Let's Encrypt on NAT VPS

How would you guys setup/automate getting a Let’s Encrypt SSL cert on a NAT VPS? Seems alternative ports ain’t easy (at least not with certbot). :thinking:

Most folks will sign up for a free CloudFlare and point it to their IPv6 for a free IPv4 proxy, then just have it use the CF passthrough.

If you’re an IPv4 NAT only, you’re kind of screwed since HAProxy is getting less usable with OVZ7.

4 Likes

Use DNS authentication. If your DNS is hosted with namesilo there is a namesilo-letsencrypt script on github that does it for you. I use it and it’s slightly nuts that it takes 1/2 hour to run (does 2 operations with a 15 minute wait after each one to let the DNS change go up on namesilo) but it works ok. I just start it and check on it later. It’s just sitting there during that time, not burning cpu or anything.

If you use porkbun they can generate entire wildcard domain and private key for you through their client area. That sounds kind of lame (they have the private key) but consider that whoever runs your DNS can always do that, even if they don’t advertise/offer it to you like porkbun does…

2 Likes

HAProxy works with my OpenVZ7. :wink:

Well NanoKVM has HAProxy and most of the other LES Providers do also.
Otherwise the last only option would be services such as Cloudflare.

1 Like

I’m learning to use NAT ipv4 thanks to @mikho . I tested nginx and lighttpd on my LES in Singapore last night. I only changed the AAAA DNS records for my domain so it’s only serving under ipv6.

I used: certbot-auto I’m not sure how it differs from certbot

Alas. I have not touched any ipv4 ports. I do everything via ipv6. Sorry I can’t be of more help. I will likely face this same issue when I sort out ipv4 ports for my servers.

Good luck. Report back with any findings.

Cheers.

1 Like

Since Solus hasn’t included it in the versions that support OpenVZ7, only 50% of the LES providers use HAProxy. :wink:

What exactly, precisely has Solus not included?
The HAProxy addon was custom, wasn’t it? it should run fine?

From what I’ve read on the LES forum the function will be removed and not available on the OVZ7 installs.

The reason for it? You have to ask Ant.

@mikho “The haproxy service will no longer function, given that this only supported http only and not https this will not be a great loss and alternatives will be explored.”

Well, that does not sound resonable.
I said in the forums that I am willing to provide him a working https config but he never replied.

Its just another foreach that puts one entry more for each http entry, such work.

Hey, that was too simple … :wink:

It seems kind of retro of Letsencrypt but it doesn’t seem to support ipv6 and AAAA records for domain checking. I wonder if that is on purpose or if they might someday fix it.

Most of the time I don’t know how things work. I just keep following paths of instructions and error messages, and sometimes I luck out and things work. Then I tinker. Then they break. Then I panic.

Don’t Panic.

3 Likes

Don’t we all? :grin:

1 Like

Well Ant replied, I gave him a working config, likely you will see soon working https at LES.

1 Like

No.

1 Like

@holyballs are unbreakable.

1 Like

3 Likes

Mrvm (of LowendSpirit) has a working https :wink:

1 Like

Maybe I’m misunderstanding what you’re saying but my LetsEncrypt certs are via ipv6.

1 Like