Cerbot, Oh My!

A few weeks ago, my Internet router died suddenly.

Not that much of an issue unless you use a custom box as a modem and you have your website hosted on it.

The server I was using for this was a Fedora Core 9 machine. I know an ancient OS.

The machine itself was not that old, I found about 4 years a cheap Intel 386 with ISA support so I replaced the really old server I had. I was able to migrate to the new box, I was running a hardware raid setup using an ISA card. Talk about making things complicated.

I initially tried using a virtual server to have things running quickly, I had a backup of the server running on a VMware workstation however, I could not make it a go for reasons that may merit another blog.

However, I had laying around my old media server, 4 Gb of ram and 500 GB of disk space. Too much space but that was the only thing I had. It only had one NIC but I found a USB to Ethernet dongle.

This time I decided to use HAproxy to present my website and blog and have proper SSL certs for each.

There are plenty of recipes if you Google them that walk you through on how to install HAproxy and use Cerbot.

However, I had some issues when implementing those solutions. Not with the methodology per se but with syntax and the usage of the Cerbot application.

My new modem is a Ubuntu server running version 20.0.4, it is a standard install running NetFilter, using NAT and dual-stack (IPv4 and IPv6).

The web and blog servers sit behind it thus running either Apache or HAproxy as a reverse proxy was a must.

After I had HAproxy up and running and testing that I could access my websites from the Internet, my attention turned to getting certs using Cerbot.

The first issue I encountered was that unless you are using one of the plugins Cerbot supports, there is no way to obtain a wilcard certificate.

The documentation also is not clear, it may look like you could in principle get a wildcard cert manually however that is not the case.

Not a big deal I would have to manually obtain certs for my sites, so I try to get a cert for my blog first it failed. The issue was the syntax I was using. The articles I read had the wrong syntax.

After some trial and error, I hit the correct syntax.

sudo certbot certonly --standalone \
--preferred-challenges http -d www.example.comĀ  \
--non-interactive --agree-tos \
--email johnsmith@example.comĀ  --http-01-port=8888

The syntax above allowed me to obtain certs for both sites.

The end result is that now I have both my website and blog using SSL certs.

Of course, you need some way of renewing the certs and attaching the renewed certs, etc. but that will be the subject of another blog hopefully.


Leave a Reply

Your email address will not be published. Required fields are marked *