How to create certificate for a Socket.io server?

My domain is: *.idontcare.fr
I ran this command: sudo certbot certonly
The operating system my web server runs on is (include version): Raspbian (Debian 11)
I can login to a root shell on my machine: yes
I'm using a control panel to manage my site: no
The version of my client is: 2.7.4

I'm trying to run another node server which uses socket.io securely:

// Node https server using the Let's Encrypt key and chain for the domain
const fs = require('fs');
const https = require('https');
const options = {
  key: fs.readFileSync('/etc/letsencrypt/live/xxx.idontcare.fr/privkey.pem'),
  cert: fs.readFileSync('/etc/letsencrypt/live/xxx.idontcare.fr/fullchain.pem'),
};

const httpServer = https.createServer(options);

I'm running several servers like this, which all depend on an apache2 server configuration to host some HTML... But this time the "frontend" will be an Android app! Which means that it won't be an actual web-hosted front... :fearful:

As far as I understood, I must create my certificate with the 3rd option of certbot: webroot.

But to check the server, certbot must find its generated file in some /.well-known/acme-challenge/ directory... This implies that this file is in a directory where it can be downloaded / listed... no?

So I HAVE to create some apache2 VirtualHost where Options includes Indexes, right?
But may I create this just for the creation and then delete it, or would it be used each time Certbot tries to renew the certificate? :confused:

I don't know much about socket.io, so my advice will be general. There are a few options for how I'd consider setting this up:

  1. Run some sort of reverse-proxy in front of your socket.io application. You can use something like Caddy which has support for Let's Encrypt built-in. Because Socket.io uses websockets you'll need a few lines of configuration to enable that in Caddy, but it's pretty easy and means your socket.io application doesn't need any additional code to do TLS (i.e., you can delete the https code you pasted). Docs: Behind a reverse proxy | Socket.IO

  2. Web Root with Certbot or other ACME clients. Certbot will write files to disk in some folder. Your Socket.io application needs to handle requests to /.well-known/acme-challenge and read the files from disk to serve them. This is usually pretty easy in most HTTP frameworks, but I don't know much about socket.io.

  3. Different ports. One easy option is to run Certbot "standalone" on port 80, and your socket.io application listens on a different port (maybe 8443). Your Android app will have to know to use the different port.


There may also be the option of using DNS-01 authentication.
Which requires placing the required token into the DNS zone [instead of within the web server].
The added benefit of this method is that it can be done from any system with Internet access.
From there you can then copy the cert[and key] to whichever system(s) may need them.
