Well, the duration – for me -was not short. It was about two weeks of living in Google.\u00a0<\/p>\r\n\r\n\r\n\r\n
Here’s the setup: I have a couple of servers in my DMZ that I want share out. Some places do not let web traffic out on non-standard ports (i.e., TCP 80 and 443) so I wanted to share out the two servers on my single IP address. As I like to try different things, I decided on using nginx instead of Apache HTTPD. (I like both – some things in nginx seem a little more organized…) Setting up nginx as a reverse proxy – no problem at all!\u00a0<\/p>\r\n\r\n\r\n\r\n
Of course, I am – within reason, see my post on HTTPS everywhere<\/a> – in agreement with encryption. Thus, Let’s Encrypt was next on the list. With my other static web servers (using Apache HTTPD) no problem; good old certbot is brain dead easy.<\/p>\r\n\r\n\r\n\r\n Not with a reverse proxy (I also tried Apache HTTPD without luck) – at least for me. Repeated 404 errors… “not authorized”… Arrrgggg… Google university was of no help – all the same basic instructions. Same error.\u00a0<\/p>\r\n\r\n\r\n\r\n Until…\u00a0<\/p>\r\n\r\n\r\n\r\n I found this<\/a> post on StackExchange by\u00a0ph4r05<\/a>. Basically, I had to use a\u00a0manual verification with the manual plugin. This meant adding a TXT record to my DNS server.\u00a0<\/p>\r\n\r\n\r\n\r\n To do this:<\/p>\r\n\r\n\r\n\r\n This will give the response:<\/p>\r\n\r\n\r\n\r\n Of course, the value will change for you (and it will change each time you do a manual validation). Once you get that key you will need to go into your (publicly accessible!) DNS server with a TXT record of:<\/p>\r\n\r\n\r\n\r\n (or however your DNS server enter it).<\/p>\r\n\r\n\r\n\r\n You then have to\u00a0wait<\/em> until Google’s name servers (8.8.8.8 or 8.8.4.4) updates. This took under 5 minutes for me. Once that is done (you can check with the linux dig command for propagation) hit ENTER. You will then have to put in your nginx site config the paths to the Let’s Encrypt certificates;e.g.,:<\/p>\r\n\r\n\r\n\r\n Restart nginx – and Bob’s your uncle.<\/p>\r\n\r\n\r\n\r\n Hopefully, someone else will find this post and it will save some time.<\/p>\r\n","protected":false},"excerpt":{"rendered":" Well, the duration – for me -was not short. It was about two weeks of living in Google.\u00a0 Here’s the setup: I have a couple of servers in my DMZ that I want share out. Some places do not let … Continue reading certbot -d YOUR_FQDN_SERVER_NAME --manual --preferred-challenges dns certonly<\/code><\/pre>\r\n\r\n\r\n\r\nPlease deploy a DNS TXT record under the name\r\n_acme-challenge.YOUR_FQDN_SERVER_NAME with the following value:\r\n\r\n667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc\r\n\r\nOnce this is deployed,\r\nPress ENTER to continue<\/code><\/pre>\r\n\r\n\r\n\r\n_acme-challenge.YOUR_FQDN_SERVER_NAME TXT\u00a0667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc<\/pre>\r\n\r\n\r\n\r\n
\/etc\/letsencrypt\/live\/YOUR_SITE_NAME\/fullchain.pem\/
\/etc\/letsencrypt\/live\/YOUR_SITE_NAME\/pivkey.pem<\/pre>\r\n\r\n\r\n\r\n