Does CertBot support Cherrypy servers?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hqyc1973.com

I ran this command:

It produced this output:

My web server is (include version): Cherrypy on Ubuntu 18.04LTS

The operating system my web server runs on is (include version): Ubuntu 18.04LTS

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not sure if it supports my system?

Hi,

I would say it does, but it depends on what you mean by support. certbot probably won't help you set up your cherrypy for secured connections the way it does with common web servers like Nginx or apache if you only use cherrypy without a reverse proxy such as Nginx or something else.

Based on my quick read through of the program, if you are hosting your cherrypy and ask it to listen for requests on ports 80 and 443, then you'll need to either use DNS validation or use a standalone authenticator and reload/restart your application every time the certificate updates (unless your software can dynamically pick up certificate and key changes).

If you are using a reverse proxy like Nginx or apache, things are much easier as you can use webroot (by creating an exception in your webserver configuration that won't forward a specific path to your application), their respective certbot plugin (by temporarily editing your webserver configuration file) or DNS validation. You also don't need to worry about restarting the cherrypy application because you can terminate the secured connections at the reverse proxy if it's hosted on the same machine, which means every certificate update will just need a reload of the webserver.

Thank you so much for your reply. I don't think I'm using Nginx, unless AWS's Route 53 automatically links one to my incoming requests?

In my case I don't actually need port 80, it will be exclusively https. Can I get away with those complicated authenticator/reloader things?

It's great that you mentioned you are using Route53.
If you are using Route53 as your DNS provider, just install the aws-route53 DNS plugin for certbot (and certbot itself) via snap.
Just follow the instructions on this page and configure your Route53 with an IAM identity, then you are able to issue certificates with DNS-based authentication automatically.

However, you must find a way to let your cherrypy know about (or pick up) certificate changes (i.e. when you renewed one). Otherwise it will always serve the same certificate if you don't restart/reload.

Great! I want to further clarify this:
For the non-stop option (using --webroot), do I need to have a long-running parallel server listening on port 80? I only have one server and would rather have it listen on port 443.

Also, I don't quite understand your last comment:

If you use --webroot, you need a server that at least listens on port 80.

Try it. When it's time to renew, your cherrypy server will keep using the old certificate (even when it has expired). You must do something to your server and ask it to pick up the certificate, either automatically or by restarting.
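The procedure the replies above describe, as an added example that is not from this thread: issue the certificate with the Route53 DNS plugin (so CherryPy keeps ports 80 and 443) and use a certbot deploy hook to restart the app after every renewal, since CherryPy only reads its PEM files at startup. It assumes AWS credentials for the Route53 IAM identity are already configured for root, a hypothetical systemd unit named `cherrypy-app`, and that this file is installed at the hook path shown.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Assumptions: certbot and the
# certbot-dns-route53 plugin come from snap, root already has Route53 credentials
# (e.g. /root/.aws/credentials), and CherryPy runs as the hypothetical systemd
# unit "cherrypy-app". Install this file at $HOOK so certbot can run it.

DOMAIN="hqyc1973.com"
APP_UNIT="cherrypy-app"
HOOK="/usr/local/sbin/reload-cherrypy.sh"

install_certbot() {
    sudo snap install --classic certbot
    sudo snap set certbot trust-plugin-with-root=ok
    sudo snap install certbot-dns-route53
}

# First issuance: DNS-01 via Route53, so nothing has to listen on port 80.
# certbot stores --deploy-hook in the renewal config and runs it after each
# successful renewal, which is what the app needs to notice the new files.
issue_cert() {
    sudo certbot certonly --dns-route53 -d "$DOMAIN" --deploy-hook "$HOOK"
}

# True (exit 0) when a lineage directory holds both non-empty files
# CherryPy needs (ssl_certificate -> fullchain.pem, ssl_private_key -> privkey.pem).
lineage_ready() {
    [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ]
}

# Deploy-hook body. certbot exports RENEWED_LINEAGE (the live/<domain> dir)
# and RENEWED_DOMAINS when it invokes a hook.
reload_cherrypy() {
    lineage="$1"
    if ! lineage_ready "$lineage"; then
        echo "deploy hook: $lineage is missing fullchain.pem or privkey.pem" >&2
        return 1
    fi
    # CherryPy loaded the old PEM files at startup; a restart is what makes
    # it serve the renewed certificate.
    systemctl restart "$APP_UNIT"
}

# Only act when certbot is calling us as a hook; sourcing or running this
# file by hand restarts nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_cherrypy "$RENEWED_LINEAGE"
fi
```

Run `install_certbot` and `issue_cert` once by hand; `certbot renew` (the snap installs a timer for it) then calls the hook on every renewal.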

I've just tried following the steps in the documentation, but encountered an error, please refer to the attached screenshot.

What is likely to be wrong here?

Your existing webserver is already binding on port 80 and 443, so you should use another method to validate.

@niujh I'm sensing that you don't fully grasp the theory behind how Let's Encrypt (and ACME in general) works. I would urge you to read the basic documentation about ACME and Let's Encrypt:

It seems you're using the standalone plugin of certbot. Which documentation did you read that made you use that specific authenticator plugin?

After you've read the above linked documentation (which is the bare minimum, there are many more interesting documents in the general "Documentation" section of the Let's Encrypt website), you should also read the certbot documentation about the available plugins:


Very timely! I'll study this. Thx

When it comes to installing, is there any difference between using snap vs using pip3?

Both would have the most recent version. The certbot devs recommend using snap. Pip is just available for users not able or willing to use snap.

Thank you. Also, for AWS Route 53 DNS, do I need to use the root user to create the policy and credentials?

I looked it up on the internet and found this: https://www.reddit.com/r/selfhosted/comments/la0f99/set_up_https_with_lets_encrypt_for_your/

But some important steps are still missing there.
