December 29, 2020

Apache with reverse proxy for nodejs website with LetsEncrypt and DNS verification

I couldn't get certbot to obtain a certificate for my website, neither with the --apache plugin nor with the certonly option.

The first method failed because certbot somehow couldn't find the vhost in httpd-vhost.conf (which is included from httpd.conf).

Command used:
certbot-3.7 --apache --apache-ctl /usr/pkg/sbin/apachectl --apache-server-root /usr/pkg/etc/httpd/

Response I got:
Unable to find a virtual host listening on port 80 which is currently needed for
Certbot to prove to the CA that you control your domain.
Please add a virtual host for port 80.

The certonly method failed, probably because nodejs didn't allow creating directories inside its root directory, or for whatever other reason; in any case the .well-known directory wasn't present, so the validation request got a 404:

 - - [29/Dec/2020:14:02:57 +0100] "GET /.well-known/acme-challenge/ybRyAb2FY-Nc2hBkmtR_4EKZuvm_N68xKzCSU-b9bvY HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +"

I finally managed to have my cert issued with the DNS challenge instead of HTTP. This is done in a few steps; first you need to issue the command:

Command to use:
certbot-3.7 certonly --manual --preferred-challenges dns -d

Then certbot will guide you to add a TXT record to your DNS zone with the name:


and some random value.

In BIND this TXT record looks like this:
   IN      TXT     "i0aZV-_wCJ-rmghXXsSKbUBlVDaqEAqT5JqtdTlS84Q"

Then you need to bump the zone serial and reload the DNS server. Wait some time, depending on your TTL, and proceed. If Let's Encrypt can query the DNS for the given record, your certificate will be issued.
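Before pressing Enter at certbot's prompt it pays to check that every authoritative nameserver of the zone actually serves the new _acme-challenge TXT record and the bumped serial, rather than just waiting out the TTL. The script below is an added example, not part of the original post; it assumes dig (from BIND) is installed, the domain is a placeholder, and the token is the sample value shown above.

```shell
#!/bin/sh
# Added example, not from the original post: before pressing Enter at
# certbot's dns-01 prompt, confirm the TXT record is served by every
# authoritative nameserver of the zone (queried directly, so you are not
# measuring your resolver's cache) and that the secondaries have picked
# up the new serial. Domain is a placeholder; the token is the sample
# value shown in the post. Requires dig (BIND tools).

# Return 0 when a 'dig +short TXT' answer ($1) contains exactly the
# expected token ($2). dig prints TXT data quoted, and a long value may
# be split into several quoted strings ("abc" "def"); both forms are
# normalised to one bare line before an exact whole-line match.
txt_has_token() {
    printf '%s\n' "$1" | sed 's/" *"//g; s/^"//; s/"$//' | grep -qxF -- "$2"
}

# The serial is the third field of a 'dig +short SOA' answer line.
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 7 { print $3; exit }'
}

# Ask each NS of the zone directly for _acme-challenge.<domain> TXT and
# its SOA serial. Succeeds only if all of them return the expected token.
check_authoritative() {
    _dom=$1; _tok=$2; _ok=0; _total=0
    for _ns in $(dig +short NS "$_dom"); do
        _total=$((_total + 1))
        _serial=$(soa_serial "$(dig +short @"$_ns" SOA "$_dom")")
        _ans=$(dig +short @"$_ns" TXT "_acme-challenge.$_dom")
        if txt_has_token "$_ans" "$_tok"; then
            echo "ok   $_ns (serial ${_serial:-?})"
            _ok=$((_ok + 1))
        else
            echo "MISS $_ns (serial ${_serial:-?}): ${_ans:-no answer}"
        fi
    done
    [ "$_total" -gt 0 ] && [ "$_ok" -eq "$_total" ]
}

# Poll until every authoritative server agrees; only then continue in
# certbot. Usage: sh acme-dns-check.sh example.com <token>
wait_for_record() {
    until check_authoritative "$1" "$2"; do
        echo "not yet consistent, retrying in 30s"; sleep 30
    done
}

[ $# -ge 2 ] && wait_for_record "$1" "$2"
```

A server that reports the old serial next to MISS has not transferred the zone yet, which is the usual reason the validation fails even though the record is in your zone file.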

Whole session below:

Saving debug log to /var/letsencrypt/log/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?

(Y)es/(N)o: yes

Please deploy a DNS TXT record under the with the following value:
Before continuing, verify the record is deployed.

Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Congratulations! Your certificate and chain have been saved at:
/usr/pkg/etc/letsencrypt/live/ key file has been saved at:
/usr/pkg/etc/letsencrypt/live/ cert will expire on 2021-03-29. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: to EFF: