Creating SSL on a Mac Mini

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: z4262009.eero.online

I ran this command: sudo certbot certonly --standalone -d z4262009.eero.online --http-01-port 22

It produced this output:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: z4262009.eero.online
  Type:   connection
  Detail: 73.140.114.180: Fetching http://z4262009.eero.online/.well-known/acme-challenge/3qnIu-08Uv0xxFQw44sIJ2U7sD_RKYqs7hzE6i36SYU: Error getting validation data

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 22. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

My web server is (include version): Standalone

The operating system my web server runs on is (include version):
macOS Sonoma

My hosting provider, if applicable, is:
Xfinity

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

--
In summary, I have Eeros Plus as my router, with the ability to forward ports etc. I have my DDNS as z4262009.eero.online. For my selected Mac mini, I haven't set any port forwarding as 22 seems to already be open.

I have unloaded SSH via:
sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist. When I ran the command I get the error mentioned above. I know I can ssh via the WAN ip address, and I want to first access my SSH server. Next up, add additional servers.

Any help would be appreciated. Thanks

The Let's Encrypt validation servers need to be able to connect to your server on port 80--what made you decide to specify port 22? Port 22 is ordinarily used for SSH, not for HTTP.

4 Likes

To elaborate on this, --http-01-port lets you choose what port Certbot will attempt to answer the challenge on, but it does not let you choose what port the certificate authority will attempt to perform the challenge on. That is always hardcoded as 80, and you can't change it.

The purpose of --http-01-port is cases where you can forward a port (as seen by the rest of the Internet) to a different port on your server, like if your router or firewall forwarded incoming connections on port 80 to port 8080 of your web server behind the firewall, or something.

6 Likes

Thanks for clarifying. OK so I have port 80 open externally. I did run this as:
sudo certbot certonly --standalone -d z4262009.eero.online -v

Got the following:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: z4262009.eero.online
  Type:   unauthorized
  Detail: 73.140.114.180: Invalid response from http://z4262009.eero.online/.well-known/acme-challenge/uJto3BXPnxh6w9BFawokypuxBDNHfo6MZVmeOMGMrcw: "<!DOCTYPE html><html lang=\"en\"><head>\n  <meta charset=\"utf-8\">\n  <title>Homebridge</title>\n  <base href=\"/\">\n\n  <meta name=\"view"

Basically it's hitting my Homebridge page, which I forward from 80 -> 8581. I guess firstly: do I have the right ports and port forwarding, and then the right commands in here?

LE doesn't see that forward and neither do I.
But even if you could hear the redirection to port 8581, LE would NOT follow it.
LE will only follow redirections to other HTTP or HTTPS ports on FQDNs.
So... no IPs in the URL and no other ports can be used in the redirection.

What is HomeBridge? And can it be moved to listening on any port other than 80?

3 Likes

I think @glad.tree6096 is forwarding external port 80 to the Mac Mini's port 8581.

@glad.tree6096 The options I can think of for you in this setup would be:

(1) Get Certbot to integrate more with Homebridge (I don't know offhand how to do this, it depends on the details of the Homebridge web server; for example, if it can serve static files from a specified directory, you may be able to use Certbot's --webroot method to cause the challenge files to be placed under that directory)

(2) Temporarily shut down Homebridge for a few seconds each time while you get your certificates (e.g. with Certbot options --pre-hook "service homebridge stop" --post-hook "service homebridge start" or whatever the right commands to stop and restart the service would be), in which case you can use --standalone and --http-01-port 8581

(3) Use a different challenge method to get your certificate, most likely by integrating with a DNS API.

4 Likes

Or:

(4) Put a reverse proxy also capable of delivering the challenge between the internet and Homebridge. E.g. nginx or Apache or some other reverse proxy.

5 Likes

Thanks for that. Would SSH server do that as well?

1 Like

OK so I managed to generate an SSL certificate by turning off Homebridge for a moment. I have it stored but I suspect the permissions aren’t right because Homebridge is failing to access the location of that file even though I created it in the home directory. Does certbot add any special permissions that are restrictive?

Would SSH server do what? Reverse proxy HTTP/HTTPS? No, SSH is a completely different protocol.

Certbot runs as root (usually, in your case you seem to be using sudo, so Certbot runs as root indeed), so to access the private key, the service trying to load the private key would also need to be root. You could perhaps use a --deploy-hook (see the Certbot user guide for more info about that) if you require the files in a different location with different permissions. But make sure the private key is kept safe, i.e., no "regular" process/user can access it.

3 Likes
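A --deploy-hook for the permissions question above, paired with the --pre-hook/--post-hook approach from option (2): this is an added example, not code from the thread, Certbot or Homebridge. The destination directory, the service account name and the hb-service stop/start commands are assumptions; RENEWED_LINEAGE is the variable Certbot sets when it runs a deploy hook.

```shell
#!/bin/sh
# Deploy hook: copy the renewed cert and key out of Certbot's root-only
# /etc/letsencrypt tree into a directory the Homebridge account can read,
# keeping the private key readable by that one account only.
# Assumed invocation (hb-service commands and paths are assumptions):
#   sudo certbot certonly --standalone -d z4262009.eero.online \
#     --http-01-port 8581 --pre-hook "hb-service stop" \
#     --post-hook "hb-service start" --deploy-hook /usr/local/bin/hb-deploy.sh
set -eu

DEST="${HB_CERT_DIR:-/var/homebridge/certs}"   # assumed location
OWNER="${HB_USER:-homebridge}"                 # assumed service account

deploy_certs() {
  lineage="$1"; dest="$2"; owner="$3"
  [ -f "$lineage/fullchain.pem" ] && [ -f "$lineage/privkey.pem" ] || return 1
  umask 077                         # new files start out private
  mkdir -p "$dest"
  cp "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
  cp "$lineage/privkey.pem"   "$dest/privkey.pem.tmp"
  chmod 644 "$dest/fullchain.pem.tmp"   # the certificate chain is public
  chmod 600 "$dest/privkey.pem.tmp"     # the key is owner-only
  if id "$owner" >/dev/null 2>&1; then  # skip chown if the account is absent
    chown "$owner" "$dest/fullchain.pem.tmp" "$dest/privkey.pem.tmp"
  fi
  mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"   # swap in atomically
  mv "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
}

# Succeeds only when the file's mode is exactly 0600.
key_is_private() {
  [ -n "$(find "$1" -type f -perm 600 2>/dev/null)" ]
}

# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<domain>)
# only when it invokes this script as a deploy hook.
if [ "${RENEWED_LINEAGE:-}" ]; then
  deploy_certs "$RENEWED_LINEAGE" "$DEST" "$OWNER"
fi
```

Point Homebridge at the copies in the destination directory rather than at /etc/letsencrypt, so the root-only originals stay untouched.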

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.