I've put together some notes on how to obtain Let's Encrypt SSL certificates for wug domains.
- You need the setup_acme_challenge script from the ctwug-dns-script repository.
- A Debian/Ubuntu/Raspbian based host with the following software installed:
certbot (see installation here.)
the dig and curl command line tools (dig comes from the dnsutils package), installed with
sudo apt-get install dnsutils curl
- The host needs internet access (to contact the Let's Encrypt validator).
- If you are looking to get a certificate for something.ctwug.za.net, that name needs to resolve to the wug IP of the host you are running this on.
- Make sure that the host is using wug DNS only (i.e. 172.18.1.1).
How to get a certificate for a domain
The domain could be something.mynode.ctwug.za.net or something.ctwug.za.net, as long as the name resolves to the wug IP address of the host in question.
- First, install the requirements above.
- Make sure the script is executable:
chmod +x /home/spin/source/ctwug-dns-script/setup_acme_challenge
- Run the following command:
sudo certbot certonly --manual --preferred-challenges=dns --manual-auth-hook /home/spin/source/ctwug-dns-script/setup_acme_challenge -d server1.bath.ctwug.za.net
Replace /home/spin/source/ctwug-dns-script/setup_acme_challenge with the path where you stored your script. Use the full path.
Replace server1.bath.ctwug.za.net with the domain you want a certificate for. You need to run this from a machine whose wug IP matches that domain.
The above updates a DNS record and waits for that record to propagate to 18.104.22.168 before finishing. It can take some time to finish, possibly 20 to 40 minutes.
This should create a certificate valid for 90 days. It should renew automatically (so don't move the setup_acme_challenge script) 30 days before the certificate expires. This assumes you installed certbot in the normal way.
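Because each run consumes one of the attempts shared by the whole ctwug.za.net domain, it is worth checking before you start that the domain really resolves, via wug DNS, to an address of the host you are on. The script below is an added example (not code from this write-up or from the ctwug-dns-script repository). It assumes dig (from dnsutils) and the ip command are available, and it takes the hook path and the 172.18.1.1 resolver from the write-up; the function names are my own.

```shell
#!/bin/sh
# Added example: pre-flight checks before running certbot with the
# setup_acme_challenge hook. Usage after saving or sourcing this file:
#   issue_cert server1.bath.ctwug.za.net
# HOOK and WUG_DNS default to the values in the write-up; override HOOK
# with the full path to where you cloned ctwug-dns-script.

WUG_DNS="${WUG_DNS:-172.18.1.1}"
HOOK="${HOOK:-/home/spin/source/ctwug-dns-script/setup_acme_challenge}"

# Print the A records the wug resolver returns for DOMAIN (one per line).
resolve_via_wug() {
    dig +short "@$WUG_DNS" A "$1"
}

# Print the IPv4 addresses configured on this host (one per line).
local_ipv4s() {
    ip -4 -o addr show | awk '{print $4}' | cut -d/ -f1
}

# ip_in_list NEEDLE IP... : succeed if NEEDLE is one of the listed IPs.
ip_in_list() {
    local needle="$1" ip
    shift
    for ip in "$@"; do
        [ "$ip" = "$needle" ] && return 0
    done
    return 1
}

# domain_points_here RESOLVED_IPS LOCAL_IPS : succeed if any resolved address
# is configured locally. Both arguments are whitespace-separated lists so the
# comparison itself can be exercised without any network access.
domain_points_here() {
    local resolved="$1" locals="$2" r
    for r in $resolved; do
        # word splitting of $locals is intended here
        if ip_in_list "$r" $locals; then
            return 0
        fi
    done
    return 1
}

# preflight DOMAIN : verify the tools, the hook permissions and that DOMAIN
# resolves (via wug DNS) to an address of this host. Prints why it failed.
preflight() {
    local domain="$1" resolved locals
    [ -x "$HOOK" ] || { echo "hook $HOOK is not executable (chmod +x it)" >&2; return 1; }
    command -v certbot >/dev/null 2>&1 || { echo "certbot is not installed" >&2; return 1; }
    command -v dig >/dev/null 2>&1 || { echo "dig missing: sudo apt-get install dnsutils" >&2; return 1; }
    resolved=$(resolve_via_wug "$domain")
    [ -n "$resolved" ] || { echo "$domain does not resolve via $WUG_DNS" >&2; return 1; }
    locals=$(local_ipv4s)
    if ! domain_points_here "$resolved" "$locals"; then
        echo "$domain resolves to [$(echo $resolved)] but this host has [$(echo $locals)]" >&2
        return 1
    fi
    echo "ok: $domain -> $(echo $resolved) is an address of this host"
}

# issue_cert DOMAIN : run the checks, then the certbot command from the write-up.
issue_cert() {
    preflight "$1" || return 1
    sudo certbot certonly --manual --preferred-challenges=dns \
        --manual-auth-hook "$HOOK" -d "$1"
}
```

The checks deliberately query the wug resolver directly rather than whatever the host's default resolver is, since that is the view the hook and the validator rely on; a host that still has a public resolver configured will otherwise fail late, after the attempt has already been spent.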
Once done you should end up with a certificate in the location certbot reports. You can then reference it in your nginx site config, for example:
# This section redirects port http/80 to https/443 permanently
server { listen 80; server_name server1.bath.ctwug.za.net; rewrite ^ https://$server_name$request_uri? permanent; }
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/server1.bath.ctwug.za.net/fullchain.pem; # path certbot prints when it finishes (its default layout)
    ssl_certificate_key /etc/letsencrypt/live/server1.bath.ctwug.za.net/privkey.pem;
    # Other configuration below
}
How does this work?
The script calls a custom API I created. This API verifies that the calling IP is the same as that of the host you are trying to update. It then creates a special TXT DNS record called _acme-challenge.server1.bath.ctwug.za.net (or whatever domain you requested) containing a unique value provided by certbot. Using this, Let's Encrypt is able to verify that you control the domain in question and is then willing to issue you a certificate (even if the site is not reachable from the internet!).
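When a run seems stuck in the propagation wait, it helps to see for yourself whether the _acme-challenge TXT record is visible yet. The following is an added example (not part of this write-up or of the ctwug-dns-script repository) that queries the wug resolver from the write-up for the challenge name and polls for an expected value. The value to expect is the one certbot hands the hook (certbot exposes it to auth hooks as the CERTBOT_VALIDATION environment variable); the function names and the default timeout are my own choices, sized to the 20 to 40 minute wait described above.

```shell
#!/bin/sh
# Added example: check whether the _acme-challenge TXT record the API creates
# is visible from the wug resolver, and wait for it with a timeout.
# Usage: wait_for_txt server1.bath.ctwug.za.net "<value certbot gave the hook>"

WUG_DNS="${WUG_DNS:-172.18.1.1}"

# challenge_name DOMAIN : the record name Let's Encrypt validates for DOMAIN.
challenge_name() {
    echo "_acme-challenge.$1"
}

# txt_values RAW : normalise `dig +short TXT` output (one quoted string per
# line, a long value possibly split into several quoted chunks) into bare values.
txt_values() {
    printf '%s\n' "$1" | sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# txt_contains RAW EXPECTED : succeed if EXPECTED is exactly one of the values.
txt_contains() {
    txt_values "$1" | grep -Fxq -- "$2"
}

# current_txt DOMAIN : raw TXT answer for DOMAIN's challenge name via wug DNS.
current_txt() {
    dig +short "@$WUG_DNS" TXT "$(challenge_name "$1")"
}

# wait_for_txt DOMAIN EXPECTED [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Poll until EXPECTED is visible; return 1 on timeout (default 40 minutes).
wait_for_txt() {
    local domain="$1" expected="$2" timeout="${3:-2400}" interval="${4:-30}"
    local waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if txt_contains "$(current_txt "$domain")" "$expected"; then
            echo "visible after ${waited}s: $(challenge_name "$domain") = $expected"
            return 0
        fi
        sleep "$interval"
        waited=$((waited + interval))
    done
    echo "timed out after ${timeout}s waiting for $(challenge_name "$domain")" >&2
    return 1
}
```

The comparison is exact (grep -Fx) on purpose: a stale record from an earlier run will still be present alongside the new one for a while, and only the value certbot issued for this run satisfies the validator, so a substring match would report success too early.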
That's it! Please do not overdo it, as you could exhaust the allowed attempts for the whole ctwug.za.net domain if you request certificates too many times.