Dear All
I’m a happy owner of a olimex-freedombox-pioneer since around 30h. So far it looks really nice, but I’m only just getting my toes wet
Installing SSL Cert
So I’m using gandi.info for my domain and using https://github.com/obynio/certbot-plugin-gandi to get a certificate (or two).
so this is what I see in the letsencrypt part of plinth:
So the cert(s) look ok. Sadly I have no clue how to install the certificate now?
in which webserver is plinth hostet? Can somebody direct me to the right bit of documentation? I will gladly try and update the wiki If i get this to work.
Thanks a lot in advance!
Information
FreedomBox version: 20.3
Hardware: Olimex A20 lime2
How did you install FreedomBox?: bought pre-installed hardware’
Dear @nkatakis
Thank for your suggestion as well as the link!
My Problem is not the DDNS part. That works.
I’m not exposing port 80 or 443 to the Internet. Instead I requested a SSL cert by DNS challenge. This works as well. I Have both a domain and a matching certificate.
I do however not know how to tell the webserver that it should serve the cert along with the website (s). Here plinth. I think this is called installing. In the picture above it says website Security is Disabled. I want to enable it. Thanks a lot for all hints and tips!
so, what actually worked for me was this:
Out of a lar I pressed “re-obtain” and lo and behold: plinth and dashboard now work with the cert that correspond to the hostname! So I did not try your suggestion.
For me the important thing is this:
if creating letsencrypt certificates (with certbot) using e.g. the DNS challange (i used [1]) then it looks like certbot (and thereby freedombox) is able to renew and install the certificate after the initial issuing. Just hit “re-obtain”. I’m pretty sure that your suggestion (replacing the self singed certs with the manually installed) would have worked as well. But i guess in that case one would have to move/copy it with each renewal?
Thanks for your help!
[1] certbot-plugin-gandi from github, link in first post.
PS: The wiki can only be edieted after writing an email to wiki@debian.org. My suggestion would be to add this to the manual (can somebody please double-check, and maybe post this if it is ok)?
8.4. Obtaining Letsencrypt certificates by modifying DNS
Currently freedombox automates getting certificates for systems that expose port 80 to the internet. If you do not want to do that but have the full control over a domain name, you can use certbot directly with one of the DNS plugins. Please refer to https://certbot.eff.org/docs/using.html#getting-certificates-and-choosing-plugins and following.
once you get your certificate, go to system -> letsencrypt in plinth you should see that you have a valid certificate but “Web Security” will show “Disabled”. If you press the “Re-obtain” button, certbot and freedombox will work together to update and install the certificate for you! If all works as expected it even should review automatically from now on
You re saying that you re not exposing the web server ports so FreedomBox is still not managing your certificates and wont be able to renew! In order for FreedomBox to be able to obtain certificates from Lets Encrypt you need to open those ports (80, 443).
You will still need to obtain manually every time it expires if you do not expose the webserver on the Internet.
Yes.
I us gandi.net for my domain management. They offer automation using an API-Key.
I therefore ran apt-cache search gandi on my freedombox.
I found that there is python3-certbot-dns-gandi and installed it
sudo apt-get install python3-certbot-dns-gandi
sudo vi /etc/certbot-plugin-gandi/gandi.ini
and put in there
certbot_plugin_gandi:dns_api_key=APIKEY (i replaced APIKEY with my own one).
then running
certbot certonly -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials gandi.ini -d mysub.mydomain.info
so it looks like letsencrypt saves some stuff so that it can attempt renewals.
I assume also freedombox / plinth did not renew the cert but skipped the renewal. But it then continued to (successfully) install the cert.
Not sure I agree. If I manage to change the renewal config in such a way that it validates using the gandi plugin it should work, right? (as long as freedombox / plinth just does a “certbot renew” and nothing else fancy).
Thanks a gain for your patience I’m learning quite a bit right now!
[Edit: fixed formatting and one typo]
This will work. And it will work as it s included in the certbot functionality. But you re already managing your certificates separately of the freedobox installation!
thanks, yes i did “get” the cert manually (outside freedombox). but I had / have no clue how they are installed. so for me it was already helpful to find that tying to re-obtain will install the correctly.
Follow up to my own post in case others are trying get renewal working using certbot-plugin-gandi:
Renewal will not work with only “certbot renew -q” which is what is happening in freedombox.
In /usr/lib/systemd/system/certbot.service i changed the ExecStart line to read
ExecStart=/usr/bin/certbot renew -q -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials /etc/certbot-plugin-gandi/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory
dry-run was successfull now i hope this will also work to renew the cert once it is due. I will report back
[edit fixed formating of quote]
just quick comment to let you know that i appreciated reading your adventures with certbot…
im still trying to setup my system a bit - and because of previous-failed attempts - i have obtained (but am not currently using on this attempt) a valid LetsEncrypt certificate… i plan to migrate that certificate and will probably do something similar to what you did (manual entries) once i get further along…
