" href="/about/">about/links</a></li>
            <li><a class="sidebar-nav-item" href="/posts/">posts</a></li>
            <li><a class="sidebar-nav-item" href="/3D-Designs/">3D designs</a></li>
            <li><a class="sidebar-nav-item" href="/feed.rss">RSS Feed</a></li>
            <li><a class="sidebar-nav-item" href="/colophon/">colophon</a></li>
        </ul>
        <div class="copyright"><p>© 2019-2024. Navan Chauhan <br> <a href="/feed.rss">RSS</a></p></div>
    </div>
</div>
<script>
let phrases = [
    "Something Funny", "Veni, vidi, vici", "Alea iacta est", "In vino veritas", "Acta, non verba", "Castigat ridendo mores",
    "Cui bono?", "Memento vivere", "अहम् ब्रह्मास्मि", "अनुगच्छतु प्रवाहं", "चरन्मार्गान्विजानाति", "coq de cheval", "我愛啤酒"
    ];
let new_phrase = phrases[Math.floor(Math.random()*phrases.length)];
let lead = document.getElementById("random-lead");
lead.innerText = new_phrase;
</script>
    <div class="content container">
    
	<div class="post">
	<h1 id="generating-https-certificate-using-dns-a-challenge-through-lets-encrypt">Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt</h1>
<p>I have a Raspberry-Pi running a Flask app through Gunicorn (Ubuntu 20.04 LTS). I am exposing it to the internet using DuckDNS.</p>
<h2 id="dependencies">Dependencies</h2>
<div class="codehilite">
<pre><span></span><code>sudo<span class="w"> </span>apt<span class="w"> </span>update<span class="w"> </span><span class="o">&&</span><span class="w"> </span>sudo<span class="w"> </span>apt<span class="w"> </span>install<span class="w"> </span>certbot<span class="w"> </span>-y
</code></pre>
</div>
<h2 id="get-the-certificate">Get the Certificate</h2>
<div class="codehilite">
<pre><span></span><code>sudo<span class="w"> </span>certbot<span class="w"> </span>certonly<span class="w"> </span>--manual<span class="w"> </span>--preferred-challenges<span class="w"> </span>dns-01<span class="w"> </span>--email<span class="w"> </span>senpai@email.com<span class="w"> </span>-d<span class="w"> </span>mydomain.duckdns.org
</code></pre>
</div>
<p>After you accept that you are okay with you IP address being logged, it will prompt you with updating your dns record. You need to create a new <code>TXT</code> record in the DNS settings for your domain.</p>
<p>For DuckDNS users it is as simple as  entering this URL in their browser:</p>
<pre><code>http://duckdns.org/update?domains=mydomain&token=duckdnstoken&txt=certbotdnstxt
</code></pre>
<p>Where <code>mydomain</code> is your DuckDNS domain, <code>duckdnstoken</code> is your DuckDNS Token ( Found on the dashboard when you login) and <code>certbotdnstxt</code> is the TXT record value given by the prompt.</p>
<p>You can check if the TXT records have been updated by using the <code>dig</code> command:</p>
<div class="codehilite">
<pre><span></span><code>dig<span class="w"> </span>navanspi.duckdns.org<span class="w"> </span>TXT
<span class="p">;</span><span class="w"> </span><<>><span class="w"> </span>DiG<span class="w"> </span><span class="m">9</span>.16.1-Ubuntu<span class="w"> </span><<>><span class="w"> </span>navanspi.duckdns.org<span class="w"> </span>TXT
<span class="p">;;</span><span class="w"> </span>global<span class="w"> </span>options:<span class="w"> </span>+cmd
<span class="p">;;</span><span class="w"> </span>Got<span class="w"> </span>answer:
<span class="p">;;</span><span class="w"> </span>->>HEADER<span class="s"><<- opco</span>de:<span class="w"> </span>QUERY,<span class="w"> </span>status:<span class="w"> </span>NOERROR,<span class="w"> </span>id:<span class="w"> </span><span class="m">27592</span>
<span class="p">;;</span><span class="w"> </span>flags:<span class="w"> </span>qr<span class="w"> </span>rd<span class="w"> </span>ra<span class="p">;</span><span class="w"> </span>QUERY:<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>ANSWER:<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>AUTHORITY:<span class="w"> </span><span class="m">0</span>,<span class="w"> </span>ADDITIONAL:<span class="w"> </span><span class="m">1</span>
<span class="p">;;</span><span class="w"> </span>OPT<span class="w"> </span>PSEUDOSECTION:
<span class="p">;</span><span class="w"> </span>EDNS:<span class="w"> </span>version:<span class="w"> </span><span class="m">0</span>,<span class="w"> </span>flags:<span class="p">;</span><span class="w"> </span>udp:<span class="w"> </span><span class="m">65494</span>
<span class="p">;;</span><span class="w"> </span>QUESTION<span class="w"> </span>SECTION:
<span class="p">;</span>navanspi.duckdns.org.<span class="w">        </span>IN<span class="w">    </span>TXT
<span class="p">;;</span><span class="w"> </span>ANSWER<span class="w"> </span>SECTION:
navanspi.duckdns.org.<span class="w">    </span><span class="m">60</span><span class="w">    </span>IN<span class="w">    </span>TXT<span class="w">    </span><span class="s2">"4OKbijIJmc82Yv2NiGVm1RmaBHSCZ_230qNtj9YA-qk"</span>
<span class="p">;;</span><span class="w"> </span>Query<span class="w"> </span>time:<span class="w"> </span><span class="m">275</span><span class="w"> </span>msec
<span class="p">;;</span><span class="w"> </span>SERVER:<span class="w"> </span><span class="m">127</span>.0.0.53#53<span class="o">(</span><span class="m">127</span>.0.0.53<span class="o">)</span>
<span class="p">;;</span><span class="w"> </span>WHEN:<span class="w"> </span>Tue<span class="w"> </span>Nov<span class="w"> </span><span class="m">17</span><span class="w"> </span><span class="m">15</span>:23:15<span class="w"> </span>IST<span class="w"> </span><span class="m">2020</span>
<span class="p">;;</span><span class="w"> </span>MSG<span class="w"> </span>SIZE<span class="w">  </span>rcvd:<span class="w"> </span><span class="m">105</span>
</code></pre>
</div>
<p>DuckDNS almost instantly propagates the changes but for other domain hosts, it could take a while. </p>
<p>Once you can ensure that the TXT record changes has been successfully applied and is visible through the <code>dig</code> command, press enter on the Certbot prompt and your certificate should be generated.</p>
<h2 id="renewing">Renewing</h2>
<p>As we manually generated the certificate <code>certbot renew</code> will fail, to renew the certificate you need to simply re-generate the certificate using the above steps.</p>
<h2 id="using-the-certificate-with-gunicorn">Using the Certificate with Gunicorn</h2>
<p>Example Gunicorn command for running a web-app:</p>
<div class="codehilite">
<pre><span></span><code>gunicorn<span class="w"> </span>api:app<span class="w"> </span>-k<span class="w"> </span>uvicorn.workers.UvicornWorker<span class="w"> </span>-b<span class="w"> </span><span class="m">0</span>.0.0.0:7589
</code></pre>
</div>
<p>To use the certificate with it, simply copy the <code>cert.pem</code> and <code>privkey.pem</code> to your working directory ( change the appropriate permissions ) and include them in the command</p>
<div class="codehilite">
<pre><span></span><code>gunicorn<span class="w"> </span>api:app<span class="w"> </span>-k<span class="w"> </span>uvicorn.workers.UvicornWorker<span class="w"> </span>-b<span class="w"> </span><span class="m">0</span>.0.0.0:7589<span class="w"> </span>--certfile<span class="o">=</span>cert.pem<span class="w"> </span>--keyfile<span class="o">=</span>privkey.pem
</code></pre>
</div>
<p>Caveats with copying the certificate: If you renew the certificate you will have to re-copy the files</p>
	</div>
	<blockquote>If you have scrolled this far, consider subscribing to my mailing list <a href="https://listmonk.navan.dev/subscription/form">here.</a> You can subscribe to either a specific type of post you are interested in, or subscribe to everything with the "Everything" list.</blockquote>
	<script data-isso="https://comments.navan.dev/"
        src="https://comments.navan.dev/js/embed.min.js"></script>
	<section id="isso-thread">
	    <noscript>Javascript needs to be activated to view comments.</noscript>
	</section>
    </div>
    <script src="assets/manup.min.js"></script>
    <script src="/pwabuilder-sw-register.js"></script>    
</body>
</html>
 |