1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"/><meta name="og:site_name" content="Navan Chauhan"/><link rel="canonical" href="https://navanchauhan.github.io/posts/2020-11-17-Lets-Encrypt-DuckDns"/><meta name="twitter:url" content="https://navanchauhan.github.io/posts/2020-11-17-Lets-Encrypt-DuckDns"/><meta name="og:url" content="https://navanchauhan.github.io/posts/2020-11-17-Lets-Encrypt-DuckDns"/><title>Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt | Navan Chauhan</title><meta name="twitter:title" content="Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt | Navan Chauhan"/><meta name="og:title" content="Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt | Navan Chauhan"/><meta name="description" content="Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS."/><meta name="twitter:description" content="Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS."/><meta name="og:description" content="Short code-snippet to generate HTTPS certificates using the DNS Challenge through Lets Encrypt for a web-server using DuckDNS."/><meta name="twitter:card" content="summary"/><link rel="stylesheet" href="/styles.css" type="text/css"/><meta name="viewport" content="width=device-width, initial-scale=1.0"/><link rel="shortcut icon" href="/images/favicon.png" type="image/png"/><link rel="alternate" href="/feed.rss" type="application/rss+xml" title="Subscribe to Navan Chauhan"/><meta name="twitter:image" content="https://navanchauhan.github.io/images/logo.png"/><meta name="og:image" content="https://navanchauhan.github.io/images/logo.png"/></head><head><script async src="//gc.zgo.at/count.js" data-goatcounter="https://navanchauhan.goatcounter.com/count"></script></head><body class="item-page"><header><div class="wrapper"><a class="site-name" href="/">Navan Chauhan</a><nav><ul><li><a href="/about">About Me</a></li><li><a class="selected" href="/posts">Posts</a></li><li><a href="/publications">Publications</a></li><li><a href="/assets/résumé.pdf">Résumé</a></li><li><a href="https://navanchauhan.github.io/repo">Repo</a></li></ul></nav></div></header><div class="wrapper"><article><div class="content"><span class="reading-time">3 minute read</span><span class="reading-time">Created on November 17, 2020</span><h1>Generating HTTPS Certificate using DNS a Challenge through Let's Encrypt</h1><p>I have a Raspberry-Pi running a Flask app through Gunicorn (Ubuntu 20.04 LTS). I am exposing it to the internet using DuckDNS.</p><h2>Dependencies</h2><pre><code><div class="highlight"><span></span>sudo apt update <span class="o">&&</span> sudo apt install certbot -y
</div></code></pre><h2>Get the Certificate</h2><pre><code><div class="highlight"><span></span>sudo certbot certonly --manual --preferred-challenges dns-01 --email senpai@email.com -d mydomain.duckdns.org
</div></code></pre><p>After you accept that you are okay with you IP address being logged, it will prompt you with updating your dns record. You need to create a new <code>TXT</code> record in the DNS settings for your domain.</p><p>For DuckDNS users it is as simple as entering this URL in their browser:</p><pre><code><div class="highlight"><span></span>http://duckdns.org/update?domains<span class="o">=</span>mydomain<span class="p">&</span><span class="nv">token</span><span class="o">=</span>duckdnstoken<span class="p">&</span><span class="nv">txt</span><span class="o">=</span>certbotdnstxt
</div></code></pre><p>Where <code>mydomain</code> is your DuckDNS domain, <code>duckdnstoken</code> is your DuckDNS Token ( Found on the dashboard when you login) and <code>certbotdnstxt</code> is the TXT record value given by the prompt.</p><p>You can check if the TXT records have been updated by using the <code>dig</code> command:</p><pre><code><div class="highlight"><span></span>dig navanspi.duckdns.org TXT
<span class="p">;</span> <<>> DiG <span class="m">9</span>.16.1-Ubuntu <<>> navanspi.duckdns.org TXT
<span class="p">;;</span> global options: +cmd
<span class="p">;;</span> Got answer:
<span class="p">;;</span> ->>HEADER<span class="s"><<- opco</span>de: QUERY, status: NOERROR, id: <span class="m">27592</span>
<span class="p">;;</span> flags: qr rd ra<span class="p">;</span> QUERY: <span class="m">1</span>, ANSWER: <span class="m">1</span>, AUTHORITY: <span class="m">0</span>, ADDITIONAL: <span class="m">1</span>
<span class="p">;;</span> OPT PSEUDOSECTION:
<span class="p">;</span> EDNS: version: <span class="m">0</span>, flags:<span class="p">;</span> udp: <span class="m">65494</span>
<span class="p">;;</span> QUESTION SECTION:
<span class="p">;</span>navanspi.duckdns.org. IN TXT
<span class="p">;;</span> ANSWER SECTION:
navanspi.duckdns.org. <span class="m">60</span> IN TXT <span class="s2">"4OKbijIJmc82Yv2NiGVm1RmaBHSCZ_230qNtj9YA-qk"</span>
<span class="p">;;</span> Query time: <span class="m">275</span> msec
<span class="p">;;</span> SERVER: <span class="m">127</span>.0.0.53#53<span class="o">(</span><span class="m">127</span>.0.0.53<span class="o">)</span>
<span class="p">;;</span> WHEN: Tue Nov <span class="m">17</span> <span class="m">15</span>:23:15 IST <span class="m">2020</span>
<span class="p">;;</span> MSG SIZE rcvd: <span class="m">105</span>
</div></code></pre><p>DuckDNS almost instantly propagates the changes but for other domain hosts, it could take a while.</p><p>Once you can ensure that the TXT record changes has been successfully applied and is visible through the <code>dig</code> command, press enter on the Certbot prompt and your certificate should be generated.</p><h2>Renewing</h2><p>As we manually generated the certificate <code>certbot renew</code> will fail, to renew the certificate you need to simply re-generate the certificate using the above steps.</p><h2>Using the Certificate with Gunicorn</h2><p>Example Gunicorn command for running a web-app:</p><pre><code><div class="highlight"><span></span>gunicorn api:app -k uvicorn.workers.UvicornWorker -b <span class="m">0</span>.0.0.0:7589
</div></code></pre><p>To use the certificate with it, simply copy the <code>cert.pem</code> and <code>privkey.pem</code> to your working directory ( change the appropriate permissions ) and include them in the command</p><pre><code><div class="highlight"><span></span>gunicorn api:app -k uvicorn.workers.UvicornWorker -b <span class="m">0</span>.0.0.0:7589 --certfile<span class="o">=</span>cert.pem --keyfile<span class="o">=</span>privkey.pem
</div></code></pre><p>Caveats with copying the certificate: If you renew the certificate you will have to re-copy the files</p></div><span>Tagged with: </span><ul class="tag-list"><li><a href="/tags/tutorial">Tutorial</a></li><li><a href="/tags/codesnippet">Code-Snippet</a></li><li><a href="/tags/webdevelopment">Web-Development</a></li></ul></article></div><footer><p>Made with ❤️ using <a href="https://github.com/johnsundell/publish">Publish</a></p><p><a href="/feed.rss">RSS feed</a></p></footer></body></html>
|
