December 29, 2020

Apache with reverse proxy for nodejs website with LetsEncrypt and DNS verification

I couldn't get certbot to obtain a certificate for my website https://odlicznik.pl/, neither with the --apache plugin nor with the certonly option.

The first method failed because certbot somehow couldn't find the vhost in httpd-vhost.conf (which is included from httpd.conf):

certbot-3.7 --apache --apache-ctl /usr/pkg/sbin/apachectl --apache-server-root /usr/pkg/etc/httpd/
Command used
Unable to find a virtual host listening on port 80 which is currently needed for 
Certbot to prove to the CA that you control your domain. 
Please add a virtual host for port 80.
Response I got

The certonly method failed too, probably because the Node.js app didn't allow creating directories inside its root directory, or for some other reason; either way the .well-known directory wasn't present and the validation request got a 404:

66.133.109.36 - - [29/Dec/2020:14:02:57 +0100] "GET /.well-known/acme-challenge/ybRyAb2FY-Nc2hBkmtR_4EKZuvm_N68xKzCSU-b9bvY HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

I finally managed to get my certificate issued with the DNS challenge instead of HTTP. This is done in a few steps; first you need to issue the command:

certbot-3.7 certonly --manual --preferred-challenges dns -d odlicznik.pl
Command to use

Then certbot will guide you to add a TXT record to your DNS zone with the name:

_acme-challenge.YOURDOMAIN

and the random value it prints.

In BIND this record looks like this:

_acme-challenge.odlicznik.pl.   IN      TXT     "i0aZV-_wCJ-rmghXXsSKbUBlVDaqEAqT5JqtdTlS84Q"
TXT record

Then you will need to bump the zone serial and reload the DNS server. Wait some time, depending on your TTL, and proceed. If Let's Encrypt can query the DNS for the given record, your certificate will be issued.
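Added example (not code from the post): how the "random value" certbot asks you to publish is derived from the ACME token and your account key (RFC 8555 section 8.4 with the RFC 7638 key thumbprint), plus a check of `dig +short TXT` output so you can confirm the record is really served before pressing Enter. The account JWK and the dig output used here are constructed, not from the post.

```python
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account key: SHA-256 over the canonical JSON of
    the required public members only, keys sorted, no whitespace. Extra members
    such as "kid" or "use" are ignored by design."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The TXT value certbot prints: base64url(SHA-256(token '.' thumbprint)).
    Only the holder of the account key can produce it for a given token, which is
    what ties the DNS record to the account that requested the certificate."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def parse_dig_short_txt(output: str) -> list[str]:
    """Parse `dig +short TXT _acme-challenge.example @ns` output. Each line is one
    record; a record may be split into several quoted strings, which concatenate."""
    records = []
    for line in output.splitlines():
        parts = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if parts:
            records.append("".join(parts))
    return records


def record_is_deployed(expected: str, dig_output: str) -> bool:
    """True when the expected value is among the published TXT strings. Query the
    authoritative server (@ns), not a caching resolver, or an old TTL misleads you."""
    return expected in parse_dig_short_txt(dig_output)


# Constructed `dig +short` output: the value from this post plus a stale record.
SAMPLE_DIG_OUTPUT = (
    '"i0aZV-_wCJ-rmghXXsSKbUBlVDaqEAqT5JqtdTlS84Q"\n'
    '"stale-value-from-" "a-previous-run"\n'
)
```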

Whole session below:

Saving debug log to /var/letsencrypt/log/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for odlicznik.pl

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?

(Y)es/(N)o: yes

Please deploy a DNS TXT record under the name
_acme-challenge.odlicznik.pl with the following value:

i0aZV-_wCJ-rmghXXsSKbUBlVDaqEAqT5JqtdTlS84Q

Before continuing, verify the record is deployed.

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/usr/pkg/etc/letsencrypt/live/odlicznik.pl/fullchain.pem
Your key file has been saved at:
/usr/pkg/etc/letsencrypt/live/odlicznik.pl/privkey.pem
Your cert will expire on 2021-03-29. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"

If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le