Certificate for a server under VPN: how to get alternate challenge?

My domain is: comp.beta-lorraine.fr
I ran this command: # certbot --apache
It produced this output: Detail: 147.100.156.194: Fetching http://comp.beta-lorraine.fr/.well-known/acme-challenge/GdlQ-4QTB4pKbc2Y728NmIFassvQEdfAa3wUtZAvLGU: Timeout during connect (likely firewall problem)
My web server is (include version): Apache
The operating system my web server runs on is (include version): Ubuntu 22.04

I am trying to get a certificate for a new web server that is accessible only from our institutional network or a VPN, so the default challenge that certbot runs to verify the machine fails, as the certbot server doesn't have access to the machine.

I do control the DNS for this machine, as I registered the name with GANDI and I can add a TXT record to the DNS using the GANDI interface.
However, it's not clear to me how I need to proceed.

All I want is that my colleagues, from within our network, can access https://comp.beta-lorraine.fr and reach our server's IP (147.100.156.194).
I understood that GANDI supports automatic update of the DNS, which can be used not only to perform the initial challenge but also the automatic renewals, but I'm missing a tutorial on which tools need to be used in this situation.

Thank you if you can point me to the right page or summarize the procedure :slight_smile:

I think you're just looking for using the DNS-01 challenge to prove you own the name, assuming that the DNS server is publicly accessible even if the web site isn't.

You just want a Gandi DNS plugin for certbot; I'm pretty sure some are around. With some quick web searching I found this:

Which is also linked from the certbot documentation:

https://eff-certbot.readthedocs.io/en/stable/using.html#third-party-plugins

I haven't tried it, but I think that's what you're looking for.

7 Likes

In addition to Peter's suggestion, you could switch to a different ACME Client like acme.sh or lego. Both support Gandi DNS challenges.

For acme.sh, be sure to use --server letsencrypt to get a Let's Encrypt cert as it defaults to ZeroSSL. You can also set the default CA in a similar way. See

7 Likes

Thank you both... I think I need to look a bit more in detail at how the whole process works... Up to now (on other servers) I was just running a couple of commands and everything was working; I guess it was "too easy" and didn't let me appreciate the whole process behind it...

2 Likes

I successfully managed to get the certificate with the gandi certbot plugin.

These are the steps I followed on an Ubuntu 20.04 server with Apache.

SSL Certification

We start from a situation where https works but it is not certified (i.e. the default when you install Apache). Let's certify it.
We are going to use Let's Encrypt and its "certbot" client (https://letsencrypt.org/ - https://certbot.eff.org), but because the server is under VPN it is not reachable from the outside world, so we can't use the default "challenge" to prove we own the domain we want to encrypt.
Instead we'll need to use a DNS based challenge performed through the certbot plugin certbot-plugin-gandi.

Software installation

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo apt-get update
sudo apt-get install certbot python3-certbot-apache
sudo apt-get install python3-pip
sudo pip install certbot-plugin-gandi

Retrieve the Personal Access Token using the GANDI web interface

Get a Personal Access Token for the beta organization, give it a name, allow all organizations and the permission for managing the DNS. Change the default expiration from 1 month to 1 year.

Your PERSONAL_ACCESS_TOKEN will look like an alphanumerical random string.
Test it with: curl -H "Authorization: Bearer PERSONAL_ACCESS_TOKEN" https://id.gandi.net/tokeninfo

Let's save the token:

nano /etc/letsencrypt/gandi.ini :

>>>
# Gandi personal access token
dns_gandi_token=PERSONAL_ACCESS_TOKEN
<<<

Get the certificate and point the apache site configuration to use it

certbot certonly --authenticator dns-gandi --dns-gandi-credentials /etc/letsencrypt/gandi.ini -d YOUR_DOMAIN

You should get an output like:

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
This certificate expires on 2024-05-03.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

I am not sure about the automatic schedule, so, as suggested on the plugin's GitHub page, let's manually add an entry to crontab:

nano /etc/crontab :

>>>
# /etc/crontab lines carry a user field before the command; credentials path matches the file saved above
0 3 * * 0 root certbot renew -q --authenticator dns-gandi --dns-gandi-credentials /etc/letsencrypt/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory
<<<

Finally let's edit the site configuration file to point to the certificates:

nano /etc/apache2/sites-enabled/virtual_site.conf :

>>>
  SSLEngine on
  SSLCertificateFile      /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem
  SSLCertificateKeyFile   /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem
<<<

service apache2 restart

That's all. Thank you :slight_smile:

1 Like
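An added check, not part of the post above nor of certbot-plugin-gandi, for the credentials file the procedure creates: the token in it grants write access to your DNS zone, so before pointing certbot at it, confirm the file is readable only by its owner and no longer holds the placeholder value. It assumes GNU stat (as on Ubuntu).

```shell
# Added check (not from the thread or the plugin): validate the file passed
# to --dns-gandi-credentials. The token inside can change DNS records for the
# zone, so the file must be mode 600 and must not still hold the placeholder
# from the instructions. Prints each problem and returns 1 if any was found.
check_gandi_credentials() {
  f=$1
  rc=0
  if [ ! -f "$f" ]; then
    echo "missing credentials file: $f"
    return 1
  fi
  # GNU stat: octal permission bits, e.g. 600
  mode=$(stat -c '%a' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "$f is mode $mode; expected 600 so other users cannot read the token"
       rc=1 ;;
  esac
  # the plugin reads exactly one dns_gandi_token= line
  n=$(grep -c '^dns_gandi_token=' "$f" || true)
  if [ "$n" -ne 1 ]; then
    echo "$f: expected one dns_gandi_token= line, found $n"
    return 1
  fi
  tok=$(sed -n 's/^dns_gandi_token=//p' "$f" | tr -d ' \t')
  case "$tok" in
    ''|PERSONAL_ACCESS_TOKEN|PERSONAL_ACCESS_TOCKEN)
      echo "$f: dns_gandi_token still holds the placeholder, not a real token"
      rc=1 ;;
  esac
  return $rc
}

# usage: check_gandi_credentials /etc/letsencrypt/gandi.ini && echo "credentials OK"
```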

Glad you got your cert.

I think you should revise your renewal cron though. Mostly because you should not set all those parameters on the renew. The options used to get the cert are saved in a renewal config file in the /renewal/ folder. The renew command uses those.

When you specify all those options on the renew command it will overwrite the options saved in all the renewal config files. That can cause problems if you have multiple certs. Even just ones you create for testing.

Certbot's install process usually sets up a renew as a cronjob or systemd timer. If you really don't have one you can set up a new one like you did. But it is best to use the same command as Certbot uses to properly request a random start time. See here:

https://eff-certbot.readthedocs.io/en/latest/using.html#setting-up-automated-renewal

5 Likes
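An added example (not from the thread or from certbot) that checks the two points above: a renew cron line should carry none of the options used at issuance, and the renewal config certbot saved should already hold the dns-gandi authenticator and credentials path. The key names in the constructed sample config are an assumption about certbot's renewal file format.

```shell
# Added example, not from the thread or from certbot, for the renewal setup
# discussed above. renew_cmd_is_clean flags authenticator/credentials/server
# options on "certbot renew" (they get written into every renewal config);
# renewal_conf_credentials reads the credentials path certbot stored in
# /etc/letsencrypt/renewal/<name>.conf (assumed keys: authenticator and
# dns_gandi_credentials under [renewalparams]).

renew_cmd_is_clean() {
  cmd=$1
  case "$cmd" in
    *certbot*renew*) ;;
    *) echo "not a certbot renew command"; return 2 ;;
  esac
  rc=0
  for flag in --authenticator --dns-gandi-credentials --server; do
    case " $cmd " in
      *" $flag "*|*" $flag="*)
        echo "renew carries $flag; drop it, certbot reads it from the renewal config"
        rc=1 ;;
    esac
  done
  return $rc
}

renewal_conf_credentials() {
  conf=$1
  auth=$(sed -n '/^\[renewalparams\]/,$s/^authenticator *= *//p' "$conf")
  if [ "$auth" != "dns-gandi" ]; then
    echo "authenticator is '$auth', expected dns-gandi" >&2
    return 1
  fi
  sed -n '/^\[renewalparams\]/,$s/^dns_gandi_credentials *= *//p' "$conf"
}

# Constructed sample of the renewal config certbot writes after the certonly
# command above (account id is a placeholder).
sample_renewal_conf() {
  cat <<'EOF'
cert = /etc/letsencrypt/live/YOUR_DOMAIN/cert.pem
[renewalparams]
account = ACCOUNT_ID_PLACEHOLDER
authenticator = dns-gandi
dns_gandi_credentials = /etc/letsencrypt/gandi.ini
server = https://acme-v02.api.letsencrypt.org/directory
EOF
}

tmp=$(mktemp); sample_renewal_conf > "$tmp"
renewal_conf_credentials "$tmp"; rm -f "$tmp"   # prints /etc/letsencrypt/gandi.ini
```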

Thank you. Indeed, running certbot to get the certificate I got the message "Certbot has set up a scheduled task to automatically renew this certificate in the background." and I can see in cron.d the crontab entry:

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

So it seems that adding that crontab entry is not needed. You may want to make a pull request or raise an issue with the certbot gandi plugin, as I got those options from their GitHub readme...

Thanks again,
Antonello

3 Likes
