
Letsencrypt without Port 80 Setup

Open typxyr opened this issue 7 years ago • 18 comments

I have found a script that possibly can be ported to nextcloudpi for using letsencrypt and duckdns when port 80 is blocked by ISP. I am no coder, but I have looked through it and it looks plausible.

The script is found at https://github.com/lukas2511/dehydrated/blob/master/dehydrated

The author has a tutorial for the project/script found here.

Is there any way this is possible to integrate into the ncp config?

typxyr avatar Nov 14 '17 07:11 typxyr

thanks, that would be a big improvement for us, we could close the HTTP port altogether, and even use non-conventional ports for HTTPS

somebody with time and energy to take on this?

nachoparker avatar Nov 14 '17 11:11 nachoparker

Without dehydrated, but using certbot's DNS option to verify, accomplished in 7 steps (doc here). Comments and help to fine-tune and, if possible, automate are very much appreciated.

ovpc avatar Nov 29 '17 10:11 ovpc

great!

let's see if we can start automating this process. If possible, it is better if we don't need to restart apache because it messes up when you fire from ncp-web. It's a minor issue but something to keep in mind.

thanks

nachoparker avatar Nov 29 '17 10:11 nachoparker

we now need someone to make these steps into a simple script, that would be eventually included in letsencrypt.sh

nachoparker avatar Dec 04 '17 14:12 nachoparker

we can add this script to the valuable resources list

https://github.com/Neilpang/acme.sh/blob/master/acme.sh

nachoparker avatar Dec 30 '17 10:12 nachoparker

acme.sh supports wildcard certificates and DNS challenge. Looking good!

nachoparker avatar May 18 '18 16:05 nachoparker

Also, seems like LE supports DNS challenge, worth investigating ofc

https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation

nachoparker avatar Jun 18 '18 12:06 nachoparker

When I return on Monday, I would like to try this project. Could you please assign it to me?

crossr1 avatar Jul 06 '18 06:07 crossr1

that's great! will you try the letsencrypt DNS challenge? or acme.sh? or both?

nachoparker avatar Jul 06 '18 10:07 nachoparker

@nachoparker - I will have to research and get back to you with the answer.

crossr1 avatar Jul 09 '18 00:07 crossr1

ALL of the above examples / scripts / procedures are to use the "DNS" challenge instead of the "HTTP" challenge. Dehydrated, like all of the other scripts for 'Letsencrypt', has only two ways to perform the 'letsencrypt challenge'. This is determined by the ACME protocol standard.

  1. http-01: uses HTTP only. If port 80 is blocked by an ISP, then there are two options:
    • redirect the HTTP request to HTTPS using the DNS records: because the ISP is blocking port 80 (HTTP request), it never gets to the web server. So, the redirect to HTTPS must be performed before trying to send the request through the ISP.
    • use the DNS challenge (option below)
  2. dns-01: uses the DNS challenge:
    • The DNS records for the web server (host) have to be updated with a 'TXT' record for the challenge. This requires the website admin to have the permissions to update the DNS records for the web server, usually through the DNS provider (e.g. Namecheap, duckdns, freeDNS, no-ip, spDYN, etc.). Note: this does impact the DNS; 'TXT' is a normal DNS record for notes related to the host.
    • Because the DNS record must be updated at the DNS provider, it requires sufficient privileges to update the DNS records for the host.

Reference Notes: ACME is a communication protocol standard set by the IETF (Internet Engineering Task Force, http://ietf.org). ACME's standards determine the authenticity of the website through two mechanisms:

  • http (https is NOT allowed) - https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.8.3
  • dns - https://ietf-wg-acme.github.io/acme/draft-ietf-acme-acme.html#rfc.section.8.4

ACME Protocol Clients - https://letsencrypt.org/docs/client-options/

crossr1 avatar Jul 18 '18 15:07 crossr1
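The two challenge types described in the comment above, worked through in code. This is an added example, not code from nextcloudpi, dehydrated, acme.sh or certbot. The account key JWK, the token and the domain are constructed sample values (a real client receives the token in the server's challenge object and uses its own account key). It computes the key authorization (RFC 8555 section 8.1), the http-01 response that must be served on port 80 (section 8.3) and the dns-01 TXT record (section 8.4), and mimics the CA's TXT lookup so the usual mistakes show up without touching the network.

```python
"""ACME http-01 vs dns-01 challenge responses, RFC 8555 sections 8.1, 8.3, 8.4.

Added illustration, not code from nextcloudpi or any ACME client. All inputs below
are constructed sample values.
"""
from __future__ import annotations

import base64
import hashlib
import json

# RFC 7638 section 3.2: the members that go into a JWK thumbprint, per key type.
# Anything else in the JWK ("alg", "use", "kid", ...) is deliberately ignored.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON (sorted keys, no whitespace)
    containing only the required members."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Section 8.1: keyAuthorization = token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """Section 8.3: the CA fetches http://<domain>/.well-known/acme-challenge/<token>
    over plain HTTP on port 80 and expects the key authorization as the body.
    This inbound port-80 request is exactly what an ISP block kills."""
    return (f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk))


def dns01_record(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """Section 8.4: the CA queries TXT _acme-challenge.<domain> and expects
    base64url(SHA-256(keyAuthorization)). No inbound connection to the host at all."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return (f"_acme-challenge.{domain}", b64url(digest))


def dns01_validates(txt_answers: list[str], domain: str, token: str, jwk: dict) -> bool:
    """Mimic the CA's check on the TXT RRset it got back for _acme-challenge.<domain>:
    it succeeds if any record matches, so stale records from earlier renewals are
    harmless, but a missing or wrongly computed value fails."""
    _, expected = dns01_record(domain, token, jwk)
    return any(rr == expected for rr in txt_answers)


# Constructed sample inputs (NOT a real key: a real RSA "n" is a 2048-bit+ modulus).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-sample-modulus", "alg": "RS256"}
SAMPLE_TOKEN = "Xl3Q4tVp2t9MvJ6k_constructed_token"  # a real token comes from the CA
SAMPLE_DOMAIN = "cloud.example.org"

if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_JWK)
    name, value = dns01_record(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"http-01: serve {body!r} at http://{SAMPLE_DOMAIN}{path}")
    print(f'dns-01:  publish  {name}. 60 IN TXT "{value}"')
    # Simulated provider answer: one stale record from the last renewal plus the new one.
    print("validates:", dns01_validates(["stale-from-last-renewal", value],
                                        SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK))
```

The point that matters for any lexicon/dehydrated/acme.sh glue script is that the TXT value is the base64url SHA-256 of the key authorization, not the key authorization itself (that string is only ever served as the http-01 body); publishing the wrong one fails validation. The record also has to be visible at the CA's resolvers before the challenge is triggered, so a hook that writes the TXT record should wait for propagation rather than returning immediately.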

The preliminary research indicates that the best approach would be:

Lexicon (aka dns-lexicon) - https://github.com/AnalogJ/lexicon

with either:

  • dehydrated - https://github.com/lukas2511/dehydrated
  • acme.sh - https://github.com/Neilpang/acme.sh
  • other script???

crossr1 avatar Jul 18 '18 15:07 crossr1

thanks Richard.

Well, lexicon seems an interesting find to modify those TXT records. There might even be some examples out there to do what we are trying to achieve.

If BASH-based solutions work, I am fine with that. LE is pretty slow on the pi. That being said, it is a well tested solution and I am also curious if we could make this work with LE. It seems like it supports the DNS challenge.

nachoparker avatar Jul 18 '18 17:07 nachoparker

I too am interested in helping. Specifically on using the dns challenge (freedns).

I am currently using freedns.afraid.org for my dns services.

Please direct me to where I can assist.

xelcho avatar Sep 10 '18 17:09 xelcho

great @xelcho! that's great!

well, @crossr1 told me that he had made some progress but I still haven't made time for a conversation about it.

let's discuss it here, Richard, so we can get more input/opinions/help!

cheers

nachoparker avatar Sep 11 '18 01:09 nachoparker

https://github.com/nextcloud/nextcloudpi/wiki/How-to-get-certificate-with-Letsencrypt-using-DNS-to-verify-domain

nachoparker avatar Dec 30 '18 20:12 nachoparker

It seems this (my) wiki page is outdated now, with v1.5.1 and the new letsencrypt-auto?

It also seems that letsencrypt-auto does not support the --preferred-challenges dns option? ;-( That is the only way to get a certificate if NC is on an alternate port.

ovpc avatar Jan 31 '19 13:01 ovpc

Are there any updates?

nictronik99 avatar May 19 '22 15:05 nictronik99