How to use http instead of dns challenge with certbot

Hi,

I am running nextcloudpi on an odroid xu4, all up to date.

I am trying to get this to work http://docs.nextcloudpi.com/en/latest/Configure/How-to-get-certificate-with-Letsencrypt-using-DNS-to-verify-domain/ to get around the need to use port 80 + 443 every month for letsencrypt.

But my domain provider (freedns) doesn’t let me use a subdomain starting with a _

I tried using http instead of dns in this command:
sudo certbot -d yourNCP.domain.tld --manual --preferred-challenges dns certonly
and I got to this step in certbot

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

redacted

And make it available on your web server at this URL:

http://subdomain.ignorelist.com/.well-known/acme-challenge/redacted

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

So now I need to find my webroot on the odroid, and put the file in the specified location? How exactly would I do that?

Thanks in advance,
Fritz

When using http instead of dns for the challenge:

Your webroot should be

/var/www/nextcloud

so create folders .well-known/ and acme-challenge/ with

sudo mkdir /var/www/nextcloud/.well-known

and

sudo mkdir /var/www/nextcloud/.well-known/acme-challenge

Then create the file with

sudo nano /var/www/nextcloud/.well-known/acme-challenge/name-is-name-given-by-certbot-link

and copy/paste the code generated by certbot in as the content of the file, save and exit.

In terminal you can use Ctrl+Shift+C or V to copy/paste the long strings used by certbot for the challenge. Both file name and content are randomly generated strings.

I usually visit the link, to check it works, before hitting enter in terminal.

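The steps in the reply above (create the two directories under the webroot, write the token file, check it before pressing Enter) as a small POSIX shell script. This is an added example, not code from the thread or from NextcloudPi; the webroot, token and content are placeholders passed as arguments, the real values come from certbot's prompt, and on the actual box it has to run with sudo because /var/www/nextcloud is root-owned.

```shell
#!/bin/sh
# Added example (not from the thread): place an HTTP-01 challenge token under the
# Nextcloud webroot and confirm it reads back exactly.
# Assumptions: WEBROOT is /var/www/nextcloud on NextcloudPi; TOKEN and CONTENT are
# the file name and file body certbot prints in its "Create a file containing" box.

# place_challenge WEBROOT TOKEN CONTENT
# Creates WEBROOT/.well-known/acme-challenge/TOKEN containing CONTENT.
# Directories get 755 and the file 644 so the Apache worker (www-data) can read
# them; a stricter mode makes the validation fetch fail with 403.
place_challenge() {
    webroot=$1; token=$2; content=$3
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    chmod 755 "$webroot/.well-known" "$dir"
    # printf, not echo: no trailing newline and no escape interpretation of the token
    printf '%s' "$content" > "$dir/$token"
    chmod 644 "$dir/$token"
}

# challenge_ok WEBROOT TOKEN CONTENT -> exit 0 only if the stored file matches CONTENT byte for byte
challenge_ok() {
    f="$1/.well-known/acme-challenge/$2"
    [ -f "$f" ] && [ "$(cat "$f")" = "$3" ]
}

# challenge_url HOST TOKEN -> the URL the ACME server will fetch.
# It is always plain http on port 80; no custom port can be given, which is why the
# port forward on 8443 in the thread does not help for validation.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# Usage on the real host (values are placeholders):
#   sudo sh -c '. ./place.sh; place_challenge /var/www/nextcloud TOKEN CONTENT'
#   curl -s "$(challenge_url subdomain.ignorelist.com TOKEN)"   # should print CONTENT
```

Fetching the URL from outside (the curl line in the comment) before pressing Enter in certbot is the same check the reply above recommends doing in a browser; if it does not print the content, fix the webroot or the rewrite rules first, because Let's Encrypt will fetch exactly that URL.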

I think it worked, but it returned an error:

Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
Output from ncp:
Unknown user

Hook command "/etc/letsencrypt/renewal-hooks/deploy/ncp" returned error code 1

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/redacted.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/redacted.com-0001/privkey.pem
   Your cert will expire on 2019-06-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

Is it fine to proceed anyway? And when checking the link I had to use my domain.com:8443 <-- reflecting my port forwarding. Does this port have to be used in the certbot command? Or is it fine without it?

I think the

-0001/

in the path, just means there already was a key and certificate for redacted.com

You will have to edit NC’s webserver config file to reflect the new locations with

sudo nano /etc/apache2/sites-enabled/nextcloud.conf

and reload webserver with

sudo systemctl reload apache2.service

There is no way to tell certbot to use another port, it uses only default 80(http) and 443(https), but once your certificate and key are generated, the certificate will work regardless of port.


According to ncp documentation, the next step is

sudo nano /etc/apache2/sites-enabled/nextcloud.conf
Edit to look like this, certbot provides these locations
SSLCertificateFile /etc/letsencrypt/live/yourNCP.domain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/keys/0000_key-certbot.pem

So for me that would mean:

SSLCertificateFile /etc/letsencrypt/live/redacted.com-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/keys/0001_key-certbot.pem

correct?
In /etc/letsencrypt/live/ there are two entries now, redacted.com, and redacted.com-0001. Must have happened because I tried multiple times I guess. Is it fine to leave the two of them, and just use redacted.com-0001?

And second, in /etc/letsencrypt/keys/ there are six files 000X_key-certbot.pem (X = 1-6). Which one should I use for SSLCertificateKeyFile?

I would use the path indicated by letsencrypt

Normally the files in the live/ folder are symbolic links to the actual files.

You can list files with -l (long) to view where symlinks point to with

sudo ls -l /etc/letsencrypt/live/

On second thought… It might be better to first back up your letsencrypt folder, and then move all the redacted.com files and folders from redacted.com-0001 to the original location. In which case you do not need to edit nextcloud.conf, just reload the webserver. Hope @nachoparker finds a moment to say which best practice fits ncp. :wink:


Did it first with the paths indicated by letsencrypt, so my nextcloud.conf looks like this:

SSLCertificateFile /etc/letsencrypt/live/redacted.com-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/redacted.com-0001/privkey.pem

Now apache doesn’t start. I checked, fullchain.pem in both redacted.com and redacted.com-0001 are indeed empty files.

Apr 01 14:01:55 nextcloudpi systemd[1]: Starting The Apache HTTP Server...
Apr 01 14:01:55 nextcloudpi apachectl[11635]: AH00526: Syntax error on line 5 of /etc/apache2/sites-enabled/ncp.conf:
Apr 01 14:01:55 nextcloudpi apachectl[11635]: SSLCertificateFile: file '/etc/letsencrypt/live/raspinextcloud.ignorelist.com/fullchain.pem' does not exist or is empty
Apr 01 14:01:55 nextcloudpi apachectl[11635]: Action 'start' failed.
Apr 01 14:01:55 nextcloudpi apachectl[11635]: The Apache error log may have more information.
Apr 01 14:01:55 nextcloudpi systemd[1]: apache2.service: Control process exited, code=exited status=1
Apr 01 14:01:55 nextcloudpi systemd[1]: Failed to start The Apache HTTP Server.
Apr 01 14:01:55 nextcloudpi systemd[1]: apache2.service: Unit entered failed state.
Apr 01 14:01:55 nextcloudpi systemd[1]: apache2.service: Failed with result 'exit-code'.

what is output of

sudo ls -lh /etc/letsencrypt/live/redacted.com-0001/

and

sudo ls -lh /etc/letsencrypt/archive/redacted.com-0001/

fritz@nextcloudpi:~$ sudo ls -lh /etc/letsencrypt/live/redacted.com-0001/
total 12K
-rw-r--r-- 1 root root 692 Mär  5 16:49 README
lrwxrwxrwx 1 root root  58 Apr   1 12:50 cert.pem -> ../../archive/redacted.com-0001/cert2.pem
lrwxrwxrwx 1 root root  59 Apr   1 12:50 chain.pem -> ../../archive/redacted.com-0001/chain2.pem
lrwxrwxrwx 1 root root  63 Apr   1 12:50 fullchain.pem -> ../../archive/redacted.com-0001/fullchain2.pem
lrwxrwxrwx 1 root root  61 Apr   1 12:50 privkey.pem -> ../../archive/redacted.com-0001/privkey2.pem

fritz@nextcloudpi:~$ sudo ls -lh /etc/letsencrypt/archive/redacted.com-0001/
total 32K
-rw-r--r-- 1 root root 2,0K Mär  5 16:49 cert1.pem
-rw-r--r-- 1 root root 2,0K Apr   1 12:50 cert2.pem
-rw-r--r-- 1 root root 1,7K Mär  5 16:49 chain1.pem
-rw-r--r-- 1 root root 1,7K Apr   1 12:50 chain2.pem
-rw-r--r-- 1 root root 3,6K Mär  5 16:49 fullchain1.pem
-rw-r--r-- 1 root root 3,6K Apr   1 12:50 fullchain2.pem
-rw------- 1 root root 1,7K Mär  5 16:49 privkey1.pem
-rw-r--r-- 1 root root 1,7K Apr   1 12:50 privkey2.pem

Don't know why, but the links seem to be broken, try using

SSLCertificateFile /etc/letsencrypt/archive/redacted.com-0001/fullchain2.pem
and
SSLCertificateKeyFile /etc/letsencrypt/archive/redacted.com-0001/privkey2.pem

which are the ones generated today.

and should be able to re-run …

sudo systemctl reload apache2.service

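The "links seem to be broken" diagnosis above can be checked mechanically instead of by eye. The script below is an added example, not code from the thread or from NextcloudPi: it resolves each live/ symlink the way Apache will, reports whether the target exists and is non-empty (exactly the condition behind the AH00526 "does not exist or is empty" line in the log posted above), and additionally flags a private key readable by group or others, which the archive listing above shows for privkey2.pem (mode 644, while privkey1.pem is 600). The lineage directory is passed as an argument; redacted.com-0001 is the name from the thread, and the script needs sudo on the real host because /etc/letsencrypt/archive is root-only.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a certbot lineage directory
# such as /etc/letsencrypt/live/redacted.com-0001 before pointing Apache at it.

# link_target FILE -> prints the path FILE resolves to (one level of symlink, relative
# targets joined to the link's own directory, which is how certbot writes them)
link_target() {
    if [ -L "$1" ]; then
        t=$(readlink "$1")
        case $t in
            /*) printf '%s\n' "$t" ;;
            *)  printf '%s\n' "$(dirname "$1")/$t" ;;
        esac
    else
        printf '%s\n' "$1"
    fi
}

# file_usable FILE -> 0 when the resolved file exists and is non-empty,
# i.e. the check Apache's SSLCertificateFile/SSLCertificateKeyFile perform at start-up
file_usable() {
    [ -s "$(link_target "$1")" ]
}

# key_private FILE -> 0 when the resolved key file has no group/other permission bits.
# Uses ls -l rather than stat -c so it also runs on non-GNU systems.
key_private() {
    t=$(link_target "$1")
    [ -e "$t" ] || return 1
    mode=$(ls -l "$t" | cut -c5-10)   # columns 5-10 are the group and other bits
    [ "$mode" = "------" ]
}

# check_lineage LINEAGE_DIR -> prints one line per finding, returns 0 only if all pass
check_lineage() {
    rc=0
    for f in fullchain.pem privkey.pem; do
        if file_usable "$1/$f"; then
            printf 'ok       %s -> %s\n' "$f" "$(link_target "$1/$f")"
        else
            printf 'BROKEN   %s -> %s (missing or empty)\n' "$f" "$(link_target "$1/$f")"
            rc=1
        fi
    done
    if key_private "$1/privkey.pem"; then
        printf 'ok       privkey.pem is owner-only\n'
    else
        printf 'WARNING  privkey.pem is readable by group/other; chmod 600 the archive file\n'
        rc=1
    fi
    return $rc
}

# Usage on the real host (path from the thread):
#   sudo sh -c '. ./check-lineage.sh; check_lineage /etc/letsencrypt/live/redacted.com-0001'
```

If the script reports BROKEN for a live/ link, pointing the vhost at the archive/ file is the workaround given above, but note that `certbot renew` will then write fullchain3.pem and so on without the vhost following along; the live/ symlinks exist precisely so the config never needs editing after a renewal. The WARNING case is worth fixing before anything else: a world-readable privkey2.pem lets any local account on the box read the TLS private key.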

Apache wouldn’t start again, had to change the lines in /etc/apache2/sites-enabled/ncp.conf as well.

Now apache started, nextcloud is up and running AND has a valid certificate! Thank you very much Oliver, this would have taken me forever without you!


Use the command below to use the http challenge for ssl

sudo certbot --apache -d xyz.example.com --preferred-challenges http