Raspberry-Pi 3 B+ support

PhilipPeake · May 20, 2018, 4:20pm

I need to obtain certificates for R-Pi 3 B+ instances. Note, this is NOT for web servers, in fact ports 80 and 443 will not be available from these, so I need to do DNS verification.

However, the certbot version available from the repository is 0.10, and doesn’t support DNS, only web verification…

The website indicates that there is a repository available with up to date versions … but that doesn’t work. Looking up debian 9 stretch, we find:

apt-get -t stretch-backports install certbot
Reading package lists… Done

E: The value ‘stretch-backports’ is invalid for APT::Default-Release as such a release is not available in the sources

Is an up to date version planned for this platform?

jmorahan · May 20, 2018, 4:25pm

If you’re using raspbian, I don’t think stretch-backports is available, but you should be able to use certbot-auto - go to https://certbot.eff.org and select “Debian (other)” as your operating system, then follow the instructions.

If you do use certbot-auto with DNS-01 then you may also find this helpful.

PhilipPeake · May 20, 2018, 4:38pm

That has no support for DNS verification. It wants a file placed in a webserver.
There is no webserver, and ports 80/443 are not available externally.

No --prefered-challenges option

jmorahan · May 20, 2018, 4:44pm

Sorry, I should have been more clear: follow the installation instructions there certbot-auto does support DNS verification and the --preferred-challenges option, it’s just not mentioned on that page. The second link in my post (which I added in afterwards) has information about how to use certbot-auto with DNS verification.

schoen · May 20, 2018, 4:51pm

I would also mention that people have had some good results using some non-Certbot clients on Raspberry Pis

in case you don’t find a convenient Certbot installation method.

PhilipPeake · May 20, 2018, 4:52pm

I don’t see it…

./certbot-auto --help

certbot-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. The most common SUBCOMMANDS and flags are:

obtain, install, and renew certificates:
(default) run Obtain & install a certificate in your current webserver
certonly Obtain or renew a certificate, but do not install it
renew Renew all previously obtained certificates that are near
expiry
enhance Add security enhancements to your existing configuration
-d DOMAINS Comma-separated list of domains to obtain a certificate for

–apache Use the Apache plugin for authentication & installation
–standalone Run a standalone webserver for authentication
–nginx Use the Nginx plugin for authentication & installation
–webroot Place files in a server’s webroot folder for authentication
–manual Obtain certificates interactively, or using shell script
hooks

-n Run non-interactively
–test-cert Obtain a test certificate from a staging server
–dry-run Test “renew” or “certonly” without saving any certificates
to disk

manage certificates:
certificates Display information about certificates you have from Certbot
revoke Revoke a certificate (supply --cert-path)
delete Delete a certificate

manage your account with Let’s Encrypt:
register Create a Let’s Encrypt ACME account
–agree-tos Agree to the ACME server’s Subscriber Agreement
-m EMAIL Email address for important account notifications

More detailed help:

-h, --help [TOPIC] print this message, or detailed help on a topic;
the available TOPICS are:

all, automation, commands, paths, security, testing, or any of the
subcommands or plugins (certonly, renew, install, register, nginx,
apache, standalone, webroot, etc.)

schoen · May 20, 2018, 4:53pm

The --preferred-challenges option for DNS authentication would mainly only be available with --manual.

jmorahan · May 20, 2018, 5:00pm

certbot-auto --help doesn’t list all the options available, just a summary of the most common ones. Try certbot-auto --help all for the full list, or certbot-auto --help manual for just the options relevant to the manual plugin (which is the only one that both works with DNS-01 and is available by default with certbot-auto).

Do read https://id-rsa.pub/post/certbot-auto-dns-validation-with-lexicon/ though, especially if you don’t want to have to renew manually every couple of months.

Or as @schoen suggested, consider using another ACME client - for example acme.sh is known for having good DNS support, and is quite lightweight which might also be important on something like a Raspberry Pi.

Patches · May 20, 2018, 7:29pm

You have to enable backports to be able to use it:

https://backports.debian.org/Instructions/

Debian Backports are built against Debian's official ARMv7 build and not the unofficial Raspbian ARMv6 build, so they are not officially compatible. But they usually work just fine with the Raspberry Pi version 2 or later, since these do have an ARMv7 processor.

I haven't got my hands on a 3B+ yet, but certbot from backports on stretch runs fine on the original 3B.

PhilipPeake · May 20, 2018, 7:43pm

Yep. did that. That was the error message after doing that.

Patches · May 20, 2018, 7:46pm

When you run sudo apt-get update, do you see it download metadata files related to stretch-backports? Does it report any warnings or errors?

PhilipPeake · May 20, 2018, 8:13pm

Interesting …
I tried it again, to capture the output to paste here, and guess what?
It worked … and installed certbot 0.23

I wonder if someone fixed something? (Because I changed nothing …)

Anyway, I am now a happy camper - at least on this topic. There are still a ton of things that I want for my project, with no packages … and most of those won’t build …

Maybe I was mistaken thinking Raspbian was a real distro…

Patches · May 20, 2018, 8:43pm

Maybe there was an error when you ran apt-get update before or you missed that step of the instructions.

I find Raspbian to be the path of least resistance whenever I want to take advantage of the unique hardware capabilities of the Pi. Generic distros have gotten a lot better as of late about supporting all GPIO/I2C/etc functions and peripherals of these computers but they’ll always be a step behind the distribution the hardware makers actually work on.

If you’re just using it for things you would use a x86 server for you will indeed probably be happier with your favorite operating system. Most generic Linux distros and BSDs (and even a stripped down version of Windows) run on version 2 or later Pis, but 3B+ support might be lacking or require the newest or even a pre-release since it is so new.

system · June 19, 2018, 8:55pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.