Private domain with LE certificate

In the nginx reverse proxy (see post 19)

2 Likes

The nginx will then always do:

So, it really matters not what you put there (in the nginx).

For added visualization, try:
http://your.outside.IP/

3 Likes

My external IP shows nginx default and that's fine.

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.

Thank you for using nginx.

2 Likes

The contents of:
http://192.168.1.106
was expected.
There must be more to the nginx config [that you have NOT shown].

3 Likes

In nginx I created one config file for all vhosts.

#---subdomain---
server {
    server_name subdomain.example.com;

    location / {
        proxy_pass http://192.168.1.106;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com-0001/fullchain.pem; 
    ssl_certificate_key /etc/letsencrypt/live/example.com-0001/privkey.pem; 
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    
}

server {
    if ($host = subdomain.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
 
 
    listen 80;
    server_name subdomain.example.com;
    return 404; # managed by Certbot
 
 
}

#---subdomain2---
server {
    server_name subdomain2.example.com;

    location / {
        proxy_pass http://192.168.1.106;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com-0001/fullchain.pem; 
    ssl_certificate_key /etc/letsencrypt/live/example.com-0001/privkey.pem; 
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    
}

server {
    if ($host = subdomain2.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
 
 
    listen 80;
    server_name subdomain2.example.com;
    return 404; # managed by Certbot
 
 
}

Now everything works great.
I would still like to automate the certificate renewal process. However, my DNS provider is Freenom.
Freenom has an API, but I'm not a programmer, so I can't create a script to automate the process.

Glad to hear that but I tend to disagree.

That -0001 generally indicates a problem.
Please show the output of:
certbot certificates

And also the file:
/etc/letsencrypt/renewal/EXAMPLE.COM.conf

3 Likes

I'm sorry, but in the config and log files I rewrite my real domain as example.com.

 Certificate Name: example.com-0001
    Domains: *.example.com
    Expiry Date: 2022-04-03 10:31:15+00:00 (VALID: 84 days)
    Certificate Path: /etc/letsencrypt/live/example.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com-0001/privkey.pem
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2022-03-19 17:59:53+00:00 (VALID: 70 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem

# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/example.com-0001
cert = /etc/letsencrypt/live/example.com-0001/cert.pem
privkey = /etc/letsencrypt/live/example.com-0001/privkey.pem
chain = /etc/letsencrypt/live/example.com-0001/chain.pem
fullchain = /etc/letsencrypt/live/example.com-0001/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 45c8bc5977a3aaddfc232bb2161c9305
pref_challs = dns-01,
authenticator = manual
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory

The first cert is good for all names that end with ".example.com" [not good for example.com].
The second cert is only good for example.com and www.example.com.

So, if that is how you use them, then continue to do so.

The first does require renewal via DNS authentication.
Which means, in order to automate the renewal, it will need an ACME client that includes a DNS API plugin for the DSP (DNS Service Provider) used.

The second can be easily renewed via HTTP authentication.

So...
Does the ACME client support that DSP?
[if not, then you may need to switch to another ACME client that does]

3 Likes

I installed this plugin in the new LXC. It works well and the certificate was automatically renewed via the DNS-01 challenge.
So far I've used this for the update

sudo certbot --nginx

with only the HTTP-01 challenge.

How do I make both HTTP-01 and DNS-01 update automatically now?

2 Likes

If by update you mean renew, then use:
sudo certbot renew

3 Likes

That means if I use

sudo certbot renew

both HTTP-01 and DNS-01 challenges will work?

2 Likes

DNS-01 challenges require the use of DNS API that can update the DNS zone automatically.
If that was used during the cert issuance, then it can be reused during the renewal.
If the DNS settings were done manually, then certbot can't renew them automatically (without further manual assistance).

2 Likes
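The distinction rg305 draws above (a DNS plugin recorded in the renewal conf can be reused; the manual plugin cannot run unattended) can be checked directly from the files under /etc/letsencrypt/renewal/. The following is an added example, my code rather than certbot's or anything posted in the thread. It parses the conf layout shown earlier in the thread (bare key = value lines, then a [renewalparams] section) and reports, per certificate, whether `certbot renew` can complete without a human. The sample conf texts are constructed; the account ids are placeholders; and it assumes certbot records a `--manual-auth-hook` under the key `manual_auth_hook` in [renewalparams], which is an assumption of this example.

```python
"""Classify certbot renewal configs by whether unattended renewal can work.

Added example; not certbot's code and not from the thread. It parses the
/etc/letsencrypt/renewal/<name>.conf layout shown in the thread: bare
"key = value" lines first, then a [renewalparams] section.
"""
import glob
from typing import Dict, List, Tuple

# Constructed sample modelled on the conf posted in the thread (manual plugin,
# dns-01 preferred, no auth hook). The account id is a placeholder.
MANUAL_DNS_CONF = """\
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/example.com-0001
cert = /etc/letsencrypt/live/example.com-0001/cert.pem

# Options used in the renewal process
[renewalparams]
account = <account-id-placeholder>
pref_challs = dns-01,
authenticator = manual
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
"""

# Constructed sample of a conf after re-issuing with the DNS plugin
# ("dns-freenom" is the name certbot's warning in the thread recommends).
PLUGIN_DNS_CONF = """\
version = 1.22.0
archive_dir = /etc/letsencrypt/archive/example.com-0001

[renewalparams]
account = <account-id-placeholder>
authenticator = dns-freenom
server = https://acme-v02.api.letsencrypt.org/directory
"""

# Constructed sample for a cert issued with "certbot --nginx" (http-01).
NGINX_CONF = """\
version = 1.22.0
archive_dir = /etc/letsencrypt/archive/example.com

[renewalparams]
account = <account-id-placeholder>
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
"""


def parse_renewal_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like renewal conf. Keys before any [section] header go
    into the "" section, which is why configparser is not used here."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def renewal_status(conf: Dict[str, Dict[str, str]]) -> Tuple[bool, str]:
    """Return (can_renew_unattended, reason) for one parsed conf."""
    params = conf.get("renewalparams", {})
    # Legacy plugin names look like "certbot-dns-freenom:dns-freenom";
    # keep only the part after the colon.
    auth = params.get("authenticator", "").split(":")[-1]
    challs = params.get("pref_challs", "").strip(",") or "default"
    if auth == "manual":
        # Assumption: certbot stores --manual-auth-hook as manual_auth_hook.
        if params.get("manual_auth_hook"):
            return True, f"manual plugin with auth hook ({challs})"
        return False, ("manual plugin without manual_auth_hook: "
                       "'certbot renew' is non-interactive and will fail")
    if auth.startswith("dns-"):
        return True, f"DNS plugin '{auth}' automates dns-01 via the provider API"
    if auth in ("nginx", "apache", "webroot", "standalone"):
        return True, f"'{auth}' authenticator automates http-01"
    if not auth:
        return False, "no authenticator recorded"
    return False, f"unrecognised authenticator '{auth}'"


def audit_texts(named_texts: List[Tuple[str, str]]) -> List[Tuple[str, bool, str]]:
    """Audit (name, conf_text) pairs; returns (name, ok, reason) per cert."""
    return [(name, *renewal_status(parse_renewal_conf(text)))
            for name, text in named_texts]


def audit_directory(path: str = "/etc/letsencrypt/renewal") -> List[Tuple[str, bool, str]]:
    """Audit a real renewal directory on a host (not used by the sample run)."""
    texts = []
    for conf_path in sorted(glob.glob(f"{path}/*.conf")):
        with open(conf_path, encoding="utf-8") as fh:
            texts.append((conf_path, fh.read()))
    return audit_texts(texts)


if __name__ == "__main__":
    samples = [("example.com-0001 (manual)", MANUAL_DNS_CONF),
               ("example.com-0001 (plugin)", PLUGIN_DNS_CONF),
               ("example.com (nginx)", NGINX_CONF)]
    for name, ok, reason in audit_texts(samples):
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

Run against the constructed samples, the manual/dns-01 conf is reported as FAIL with the same root cause the later `certbot renew --dry-run` output in this thread shows (no auth hook for the manual plugin), while the plugin and nginx confs pass. On a real host, `audit_directory()` walks /etc/letsencrypt/renewal/ and gives the same verdict per certificate before a renewal window opens.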

@rg305 A DNS plugin was used.

3 Likes

Then my statement remains true.
[and can be used by ALL future readers]

2 Likes

Thank you friends, I'll try it tomorrow.

3 Likes

You might need to wait a few days (or weeks) until the cert(s) are ready to be renewed.

Look at:
certbot certificates
[to better understand when a renewal would be needed]

2 Likes
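To see concretely when `certbot renew` will first act on each certificate, here is an added example (my code, not certbot's and not posted in the thread) that parses the text layout of `certbot certificates` as shown earlier and applies the default `renew_before_expiry = 30 days` from the commented line in the renewal conf. The output sample is constructed from the listing posted above; the "today" date is constructed to match the VALID day counts in that listing.

```python
"""Work out when 'certbot renew' will actually renew each certificate.

Added example; not certbot's code and not from the thread. It parses the
text layout of "certbot certificates" as posted above and applies certbot's
default renew_before_expiry of 30 days.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample copied from the listing posted in the thread.
CERTIFICATES_OUTPUT = """\
  Certificate Name: example.com-0001
    Domains: *.example.com
    Expiry Date: 2022-04-03 10:31:15+00:00 (VALID: 84 days)
    Certificate Path: /etc/letsencrypt/live/example.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com-0001/privkey.pem
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2022-03-19 17:59:53+00:00 (VALID: 70 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
"""

# "Expiry Date: 2022-04-03 10:31:15+00:00 (VALID: 84 days)"
EXPIRY_RE = re.compile(r"Expiry Date:\s*(\S+ \S+)\s*\((\w+)")


def parse_certificates(output: str) -> List[Dict]:
    """Turn the certbot listing into records with name, domains and expiry."""
    certs: List[Dict] = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Certificate Name:"):
            certs.append({"name": line.split(":", 1)[1].strip()})
        elif line.startswith("Domains:") and certs:
            certs[-1]["domains"] = line.split(":", 1)[1].split()
        elif line.startswith("Expiry Date:") and certs:
            m = EXPIRY_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised expiry line: {line!r}")
            certs[-1]["expiry"] = datetime.fromisoformat(m.group(1))
            certs[-1]["state"] = m.group(2)  # VALID or INVALID
    return certs


def renewal_report(output: str, now_iso: str, renew_before_days: int = 30) -> List[Dict]:
    """For each cert, say whether the renewal window is already open and, if
    not, how many whole days remain until 'certbot renew' would act."""
    now = datetime.fromisoformat(now_iso)
    rows = []
    for cert in parse_certificates(output):
        opens = cert["expiry"] - timedelta(days=renew_before_days)
        rows.append({
            "name": cert["name"],
            "domains": cert["domains"],
            "window_opens": opens.isoformat(),
            "due_now": now >= opens,
            "days_until_due": max((opens - now).days, 0),
        })
    return rows


if __name__ == "__main__":
    # Constructed "today" consistent with the 84/70-day validity in the sample.
    for row in renewal_report(CERTIFICATES_OUTPUT, "2022-01-09T00:00:00+00:00"):
        state = "due now" if row["due_now"] else f"in {row['days_until_due']} days"
        print(f"{row['name']:<20} {', '.join(row['domains']):<30} renewal {state}")
```

With the sample listing and a "today" of 2022-01-09, the wildcard cert becomes renewable in 54 days and the www cert in 39 days, which is the "few days (or weeks)" wait described above. On a real host, feed it the output of `certbot certificates` and the current time in ISO 8601 form.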

I want to build a new reverse proxy server.
It now runs on a Debian 10 LXC. The new server will be Debian 11. I don't want to do everything from the beginning again.
I installed it on the old servers like this

sudo apt-get install certbot -y python-certbot-nginx -y

When I want to use certbot-dns-freenom, do I have to install it?

sudo pip install certbot certbot-dns-freenom python-certbot-nginx

I have 10 domains on my reverse proxy, which obtains LE certificates.
If I didn't use the DNS challenge (HTTP challenge only), then everything worked very well.
I used this command for the test

sudo certbot renew --dry-run

After the plugin is installed

sudo pip install certbot certbot-dns-freenom

I tried a manual dry-run renewal

sudo certbot certonly -a certbot-dns-freenom:dns-freenom \
  --certbot-dns-freenom:dns-freenom-credentials /home/gusto1/credentials.ini \
  --certbot-dns-freenom:dns-freenom-propagation-seconds 300 \
  -d "*.example.com" \
  -m admin@example.com \
  --agree-tos -n --dry-run

result

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugin legacy name certbot-dns-freenom:dns-freenom may be removed in a future version. Please use dns-freenom instead.
Plugins selected: Authenticator certbot-dns-freenom:dns-freenom, Installer None
Cert not due for renewal, but simulating renewal for dry run
Simulating renewal of an existing certificate for *.example.com
Performing the following challenges:
dns-01 challenge for example.com
doLogin: Login successfully.
setRecord: Record added successfully
Waiting 300 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
delRecord: Record deleted successfully

IMPORTANT NOTES:
 - The dry run was successful.

Now when I use

sudo certbot renew --dry-run

The domains with the http-01 challenge are fine, but the dns-01 challenge failed:

Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Failed to renew certificate example.com-0001 with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')

I want all certificates, including dns-01 challenge, to be renewed automatically.

1 Like

Redo that entire long command but just without the --dry-run option. That resets the renewal conf files so that renew --dry-run and renew work.

Note this will recreate your live certs so make sure you will not reach any rate limits. You did not provide your domain name so I could not check that.

4 Likes

It works great now, thank you

4 Likes