Create Certificate without exposing port 80

My domain is: gschmidt.duckdns.org

I ran this command:
sudo /etc/letsencrypt/letsencrypt-auto certonly --manual --preferred-challenges dns --email gsc@ziggo.nl -d gschmidt.duckdns.org -w /home/pi/domoticz/www/

It produced this output:
(screenshot of the certbot output, not reproduced here)

My web server is (include version): Domoticz Version: 4.10717

The operating system my web server runs on is (include version): Raspbian Buster version 10

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.2.0

It has been 3 years since I last installed letsencrypt for Domoticz.
Back then I had to create an auth.sh and a cleanup.sh, and then run this command to create the certificate:
sudo /etc/letsencrypt/letsencrypt-auto certonly --manual --preferred-challenges dns --manual-auth-hook /home/pi/duckdns/auth.sh --manual-cleanup-hook /home/pi/duckdns/cleanup.sh

It seems to have changed a bit when using --preferred-challenges=dns and creating a DNS TXT record.

Since my router/firewall software pfSense is blocking port 80, and I am not allowed to re-route it, I have to use this option. But the Domoticz site does not describe where to use or store the DNS TXT record, or what should be included in the record.

Could somebody explain to me how to deploy the DNS record?

from https://www.duckdns.org/spec.jsp

TXT Record API

The TXT update URL can be requested on HTTPS or HTTP. It is recommended that you always use HTTPS
We provide HTTP services for unfortunate users that have HTTPS blocked

You can update your domain(s) TXT record with a single HTTPS get to DuckDNS
your TXT record will apply to all sub-subdomains under your domain e.g. xxx.yyy.duckdns.org shares the same TXT record as
yyy.duckdns.org
https://www.duckdns.org/update?domains={YOURVALUE}&token={YOURVALUE}&txt={YOURVALUE}[&verbose=true][&clear=true]

Hi @gschmidt

please read your output.

A TXT entry _acme-challenge.gschmidt.duckdns.org is required.

There is a check of your domain, created Friday: https://check-your-website.server-daten.de/?q=gschmidt.duckdns.org#txt

No TXT entry:

Should look like

Read

PS: If you use dns validation, your local Domoticz isn’t relevant. Your nameserver (from duckdns) is relevant.

Wow fast answer, thanx!

How should I use that in:
sudo /etc/letsencrypt/letsencrypt-auto certonly --manual --preferred-challenges dns --email gsc@ziggo.nl -d gschmidt.duckdns.org -w /home/pi/domoticz/www/

And at which location is the TXT record stored?

You didn’t read the shared document.

Your output screenshot tells you how to set up the DNS TXT record. You set the record up on DuckDNS:

Hostname: _acme-challenge.gschmidt.duckdns.org
Value: (the value you blocked out of your screenshot)
TTL: 300 ideally

Not sure if duckdns is one of the DNS hosts with a plugin you can install, and I can’t find that doc for the life of me rn, but you can also try using acme.sh. Pretty quick & easy to use.

I am sorry Juergen, I have read it and am trying to understand how to use this doc… the explanation is well documented but still difficult for me (and maybe others) to understand.

This (securing) part of using Domoticz in the outside world is way out of my league. Once I know the steps to create a certificate (without exposing port 80) I will make a text file with all the steps.

Creating a letsencrypt certificate (and setting up auto renewal) for a Domoticz system is not done on a regular basis (only when a fresh install is required). The last time was 3 years ago.

Therefore I would like to know:

  • _acme-challenge.gschmidt.duckdns.org… is it part of a parameter of the letsencrypt-auto certonly function?

  • Where should I store the DNS text file (locally or somewhere else?)… and does it have *.txt as extension, or .sh?
    (3 years ago I had to create an auth.sh and cleanup.sh on my local machine to point at)

There is no “DNS textfile”. There’s a DNS record, and it’s on the authoritative DNS server(s) for your domain.
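Putting the DuckDNS TXT API quoted above together with the auth/cleanup hooks the original setup used, here is an added example of a hook script for certbot's dns-01 validation. It is not code from this thread, from Domoticz or from DuckDNS. The script path /home/pi/duckdns/duckdns-hook.sh, the token file /home/pi/duckdns/token and the DUCKDNS_DRY_RUN and DUCKDNS_PROPAGATION_WAIT variables are assumptions of this example; CERTBOT_DOMAIN and CERTBOT_VALIDATION are the environment variables certbot itself exports to manual hooks. The point the thread keeps circling is visible in duckdns_label: DuckDNS has no separate _acme-challenge record to create, you set the TXT value on the gschmidt label and DuckDNS serves it for every name under it.

```shell
#!/bin/sh
# Added example (not from the thread, Domoticz or DuckDNS): certbot manual
# hooks that publish and clear the dns-01 TXT record through the DuckDNS
# update URL. Assumed: this file lives at /home/pi/duckdns/duckdns-hook.sh,
# the token sits in /home/pi/duckdns/token (chmod 600), and DUCKDNS_DRY_RUN /
# DUCKDNS_PROPAGATION_WAIT are knobs of this script, not of DuckDNS.
#
# certbot invocation (certbot 1.x; the ip-logging flag keeps renewal
# non-interactive):
#   sudo certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook    "/home/pi/duckdns/duckdns-hook.sh auth" \
#     --manual-cleanup-hook "/home/pi/duckdns/duckdns-hook.sh cleanup" \
#     --manual-public-ip-logging-ok -d gschmidt.duckdns.org
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.

DUCKDNS_TOKEN_FILE="${DUCKDNS_TOKEN_FILE:-/home/pi/duckdns/token}"

# gschmidt.duckdns.org (or _acme-challenge.gschmidt.duckdns.org) -> gschmidt.
# DuckDNS is keyed by that label, and per its spec the one TXT record is
# served for every name under it, so no separate _acme-challenge record exists.
duckdns_label() {
    printf '%s\n' "$1" | sed -e 's/^_acme-challenge\.//' -e 's/\.duckdns\.org$//'
}

# Update URL exactly as in the DuckDNS spec; $4 = "clear" appends clear=true.
duckdns_txt_url() {
    url="https://www.duckdns.org/update?domains=$1&token=$2&txt=$3"
    [ "$4" = "clear" ] && url="$url&clear=true"
    printf '%s\n' "$url"
}

# Perform the GET. The URL carries the token, so it is fed to curl as a
# config file on stdin (-K -) instead of an argument visible in `ps`.
# DuckDNS replies with OK or KO in the body.
duckdns_call() {
    if [ -n "$DUCKDNS_DRY_RUN" ]; then
        printf 'dry-run, would GET %s\n' "$1" >&2
        printf 'OK\n'
        return 0
    fi
    printf 'url = "%s"\n' "$1" | curl -fsS -K -
}

duckdns_hook() {
    label=$(duckdns_label "$CERTBOT_DOMAIN")
    token=$(cat "$DUCKDNS_TOKEN_FILE") || return 1
    case "$1" in
        auth)
            url=$(duckdns_txt_url "$label" "$token" "$CERTBOT_VALIDATION")
            result=$(duckdns_call "$url") || return 1
            if [ "$result" != "OK" ]; then
                echo "DuckDNS rejected the TXT update: $result" >&2
                return 1
            fi
            # certbot asks Let's Encrypt to look up the record as soon as this
            # hook returns, so give DuckDNS a moment to start serving it.
            sleep "${DUCKDNS_PROPAGATION_WAIT:-30}"
            ;;
        cleanup)
            # Clear the record again: it is shared by every name under the label.
            url=$(duckdns_txt_url "$label" "$token" "" clear)
            duckdns_call "$url" >/dev/null
            ;;
        *)
            echo "usage: $0 auth|cleanup" >&2
            return 2
            ;;
    esac
}

# Run a hook when invoked with an argument; sourcing just defines the functions.
if [ "$#" -gt 0 ]; then
    duckdns_hook "$1"
fi
```

To check the record before involving certbot at all, run the auth hook by hand with a throwaway value (CERTBOT_DOMAIN=gschmidt.duckdns.org CERTBOT_VALIDATION=test /home/pi/duckdns/duckdns-hook.sh auth) and then query the name Let's Encrypt will query: dig +short TXT _acme-challenge.gschmidt.duckdns.org should print "test". Because the TXT value is shared by every name under the label, the cleanup hook clears it again after issuance rather than leaving a stale challenge published.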

Jippie…I have managed to redirect the ports on my router, so now I can use the default command!

pi@Domotica-Pi:~ $ sudo /etc/letsencrypt/letsencrypt-auto certonly --webroot --email gsc@ziggo.nl -d gschmidt.duckdns.org -w /home/pi/domoticz/www/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for gschmidt.duckdns.org
Using the webroot path /home/pi/domoticz/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/gschmidt.duckdns.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/gschmidt.duckdns.org/privkey.pem
   Your cert will expire on 2020-05-09. To obtain a new or tweaked
   version of this certificate in the future, simply run
   letsencrypt-auto again. To non-interactively renew *all* of your
   certificates, run "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Thanx for the help anyway