1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
|
<!DOCTYPE html>
<html lang="en">
<head>
<link rel="stylesheet" href="/assets/main.css" />
<link rel="stylesheet" href="/assets/sakura.css" />
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Hey - Post - Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt</title>
<meta name="og:site_name" content="Navan Chauhan" />
<link rel="canonical" href="https://web.navan.dev/" />
<meta name="twitter:url" content="https://web.navan.dev/" />
<meta name="og:url" content="https://web.navan.dev/" />
<meta name="twitter:title" content="Hey - Post - Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt" />
<meta name="og:title" content="Hey - Post - Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt" />
<meta name="description" content=" Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS. " />
<meta name="twitter:description" content=" Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS. " />
<meta name="og:description" content=" Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS. " />
<meta name="twitter:card" content=" Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS. " />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="shortcut icon" href="/images/favicon.png" type="image/png" />
<link rel="alternate" href="/feed.rss" type="application/rss+xml" title="Subscribe to Navan Chauhan" />
<meta name="twitter:image" content="https://web.navan.dev/images/logo.png" />
<meta name="og:image" content="https://web.navan.dev/images/logo.png" />
<link rel="manifest" href="manifest.json" />
<meta name="google-site-verification" content="LVeSZxz-QskhbEjHxOi7-BM5dDxTg53x2TwrjFxfL0k" />
<script async src="//gc.zgo.at/count.js" data-goatcounter="https://navanchauhan.goatcounter.com/count"></script>
<script defer data-domain="web.navan.dev" src="https://plausible.io/js/plausible.js"></script>
</head>
<body>
<nav style="display: block;">
|
<a href="/">home</a> |
<a href="/about/">about/links</a> |
<a href="/posts/">posts</a> |
<a href="/publications/">publications</a> |
<a href="/repo/">iOS repo</a> |
<a href="/feed.rss">RSS Feed</a> |
</nav>
<main>
<h1>Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt</h1>
<p>I have a Raspberry-Pi running a Flask app through Gunicorn (Ubuntu 20.04 LTS). I am exposing it to the internet using DuckDNS.</p>
<h2>Dependencies</h2>
<div class="codehilite"><pre><span></span><code>sudo apt update <span class="o">&&</span> sudo apt install certbot -y
</code></pre></div>
<h2>Get the Certificate</h2>
<div class="codehilite"><pre><span></span><code>sudo certbot certonly --manual --preferred-challenges dns-01 --email senpai@email.com -d mydomain.duckdns.org
</code></pre></div>
<p>After you accept that you are okay with you IP address being logged, it will prompt you with updating your dns record. You need to create a new <code>TXT</code> record in the DNS settings for your domain.</p>
<p>For DuckDNS users it is as simple as entering this URL in their browser:</p>
<pre><code>http://duckdns.org/update?domains=mydomain&token=duckdnstoken&txt=certbotdnstxt
</code></pre>
<p>Where <code>mydomain</code> is your DuckDNS domain, <code>duckdnstoken</code> is your DuckDNS Token ( Found on the dashboard when you login) and <code>certbotdnstxt</code> is the TXT record value given by the prompt.</p>
<p>You can check if the TXT records have been updated by using the <code>dig</code> command:</p>
<div class="codehilite"><pre><span></span><code>dig navanspi.duckdns.org TXT
<span class="p">;</span> <<>> DiG <span class="m">9</span>.16.1-Ubuntu <<>> navanspi.duckdns.org TXT
<span class="p">;;</span> global options: +cmd
<span class="p">;;</span> Got answer:
<span class="p">;;</span> ->>HEADER<span class="s"><<- opco</span>de: QUERY, status: NOERROR, id: <span class="m">27592</span>
<span class="p">;;</span> flags: qr rd ra<span class="p">;</span> QUERY: <span class="m">1</span>, ANSWER: <span class="m">1</span>, AUTHORITY: <span class="m">0</span>, ADDITIONAL: <span class="m">1</span>
<span class="p">;;</span> OPT PSEUDOSECTION:
<span class="p">;</span> EDNS: version: <span class="m">0</span>, flags:<span class="p">;</span> udp: <span class="m">65494</span>
<span class="p">;;</span> QUESTION SECTION:
<span class="p">;</span>navanspi.duckdns.org. IN TXT
<span class="p">;;</span> ANSWER SECTION:
navanspi.duckdns.org. <span class="m">60</span> IN TXT <span class="s2">"4OKbijIJmc82Yv2NiGVm1RmaBHSCZ_230qNtj9YA-qk"</span>
<span class="p">;;</span> Query time: <span class="m">275</span> msec
<span class="p">;;</span> SERVER: <span class="m">127</span>.0.0.53#53<span class="o">(</span><span class="m">127</span>.0.0.53<span class="o">)</span>
<span class="p">;;</span> WHEN: Tue Nov <span class="m">17</span> <span class="m">15</span>:23:15 IST <span class="m">2020</span>
<span class="p">;;</span> MSG SIZE rcvd: <span class="m">105</span>
</code></pre></div>
<p>DuckDNS almost instantly propagates the changes but for other domain hosts, it could take a while. </p>
<p>Once you can ensure that the TXT record changes has been successfully applied and is visible through the <code>dig</code> command, press enter on the Certbot prompt and your certificate should be generated.</p>
<h2>Renewing</h2>
<p>As we manually generated the certificate <code>certbot renew</code> will fail, to renew the certificate you need to simply re-generate the certificate using the above steps.</p>
<h2>Using the Certificate with Gunicorn</h2>
<p>Example Gunicorn command for running a web-app:</p>
<div class="codehilite"><pre><span></span><code>gunicorn api:app -k uvicorn.workers.UvicornWorker -b <span class="m">0</span>.0.0.0:7589
</code></pre></div>
<p>To use the certificate with it, simply copy the <code>cert.pem</code> and <code>privkey.pem</code> to your working directory ( change the appropriate permissions ) and include them in the command</p>
<div class="codehilite"><pre><span></span><code>gunicorn api:app -k uvicorn.workers.UvicornWorker -b <span class="m">0</span>.0.0.0:7589 --certfile<span class="o">=</span>cert.pem --keyfile<span class="o">=</span>privkey.pem
</code></pre></div>
<p>Caveats with copying the certificate: If you renew the certificate you will have to re-copy the files</p>
<div class="commentbox"></div>
<script src="https://unpkg.com/commentbox.io/dist/commentBox.min.js"></script>
<script>commentBox('5650347917836288-proj')</script>
</main>
<script src="assets/manup.min.js"></script>
<script src="/pwabuilder-sw-register.js"></script>
</body>
</html>
|
