LetsEncrypt without port 80

nanu.nanu · March 13, 2021, 1:06am

I have the NextCloudPi up and running but am hitting a wall trying to get LetsEncrypt working. My ISP blocks port 80, hence the app in the Nextcloud Panel app will not succeed. Through doing a little searching I came across this post:

Got through steps 1-4, so I have the certificates in the drive. But step 5 is not for this type of installation.
How do I get the NCP to use these certificates?

das1996 · March 13, 2021, 6:21am

The general advice is to point the webserver to the certs.

The specifics depend on which web server is in use (nginx, apache, etc.).

Which domain registrar are you using?

Reiner_Nippes · March 13, 2021, 11:43am

That will be a bit tricky.

The easy part: You’ll look into ~/.acme.sh/<your-domain>/ add look at the <your-domain.conf> file. And you probably find something like the following:

Le_RealCertPath=''
Le_RealCACertPath=''
Le_RealKeyPath='<some-path>/<your-domain>.key'
Le_ReloadCmd='systemctl reload apache2'
Le_RealFullChainPath='<some-path>/<your-domain>.fullchain.cer'

You have to change the Le_Real<***>Path entries to point to your “nextcloudpi letsencrypt” certs. Probably inside /etc/letsencrypt/live or similar.

And you have to change the “Le_ReloadCmd” to make the nextcloudpi web server to reload it’s config.

Now the problem: You have to permanently disable the builtin certbot in nextcloudpi. (I don’t know nextcloudpi very well.) Probably it’s enough to edit this crontab entry.

github.com

nextcloud/nextcloudpi/blob/master/bin/ncp/NETWORKING/letsencrypt.sh#L68


  for domain in $DOMAIN $OTHER_DOMAIN; do
    [[ "$domain" != "" ]] && {
      [[ $domain_string == "" ]] && \
        domain_string+="${domain}" || \
        domain_string+=",${domain}"
    }
  done
  "${letsencrypt}" certonly -n --force-renew --no-self-upgrade --webroot -w "${ncdir}" --hsts --agree-tos -m "${EMAIL}" -d "${domain_string}" && {

    # Set up auto-renewal
    cat > /etc/cron.weekly/letsencrypt-ncp <<EOF
#!/bin/bash
source /usr/local/etc/library.sh

# renew and notify
$letsencrypt renew --quiet

# notify if fails
[[ \$? -ne 0 ]] && notify_admin \
                     "SSL renewal error" \
                     "SSL certificate renewal failed. See /var/log/letsencrypt/letsencrypt.log"

Alternative: as you can see in the nextcloud/vm scripts certbot is also able to use the dns challange.

github.com

nextcloud/vm/blob/master/lib.sh#L744


    uir_hsts="--uir --hsts"
fi
a2dissite 000-default.conf
systemctl reload apache2.service
default_le="--rsa-key-size 4096 --renew-by-default --no-eff-email --agree-tos $uir_hsts --server https://acme-v02.api.letsencrypt.org/directory -d $1"
#http-01
local  standalone="certbot certonly --standalone --pre-hook \"systemctl stop apache2.service\" --post-hook \"systemctl start apache2.service\" $default_le"
#tls-alpn-01
local  tls_alpn_01="certbot certonly --preferred-challenges tls-alpn-01 $default_le"
#dns
local  dns="certbot certonly --manual --manual-public-ip-logging-ok --preferred-challenges dns $default_le"
local  methods=(standalone dns)

for f in ${methods[*]}
do
    print_text_in_color "${ICyan}" "Trying to generate certs and validate them with $f method."
    current_method=""
    eval current_method="\$$f"
    if eval "$current_method"
    then
        return 0

so you may change the nextcloudpi letsencrypt script to use the dns challange as well.

probably it’s only this line:

github.com

nextcloud/nextcloudpi/blob/master/bin/ncp/NETWORKING/letsencrypt.sh#L65



  # Do it
  local domain_string=""
  for domain in $DOMAIN $OTHER_DOMAIN; do
    [[ "$domain" != "" ]] && {
      [[ $domain_string == "" ]] && \
        domain_string+="${domain}" || \
        domain_string+=",${domain}"
    }
  done
  "${letsencrypt}" certonly -n --force-renew --no-self-upgrade --webroot -w "${ncdir}" --hsts --agree-tos -m "${EMAIL}" -d "${domain_string}" && {

    # Set up auto-renewal
    cat > /etc/cron.weekly/letsencrypt-ncp <<EOF
#!/bin/bash
source /usr/local/etc/library.sh

# renew and notify
$letsencrypt renew --quiet

# notify if fails

check the certbot documentain for more details.

nanu.nanu · March 14, 2021, 2:52am

I am using a free one from duckdns.org. NextcloudPi uses Apache is I am not mistaken.

nanu.nanu · March 14, 2021, 2:53am

Wow! That’s above what I was planning on doing!

Reiner_Nippes · March 14, 2021, 9:54am

@nanu.nanu maybe instead of using acme.sh you may have a look at

and see if you can integrate this into your nextcloudpi.

nanu.nanu · March 14, 2021, 6:58pm

Thank you!

nictronik99 · May 19, 2022, 2:26pm

you have some news? were you able to configure it?