How to configure Let's Encrypt with closed ports 80 and 443

This entry was originally written by @albrechtar in this GitHub question in 2017.

How to get SSL certificates without using Certbot (in case you need to use alternate ports on your instance of NextCloudPi)

You would need to then manually update your SSL certs on your instance of NextCloudPi.

  1. You will need a domain name that lets you point to other name servers and edit the DNS records. I purchased my own (most free third-level domains will not allow this), so I recommend you go to namecheap.com and purchase a domain name (they have them for as low as 2.09 for the first year). Then proceed to dynu.com, sign up, and click the little gear in the top right; it takes you to your control panel (Screenshot 1). You will also need to go back to namecheap (or wherever you got your domain name) and add Dynu's name servers. Dynu has easy-to-follow tutorials and instructions if you are unable to figure this out.
  • Click DDNS Services.
  • Click Add.
  • If you have your own domain, use it on the right (Screenshot 2).
  • Enter your public IP address (I used X to block mine; you would enter your full IP address) and click Save.
  • Just to the right you will see a cup with pencils in it labelled DNS Records; click it (Screenshot 3, Screenshot 4).
  2. Open another tab in your browser and go to zerossl.com (Screenshot 5).
  • On the left side, click Certificates and Tools (Screenshot 6).
  • Click Start under the free SSL Certificate Wizard (Screenshot 7).
  • Enter your email address and your domain name (yourdomain.com), select DNS Verification, accept the TOS and SA, and click Next (Screenshot 8).
  • You will be asked whether to include a www. prefix; select Yes.
  • You will see that the system has generated the CSR (Screenshot 9).
  • Click Next and the system will generate the key (Screenshot 10).
  • Click the download icon and download both the CSR and the KEY (Screenshot 11).
  • Click Next; the page now shows the TXT records you must publish (Screenshot 12).
  • Now go back to your Dynu page (remember we left it open) and continue with step 3.
  3. Once you are back on your Dynu page you will notice four fields (Node Name, Type, TTL, and Hostname; Screenshot 13). Follow these steps:
  • Change Type to TXT - Text.
  • In Node Name, paste the TXT record name for your domain from your ZeroSSL page.
  • Paste the value field from ZeroSSL into the text field on your Dynu page (Screenshot 13). TTL can stay at 90.
  • Repeat the previous two bullets for the other entry (there are two: one for www. and one for just your domain).
  • SSH into your Pi and type nslookup -q=TXT XXX, where XXX is one of the record names you just pasted into Node Name.
  • It will only take a minute or two; when you run that nslookup again it will show you that it sees the record (I don't recall the exact wording, but it was obvious).
  • Go back to ZeroSSL and click Next. Once it verifies the records, it will issue your account key and your domain .crt files.
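Re-running nslookup by hand until the record shows up, as the step above describes, works but makes it easy to click Next too early or to misread a partial match. The script below is an added example, not part of the original article, that polls DNS until the exact TXT value from ZeroSSL is visible under the record name and then exits. It assumes dig is installed on the Pi (package dnsutils on Raspbian) and that the record name and value are copied from the ZeroSSL page (for ACME DNS-01 validation the name has the form _acme-challenge.yourdomain.com); the lookup function is separated out so it can be swapped for nslookup or checked against constructed data.

```shell
#!/bin/sh
# Added example (not from the original article): wait until the TXT record
# you pasted into Dynu is visible in DNS before clicking Next on ZeroSSL.
# Assumptions: dig is installed (package dnsutils); the record name and value
# are copied from the ZeroSSL page (ACME DNS-01 uses _acme-challenge.<domain>).

# lookup_txt NAME -> prints every TXT value currently published for NAME,
# one per line, with the surrounding quotes removed.
lookup_txt() {
    dig +short TXT "$1" | tr -d '"'
}

# txt_present NAME EXPECTED [LOOKUP] -> 0 if EXPECTED is exactly one of the
# values LOOKUP prints for NAME, 1 otherwise. Whole-line, fixed-string match,
# so a partial or differently quoted value is not mistaken for success.
txt_present() {
    "${3:-lookup_txt}" "$1" | grep -qxF -- "$2"
}

# wait_for_txt NAME EXPECTED [TIMEOUT] [INTERVAL] [LOOKUP] -> polls until the
# record is present (returns 0) or TIMEOUT seconds have passed (returns 1).
# With Dynu's TTL of 90 s a new record can take a minute or two to show up.
wait_for_txt() {
    name=$1; expected=$2
    timeout=${3:-300}; interval=${4:-15}; lookup=${5:-lookup_txt}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if txt_present "$name" "$expected" "$lookup"; then
            echo "TXT record for $name is visible after ${elapsed}s"
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    echo "gave up after ${timeout}s: $name does not yet show $expected" >&2
    return 1
}

# Usage: sh wait_txt.sh _acme-challenge.yourdomain.com 'value-from-zerossl'
# Run it once per record; ZeroSSL issues one for the bare domain and one for www.
if [ "$#" -ge 2 ]; then
    wait_for_txt "$1" "$2"
fi
```

Run it once for each of the two records before returning to ZeroSSL; a 0 exit status means the resolver the Pi uses already sees the exact value, which is the same condition ZeroSSL's validation checks.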

Once you have these files you have your SSL certificate, and you will need to put it in the correct folder on your instance of NextCloudPi. This folder is defined in /etc/apache2/sites-available/nextcloud.conf.

By default the certificate and key live under /etc/ssl:

...
SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
...
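Editing the two snakeoil lines by hand is all the article asks for, but it is worth checking first that the .crt and the key ZeroSSL gave you actually belong together, that the key file is not readable by other users on the Pi, and that the certificate is not about to expire (you will be repeating this procedure by hand every time it runs out). The script below is an added example, not NextCloudPi project code, that does those checks and then rewrites only the SSLCertificateFile and SSLCertificateKeyFile values in the vhost file named above. It assumes placeholder paths for the new files (/etc/ssl/certs/yourdomain.crt and /etc/ssl/private/yourdomain.key), that openssl is installed, and that Apache is managed by systemd as on Raspbian.

```shell
#!/bin/sh
# Added example (not NextCloudPi project code): check the ZeroSSL files and
# point nextcloud.conf at them. The new cert/key paths are placeholders you
# supply; the vhost path is the one the article names.
CONF=${CONF:-/etc/apache2/sites-available/nextcloud.conf}

# cert_matches_key CERT KEY -> 0 only if the public key embedded in CERT is
# the one derived from KEY, i.e. Apache will be able to use the pair.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_ok_for_days CERT DAYS -> 0 if CERT is still valid DAYS days from now.
# These certificates are short-lived, so check before installing and again
# when you renew by hand.
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_is_private KEY -> 0 if only the owner (and at most the group, as Debian
# does with root:ssl-cert) can read the private key. A world-readable key
# lets any local process impersonate your NextCloud.
key_is_private() {
    perms=$(stat -c %a "$1") || return 1
    case "$perms" in
        600|400|640|440) return 0 ;;
        *) echo "$1 has mode $perms; run: chmod 600 $1" >&2; return 1 ;;
    esac
}

# rewrite_ssl_directives CONF CERT KEY -> prints CONF with only the two
# directive values replaced; indentation and every other line are kept.
rewrite_ssl_directives() {
    awk -v cert="$2" -v key="$3" '
        /^[ \t]*SSLCertificateFile[ \t]+/ {
            match($0, /^[ \t]*SSLCertificateFile[ \t]+/)
            $0 = substr($0, 1, RLENGTH) cert
        }
        /^[ \t]*SSLCertificateKeyFile[ \t]+/ {
            match($0, /^[ \t]*SSLCertificateKeyFile[ \t]+/)
            $0 = substr($0, 1, RLENGTH) key
        }
        { print }
    ' "$1"
}

# install_cert CERT KEY -> runs the checks, backs up the vhost, rewrites it,
# and reloads Apache only if the new configuration parses.
install_cert() {
    cert_matches_key "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
    key_is_private "$2" || return 1
    cert_ok_for_days "$1" 1 || { echo "certificate is expired or expires today" >&2; return 1; }
    tmp=$(mktemp) || return 1
    rewrite_ssl_directives "$CONF" "$1" "$2" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp -p "$CONF" "$CONF.bak" && cat "$tmp" > "$CONF"
    rm -f "$tmp"
    apache2ctl configtest && systemctl reload apache2
}

# Usage (as root):
#   sh install_cert.sh /etc/ssl/certs/yourdomain.crt /etc/ssl/private/yourdomain.key
if [ "$#" -ge 2 ]; then
    install_cert "$1" "$2"
fi
```

The rewrite touches only the two directives, so any other lines in nextcloud.conf (ports, ServerName, headers) survive, and the backup in nextcloud.conf.bak lets you swap back to the snakeoil pair if the reload fails.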

Screenshots

Screenshot 1

Screenshot 2

Screenshot 3

Screenshot 4

Screenshot 5

Screenshot 6

Screenshot 7

Screenshot 8

Screenshot 9

Screenshot 10

Screenshot 11

Screenshot 12


:white_check_mark: This article’s images have been re-uploaded

Hmm, images not working for me. Anyone else?

Hmm, they’re working for me if you mean the images under Screenshots?

Edit: I added an escape character before the pipeline, are the images working now?

Ah, they are working! Slow to render, but now visible.

The article is missing formatting, so I replaced 3b) with an actual markdown list.

Could use further refinement, but I’m not able to follow it as a wall of text.

Also, seems the screenshots are supposed to be inserted through as opposed to a massive list at the end, so need to add formatting on that.

Thoughts? I'll try to take more time on this in the coming minutes. I can revert to the previous edit if you don't like this formatting, but some level of formatting is certainly needed to make this easier to follow.


Yes, the images definitely should be moved to their respective places in the article :slightly_smiling_face: I don't know, but if I'm not completely off on my memory, I simply placed the images in the article since I wasn't sure where they are supposed to go.

Edit: yes, I just checked the GitHub question and the images are in one post, so I most likely uploaded them all in one section.