Hello, I am Eduardo from Argentina, I don't speak English very well.
I have apache listening in port 80 and works fine.
I ran certbot certonly --apache -d node.net.ar -d www.node.net.ar -d smaug.node.net.ar
Then I configured the vhosts manually for:
node.net.ar with alias www.node.net.ar /var/www/html/node
smaug.node.net.ar /var/www/html/smaug
My domain is: node.net.ar (www.node.net.ar and smaug.node.net.ar)
My web server is: apache 2
The operating system my web server runs on is: debian 10
I can login to a root shell on my machine: yes
The version of my client is: 1.9.0. Everything works fine.
First I tried certbot certonly --standalone -d grid.net.ar -d iot.grid.net.ar -d mqtt.grid.net.ar and I got an error about binding port 80; I think it is because Apache is using port 80.
Then I tried certbot certonly --webroot -d grid.net.ar -d iot.grid.net.ar -d mqtt.grid.net.ar and it asked me for a webroot; I didn't know what to do and entered c to cancel.
Then I tried certbot certonly --apache -d grid.net.ar -d iot.grid.net.ar -d mqtt.grid.net.ar because I have Apache. The certificates were installed, I enabled HTTPS in the dashboard configuration and tried https://grid.net.ar:18084, and it didn't work.
Then I did certbot delete and deleted the grid.net.ar certificates.
Then I tried again certbot certonly --webroot -d grid.net.ar -d iot.grid.net.ar -d mqtt.grid.net.ar
to add a webroot, and it didn't ask me for a webroot; it ran ok and the certificate was installed.
At this point https://grid.net.ar:18084 still didn't work. certbot certificates shows me both domains with their respective subdomains, paths to /etc/letsencrypt/live, etc.
Any advice on how to solve this scenario? The medium.com guide doesn't cover Apache.
My idea is to use grid.net.ar to access the dashboard and then use the iot or mqtt subdomain to allow devices to connect to the MQTT broker over TCP with SSL or WebSocket with SSL.
you have a web server that is capable of securing that connection.
The bad news is:
you will need to use a reverse proxy to secure emqx
OR
you will need to configure emqx to use the cert itself
I know nothing about emqx, so I can't say if/how that would be possible.
I do, however, know enough about Apache/NGINX to say that it should be relatively easy to set up a reverse proxy to reach the emqx securely via either port 443 (using SNI), or 18084, or even via both ports (if there is a NAT firewall or port forwarding device inline).
READERS: Get involved and participate: If you read something you like, then click to like it
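As an added example, not part of this thread and not from the Apache or EMQX projects, this is roughly what the reverse-proxy suggestion above looks like as Apache 2.4 vhosts: Apache terminates TLS on 443 with the grid.net.ar certificate certbot already issued and forwards the dashboard and the MQTT-over-WebSocket listener to EMQX over plain HTTP on localhost, so EMQX never needs to read privkey.pem. The backend ports 18083 (dashboard HTTP) and 8083 (WebSocket listener) are EMQX defaults assumed here, and the DocumentRoot /var/www/html/grid is an assumed webroot; neither is stated in the thread.

```apache
# Added example (not from the thread): Apache 2.4 reverse proxy in front of EMQX.
# Enable modules first: a2enmod ssl proxy proxy_http proxy_wstunnel rewrite
# Backend ports 18083 (dashboard HTTP) and 8083 (MQTT over WebSocket) are
# assumed EMQX defaults; adjust them to the listeners actually configured.

# Plain HTTP: keep /.well-known reachable for webroot renewals, send everything else to HTTPS.
<VirtualHost *:80>
    ServerName grid.net.ar
    ServerAlias iot.grid.net.ar mqtt.grid.net.ar
    DocumentRoot /var/www/html/grid   # assumed webroot used with certbot --webroot
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Dashboard at https://grid.net.ar (SNI selects this vhost by ServerName).
<VirtualHost *:443>
    ServerName grid.net.ar
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/grid.net.ar/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/grid.net.ar/privkey.pem
    # Apache reads the key as root at startup and then drops privileges,
    # so the files under /etc/letsencrypt can keep their root-only ownership.

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:18083/
    ProxyPassReverse / http://127.0.0.1:18083/
    # If the dashboard is left on its HTTPS listener (18084) instead, point
    # both lines at https://127.0.0.1:18084/ and add "SSLProxyEngine on".
</VirtualHost>

# MQTT over WebSocket for devices: wss://mqtt.grid.net.ar/mqtt
<VirtualHost *:443>
    ServerName mqtt.grid.net.ar
    ServerAlias iot.grid.net.ar
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/grid.net.ar/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/grid.net.ar/privkey.pem

    ProxyPreserveHost On
    # mod_proxy_wstunnel carries the Upgrade handshake through to EMQX.
    ProxyPass        /mqtt ws://127.0.0.1:8083/mqtt
    ProxyPassReverse /mqtt ws://127.0.0.1:8083/mqtt
</VirtualHost>
```

Clients that need raw MQTT over TLS on the TCP listener (not WebSocket) cannot go through an HTTP reverse proxy; that case is the other option in the post above, configuring EMQX to use the certificate itself.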
I'm not sure that you should be changing anything in the archive folder.
I guess we will see if that is required when a new cert is issued; as it will then be xxxxx2.pem (and so on).
No, I didn't use anything. I've read that emqx needs permission to read the cert file.
It changed from root:root to root:emqx and it works.
I will see what happens in 3 months.