I'm confused about where to run Certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://homelab.glenspcservice.com/

I ran this command: N/A

It produced this output: N/A

My web server is (include version): Unsure

The operating system my web server runs on is (include version): Unsure

My hosting provider, if applicable, is: Mochahost

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): 102.0 (build 26)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): N/A

I've set up Ubuntu 22.04 Live Server VM on a bare metal server running Windows Server 2019. From there I installed Bitwarden in a docker container.

I'm a bit lost as to how to obtain a Let's Encrypt SSL Certificate. My understanding of the instructions is that Certbot has to run behind my domain. This is the step I'm not sure how to do. Some of the videos I've watched describe how to set it up in a docker container, but that would put it on my home network along with Bitwarden, not "behind" my domain, right? Wouldn't Certbot have to run on my webhost somehow?

Thanks in advance.

2 Likes

Hello @glen4cindy, welcome to the Let's Encrypt community. :slightly_smiling_face:

It seems you have obtained a Let's Encrypt Certificate.
Using this online tool https://crt.sh/ here is a list of issued certificates for the domain name crt.sh | homelab.glenspcservice.com, the latest being 2022-12-18.
Although using this online tool https://letsdebug.net/ has results here https://letsdebug.net/homelab.glenspcservice.com/1305819 presently with ERRORs so obtaining another certificate could be an issue.

Using this online tool Let's Debug Toolkit has results here https://tools.letsdebug.net/cert-search?m=domain&q=homelab.glenspcservice.com&d=168 of "The Registered Domain (glenspcservice.com) has used 3 of 50 weekly certificates."

Also Testing and Debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).

2 Likes

Supplemental information

$ nmap homelab.glenspcservice.com
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-19 16:27 UTC
Nmap scan report for homelab.glenspcservice.com (97.88.217.20)
Host is up (0.088s latency).
rDNS record for 97.88.217.20: 097-088-217-020.res.spectrum.com
Not shown: 997 filtered ports
PORT     STATE  SERVICE
443/tcp  closed https
5001/tcp open   commplex-link
5060/tcp open   sip

Nmap done: 1 IP address (1 host up) scanned in 7.50 seconds

Best Practice - Keep Port 80 Open

1 Like

Thanks for the quick reply Bruce.

I took a look at my cPanel. I discovered I already had an SSL certificate issued by Let's Encrypt.

From my understanding of the installation process I need 3 things:

SSLCertificateFile
SSLCertificateKeyFile
SSLCertificateChainFile

How do I download the certificate files that are already installed on my webserver so I can add them to Bitwarden?

Thanks again in advance

3 Likes

Hi @glen4cindy, you should be able to download the Issued Certificate from here crt.sh | 8236216517; on the left, down a bit, look for

1 Like

Here is a link to help you choose the chain you want Long (default) and Short (alternate) Certificate Chains Explained
Here is a link for Chain of Trust - Let's Encrypt

2 Likes

They will also need the private key though.

In order to find that, they may need more than just cPanel access to that system.
[not 100% sure on that, as I don't use cPanel]

3 Likes

Yep, I cannot help them with that. I do not know where they have the Private Key.

That depends entirely on the ACME client used [and how it was configured].
And, maybe more so, their amount of access to that system.
[which that may have]

3 Likes

Question: why would Bitwarden require the Let's Encrypt certificate of your website?

5 Likes

YouTube is the reason - LOL

3 Likes

I'm sorry. I'm new at this. I'm trying to learn. Maybe I'm doing it completely wrong.

The first question the installer asks is the domain name for my Bitwarden instance.

I'm self-hosting this install so it's installed in a docker container on an Ubuntu 22 Linux host.

I chose a subdomain I created on a domain I own. Maybe I did this wrong too but according to a couple of guides I read this is one way to do it.

The very next question concerns Let's Encrypt. The documentation for Let's Encrypt seems to indicate at least part of it needs to reside "behind" your domain.

If I'm not doing this right could you please add an answer to your question?

Is an SSL cert not needed at all?

Thanks in advance.

1 Like

Yes, YouTube is a guide but I know I cannot depend on everything there.

Can you suggest a better resource for this topic?

We all have to start somewhere. I've failed a few times here and now I'm asking for help.

Maybe I'll be able to offer help for the next one once I learn.

1 Like

My advice is to have a clear picture of what you are doing/intend to do.
Like an actual schematic diagram would be the most excellent "picture".
And you should understand what each piece of that puzzle is doing, how it does it, and how all the pieces work together to accomplish your "plan".
Did I mention that you need "a plan"?

This is not the right place to discuss such plans/designing - but maybe someone will be willing to review your situation and point you in the right direction [or at least point out any flaws (if they find any)].

I don't have a bag of instructional links to rummage through.
I'm mostly self-taught, so I do know what you might be going through.
But, since I've been doing this for so long, I really don't know how anyone is learning anything these days - LOL

As for "YouTube", it is full of everything [good and bad].
We mostly run across the things that fail [the ones that worked don't need our help] and that may be skewing my perspective about it.
I think it just takes some researching/common sense [although it seems uncommon these days] to make sense of what they are showing/asking you to do BEFORE you do any of it; it needs to make sense. If it doesn't, then don't "just do it" OR get more information about it... until it does make sense [or you realize they are just as lost as you are and you need to look elsewhere].

...enough of this...

Cheers from Miami :beers:

4 Likes

Thanks for such a carefully written and well-thought-out response.

The truth is, I did a lot of research before beginning this project. When I hit a roadblock I did more research looking for answers before I came here asking questions.

Just to clear things up, in case someone is reading this later and finds themselves in the same place I was in, they will find the same answer I did.

It turns out that when I configured the domain that I intended to use with Bitwarden, I used my webhost to do this. My primary website has a certificate from Let's Encrypt and the domain I configured was automatically provided a certificate.

The certificate that Bruce showed me that was issued does not match the certificate my webhost issued, hence my confusion.

Thanks again rg305 and everyone else for your help.

I'm up and running now.

3 Likes

Issued or currently being served?

3 Likes

Well, Let's Debug cannot find it: HTTP-01 (click this link for results).

Presently using this online tool https://check-host.net/ shows from around the world that there is no DNS record for homelab.glenspcservice.com
Permanent links to these check reports:

nslookup shows the same from my location:

$ nslookup homelab.glenspcservice.com
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find homelab.glenspcservice.com: NXDOMAIN

$ nslookup -q=soa homelab.glenspcservice.com
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find homelab.glenspcservice.com: NXDOMAIN

$ nslookup -q=ns homelab.glenspcservice.com
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find homelab.glenspcservice.com: NXDOMAIN


1 Like

I learned that in order to make use of the dynamic DNS available from my webhost I needed to start with that instead of configuring a subdomain first.

So I configured my domain and called it bitwarden.glenspcservice.com.

Once I got this part working I no longer needed the subdomains so I deleted them which is the reason for your results.

1 Like

Both?

bitwarden.glenspcservice.com AutoSSL Domain Validated
Expires on March 18, 2023. The certificate will renew via AutoSSL.

1 Like

Here is a list of issued certificates for crt.sh | glenspcservice.com; it includes the domain and subdomains. Thus your server should be serving one of the certificates whose name matches the domain name being served.

However, I cannot reach bitwarden.glenspcservice.com

~$ openssl s_client -showcerts -servername bitwarden.glenspcservice.com bitwarden.glenspcservice.com:443 < /dev/null
405721C7107F0000:error:8000006F:system library:BIO_connect:Connection refused:../crypto/bio/bio_sock2.c:125:calling connect()
405721C7107F0000:error:10000067:BIO routines:BIO_connect:connect error:../crypto/bio/bio_sock2.c:127:
connect:errno=111

$ nmap -Pn bitwarden.glenspcservice.com
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-24 14:26 PST
Nmap scan report for bitwarden.glenspcservice.com (97.88.217.20)
Host is up (0.087s latency).
rDNS record for 97.88.217.20: 097-088-217-020.res.spectrum.com
Not shown: 996 filtered ports
PORT     STATE  SERVICE
443/tcp  closed https
5001/tcp open   commplex-link
5060/tcp open   sip
8443/tcp open   https-alt

Nmap done: 1 IP address (1 host up) scanned in 8.06 seconds
1 Like
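To tell "issued" from "currently being served", as rg305 asks above, here is an added diagnostic (my example, not code from anyone in this thread): it connects with SNI and separates the outcomes seen in this thread (name does not resolve, connection refused on 443, untrusted chain) from a served certificate that does or does not name-match the host. It uses only the Python standard library; the hostname_matches() helper is mine and assumes the dict shape that ssl's getpeercert() returns.

```python
import socket
import ssl


def hostname_matches(cert, hostname):
    """True if hostname is covered by a DNS SAN in `cert` (getpeercert() dict shape).

    RFC 6125 rules: case-insensitive exact match, or a wildcard covering exactly
    one leftmost label (*.example.com matches a.example.com, not a.b.example.com).
    """
    hostname = hostname.lower().rstrip(".")
    parent = hostname.partition(".")[2]
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        if name.startswith("*.") and "." in parent and name[2:] == parent:
            return True
    return False


def check_served_certificate(hostname, port=443, timeout=5.0):
    """Connect with SNI and report what the host is actually serving.

    Chain trust is checked by the TLS library; the name match is done separately
    with hostname_matches() so the two failure modes are reported apart.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # we report the name match ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED   # but still require a trusted chain
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except socket.gaierror:
        return {"status": "nxdomain", "sans": []}   # name does not resolve
    except ConnectionRefusedError:
        return {"status": "refused", "sans": []}    # port closed, nothing listening
    except socket.timeout:
        return {"status": "timeout", "sans": []}    # filtered, as nmap reports it
    except ssl.SSLCertVerificationError as e:
        return {"status": "untrusted", "sans": [], "detail": e.verify_message}
    except ssl.SSLError as e:
        return {"status": "tls_error", "sans": [], "detail": str(e)}
    sans = [n for kind, n in cert.get("subjectAltName", ()) if kind == "DNS"]
    status = "ok" if hostname_matches(cert, hostname) else "mismatch"
    return {"status": status, "sans": sans}


if __name__ == "__main__":
    import sys
    print(check_served_certificate(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

A "mismatch" result with a non-empty SAN list means the box is serving a certificate, just not one issued for the name you typed, which is the situation this thread ended in.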