Apache with reverse proxy for nodejs website with LetsEncrypt and DNS verification
I couldn't get my website https://odlicznik.pl/ obtaining certificate with certbot both with --apache plugin and
certonly option as well.
First method failed because certbot somehow couldn't find vhost in httpd-vhost.conf (which is included in httpd.conf)
Certonly method failed probably because nodejs didn't allow creating directories inside its root directory or for whatever reason, but .well-known directory wasn't present
126.96.36.199 - - [29/Dec/2020:14:02:57 +0100] "GET /.well-known/acme-challenge/ybRyAb2FY-Nc2hBkmtR_4EKZuvm_N68xKzCSU-b9bvY HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
I finally manage to have my cert issued with DNS chellenge instead of HTTP. This is done in few steps, first you need to issue a command:
Then you will be guided by certbot to alter your DNS with TXT record with name:
and some random value.
In BIND this record looks like this:
Then you will need to change serial and reload DNS server. Wait some time depending on your TTL, and proceed. If Letsencrypt can query DNS for given record, you will have certificate issued.
Whole session below:
Saving debug log to /var/letsencrypt/log/letsencrypt.logPlugins selected: Authenticator manual, Installer NoneObtaining a new certificatePerforming the following challenges:dns-01 challenge for odlicznik.pl NOTE: The IP of this machine will be publicly logged as having requested thiscertificate. If you're running certbot in manual mode on a machine that is notyour server, please ensure you're okay with that. Are you OK with your IP being logged? (Y)es/(N)o: yes Please deploy a DNS TXT record under the name_acme-challenge.odlicznik.pl with the following value: i0aZV-_wCJ-rmghXXsSKbUBlVDaqEAqT5JqtdTlS84Q Before continuing, verify the record is deployed. Press Enter to ContinueWaiting for verification...Cleaning up challenges IMPORTANT NOTES: Congratulations! Your certificate and chain have been saved at:/usr/pkg/etc/letsencrypt/live/odlicznik.pl/fullchain.pemYour key file has been saved at:/usr/pkg/etc/letsencrypt/live/odlicznik.pl/privkey.pemYour cert will expire on 2021-03-29. To obtain a new or tweakedversion of this certificate in the future, simply run certbotagain. To non-interactively renew all of your certificates, run"certbot renew" If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donateDonating to EFF: https://eff.org/donate-le