Installing a SSL Certificate manually

Dear All
I’m a happy owner of a olimex-freedombox-pioneer since around 30h. So far it looks really nice, but I’m only just getting my toes wet :wink:

Installing SSL Cert
So I’m using gandi.info for my domain and using https://github.com/obynio/certbot-plugin-gandi to get a certificate (or two).
so this is what I see in the letsencrypt part of plinth:

So the cert(s) look ok. Sadly I have no clue how to install the certificate now?
in which webserver is plinth hostet? Can somebody direct me to the right bit of documentation? I will gladly try and update the wiki If i get this to work.
Thanks a lot in advance!

Information

  • FreedomBox version: 20.3
  • Hardware: Olimex A20 lime2
  • How did you install FreedomBox?: bought pre-installed hardware’

You should probably check out the dynamic DNS section of the FreedomBox manual.
I believe it covers your use case.

Dear @nkatakis
Thank for your suggestion as well as the link!
My Problem is not the DDNS part. That works.
I’m not exposing port 80 or 443 to the Internet. Instead I requested a SSL cert by DNS challenge. This works as well. I Have both a domain and a matching certificate.
I do however not know how to tell the webserver that it should serve the cert along with the website (s). Here plinth. I think this is called installing. In the picture above it says website Security is Disabled. I want to enable it. Thanks a lot for all hints and tips!

You can move your obtained certs in
/etc/ssl/private/ssl-cert-snakeoil.key
/etc/ssl/certs/ssl-cert-snakeoil.pem

and restart all the services or better reboot the box.

If you re not exposing your services on the public internet though you could keep using the auto generated self signed ones.

so, what actually worked for me was this:
Out of a lar I pressed “re-obtain” and lo and behold: plinth and dashboard now work with the cert that correspond to the hostname! So I did not try your suggestion.
For me the important thing is this:
if creating letsencrypt certificates (with certbot) using e.g. the DNS challange (i used [1]) then it looks like certbot (and thereby freedombox) is able to renew and install the certificate after the initial issuing. Just hit “re-obtain”. I’m pretty sure that your suggestion (replacing the self singed certs with the manually installed) would have worked as well. But i guess in that case one would have to move/copy it with each renewal?
Thanks for your help!
[1] certbot-plugin-gandi from github, link in first post.

PS: The wiki can only be edieted after writing an email to wiki@debian.org. My suggestion would be to add this to the manual (can somebody please double-check, and maybe post this if it is ok)?

8.4. Obtaining Letsencrypt certificates by modifying DNS

Currently freedombox automates getting certificates for systems that expose port 80 to the internet. If you do not want to do that but have the full control over a domain name, you can use certbot directly with one of the DNS plugins. Please refer to https://certbot.eff.org/docs/using.html#getting-certificates-and-choosing-plugins and following.
once you get your certificate, go to system -> letsencrypt in plinth you should see that you have a valid certificate but “Web Security” will show “Disabled”. If you press the “Re-obtain” button, certbot and freedombox will work together to update and install the certificate for you! If all works as expected it even should review automatically from now on

1 Like

I am a bit confused here. I think I should try to repeat the steps you went through:

  • You installed manually a certbot dynamic DNS plugin after freedombox installation
  • After that you created a certificate using the dynamic DNS plugin - How? Can you explain more?
  • Then you click reobtain in Freedombox and the cerificate was put in place(?)

I have a few objections here.

For start, Freedombox is using the webroot authenticator.

You re saying that you re not exposing the web server ports so FreedomBox is still not managing your certificates and wont be able to renew! In order for FreedomBox to be able to obtain certificates from Lets Encrypt you need to open those ports (80, 443).

You will still need to obtain manually every time it expires if you do not expose the webserver on the Internet.

Yes.
I us gandi.net for my domain management. They offer automation using an API-Key.
I therefore ran apt-cache search gandi on my freedombox.
I found that there is python3-certbot-dns-gandi and installed it

sudo apt-get install python3-certbot-dns-gandi
sudo vi /etc/certbot-plugin-gandi/gandi.ini

and put in there

certbot_plugin_gandi:dns_api_key=APIKEY (i replaced APIKEY with my own one).

then running

certbot certonly -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials gandi.ini -d mysub.mydomain.info

yes. thats what it looks like

I’m aware. I’m also surprised that this worked. To better understand what is going on, I just ran

sudo certbot renew 

Result

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mysub.mydomain.info.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/mysub.mydomain.info/fullchain.pem expires on 2020-06-11 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

so it looks like letsencrypt saves some stuff so that it can attempt renewals.
I assume also freedombox / plinth did not renew the cert but skipped the renewal. But it then continued to (successfully) install the cert.

Not sure I agree. If I manage to change the renewal config in such a way that it validates using the gandi plugin it should work, right? (as long as freedombox / plinth just does a “certbot renew” and nothing else fancy).
Thanks a gain for your patience I’m learning quite a bit right now!
[Edit: fixed formatting and one typo]

This will work. And it will work as it s included in the certbot functionality. But you re already managing your certificates separately of the freedobox installation!

thanks, yes i did “get” the cert manually (outside freedombox). but I had / have no clue how they are installed. so for me it was already helpful to find that tying to re-obtain will install the correctly.

Follow up to my own post in case others are trying get renewal working using certbot-plugin-gandi:
Renewal will not work with only “certbot renew -q” which is what is happening in freedombox.
In /usr/lib/systemd/system/certbot.service i changed the ExecStart line to read

ExecStart=/usr/bin/certbot renew -q -a certbot-plugin-gandi:dns --certbot-plugin-gandi:dns-credentials /etc/certbot-plugin-gandi/gandi.ini --server https://acme-v02.api.letsencrypt.org/directory

dry-run was successfull now i hope this will also work to renew the cert once it is due. I will report back
[edit fixed formating of quote]