Newbie needs help with DuckDNS + LE + Ubuntu

My apologies for asking such a basic question, and maybe this is not possible, but I’m struggling getting LE setup for my server. Here’s my setup:

  • I’m running Ubuntu 16.04 LTS with a typical LAMP setup
  • I have a dynamic IP address through my ISP
  • I use DuckDNS

I’ve installed Let’s Encrypt and have run the script to get the certificate:

% ./letsencrypt-auto --apache -d ****.duckdns.org
(where **** is my subdomain setup through DuckDNS)

When I run this, I get the following error:

Failed authorization procedure. ****.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to (my IP address):443 for tls-sni-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: ****.duckdns.org
    Type: connection
    Detail: Failed to connect to (my IP address):443 for tls-sni-01
    challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

So, what am I doing wrong? Any tips would be most appreciated!

Hi @Jaegs,

The first thing you should check is that your ISP allows you to connect to your home router on ports 80 and 443; some ISPs don't allow it. The second thing is to check that your router is port forwarding ports 80 and 443 to your Ubuntu server and that your Ubuntu server has no firewall, or has the appropriate rules to allow connections on ports 80 and 443.

Let's start with these checks and we'll see what the next step to solve your connection issue could be.

PS: Funny family avatar :wink:

Cheers,
sahsanu

Doh! I’m an idiot: I hadn’t set up a port redirect for 443–kinda necessary for https. Anyway, it worked perfectly once that was in place. I was even able to set up my vanity domain redirect as well. Thanks!


Quick follow-up question: I’ve been using multiple tutorials to get this set up, but I figured I’d just ask here–and if you want to just point me to documentation, that’d be fine: how do I set up automatic renewals for the certificates? I assume through cron, using a similar command, but can you tell/show me the syntax?

The only thing you should need in the command is “letsencrypt-auto renew”. Run that once a day; it will check your existing certs and attempt to renew them if they have less than 30 days left.

@Jaegs, oops, two questions in the same post means more beer you would need to pay :beers: :stuck_out_tongue:

As root, create an entry on your crontab:

# crontab -e

and add a line like this:

17 */12 * * * /path/to/letsencrypt-auto renew

It will check every 12 hours (00:17 and 12:17) whether your certificates need to be renewed; if they don’t, the command will do nothing. You should change /path/to to the right path where letsencrypt-auto is located.

The problem with this command is that your root user will receive a mail twice a day (every time the command is executed); to avoid this you can use the --quiet switch of letsencrypt-auto:

17 */12 * * * /path/to/letsencrypt-auto renew --quiet

And you won’t receive any mail… well, only if the command has some error, but you won’t even notice whether the cert has been renewed, so let’s add the following:

17 */12 * * * /path/to/letsencrypt-auto renew --quiet --no-self-upgrade --renew-hook 'echo "\nI have renewed the certificate located in ${RENEWED_LINEAGE} and this certificate contains the following domains ${RENEWED_DOMAINS}\n\n" >&2'

So, with this last command you won’t receive a mail every day but will receive a mail if some error occurs and when the cert is being renewed.

But… if the cert is renewed you will need to reload your Apache so that the newly issued cert is used, so let’s add a command to reload your Apache.

17 */12 * * * /path/to/letsencrypt-auto renew --quiet --no-self-upgrade --renew-hook 'echo "\nI have renewed the certificate located in ${RENEWED_LINEAGE} and this certificate contains the following domains ${RENEWED_DOMAINS}\n\n" >&2' --post-hook "service apache2 reload"

Before putting anything of the above in your crontab, you should check that it will work fine on your system, so as root, execute the command without the --quiet option and with the --dry-run option to simulate the renewal.

# /path/to/letsencrypt-auto renew --dry-run --no-self-upgrade --renew-hook 'echo "\nI have renewed the certificate located in ${RENEWED_LINEAGE} and this certificate contains the following domains ${RENEWED_DOMAINS}\n\n" >&2' --post-hook "service apache2 reload"

Note: in case you want the mails sent by cron to go to a mail address other than root, when you edit your cron job with crontab -e you can set the variable MAILTO at the beginning of the file.

MAILTO="jaegs@whatever.tld"
17 */12 * * * /path/to/letsencrypt-auto renew --quiet --no-self-upgrade --renew-hook 'echo "\nI have renewed the certificate located in ${RENEWED_LINEAGE} and this certificate contains the following domains ${RENEWED_DOMAINS}\n\n" >&2' --post-hook "service apache2 reload"

P.S.: the renew switch attempts to renew any previously-obtained certificates that expire in less than 30 days. Just in case you didn’t know it.

I hope this helps.

Cheers,
sahsanu
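As an added example (not sahsanu's command and not certbot's own code), the inline echo used as the --renew-hook above can be replaced by a small hook script: it writes the notice to stderr so cron still mails it under --quiet, appends it to a log, and only reloads Apache after a passing configtest, so a broken vhost config does not leave the old cert silently in service. The script path /usr/local/sbin/le-renewed.sh, the APACHECTL and LOGFILE variables and the log path are assumptions; RENEWED_LINEAGE and RENEWED_DOMAINS are the variables the thread already relies on.

```shell
#!/bin/sh
# Hypothetical hook for: letsencrypt-auto renew --quiet --renew-hook /usr/local/sbin/le-renewed.sh
# RENEWED_LINEAGE and RENEWED_DOMAINS are exported to the hook (as used in the thread).
# APACHECTL and LOGFILE are assumed names; override them in the environment if needed.
APACHECTL="${APACHECTL:-apachectl}"
LOGFILE="${LOGFILE:-/var/log/le-renewals.log}"

# Build the one-line notice; fails if the lineage is missing (hook run outside certbot).
renewal_notice() {
    lineage="$1"
    domains="$2"
    if [ -z "$lineage" ]; then
        echo "renewal_notice: RENEWED_LINEAGE is empty" >&2
        return 1
    fi
    printf 'Renewed %s (domains: %s) at %s\n' \
        "$lineage" "${domains:-<none>}" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# Reload Apache only when its configuration passes the syntax check.
# Returns 0 on a successful reload, 2 when the configtest failed and no reload was done.
reload_apache_if_sane() {
    if "$APACHECTL" configtest >/dev/null 2>&1; then
        "$APACHECTL" graceful
        return $?
    fi
    echo "apache configtest failed; not reloading, old certificate stays in use" >&2
    return 2
}

main() {
    notice=$(renewal_notice "$RENEWED_LINEAGE" "$RENEWED_DOMAINS") || exit 1
    printf '%s\n' "$notice" >&2                       # stderr: cron mails this even with --quiet
    printf '%s\n' "$notice" >> "$LOGFILE" 2>/dev/null || true
    reload_apache_if_sane
}

# Only run main when invoked as the hook script itself, not when sourced for checks.
case "${0##*/}" in le-renewed.sh) main "$@" ;; esac
```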

Perfect, thanks so much!

