💾 Archived View for zaibatsu.circumlunar.space › ~visiblink › phlog › 20200417 captured on 2021-12-03 at 14:04:38.
-=-=-=-=-=-=-
Let's Encrypt Without Port 80
=============================

If you're a regular reader of this irregular phlog, you'll know that my VPS hosting company discontinued its OpenVZ service a few days ago, which disrupted the circumlunar.space XMPP service that I host, and left me scrambling to find a new VPS. One of my self-imposed conditions was to find a VPS outside the United States. I would have preferred a server in Canada (like the old one), but could not find one at a reasonable price. The new one is in Germany.

My absolutely favoured solution would have been to host the XMPP service from home, on the Raspberry Pi Zero W that hosts my personal gopher site. But that seemed near impossible. My ISP blocks port 80 and a host of others. Without port 80, obtaining a Let's Encrypt certificate was a challenge. (The usual HTTP-01 challenge is validated by the CA over port 80.) I need the certificate to secure the XMPP traffic (tx/rx), and also wanted it so that I could host WebDAV / CalDAV / CardDAV in the future. This could be done with a self-signed certificate, but getting the certificate out to a number of people (and having them all install it) seemed too awkward.

After getting the new server set up, I learned that my ISP does not block port 443 (which is used for HTTPS). That led me to acme.sh[1], which can obtain a Let's Encrypt certificate using the TLS-ALPN-01 challenge, which the CA validates over port 443 instead of port 80.

The remainder of this phlog entry is in the nature of some "how-to" notes, so that I don't forget how to do this in the future, when I will move the XMPP server to the Raspberry Pi. Since many of you self-host, I thought it would be great information to share. This all applies to a server running Debian 9 (actually, Raspbian in my case).

I should also add that while this setup will work well for my purposes (DAV and XMPP), it is not a great method for serving web pages, since there's no way (that I know of yet) to force HTTPS: port 80 is blocked, so the regular methods of pushing a visitor from http to https don't work.
That means that visitors have to enter https://yourwebsite.com in order to see it. Entering either http://yourwebsite.com or yourwebsite.com will lead them to a dead end, because a browser treats a bare hostname as http:// and the connection to port 80 never gets through.

Certificates
============

acme.sh installation: various methods are described in the official GitHub README.md. I used the following method, though I know many people cringe at the curl/sh combination:

    curl https://get.acme.sh | sh

acme.sh will tell you to install a couple of other pieces of software that it needs to work (socat in particular, which its standalone challenge listeners use). Make a note of them and install them before proceeding to the next step.

To issue the certificate and install the files where the lighttpd web server can use them, I cobbled together the following script from various sources on the internet:

    #!/bin/bash
    # Directory for the certificate files; /etc/letsencrypt/yourserver.com/ is a typical choice.
    CERTDIR=/path/to/your/server/yourserver.com

    /root/.acme.sh/acme.sh --issue -d yourserver.com --alpn --force \
        --cert-file "$CERTDIR/cert.pem" \
        --key-file "$CERTDIR/privkey.pem" \
        --fullchain-file "$CERTDIR/fullchain.crt" \
        --ca-file "$CERTDIR/chain.pem"

    # lighttpd wants key and certificate in one file; it contains the private
    # key, so create it unreadable to anyone but root.
    umask 077
    cat "$CERTDIR/privkey.pem" "$CERTDIR/cert.pem" > "$CERTDIR/merged.pem"

The path is simply a path to wherever you want to store your certificates. A typical choice would be /etc/letsencrypt/yourserver.com/. (acme.sh also accepts --capath as the older spelling of --ca-file.)

You can omit the --force switch if you like. I included it in case I need to use the script to renew in the future. Note that --force re-issues a certificate even when the current one is not yet due, and Let's Encrypt limits duplicate certificates for the same set of names to five per week, so don't run it in a loop.

Set the permissions on those directories (/etc/letsencrypt/ and /etc/letsencrypt/yourserver/) in the manner described in step 3 of this guide: https://www.vultr.com/docs/setup-let-s-encrypt-with-lighttpd-on-ubuntu-16-04

The final 'cat' line is lighttpd specific, to produce the merged certificate file lighttpd needs. Because that file holds the private key, the umask line matters: a plain "cat a b > c" creates the file with whatever permissions root's default umask gives it.

I also included instructions to acme.sh to install all of the certificate files I thought I might possibly need in the future.

acme.sh also sets up a cron job for renewal when it is installed. I don't know if it will work properly.
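The renewal worry is a real one: in --alpn mode acme.sh runs its own TLS listener on port 443 for the challenge, so whatever normally listens there has to get out of the way. acme.sh has --pre-hook and --post-hook options (commands run before and after the challenge) and a --reloadcmd (run after the new files are copied into place), and it saves all three with the domain so that later renewals, including the cron job's, reuse them. The script below is an added example, not the phlog's script and not acme.sh's own code, showing one way to wire these together for the lighttpd case and to check what the listeners actually serve afterwards. The domain, the certificate directory, the service name and the path the script is installed at (SELF) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original phlog or from the acme.sh project.
# Issue and renew a Let's Encrypt certificate with acme.sh in TLS-ALPN-01 mode
# (--alpn) on a host whose ISP blocks port 80, and build the merged
# key+certificate file that lighttpd 1.4.x on Debian 9 reads via ssl.pemfile.
# Assumed names (change to taste): DOMAIN, CERTDIR, ACME, WEBSERVER, SELF.
set -eu

DOMAIN="${DOMAIN:-yourserver.com}"
CERTDIR="${CERTDIR:-/etc/letsencrypt/$DOMAIN}"
ACME="${ACME:-/root/.acme.sh/acme.sh}"
WEBSERVER="${WEBSERVER:-lighttpd}"         # the service that normally owns port 443
SELF="${SELF:-/usr/local/sbin/le-alpn.sh}" # where this script is installed (assumption)

# First issuance. The --alpn listener must have port 443 to itself, so
# --pre-hook stops the web server for the challenge and --post-hook starts it
# again; --reloadcmd rebuilds merged.pem and restarts lighttpd once the new
# files are in place. acme.sh stores the hooks, file paths and reload command
# with the domain, so renewals reuse them. The command is printed rather than
# executed so it can be inspected (or tested) without contacting the CA.
acme_issue_cmd() {
    domain="$1"; certdir="$2"; webserver="$3"
    printf '%s --issue -d %s --alpn' "$ACME" "$domain"
    printf ' --pre-hook "systemctl stop %s" --post-hook "systemctl start %s"' \
        "$webserver" "$webserver"
    printf ' --cert-file %s/cert.pem --key-file %s/privkey.pem' "$certdir" "$certdir"
    printf ' --fullchain-file %s/fullchain.crt --ca-file %s/chain.pem' "$certdir" "$certdir"
    printf ' --reloadcmd "%s merge && systemctl restart %s"\n' "$SELF" "$webserver"
}

# Renewal reuses everything saved at issue time. No --force: acme.sh then only
# re-issues when the certificate is actually due, which keeps you clear of the
# duplicate-certificate rate limit.
acme_renew_cmd() {
    printf '%s --renew -d %s\n' "$ACME" "$1"
}

# lighttpd 1.4.x wants key and certificate in one PEM file. It holds the private
# key, so it is created under a restrictive umask (mode 0600) in a subshell so
# the caller's umask is left untouched.
merge_for_lighttpd() {
    key="$1"; cert="$2"; out="$3"
    ( umask 077; cat "$key" "$cert" > "$out" )
}

# Exit 0 when the certificate expires within $2 days. openssl's -checkend exits
# 0 while the certificate stays valid for the whole window, non-zero otherwise.
cert_needs_renewal() {
    cert="$1"; days="$2"
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Post-deployment checks: what the listeners really serve. XMPP clients
# negotiate TLS with STARTTLS on 5222, so the check does the same.
show_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
}
show_xmpp_cert() {
    openssl s_client -connect "$1:5222" -starttls xmpp -xmpphost "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
}

case "${1:-}" in
    issue) eval "$(acme_issue_cmd "$DOMAIN" "$CERTDIR" "$WEBSERVER")" ;;
    renew) if cert_needs_renewal "$CERTDIR/cert.pem" 30; then
               eval "$(acme_renew_cmd "$DOMAIN")"
           else
               echo "$DOMAIN: certificate not due for renewal"
           fi ;;
    merge) merge_for_lighttpd "$CERTDIR/privkey.pem" "$CERTDIR/cert.pem" "$CERTDIR/merged.pem" ;;
    check) show_served_cert "$DOMAIN"; show_xmpp_cert "$DOMAIN" ;;
esac
```

Install it at the path given in SELF, run "le-alpn.sh issue" once as root, then "le-alpn.sh check" to confirm that both the HTTPS port and the XMPP STARTTLS port present the Let's Encrypt chain and the expected expiry date. After that either acme.sh's own cron job or "le-alpn.sh renew" will stop lighttpd, answer the challenge on 443, start it again and rebuild merged.pem, since all of those settings were saved with the first --issue.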
I doubt it, because it needs the webserver shut down in order to work.

As noted, I want to set up various DAV servers and XMPP.

DAV Setup
=========

For the DAV portion, I am using lighttpd.

Lighttpd setup notes:

Lighttpd with SSL guide: https://www.vultr.com/docs/setup-let-s-encrypt-with-lighttpd-on-ubuntu-16-04
You won't need steps one and two. Adapt steps three through five to your purpose.

Lighttpd WebDAV guide: https://www.howtoforge.com/tutorial/how-to-install-webdav-with-lighttpd-on-debian-jessie/

XMPP Setup
==========

Prosody (XMPP) setup: use the official documentation: https://prosody.im/doc
Prosody is one of the best-documented pieces of open source software that I have come across.

[1] https://github.com/acmesh-official/acme.sh