Problem Summary: I successfully created a certificate with the manual method, dns challenge. I want to know how to enable auto-renewal using the manual-auth hook. I have google domains as dns provider. I understand that google has a plugin that might be used. But I need help doing so.
My domain is: vpn.blackknightgroup.dev
I ran this command: sudo certbot --manual --preferred-challenges dns certonly -d vpn.blackknightgroup.dev
It produced this output: successfully produced a manual cert!
My web server is (include version): OpenVPN Access Server
The operating system my web server runs on is (include version): Ubuntu 22.04
My hosting provider, if applicable, is: self-hosted
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, ssh
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): latest ubuntu snap client
Have you ever automated an ACME client to obtain a certificate via DNS-01 authentication?
[the first time is always the hardest - LOL]
If you have not, then I would suggest that you take plenty of notes.
Notes on what fails and what works.
If you plan on testing a bunch, I suggest that you do so against the LE staging environment.
Just add "--dry-run" to your tests and remove that once all tests complete correctly.
Once that has been conquered, we can focus on using a --deploy-hook to use the new cert.
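The hook-based renewal the reply above points at, as an added example that is not from the thread, from Certbot or from OpenVPN. Certbot hands the auth hook the domain and the validation string in CERTBOT_DOMAIN and CERTBOT_VALIDATION, runs the cleanup hook afterwards with whatever the auth hook printed in CERTBOT_AUTH_OUTPUT, and runs the deploy hook with RENEWED_LINEAGE pointing at the new files. One script serves all three roles here. Assumptions: the script path /etc/letsencrypt/acme-dns-hook.sh, a file-backed "provider" (DNS_PROVIDER_FILE) used only for offline testing in place of the real Google Domains API call, and the OpenVPN AS sacli key names cs.cert, cs.priv_key and cs.ca_bundle, which should be checked against the installed AS version.

```shell
#!/bin/sh
# Constructed example: one script used as certbot's
#   --manual-auth-hook    "/etc/letsencrypt/acme-dns-hook.sh auth"
#   --manual-cleanup-hook "/etc/letsencrypt/acme-dns-hook.sh cleanup"
#   --deploy-hook         "/etc/letsencrypt/acme-dns-hook.sh deploy"
# Certbot supplies CERTBOT_DOMAIN / CERTBOT_VALIDATION (auth, cleanup),
# CERTBOT_AUTH_OUTPUT (cleanup) and RENEWED_LINEAGE (deploy) in the environment.
set -eu

# Assumed for offline testing: when set, TXT records are "published" to this
# file instead of a real DNS API. Leave unset in production.
DNS_PROVIDER_FILE="${DNS_PROVIDER_FILE:-}"
PROPAGATION_TIMEOUT="${PROPAGATION_TIMEOUT:-120}"   # seconds to wait for DNS
RESOLVER="${RESOLVER:-8.8.8.8}"                     # public resolver to poll

# TXT record name the CA looks up: _acme-challenge.<domain>.
# A wildcard "*.example.com" is validated at _acme-challenge.example.com.
challenge_record_name() {
    name="${1#\*.}"
    printf '_acme-challenge.%s\n' "$name"
}

# Publish the validation string exactly as certbot gave it.
publish_txt() {   # $1 = record name, $2 = value
    if [ -n "$DNS_PROVIDER_FILE" ]; then
        printf '%s %s\n' "$1" "$2" >> "$DNS_PROVIDER_FILE"
    else
        # Put the provider's API call here (endpoint/credentials are
        # provider-specific and not assumed in this example).
        echo "publish_txt: no DNS provider configured" >&2
        return 1
    fi
}

remove_txt() {    # $1 = record name, $2 = value
    if [ -n "$DNS_PROVIDER_FILE" ]; then
        tmp="$DNS_PROVIDER_FILE.tmp"
        grep -v -F "$1 $2" "$DNS_PROVIDER_FILE" > "$tmp" || true
        mv "$tmp" "$DNS_PROVIDER_FILE"
    else
        echo "remove_txt: no DNS provider configured" >&2
        return 1
    fi
}

# Does the public resolver already return the expected TXT value?
txt_visible() {   # $1 = record name, $2 = value
    dig +short TXT "$1" "@$RESOLVER" 2>/dev/null | grep -q -F "\"$2\""
}

# Certbot asks the CA to validate as soon as this hook exits, so the hook must
# block until the record is visible or the challenge will fail.
wait_for_propagation() {
    [ -n "$DNS_PROVIDER_FILE" ] && return 0     # file "provider" is instant
    waited=0
    until txt_visible "$1" "$2"; do
        if [ "$waited" -ge "$PROPAGATION_TIMEOUT" ]; then
            echo "TXT $1 not visible after ${PROPAGATION_TIMEOUT}s" >&2
            return 1
        fi
        sleep 10
        waited=$((waited + 10))
    done
}

auth_hook() {
    name=$(challenge_record_name "$CERTBOT_DOMAIN")
    publish_txt "$name" "$CERTBOT_VALIDATION"
    wait_for_propagation "$name" "$CERTBOT_VALIDATION"
    printf '%s\n' "$name"     # certbot passes this to cleanup as CERTBOT_AUTH_OUTPUT
}

cleanup_hook() {
    name=$(challenge_record_name "$CERTBOT_DOMAIN")
    remove_txt "$name" "$CERTBOT_VALIDATION"
}

# Load the renewed files into OpenVPN Access Server and restart it.
# The sacli key names are assumed; verify them for your AS version.
deploy_hook() {
    sacli=/usr/local/openvpn_as/scripts/sacli
    "$sacli" --key cs.cert      --value_file "$RENEWED_LINEAGE/cert.pem"    ConfigPut
    "$sacli" --key cs.priv_key  --value_file "$RENEWED_LINEAGE/privkey.pem" ConfigPut
    "$sacli" --key cs.ca_bundle --value_file "$RENEWED_LINEAGE/chain.pem"   ConfigPut
    "$sacli" start
}

case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
    deploy)  deploy_hook ;;
    "")      echo "usage: $0 auth|cleanup|deploy" >&2 ;;
    *)       echo "unknown mode: $1" >&2; exit 2 ;;
esac
```

Run the first issuance with --dry-run and the three hook options on the command line, for example `sudo certbot certonly --manual --preferred-challenges dns --manual-auth-hook "/etc/letsencrypt/acme-dns-hook.sh auth" --manual-cleanup-hook "/etc/letsencrypt/acme-dns-hook.sh cleanup" --deploy-hook "/etc/letsencrypt/acme-dns-hook.sh deploy" -d vpn.blackknightgroup.dev --dry-run`. Certbot writes the hook paths into /etc/letsencrypt/renewal/<name>.conf, so the snap's renewal timer reuses them without any further manual step.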
Well, I'm probably in over my head. Just a network engineer setting up OpenVPN AS and trying to get rid of the certificate errors. I first tried using certbot with http auth, but could not get it to work. I think it is an iptables problem, but could not get it working even after opening ports 80/443. Anyway, I'll keep poking around looking.
--preferred-challenges dns ... I got this working no problem. However, since this does not auto-renew the cert, it is not really a long-term solution. So, I am pursuing two paths:
1. sudo certbot certonly --standalone ... get this working; I think it is a firewall problem
2. use the --manual-auth-hook to auto-renew.
I am only pursuing the second choice after being unable to figure out iptables policies to permit the first option. Any suggestions?
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
Here is the iptables config:
Chain INPUT (policy DROP 3805 packets, 182K bytes)
num pkts bytes target prot opt in out source destination
1 26661 54M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 3 292 ACCEPT all -- OPT1 * 0.0.0.0/0 0.0.0.0/0 /* allow incoming from OPT1/DMZ */
3 0 0 ACCEPT all -- LAN * 0.0.0.0/0 0.0.0.0/0 /* allow incoming from LAN */
4 2 219 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* allow loopback traffic */
5 0 0 ACCEPT icmp -- LAN * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* allow ICMP in LAN */
6 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,ESTABLISHED
7 1 40 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2386K 1494M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 9477 5250K ACCEPT all -- LAN * 0.0.0.0/0 0.0.0.0/0 /* forward traffic from LAN */
3 4241 289K ACCEPT all -- OPT1 * 0.0.0.0/0 0.0.0.0/0 /* forward traffic from OPT1/DMZ */
Chain OUTPUT (policy DROP 94 packets, 5851 bytes)
num pkts bytes target prot opt in out source destination
1 19249 5036K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 2 219 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 /* allow loopback traffic */
3 7171 507K ACCEPT all -- * WAN 0.0.0.0/0 0.0.0.0/0 /* allow outbound to WAN */
4 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80 ctstate ESTABLISHED
5 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:443 ctstate ESTABLISHED
Notice that port 80 was not hit at all. But port 443 has some hits. What am I doing wrong???
Thanks,
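A counter-snapshot check for the question above, as an added example that is not from the thread. The listing embedded in it is the INPUT chain copied from the post; the before/after file names are assumptions. Taking one snapshot, sending a test request from outside, and taking a second snapshot turns "pkts 0" into a yes/no answer: if the delta on the dpt:80 ACCEPT rule stays zero while the request was sent, the packets never reached this host's INPUT chain, so the ACCEPT rule itself is not the thing to fix.

```shell
#!/bin/sh
# Constructed example: parse `iptables -nvxL --line-numbers` output and report
# how many packets a rule has matched, so two snapshots around a test
# connection show whether inbound traffic reaches the INPUT chain at all.
# Use -x so the counters are exact numbers rather than "54M".
set -eu

# Print the pkts counter of the first rule in CHAIN whose match fields contain
# WANT (e.g. "dpt:80"). Reads the listing on stdin; exits 1 if no rule matches.
rule_pkts() {   # $1 = chain, $2 = match token
    awk -v chain="$1" -v want="$2" '
        $1 == "Chain" { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+$/ {
            for (i = 5; i <= NF; i++)
                if ($i == want) { print $2; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Packets matched by a rule between two snapshot files.
hits_between() {   # $1 = before file, $2 = after file, $3 = chain, $4 = match token
    before=$(rule_pkts "$3" "$4" < "$1")
    after=$(rule_pkts "$3" "$4" < "$2")
    echo $((after - before))
}

# Constructed sample input: the INPUT chain as listed in the post.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 3805 packets, 182K bytes)
num pkts bytes target prot opt in out source destination
1 26661 54M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 3 292 ACCEPT all -- OPT1 * 0.0.0.0/0 0.0.0.0/0 /* allow incoming from OPT1/DMZ */
3 0 0 ACCEPT all -- LAN * 0.0.0.0/0 0.0.0.0/0 /* allow incoming from LAN */
4 2 219 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* allow loopback traffic */
5 0 0 ACCEPT icmp -- LAN * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* allow ICMP in LAN */
6 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,ESTABLISHED
7 1 40 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW,ESTABLISHED
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 2386K 1494M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
EOF
}

# Stand-alone run: show the two counters from the sample listing.
sample_listing | rule_pkts INPUT dpt:80
sample_listing | rule_pkts INPUT dpt:443
```

On the box itself the snapshots come from `sudo iptables -nvxL INPUT --line-numbers > /tmp/before`, the test request from another connection, then the same command into /tmp/after, and `hits_between /tmp/before /tmp/after INPUT dpt:80` prints the packets the rule saw in between.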
The WAN edge device is this Ubuntu appliance, which is acting as FW and OpenVPN AS server. Below are the NAT rules:
root@FW6E:/var/log# sudo iptables -t nat -L -n -v --line-numbers
Chain PREROUTING (policy ACCEPT 32027 packets, 9888K bytes)
num pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 41 packets, 2404 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8041 packets, 644K bytes)
num pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 2733 packets, 164K bytes)
num pkts bytes target prot opt in out source destination
1 28986 10M MASQUERADE all -- * WAN 0.0.0.0/0 0.0.0.0/0 /* masquerade to WAN */
root@FW6E:/var/log#
I'm not seeing the NATting... [if any]
Maybe that's expected.
Do you have some other Internet access?
If so, I'd start a packet capture on port 80.
Try: http://vpn.blackknightgroup.dev/
[from that other device]
If no other Internet access, just start the packet capture and let me know when to hit it.
Thanks, will do. The last masquerade line NATs all traffic going out the WAN interface. My inside network is LAN and OPT1 interfaces. But since the vpn.blackknightgroup.dev host is this same box, not sure any nat is being done.