Let's Encrypt Without Port 80
=============================

If you're a regular reader of this
irregular phlog, you'll know that my
VPS hosting company discontinued its
OpenVZ service a few days ago, which
disrupted the circumlunar.space
XMPP service that I host, and left
me scrambling to find a new VPS.
One of my self-imposed conditions was
to find a VPS outside the United
States. I would have preferred a
server in Canada (like the old one),
but could not find one at a reasonable
price. The new one is in Germany.

My absolutely favoured solution would
have been to host the XMPP service
from home, on the Raspberry Pi Zero W
that hosts my personal gopher site.
But that seemed near impossible: my
ISP blocks port 80 and a host of
others, and without port 80, obtaining
a Let's Encrypt certificate was a
challenge. I need the certificate to
secure the XMPP tx/rx, and also wanted
it so that I could host webdav /
caldav / carddav in the future. This
could be done with a self-signed
certificate, but getting the
certificate out to a number of people
(and having them all install it)
seemed too awkward.

After getting the new server set up, I
learned that my ISP does not block
port 443 (which is used for secure
http connections). That led me to
acme.sh[1], which provides a means to
obtain a Let's Encrypt certificate
over port 443. The remainder of this
phlog entry is in the nature of some
"how-to" notes, so that I don't forget
how to do this in the future, when I
move the XMPP server to the Raspberry
Pi. Since many of you
self-host, I thought it would be great
information to share.

This all applies to a server running
Debian 9 (actually, Raspbian in my
case). I should also add that while
this setup will work well for my
purposes (dav and XMPP), it is not a
great method for serving web pages.
With port 80 blocked there's no way
(that I know of yet) to force https:
the usual methods of pushing a visitor
from http to https need something
listening on port 80. That means that
visitors have to enter
https://yourwebsite.com in order to
see it. Entering either
http://yourwebsite.com or
yourwebsite.com will lead them to a
dead end.


Certificates
============

acme.sh installation: various methods
are described on the official github
README.md. I used the following
method, though I know many people
cringe at the curl/sh combination:

curl https://get.acme.sh | sh

acme.sh will tell you to install a
couple of other pieces of software
that it needs to work. Make a note of
them and do it before proceeding to
the next step.

To install the certificates and make
it so that they will work with the
lighttpd web server, I cobbled
together the following script from
various sources on the internet:

#!/bin/bash

# --alpn answers the TLS-ALPN-01 challenge on port 443; nothing
# else may be listening on 443 while this runs.
/root/.acme.sh/acme.sh --issue -d yourserver.com --alpn --force \
--cert-file      /path/to/your/server/yourserver.com/cert.pem  \
--key-file       /path/to/your/server/yourserver.com/privkey.pem  \
--fullchain-file /path/to/your/server/yourserver.com/fullchain.crt \
--capath         /path/to/your/server/yourserver.com/chain.pem

# lighttpd wants key and certificate in one file. It contains the
# private key, so keep it readable by root only.
umask 077
cat /path/to/your/server/yourserver.com/privkey.pem /path/to/your/server/yourserver.com/cert.pem > /path/to/your/server/yourserver.com/merged.pem

The path is simply a path to wherever
you want to store your certificates. A
typical choice would be:
/etc/letsencrypt/yourserver.com/

You can omit the --force switch if you
like; it makes acme.sh issue a new
certificate even when the existing one
is not yet due for renewal. I included
it in case I need to use the script to
renew in the future.

Set the permissions on those
directories (/etc/letsencrypt/ and
/etc/letsencrypt/yourserver.com/) in
the manner described in step 3 of this
guide:
https://www.vultr.com/docs/setup-let-s-encrypt-with-lighttpd-on-ubuntu-16-04

The final 'cat' line is lighttpd
specific, to produce the merged
certificate lighttpd needs. I also
included instructions to acme.sh to
install all of the certificates I
thought that I might possibly need in
the future.

When you run acme.sh, it will set up a
cron job for renewal. I don't know if
it will work properly. I doubt it,
because the --alpn method needs port
443 to itself, so the web server has
to be shut down while acme.sh runs.
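
One way around that, as an added
example rather than the script above:
let acme.sh stop and start lighttpd
itself through its --pre-hook and
--post-hook options, and hand the
merge step to --reloadcmd so the cron
renewal repeats it. The paths, the
systemd unit name and the script's
install location are assumptions.

```shell
#!/bin/bash
# Added example, not the phlog's own script: issue (and later renew) over
# port 443 with acme.sh in TLS-ALPN-01 mode. lighttpd is stopped only while
# acme.sh needs the port (pre/post hooks), and lighttpd's key+cert file is
# rebuilt owner-readable only. acme.sh saves hooks, file paths and reload
# command in the domain's conf, so its cron job reuses them on renewal.
# Assumed: acme.sh in /root/.acme.sh, lighttpd under systemd, paths below.
set -eu

DOMAIN="yourserver.com"                      # placeholder, as in the phlog
CERT_DIR="/etc/letsencrypt/${DOMAIN}"        # assumed certificate location
ACME="/root/.acme.sh/acme.sh"
SELF="/usr/local/sbin/renew-alpn.sh"         # assumed install path of this file

# Count PEM blocks whose header contains $1 (e.g. "PRIVATE KEY") in file $2.
pem_count() { grep -c -e "-----BEGIN.*$1-----" "$2" || true; }

# Build merged.pem = private key followed by the leaf certificate. The old
# merged file is kept unless both inputs exist and the result holds exactly
# one key block and one certificate block (a fullchain file is rejected).
merge_pem() {
    key="$1"; cert="$2"; out="$3"
    if [ ! -s "$key" ] || [ ! -s "$cert" ]; then
        echo "merge_pem: missing key or cert" >&2; return 1
    fi
    ( umask 077; cat "$key" "$cert" > "$out.tmp" )   # it holds the private key
    if [ "$(pem_count 'PRIVATE KEY' "$out.tmp")" -ne 1 ] ||
       [ "$(pem_count 'CERTIFICATE' "$out.tmp")" -ne 1 ]; then
        rm -f "$out.tmp"; echo "merge_pem: unexpected PEM layout" >&2; return 1
    fi
    mv "$out.tmp" "$out"
}

# Issue or force-renew. The post-hook runs whether or not issuance succeeds,
# so lighttpd comes back either way.
issue_cert() {
    "$ACME" --issue -d "$DOMAIN" --alpn --force \
        --pre-hook  "systemctl stop lighttpd" \
        --post-hook "systemctl start lighttpd" \
        --key-file       "$CERT_DIR/privkey.pem" \
        --cert-file      "$CERT_DIR/cert.pem" \
        --fullchain-file "$CERT_DIR/fullchain.crt" \
        --ca-file        "$CERT_DIR/chain.pem" \
        --reloadcmd      "$SELF merge"
}

case "${1:-}" in
    issue) issue_cert ;;
    merge) merge_pem "$CERT_DIR/privkey.pem" "$CERT_DIR/cert.pem" "$CERT_DIR/merged.pem" && systemctl reload lighttpd ;;
esac
```

Run it once as `renew-alpn.sh issue`; from then on the acme.sh cron job stops lighttpd, renews on 443, restarts it and calls `renew-alpn.sh merge` by itself.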

As noted, I want to set up various dav
servers and XMPP.


DAV Setup
=========

For the dav portion, I am using
lighttpd.

Lighttpd Setup Notes:

Lighttpd with SSL Guide:
https://www.vultr.com/docs/setup-let-s-encrypt-with-lighttpd-on-ubuntu-16-04

You won't need steps one and two.
Adapt steps three through five to your
purpose.

Lighttpd Webdav Guide:
https://www.howtoforge.com/tutorial/how-to-install-webdav-with-lighttpd-on-debian-jessie/


XMPP Setup
==========

Prosody (XMPP) Setup:

Use the official documentation.
https://prosody.im/doc

Prosody is one of the best-documented
pieces of open source software that I
have come across.


[1] https://github.com/acmesh-official/acme.sh