Let’s Encrypt, nginx and certbot – a short story

Well, the duration – for me – was not short. It was about two weeks of living in Google.

Here’s the setup: I have a couple of servers in my DMZ that I want to share out. Some places only let web traffic out on the standard ports (TCP 80 and 443), so I wanted to share out the two servers on my single IP address. As I like to try different things, I decided on using nginx instead of Apache HTTPD. (I like both – some things in nginx seem a little more organized…) Setting up nginx as a reverse proxy – no problem at all!

Of course, I am – within reason, see my post on HTTPS everywhere – in agreement with encryption. Thus, Let’s Encrypt was next on the list. With my other static web servers (using Apache HTTPD) there was no problem; good old certbot is brain-dead easy.

Not with a reverse proxy (I also tried Apache HTTPD without luck) – at least for me. Repeated 404 errors… “not authorized”… Arrrgggg… Google university was of no help – all the same basic instructions. Same error. 

Until… 

I found this post on StackExchange by ph4r05. Basically, I had to use manual verification via the manual plugin with a DNS challenge. This meant adding a TXT record to my DNS server.

To do this:

certbot -d YOUR_FQDN_SERVER_NAME --manual --preferred-challenges dns certonly

This will give the response:

Please deploy a DNS TXT record under the name
_acme-challenge.YOUR_FQDN_SERVER_NAME with the following value:

667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc

Once this is deployed,
Press ENTER to continue

Of course, the value will change for you (and it will change each time you do a manual validation). Once you get that value you will need to add, on your (publicly accessible!) DNS server, a TXT record of:

_acme-challenge.YOUR_FQDN_SERVER_NAME TXT 667drNmQL3vX6bu8YZlgy0wKNBlCny8yrjF1lSaUndc

(or however your DNS server enters it).

You then have to wait until Google’s name servers (8.8.8.8 or 8.8.4.4) update. This took under 5 minutes for me. Once that is done (you can check propagation with the Linux dig command) hit ENTER. You will then have to put the paths to the Let’s Encrypt certificate and private key in your nginx site config, e.g.:

/etc/letsencrypt/live/YOUR_SITE_NAME/fullchain.pem
/etc/letsencrypt/live/YOUR_SITE_NAME/privkey.pem

Restart nginx – and Bob’s your uncle.
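As an added example (not code from the original post), here is a small shell script for the two points above: it polls a public resolver for the _acme-challenge TXT record so you press ENTER only once the token is really visible, and it prints the nginx TLS lines using the standard certbot paths. It assumes dig is installed; DOMAIN and TOKEN are the values certbot printed for you.

```shell
#!/bin/sh
# Added example (not the original post's code): check the _acme-challenge TXT
# record certbot asked for before pressing ENTER, then print the nginx TLS
# lines. Assumes: dig is installed (dnsutils / bind-utils); DOMAIN and TOKEN
# are the values certbot printed for you.

# Pure check: succeed (0) only if one line of dig's +short output is exactly
# the expected token. dig prints TXT data wrapped in double quotes.
txt_matches() {
  local dig_output="$1" expected="$2" line
  while IFS= read -r line; do
    line="${line%\"}"; line="${line#\"}"   # strip surrounding quotes
    [ "$line" = "$expected" ] && return 0
  done <<EOF
$dig_output
EOF
  return 1
}

# Poll a resolver (8.8.8.8 as in the post) until the record is visible,
# giving up after max_tries attempts 30 seconds apart.
wait_for_txt() {
  local domain="$1" expected="$2" resolver="${3:-8.8.8.8}" max_tries="${4:-10}"
  local name="_acme-challenge.$domain" i=1 out
  while [ "$i" -le "$max_tries" ]; do
    out="$(dig +short @"$resolver" "$name" TXT 2>/dev/null)"
    if txt_matches "$out" "$expected"; then
      echo "OK: $name serves the expected token via $resolver"
      return 0
    fi
    echo "try $i/$max_tries: token not visible yet, sleeping 30s" >&2
    sleep 30; i=$((i + 1))
  done
  return 1
}

# nginx TLS lines for the issued certificate; these are the standard certbot
# paths (note privkey.pem, and no trailing slash on fullchain.pem).
nginx_tls_lines() {
  printf 'ssl_certificate     /etc/letsencrypt/live/%s/fullchain.pem;\n' "$1"
  printf 'ssl_certificate_key /etc/letsencrypt/live/%s/privkey.pem;\n' "$1"
}

# Usage: . ./acme_txt_check.sh; wait_for_txt DOMAIN TOKEN && nginx_tls_lines DOMAIN
```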

Hopefully, someone else will find this post and it will save some time.

About Mike Pelley

Let’s see… A little about me… I’ve been around information technology since 1983 with computers such as DEC Rainbows (weird machine – the standard DOS couldn’t format its own floppy disks – remember them? – and I had to format them on a friend’s IBM PC) to Radio Shack TRS-80 to Apple ][e and Apple //c in the beginning. I have programmed in 8-bit assembly language on 6502, FORTRAN and COBOL on IBM System/370 (and I still hate JCL), VAX BASIC and COBOL (and a weird and massive WordPerfect 4.0 macro) on DEC VMS (Alpha), C/C++ on Digital Unix (ALPHA), and C/C++, Perl (it may be powerful but I still hate it), PHP on Linux (Red Hat, CentOS, Ubuntu, etc.). I have worked with databases such as Digital RDB (later to become Oracle RDB), Oracle DBMS, Microsoft SQL Server, MySQL and PostgreSQL on VAX, Alpha, Sun and Intel. Check out my professional profile and connect with me on LinkedIn. See http://lnkd.in/nhTRZe. I still think that Digital created some of the best ideas in the world: VAX clustering, DSSI disks (forerunner to SCSI) and the Alpha processor (first commercial 64-bit processor – Red Hat screamed on an Alpha!). DEC just could not seem to be able to give air conditioners away to someone lost in the Sahara Desert! VMware is one of the best ways to get the most out of an x64 server. And I have tried Oracle VM, VirtualBox and Microsoft Virtual Server. Outside of that I am a huge military history buff starting in the early 20th century. I love Ford Mustangs (my ’87 Mustang GT was awesome) and if I had the money I would have a Porsche 928S4. If I had a lot of money I would have a Porsche 911 Turbo. I also play too much ArmA 3 Exile mod. Over 5,000+ hours... I have a wonderful son, Cameron. I have a long-suffering (Do you really need all that computer junk?) wife, Paula. I live in Paradise, Newfoundland and Labrador.