In the nginx reverse proxy (see post 19)
The nginx
will then always do:
So, it really matters not what you put there (in the nginx ).
For added visualization, try:
http://your.outside.IP/
My external IP shows nginx default and that's fine.
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working. Further configuration is required.
For online documentation and support please refer to nginx.org.
Commercial support is available at nginx.com.
Thank you for using nginx.
The contents of:
http://192.168.1.106
was expected.
There must be more to the nginx config [that you have NOT shown].
In nginx I created one config file for all vhosts.
#---subdomain---
server {
server_name subdomain.example.com;
location / {
proxy_pass http://192.168.1.106;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com-0001/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = subdomain.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name subdomain.example.com;
return 404; # managed by Certbot
}
#---subdomain2---
server {
server_name subdomain2.example.com;
location / {
proxy_pass http://192.168.1.106;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/example.com-0001/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com-0001/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = subdomain2.example.com) {
return 301 https://$host$request_uri;
} # managed by Certbot
listen 80;
server_name subdomain2.example.com;
return 404; # managed by Certbot
}
Now everything works great.
I would still like to automate the certificate renewal process. However, I use a DNS server freenom.
Freenom has an API but I'm not a programmer, so I can't create a script to automate the process.
Glad to hear that but I tend to disagree.
That -0001 generally indicates a problem.
Please show the output of:
certbot certificates
And also the file:
/etc/letsencrypt/renewal/EXAMPLE.COM.conf
I'm sorry, but in the config and log files I rewrite my real domain as example.com.
Certificate Name: example.com-0001
Domains: *.example.com
Expiry Date: 2022-04-03 10:31:15+00:00 (VALID: 84 days)
Certificate Path: /etc/letsencrypt/live/example.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.com-0001/privkey.pem
Certificate Name: example.com
Domains: example.com www.example.com
Expiry Date: 2022-03-19 17:59:53+00:00 (VALID: 70 days)
Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/example.com-0001
cert = /etc/letsencrypt/live/example.com-0001/cert.pem
privkey = /etc/letsencrypt/live/example.com-0001/privkey.pem
chain = /etc/letsencrypt/live/example.com-0001/chain.pem
fullchain = /etc/letsencrypt/live/example.com-0001/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 45c8bc5977a3aaddfc232bb2161c9305
pref_challs = dns-01,
authenticator = manual
manual_public_ip_logging_ok = True
server = https://acme-v02.api.letsencrypt.org/directory
The first cert is good for all names that end with ".example.com" [not good for example.com].
The second cert is only good for example.com and www.example.com.
So, if that is how you use them, then continue to do so.
The first does require renewal via DNS authentication.
Which means, in order to automate the renewal, it will need an ACME client that includes a DNS API plugin for the DSP (DNS Service Provider) used.
The second can be easily renewed via HTTP authentication.
So...
Does the ACME client support that DSP?
[if not, then you may need to switch to another ACME client that does]
I installed this plugin in the new LXC. It works well and the certificate was automatically renewed via the DNS-01 challenge.
I've used the update so far
sudo certbot --nginx
only HTTP-01 Challenge
How to make HTTP-01 and DNS-01 updated automatically now?
If by update you mean renew, then use:
sudo certbot renew
That means if I use
sudo certbot renew
both HTTP-01 and DNS-01 challenges will work?
DNS-01 challenges require the use of DNS API that can update the DNS zone automatically.
If that was used during the cert issuance, then it can be reused during the renewal.
If the DNS settings were done manually, then certbot can't renew them automatically (without further manual assistance).
Then my statement remains true.
[and can be used by ALL future readers]
Thank you friends, I'll try it tomorrow.
You might need to wait a few days (or weeks) until the cert(s) are ready to be renewed.
Look at:
certbot certificates
[to better understand when a renewal would be needed]
I want to build a new reverse proxy server.
It now works on a Debian 10 LXC. The new server will be Debian 11. I don't want to do everything from scratch again.
I installed it on the old servers like this
sudo apt-get install certbot -y python-certbot-nginx -y
When I want to use certbot-dns-freenom, do I have to install it like this?
sudo pip install certbot certbot-dns-freenom python-certbot-nginx
I have 10 domains on my reverse proxy, which obtains LE certificates.
If I didn't use the DNS challenge (http challenge only) then everything worked very well.
I used this command for the test
sudo certbot renew --dry-run
After the plugin is installed
sudo pip install certbot certbot-dns-freenom
I tried manual dry-renew
sudo certbot certonly -a certbot-dns-freenom:dns-freenom --certbot-dns-freenom:dns-freenom-credentials /home/gusto1/credentials.ini --certbot-dns-freenom:dns-freenom-propagation-seconds 300 -d "*.example.com" -m admin@example.com --agree-tos -n --dry-run
result
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugin legacy name certbot-dns-freenom:dns-freenom may be removed in a future version. Please use dns-freenom instead.
Plugins selected: Authenticator certbot-dns-freenom:dns-freenom, Installer None
Cert not due for renewal, but simulating renewal for dry run
Simulating renewal of an existing certificate for *.example.com
Performing the following challenges:
dns-01 challenge for example.com
doLogin: Login successfully.
setRecord: Record added successfully
Waiting 300 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges
delRecord: Record deleted successfully
IMPORTANT NOTES:
- The dry run was successful.
Now that I use it
sudo certbot renew --dry-run
The domains with the http-01 challenge are fine, but the dns-01 challenge failed:
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
Failed to renew certificate example.com-0001 with error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.')
I want all certificates, including dns-01 challenge, to be renewed automatically.
Redo that entire long command but just without the --dry-run option. That resets the renewal conf files so that renew --dry-run and renew work.
Note this will recreate your live certs so make sure you will not reach any rate limits. You did not provide your domain name so I could not check that.
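The renewal failure above comes from the lineage's renewal conf still saying authenticator = manual with no manual_auth_hook, so unattended renew has no way to answer dns-01. Here is an added audit script (not from this thread or from certbot) that parses renewal confs and flags lineages that cannot renew unattended, plus the -0001 suffix that signals a duplicate lineage; the two sample confs are constructed, and the dns-freenom authenticator name in the second is assumed.

```python
import os
import re

RENEWAL_DIR = "/etc/letsencrypt/renewal"  # certbot's default layout (assumed)

# Constructed sample confs (not copied from the thread): a manual/dns-01 lineage
# like the failing one above, and a lineage issued with the dns-freenom plugin.
MANUAL_CONF = """archive_dir = /etc/letsencrypt/archive/example.com-0001
[renewalparams]
pref_challs = dns-01,
authenticator = manual
"""
PLUGIN_CONF = """archive_dir = /etc/letsencrypt/archive/example.com
[renewalparams]
pref_challs = dns-01,
authenticator = dns-freenom
"""

def parse_renewal_conf(text):
    """Parse certbot's INI-like renewal conf into {section: {key: value}};
    keys that appear before any [section] header land under ''."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def audit_lineage(name, text):
    """Return findings for one lineage; [] means unattended renew can proceed."""
    params = parse_renewal_conf(text).get("renewalparams", {})
    findings = []
    if params.get("authenticator") == "manual" and not params.get("manual_auth_hook"):
        findings.append("manual authenticator without manual_auth_hook: "
                        "non-interactive 'certbot renew' will fail")
    if re.search(r"-\d{4}$", name):  # e.g. example.com-0001
        findings.append("suffixed lineage name: probably a duplicate lineage")
    return findings

def audit_directory(path=RENEWAL_DIR):
    """Audit every <name>.conf under path (returns {} if the dir is absent)."""
    report = {}
    for fn in (sorted(os.listdir(path)) if os.path.isdir(path) else []):
        if fn.endswith(".conf"):
            with open(os.path.join(path, fn)) as f:
                report[fn[:-5]] = audit_lineage(fn[:-5], f.read())
    return report
```

Run audit_directory() on the proxy host before relying on a cron or systemd timer for certbot renew; any lineage with findings is the one that will surface in renew --dry-run.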
It works great now, thank you