Letsencrypt - Adding Subdomains on Freedombox
My setup: Raspberry Pi 3B/ Raspbian GNU/Linux 10 (buster) and FreedomBox version 20.5.
(NOTE: the following is all part of a greater effort to get a TURN server running with Riot/Matrix and NextCloud Talk. As I understand it I need two secured subdomains to set up STUN and TURN!)
SOLUTION SUMMARY
To add subdomain names to an existing Letsencrypt certificate on a Freedombox, the following commands worked for me.
Install the Apache server certbot connector:
sudo apt install python3-certbot-apache
Then add the subdomain names to the existing domain’s Letsencrypt certificate:
`sudo certbot --apache --expand -d domainname.com -d subone.domainname.com -d subtwo.domainname.com`
Example:
`sudo certbot --apache --expand -d mydomain.ddnsfree.com -d turn.mydomain.ddnsfree.com -d stun.mydomain.ddnsfree.com`
BACKGROUND AND EXTENDED STEPS
I basically pieced together the above commands that I needed from these two pages (I have given a full explanation of the steps I went through with Freedombox to get this set up below):
The steps I followed
NOTE: I have used my test domain and subdomain names below, obviously these need to be changed for your domain and subdomain names.
Domain Name and DDNS Setup
- set up a DDNS client. In my case I used the DDNS function on my DD-WRT router, but the built-in Freedombox DDNS client can be used just as well;
- set up the home router port forwarding to the Freedombox machine on the local network.
Freedombox Configuration
- get Letsencrypt certificate for the domain name, System > Letsencrypt – see screenshot below
Add Subdomains to Letsencrypt Certificate
sudo apt install python3-certbot-apache
NOTE: I initially got the error message `certbot: error: unrecognized arguments: --apache2` when running the command below, and then discovered that I had to install the python3-certbot-apache package, as above!
- run the following Letsencrypt command to add the subdomains to the existing domain certificate:
`sudo certbot --apache --expand -d mydomain.ddnsfree.com -d turn.mydomain.ddnsfree.com -d stun.mydomain.ddnsfree.com`
I then had to make a number of selections based on the following output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for stun.mydomain.ddnsfree.com
http-01 challenge for turn.mydomain.ddnsfree.com
Waiting for verification...
Cleaning up challenges
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/50-freedombox
Output from 50-freedombox:
Let's Encrypt calling deploy hook for FreedomBox: Domains: 'mydomain.ddnsfree.com turn.mydomain.ddnsfree.com stun.mydomain.ddnsfree.com' Lineage: '/etc/letsencrypt/live/mydomain.ddnsfree.com'
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
We were unable to find a vhost with a ServerName or Address of turn.mydomain.ddnsfree.com.
Which virtual host would you like to choose?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: freedombox-tls-site-macro.conf | | HTTPS | Enabled
2: freedombox-tls-site-macro.conf | | HTTPS | Enabled
3: 000-default.conf | | | Enabled
4: default-ssl.conf | | HTTPS | Enabled
5: 000-default-le-ssl.conf | mydomain.ddnsfree | HTTPS | Enabled
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-5] then [enter] (press 'c' to cancel): 5
NOTE: I chose option 5 (as can be seen above)
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
We were unable to find a vhost with a ServerName or Address of stun.mydomain.ddnsfree.com.
Which virtual host would you like to choose?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: freedombox-tls-site-macro.conf | | HTTPS | Enabled
2: freedombox-tls-site-macro.conf | | HTTPS | Enabled
3: 000-default.conf | | | Enabled
4: default-ssl.conf | | HTTPS | Enabled
5: 000-default-le-ssl.conf | Multiple Names | HTTPS | Enabled
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-5] then [enter] (press 'c' to cancel): 5
NOTE: I chose option 5 (as can be seen above)
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
NOTE: I chose option 2 (as can be seen above)
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.
The new certificate covers the following domains:
https://mydomain.ddnsfree.com, https://turn.mydomain.ddnsfree.com, and
https://stun.mydomain.ddnsfree.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=mydomain.ddnsfree.com
https://www.ssllabs.com/ssltest/analyze.html?d=turn.mydomain.ddnsfree.com
https://www.ssllabs.com/ssltest/analyze.html?d=stun.mydomain.ddnsfree.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mydomain.ddnsfree.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mydomain.ddnsfree.com/privkey.pem
Your cert will expire on 2020-07-15. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Done!
Test the Subdomain HTTPS Connections
Test as per the suggestions in the output above.
I can now access my Freedombox with all three domain/subdomains via HTTPS without the browser complaining.
Joy!
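An added check, not part of the original post: rather than relying only on the browser not complaining, you can confirm locally that the certificate certbot wrote to `/etc/letsencrypt/live/<domain>/fullchain.pem` actually lists every hostname in its Subject Alternative Name extension and is not close to expiry, and fetch the certificate Apache serves for each name (with SNI, so a multi-vhost server returns the right one) and run the same check on it. The script assumes `openssl` is installed; `make_demo_cert` builds a throwaway self-signed certificate with the three names from this post as constructed sample input, so the checks can be tried offline before pointing them at the real files.

```sh
#!/bin/sh
# Added example (not from the original post or FreedomBox): verify which names
# a PEM certificate covers and how long it stays valid. Assumes openssl.

# cert_dns_names CERT.pem -> print the DNS names in the SAN extension, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# cert_covers_names CERT.pem NAME... -> exit 0 if every NAME is in the SAN list,
# otherwise print the missing names on stderr and exit 1.
cert_covers_names() {
    cert="$1"; shift
    names=$(cert_dns_names "$cert")
    missing=""
    for want in "$@"; do
        if ! printf '%s\n' "$names" | grep -qx "$want"; then
            missing="$missing $want"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing from $cert:$missing" >&2
        return 1
    fi
    return 0
}

# cert_valid_for_days CERT.pem DAYS -> exit 0 if the cert is still valid DAYS from now.
# Let's Encrypt certs last 90 days; certbot renews at 30, so anything under ~30
# days left means the renewal timer is not doing its job.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# served_cert_covers_name HOST -> fetch the certificate HOST:443 serves for that
# SNI name and check it covers HOST. Needs network access; exit 2 on connect failure.
served_cert_covers_name() {
    host="$1"
    tmp=$(mktemp)
    if ! openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
            | openssl x509 -outform PEM > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    cert_covers_names "$tmp" "$host"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample input: a self-signed cert (NOT a Let's Encrypt cert) carrying
# the same three names as the post, written as DIR/fullchain.pem + DIR/privkey.pem.
make_demo_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
        -subj "/CN=mydomain.ddnsfree.com" \
        -addext "subjectAltName=DNS:mydomain.ddnsfree.com,DNS:turn.mydomain.ddnsfree.com,DNS:stun.mydomain.ddnsfree.com" \
        >/dev/null 2>&1
}

# Usage on a real box:
#   sh check-cert.sh /etc/letsencrypt/live/mydomain.ddnsfree.com/fullchain.pem \
#       mydomain.ddnsfree.com turn.mydomain.ddnsfree.com stun.mydomain.ddnsfree.com
# Only runs when arguments are given, so the functions can be sourced or tested.
if [ "$#" -ge 2 ]; then
    cert_covers_names "$@" && cert_valid_for_days "$1" 30 && echo "OK: $1 covers all names"
    shift
    for h in "$@"; do
        served_cert_covers_name "$h" && echo "OK: $h serves a matching certificate"
    done
fi
```

Run it against the live cert path once after the certbot run and again after the first automatic renewal; the second run is the one that catches a renewal config that silently dropped the subdomains.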
Please let me know if I have done anything stupid here or if this could be achieved more efficiently or leave any other comment – thanks.