Need help with DNS setup for generating cert

Hi all! First post here!

I am trying to secure a node-red webservice endpoint using a Let's Encrypt certificate. I need help setting up DNS so I can create the cert.
My domain machielsen.net is hosted on 1and1. In that domain I had (!) a subdomain aws. with DNS servers in Route53. On this subdomain I wanted to run nodered.aws.machielsen.net, so I created an A record in Route53 to point to my EC2 instance. All works fine when using HTTP. Now I want to move from HTTP to HTTPS, but I am lost as to how to set up the CAA records.
Do I set up a CAA record for my machielsen.net domain in 1and1?
Do I set up a CAA record for aws.machielsen.net in Route53?
Do I do both?
How do I generate the cert? Using the --standalone or the --route53 plugin?
Once I have the cert I need to add the cert details to the nodered settings.js file. How can I download the cert and see that information?

Thanks,

Ton.

1 Like

Up to you. Good if you do, doesn't matter if you don't.

The second record is redundant if you set a parent one, though.

Again, up to you. If you are already running an HTTP server, maybe --webroot is more appropriate than --standalone. The route53 plugin will work, but it sounds like overkill.

3 Likes

CAA records are not required, but your DNS server does have to respond properly to a request for them. "I don't have a CAA record" is a proper response; "what's a CAA record?" isn't. We've seen some issues where servers respond with the latter. But as long as your DNS isn't broken, you'll be fine.

Now, if you want to set up CAA records, their content is up to you, as long as it allows letsencrypt.org to issue a cert for the domain.

Whichever you prefer, or whichever best fits your needs. --standalone will require that certbot be able to listen on port 80, so if your application is doing that already, you should plan on doing something else.

The cert will be saved to your server (in /etc/letsencrypt/live/yourdomain if you're using certbot), and from there you can adjust your configuration as needed.

2 Likes
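The replies above say that CAA records are optional, that a parent-zone record covers the subdomain, and that if you do publish one it must permit letsencrypt.org. The following is an added example (not code from the thread or from Let's Encrypt) that makes those rules concrete: it walks up from the hostname the way a CA does under RFC 8659, stops at the closest name that has any CAA records, and checks whether the `issue` properties there allow a given CA. The hostnames are the ones from the thread; the record contents used when testing it are constructed for illustration, and the `dig`-based lookup is the only part that touches the network.

```shell
#!/bin/sh
# Added example, not from the thread: work out which CAA record set actually
# governs a hostname and whether it lets letsencrypt.org issue for it.
# Per RFC 8659 the CA starts at the name and walks up one label at a time,
# using the first (closest) name that has any CAA records; if none is found
# on the way up, any CA may issue. So a CAA set on machielsen.net covers
# nodered.aws.machielsen.net unless aws.machielsen.net publishes its own set.

# caa_lookup NAME: print one "TAG VALUE" line per CAA record of NAME, nothing if
# there are none. Uses dig; tests replace this with a constructed zone table.
caa_lookup() {
    dig +short CAA "$1" 2>/dev/null |
        awk '{ v = $0; sub(/^[0-9]+[ \t]+[A-Za-z0-9]+[ \t]+/, "", v); gsub(/"/, "", v); print $2, v }'
}

# governing_caa NAME: print the governing "TAG VALUE" lines followed by a line
# "@ LABEL" naming where they came from, or just "@ none" if nothing was found.
governing_caa() {
    name=$1
    while [ -n "$name" ]; do
        rrset=$(caa_lookup "$name")
        if [ -n "$rrset" ]; then
            printf '%s\n@ %s\n' "$rrset" "$name"
            return 0
        fi
        case $name in
            *.*) name=${name#*.} ;;   # strip the leftmost label and climb
            *)   name= ;;             # reached the TLD: stop
        esac
    done
    printf '@ none\n'
}

# caa_allows NAME CA: exit 0 if CA may issue a non-wildcard cert for NAME.
# Only "issue" properties are checked; "issuewild" matters only for wildcards.
# An issue value of ";" means "no CA at all"; a set without any issue property
# does not restrict issuance.
caa_allows() {
    host=$1 ca=$2
    result=$(governing_caa "$host")
    label=$(printf '%s\n' "$result" | sed -n 's/^@ //p')
    [ "$label" = none ] && return 0
    issue_values=$(printf '%s\n' "$result" |
        awk '$1 == "issue" { v = $2; sub(/;$/, "", v); print "issue", v }')
    [ -z "$issue_values" ] && return 0
    printf '%s\n' "$issue_values" | grep -qx "issue $ca"
}

# Usage: ./caa-check.sh nodered.aws.machielsen.net [ca-domain]
if [ $# -ge 1 ]; then
    host=$1 ca=${2:-letsencrypt.org}
    if caa_allows "$host" "$ca"; then
        echo "CAA permits $ca to issue for $host (policy from: $(governing_caa "$host" | tail -n 1 | sed 's/^@ //'))"
    else
        echo "CAA blocks $ca from issuing for $host" >&2
        exit 1
    fi
fi
```

Run it against the real name before asking for a certificate: if it reports the policy coming from machielsen.net, the 1and1 zone is what matters and a second record in Route53 is only needed if you want aws.machielsen.net to carry a different policy.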

Ok, "up to you" is not a good answer, because if I knew what to do I would not ask the question. I was hoping it would be a simple matter of generating a cert and configuring it on my nodered instance, but apparently it's not like this.
Maybe I have to clarify: as mentioned in my original post, I want to run nodered. Nodered doesn't run on port 80. It runs on port 1880, so if the cert script depends on a webserver running on port 80, then that is not working.

Ok, so I understand that certbot will listen on port 80. As mentioned, my website runs on 1880, so certbot should be good to go on port 80. I would only have to change the security group to allow port 80 inbound. From where would I allow inbound port 80?

Up to you means you can do either. If you don't have a webserver on port 80, certbot can spawn its own if you say --standalone.

I have no idea. It depends on where your machine is and what software runs on it.

1 Like

If you're asking where these connections would be coming from, the answer is potentially the entire Internet. Let's Encrypt doesn't, and won't, publish IP addresses (or ranges) that they validate from.

2 Likes

Go to your EC2 Console. Your Security Group config is there.

And, I would not add a CAA record yet. A CAA is used to block Certificate Authorities from issuing certs. Get your cert first and add CAA later if you want to prevent anyone but Let's Encrypt from issuing more certs.

2 Likes

Ok, guys. Thanks for the help. I was digging way too deep. I just have to run certbot certonly -d mydomain.com and all is good. The cert is on the machine and I can get it into nodered with no issues.
It was much simpler than I thought.

2 Likes
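The thread settles on `--standalone`, opening tcp/80 in the EC2 security group, and picking the files up from /etc/letsencrypt/live. The following is an added example (not the original poster's commands and not certbot's or Node-RED's own code) that strings those steps together and adds the two things a first-time run usually trips over: the inbound rule has to be open to the whole Internet because Let's Encrypt does not publish validator addresses, and certbot's live/ directory is root-only, so a Node-RED process running as an unprivileged user cannot read it without a deploy hook. Assumptions: certbot and the AWS CLI are installed, the security group id is in `$SG_ID`, Node-RED runs as the user in `$NODERED_USER` under a systemd unit named `nodered`, and the contact address is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: the standalone route end to end.
# Assumptions: certbot and the AWS CLI are installed, the EC2 security group id
# is in $SG_ID, and Node-RED runs as the unprivileged user $NODERED_USER under a
# systemd unit named "nodered" (unit name and user are assumptions). Nothing
# runs unless a subcommand is given, so the helpers can be tested on their own.
set -eu

DOMAIN=${DOMAIN:-nodered.aws.machielsen.net}
EMAIL=${EMAIL:-hostmaster@machielsen.net}   # assumed contact address for expiry mail
NODERED_USER=${NODERED_USER:-nodered}
CERT_DIR=/home/$NODERED_USER/certs          # readable copy for Node-RED

# certbot keeps the current files behind stable symlinks here (root-only).
live_dir() { printf '/etc/letsencrypt/live/%s\n' "$1"; }

# Let's Encrypt validates from unpublished addresses, so the rule must allow
# 0.0.0.0/0 on tcp/80; Node-RED's own port 1880 needs no change.
open_port_80() {
    aws ec2 authorize-security-group-ingress \
        --group-id "$SG_ID" --protocol tcp --port 80 --cidr 0.0.0.0/0
}

# Shell command certbot runs after every successful issuance or renewal:
# copy key and chain to a directory Node-RED can read, then restart it so the
# new files are loaded (Node-RED reads them once at startup). certbot sets
# RENEWED_LINEAGE to the live/<domain> directory before running the hook.
deploy_hook_cmd() {
    printf '%s' "install -d -o $NODERED_USER -g $NODERED_USER -m 750 $CERT_DIR && \
install -o $NODERED_USER -g $NODERED_USER -m 640 \$RENEWED_LINEAGE/privkey.pem \$RENEWED_LINEAGE/fullchain.pem $CERT_DIR/ && \
systemctl restart nodered"
}

# --standalone makes certbot bind :80 itself for the http-01 challenge.
issue_cert() {
    certbot certonly --standalone --non-interactive --agree-tos \
        -m "$EMAIL" -d "$DOMAIN" --deploy-hook "$(deploy_hook_cmd)"
}

# Confirm what was issued: subject, SANs and expiry.
show_cert() {
    openssl x509 -in "$(live_dir "$DOMAIN")/cert.pem" -noout \
        -subject -ext subjectAltName -enddate
}

# Fragment to paste into ~/.node-red/settings.js. fullchain.pem (not cert.pem)
# so clients also get the intermediate; requireHttps redirects plain HTTP.
nodered_https_snippet() {
    cat <<EOF
    https: {
        key:  require("fs").readFileSync("$1/privkey.pem"),
        cert: require("fs").readFileSync("$1/fullchain.pem")
    },
    requireHttps: true,
EOF
}

# Usage: ./le-nodered.sh open-port | issue | show | settings
case "${1:-}" in
    open-port) open_port_80 ;;
    issue)     issue_cert ;;
    show)      show_cert ;;
    settings)  nodered_https_snippet "$CERT_DIR" ;;
    "")        : ;;
    *)         echo "usage: $0 open-port|issue|show|settings" >&2; exit 2 ;;
esac
```

Run `open-port`, then `issue` as root, then `show` to check the SAN and expiry, and paste the output of `settings` into settings.js. Because the deploy hook re-copies the files and restarts Node-RED on every renewal, the `certbot renew` timer that the package installs keeps the service on a valid certificate without further manual steps.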
