Certbot & Raspberry Pi: which system to select to install?

Old long thread... I thought my question was simpler...
I run apache2 on a Raspberry Pi model B
Linux berry314 5.10.103+ #1529 Tue Mar 8 12:19:18 GMT 2022 armv6l GNU/Linux
I have ssh access and intended to use Certbot ACME client.
What system should I select?

Thanks

1 Like

Hi @mgirod, and welcome to the LE community forum :slight_smile:

Have you looked at the acme.sh client?

5 Likes

You've kicked a thread from 2015, which is like, practically the beginning of Let's Encrypt.

Everything from then is probably not applicable to now any longer.

You haven't told us the OS/distro you're using, but you can probably use the "Snapd" instructions for installing Certbot.

4 Likes

That's the hostname (nodename) of the host, Rudy: "berry314", not the distribution. Try Googling it :wink:

(It's called "nodename" in the uname man page apparently :roll_eyes:)

5 Likes

Linux kernel 5.10.103 released

Raspberry Pi OS ?

4 Likes

Possibly, but that specific kernel version is not listed in its release history on Wikipedia: Raspberry Pi OS - Wikipedia

Anyway, if it's Debian based, snap is an option I believe.

5 Likes

If not, then acme.sh may do the trick :wink:

4 Likes

Or one of the other ACME clients :roll_eyes:

Although I believe the armhf architecture snap should work on Raspberry Pis.

Edit: moved the posts to a new thread, as the previous thread was ancient.

5 Likes

Trying to reply to several questions.
The Raspberry Pi OS version is buster (from /etc/apt/sources.list)

$ uname -s
Linux
$ uname -r
5.10.103+
$ uname -v
#1529 Tue Mar 8 12:19:18 GMT 2022
$  hostname
berry314

I started to look at certbot from the web site, and there, in the instructions, was prompted to select my 'System' from a pull-down menu. 'Linux berry' was not in the list (nor plain 'Linux').
But then, I installed certbot with apt-get.

Now so far, I failed to generate certs.
I have a dynamic IP from dyndns.
Until now, I had only a self-signed cert.
Now I bought a 'girod.fi' domain, intending to use the name berry314.girod.fi (instead of so far berry314.dyndns-pics.com)
At dyndns, I could only add a name, including the redirection.
So, I set a new name, with the redirection:

berry314.thruhere.net -> berry314.girod.fi

but I am not sure for which name to generate certs. Anyway, both fail:

root@berry314:/etc/ddclient# certbot certonly -d thruhere.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for thruhere.net
Input the webroot for thruhere.net: (Enter 'c' to cancel): /home/marc/webroot/
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. thruhere.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 132.226.162.56: Fetching https://www.oracle.com/corporate/acquisitions/dyn/: Timeout after connect (your server may be slow or overloaded)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: thruhere.net
   Type:   connection
   Detail: 132.226.162.56: Fetching
   https://www.oracle.com/corporate/acquisitions/dyn/: Timeout after
   connect (your server may be slow or overloaded)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
root@berry314:/etc/ddclient# certbot certonly -d girod.fi
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for girod.fi
Input the webroot for girod.fi: (Enter 'c' to cancel): /home/marc/webroot/girod/
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. girod.fi (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2a03:e581:4::11: Invalid response from http://girod.fi/.well-known/acme-challenge/BYLGzzALKGIe72r8ASAn_FVm7Birw5purqRj3XSM9BM: 404

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: girod.fi
   Type:   unauthorized
   Detail: 2a03:e581:4::11: Invalid response from
   http://girod.fi/.well-known/acme-challenge/BYLGzzALKGIe72r8ASAn_FVm7Birw5purqRj3XSM9BM:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
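
The two failures above are the two ways an http-01 webroot validation usually goes wrong: the validator could not reach (or was redirected away from) the name, and the validator reached the name but got a 404 for the token file. The script below is an added example, not code from the thread or from certbot: it drops a throw-away token under the webroot exactly where certbot's webroot plugin would, then fetches it over plain HTTP the way the CA does. The `demo()` function serves a temporary directory on 127.0.0.1 so it runs offline; the hostnames and paths in the usage comment are assumptions.

```python
"""Added example: pre-flight check for certbot's webroot authenticator.

The ACME validator fetches http://<name>/.well-known/acme-challenge/<token>
on port 80. Placing a token yourself and fetching it reproduces the failure
before you spend a rate-limited validation on it.
"""
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_SUBDIR = ".well-known/acme-challenge"


def place_token(webroot):
    """Write a random token file where certbot's webroot plugin would; return (token, path)."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(webroot, *CHALLENGE_SUBDIR.split("/"), token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)  # a real challenge file holds "<token>.<key authorization>"
    return token, path


def fetch(url):
    """GET url and return (status, body); status 0 means no HTTP answer at all."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("ascii", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""          # e.g. 404: wrong webroot for this vhost
    except (urllib.error.URLError, OSError):
        return 0, ""                 # nothing listening, firewall, wrong A/AAAA record


def preflight(base_url, webroot):
    """True only if a token dropped into <webroot> comes back unchanged from <base_url>."""
    token, path = place_token(webroot)
    try:
        status, body = fetch(f"{base_url.rstrip('/')}/{CHALLENGE_SUBDIR}/{token}")
        return status == 200 and body == token
    finally:
        os.remove(path)


class _Quiet(SimpleHTTPRequestHandler):
    def log_message(self, *args):    # keep the offline demo's output clean
        pass


def demo():
    """Offline demo: serve one temp directory on 127.0.0.1, probe the right and a wrong webroot.
    Returns (result_with_correct_webroot, result_with_wrong_webroot)."""
    with tempfile.TemporaryDirectory() as docroot, tempfile.TemporaryDirectory() as other:
        srv = ThreadingHTTPServer(("127.0.0.1", 0), partial(_Quiet, directory=docroot))
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{srv.server_address[1]}"
        try:
            return preflight(base, docroot), preflight(base, other)
        finally:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # assumed usage: python3 preflight.py http://berry314.girod.fi /var/www/html
        print("reachable" if preflight(sys.argv[1], sys.argv[2]) else "NOT reachable")
    else:
        print(demo())        # (True, False)
```

Run it against the public name and the DocumentRoot of the vhost that answers for that name, from a machine outside your LAN if you can; a result of "NOT reachable" with status 0 points at DNS, port forwarding or a firewall, and a 404 means the directory you gave is not what apache serves for that name.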

That domain does not seem to be publicly registered:

 # dig NS thruthere.net @a.gtld-servers.net.

; <<>> DiG 9.18.4 <<>> NS thruthere.net @a.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18718
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;thruthere.net.                 IN      NS

;; AUTHORITY SECTION:
net.                    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1662465497 1800 900 604800 86400

;; Query time: 29 msec
;; SERVER: 2001:503:a83e::2:30#53(a.gtld-servers.net.) (UDP)
;; WHEN: Tue Sep 06 11:58:42 UTC 2022
;; MSG SIZE  rcvd: 115
5 Likes

Sorry: typo!

tmp> dig NS thruhere.net @a.gtld-servers.net

; <<>> DiG 9.16.1-Ubuntu <<>> NS thruhere.net @a.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39817
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;thruhere.net.			IN	NS

;; AUTHORITY SECTION:
thruhere.net.		172800	IN	NS	ns1.p201.dns.oraclecloud.net.
thruhere.net.		172800	IN	NS	ns2.p201.dns.oraclecloud.net.
thruhere.net.		172800	IN	NS	ns3.p201.dns.oraclecloud.net.
thruhere.net.		172800	IN	NS	ns4.p201.dns.oraclecloud.net.

;; ADDITIONAL SECTION:
ns1.p201.dns.oraclecloud.net. 172800 IN	A	108.59.166.201
ns1.p201.dns.oraclecloud.net. 172800 IN	AAAA	2600:2000:2100::c9
ns2.p201.dns.oraclecloud.net. 172800 IN	A	108.59.168.201
ns2.p201.dns.oraclecloud.net. 172800 IN	AAAA	2600:2000:2110::c9
ns3.p201.dns.oraclecloud.net. 172800 IN	A	108.59.170.201
ns3.p201.dns.oraclecloud.net. 172800 IN	AAAA	2600:2000:2120::c9
ns4.p201.dns.oraclecloud.net. 172800 IN	A	108.59.172.201
ns4.p201.dns.oraclecloud.net. 172800 IN	AAAA	2600:2000:2130::c9

;; Query time: 27 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Tue Sep 06 13:14:02 IST 2022
;; MSG SIZE  rcvd: 310

I'm confused [easily] ...

What does certbot certonly -d thruhere.net have to do with:

I mean, why not just do:
certbot certonly -d berry314.girod.fi

Note the very different IPs:

Name:    berry314.thruhere.net
Address: 132.226.118.109

Name:      berry314.girod.fi
Addresses: 2a03:e581:4::11
           164.215.39.201
4 Likes

The confusion may be mine...
Indeed, the public name will be the berry314.girod.fi alias (NS record), but shouldn't the 'real host (the 'A' record) require the cert?

Anyway, at this point dyndns is not able to give me an IP...
Waiting for the support to help me...

Only if you intend on serving: https://real-host-name/
If not, then you don't require one.
That is how SNI works and one IP can serve many names.

6 Likes

Hi!
Now I got an NS record in cloudflare for berry314.girod.fi, pointing to berry314.dyndns-pics.com, which has an A record, and a dynamic IP.

But creating the certs fails:

Failed authorization procedure. berry314.girod.fi (http-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up A for berry314.girod.fi; DNS problem: SERVFAIL looking up AAAA for berry314.girod.fi - the domain's nameservers may be malfunctioning

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: berry314.girod.fi
   Type:   None
   Detail: DNS problem: query timed out looking up A for
   berry314.girod.fi; DNS problem: SERVFAIL looking up AAAA for
   berry314.girod.fi - the domain's nameservers may be malfunctioning

I thought the nameservers looked OK:

tmp> dig berry314.girod.fi | grep -A1 'ANSWER SECTION'
;; ANSWER SECTION:
berry314.girod.fi.	0	IN	A	86.44.5.225
tmp> dig NS girod.fi  | grep -A2 'ANSWER SECTION'
;; ANSWER SECTION:
girod.fi.		21600	IN	NS	opal.ns.cloudflare.com.
girod.fi.		21600	IN	NS	walt.ns.cloudflare.com.
tmp> dig berry314.dyndns-pics.com | grep -A1 'ANSWER SECTION'
;; ANSWER SECTION:
berry314.dyndns-pics.com. 0	IN	A	86.44.5.225

What can I do?
Thanks,
Marc

That doesn't look right:

nslookup -q=cname berry314.girod.fi opal.ns.cloudflare.com
berry314.girod.fi       nameserver = berry314.dyndns-pics.com

You shouldn't have an NS record entry.
It should likely be a CNAME record entry.

6 Likes
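
The mistake above (an NS record where a CNAME was meant) is easy to miss from a recursive resolver, because a cached answer or a flattened CNAME hides it. The script below is an added example, not from the thread: `classify_rrs` reads the lines `dig +noall +answer +authority` prints and reports whether the name is an alias, a delegation, or a plain address record, and `check_alias` runs that against the zone's own authoritative server so caches are bypassed. The nameserver and hostname in the usage comment are the ones from this thread; everything else is an assumption.

```sh
#!/bin/sh
# Added example: tell a CNAME alias from an accidental NS delegation for a hostname.
#
# classify_rrs NAME reads "owner ttl IN TYPE rdata" lines on stdin and prints one word:
#   cname    the name is an alias (what berry314 -> berry314.dyndns-pics.com needs)
#   ns       the name is delegated to other nameservers (the mistake in the thread;
#            resolvers then treat berry314.dyndns-pics.com as a nameserver, which is
#            the timeout/SERVFAIL the CA reported)
#   address  only A/AAAA answers (a plain host record, or a flattened CNAME)
#   none     nothing for that owner (NXDOMAIN/NODATA show only the zone's SOA)
classify_rrs() {
    awk -v n="${1%.}" '
        function owner(s) { sub(/\.$/, "", s); return s }
        $3 == "IN" && owner($1) == n {
            if ($4 == "CNAME") cname = 1
            else if ($4 == "NS") ns = 1
            else if ($4 == "A" || $4 == "AAAA") addr = 1
        }
        END {
            if (cname) print "cname"
            else if (ns) print "ns"
            else if (addr) print "address"
            else print "none"
        }'
}

# check_alias NAME AUTH_NS queries the zone's authoritative server directly.
# A delegated name comes back as a referral (NS records in the authority section),
# which is why both the answer and authority sections are fed to classify_rrs.
check_alias() {
    name="$1"; server="$2"
    {
        dig +noall +answer +authority CNAME "$name" "@$server"
        dig +noall +answer +authority NS "$name" "@$server"
    } | classify_rrs "$name"
}

if [ "$#" -ge 2 ]; then
    check_alias "$1" "$2"    # e.g. sh check_alias.sh berry314.girod.fi opal.ns.cloudflare.com
fi
```

Expect `cname` for a host that should follow a dynamic-DNS name; `ns` means the record type in the zone editor needs changing, and `address` from a Cloudflare nameserver is what a proxied or flattened CNAME looks like from the outside.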

Thanks, fixed in cloudflare.
Now from my laptop, I get:

tmp> dig berry314.girod.fi | grep -A1 'ANSWER SECTION'
;; ANSWER SECTION:
berry314.girod.fi.	0	IN	A	86.44.5.225
tmp> dig cname berry314.girod.fi @opal.ns.cloudflare.com | grep -A1 'AUTHORITY SECTION'
;; AUTHORITY SECTION:
girod.fi.		3600	IN	SOA	opal.ns.cloudflare.com. dns.cloudflare.com. 2288240461 10000 2400 604800 3600

which matches the explanation at cloudflare:

CNAME Flattening

Cloudflare will follow a CNAME to where it points and return that IP address instead of the CNAME record. By default, Cloudflare will only flatten the CNAME at the root of your domain, which is girod.fi.

But for some reason, it doesn't propagate to the raspberry pi itself...

ddclient-3.9.1> dig berry314.girod.fi | grep -A2 'ANSWER SECTION'
;; ANSWER SECTION:
berry314.girod.fi.	2150	IN	A	104.21.21.89
berry314.girod.fi.	2150	IN	A	172.67.197.83
ddclient-3.9.1> dig cname berry314.girod.fi | grep -A1 'AUTHORITY SECTION'
;; AUTHORITY SECTION:
girod.fi.		2973	IN	SOA	opal.ns.cloudflare.com. dns.cloudflare.com. 2288240461 10000 2400 604800 3600
1 Like

What do you mean "fixed"?
I now get:

Name:      berry314.girod.fi
Addresses: 2606:4700:3037::6815:1559
           2606:4700:3033::ac43:c553
           104.21.21.89
           172.67.197.83
4 Likes

Sorry, I only meant 'fixed in cloudflare':

Type    Name     Content                  Proxy status  TTL
	
A       girod.fi 164.215.39.201           Proxied       Auto
AAAA    *        2a03:e581:4::11          Proxied       Auto
AAAA    girod.fi 2a03:e581:4::11          Proxied       Auto
CNAME   berry314 berry314.dyndns-pics.com Proxied       Auto

with the nameservers as:

Type    Value
NS      opal.ns.cloudflare.com
NS      walt.ns.cloudflare.com

But indeed, now I get the same thing as you do:

tmp> dig berry314.girod.fi | grep -A2 'ANSWER SECTION'
;; ANSWER SECTION:
berry314.girod.fi.	3539	IN	A	172.67.197.83
berry314.girod.fi.	3539	IN	A	104.21.21.89