proxy70

Let's Encrypt Without Port 80
=============================

If you're an regular reader of this 
irregular phlog, you'll know that my 
VPS hosting company discontinued its 
OpenVZ service a few days ago, which 
disrupted the circumlunar.space 
XMPP service that I host, and left 
me scrambling to find a new VPS. 
One of my self-imposed conditions was 
to find a VPS outside the United 
States. I would have preferred a 
server in Canada (like the old one), 
but could not find one at a reasonable 
price. The new one is in Germany.

My absolutely favoured solution would 
have been to host the XMPP service 
from home, on the raspberry pi zero w 
that hosts my personal gopher site. 
But that seemed near impossible. My 
ISP blocks port 80 and a host of 
others. Without port 80, obtaining a 
Let's Encrypt certificate was a 
challenge. I need the certificate to 
secure the XMPP tx/rx, and also wanted 
it so that I could host webdav / 
caldav / cardav in the future. This 
could be done with a self-signed 
certificate, but getting the 
certificate out to a number of people 
(and having them all install it) 
seemed too awkward. 

After getting the new server set up, I 
learned that my ISP does not block 
port 443 (which is used for secure 
http connections). That led me to 
acme.sh[1], which provides a means to 
obtain a Let's Encrypt certificate 
over port 443. The remainder of this 
phlog entry is in the nature of some 
"how-to" notes, so that I don't forget 
how to do this in the future, when I 
will move the XMPP server to the 
raspberry pi. Since many of you 
self-host, I thought it would be great 
information to share.

This all applies to a server running 
Debian 9 (actually, Raspbian in my 
case). I should also add that while 
this setup will work well for my 
purposes (dav and XMPP), it is not a 
great method for serving web pages, 
since there's no way (that I know of 
yet) to force https, given that port 
80 is blocked so the regular methods 
of pushing a visitor from http to 
https don't work. That means that 
visitors have to enter 
https://yourwebsite.com in order to 
see it. Entering either 
http://yourwebsite.com or 
yourwebsite.com will lead them to a 
dead end.


Certificates
============

acme.sh installation: various methods 
are described on the official github 
README.md. I used the following 
method, though I know many people 
cringe at the curl/sh combination:

curl https://get.acme.sh | sh

acme.sh will tell you to install a 
couple of other pieces of software 
that it needs to work. Make a note of 
them and do it before proceeding to 
the next step.

To install the certificates and make 
it so that they will work with the 
lighttpd web server, I cobbled 
together the following script from 
various sources on the internet:



#!/bin/bash

/root/.acme.sh/acme.sh --issue -d yourserver.com --alpn --force \
--cert-file      /path/to/your/server/yourserver.com/cert.pem  \
--key-file       /path/to/your/server/yourserver.com/privkey.pem  \
--fullchain-file /path/to/your/server/yourserver.com/fullchain.crt \
--capath         /path/to/your/server/yourserver.com/chain.pem

cat /path/to/your/server/yourserver.com/privkey.pem /path/to/your/server/yourserver.com/cert.pem > /path/to/your/server/yourserver.com/merged.pem



The path is simply a path to wherever 
you want to store your certificates. A 
typical choice would be:
/etc/letsencrypt/yourserver.com/

You can omit the --force switch if you 
like. I included it in case I need to 
use the script to renew in the future.

Set the permissions on those 
directories (/etc/letsencrypt/ and 
/etc/letsencrypt/yourserver/) in the 
manner described in step 3 of this 
guide: 
https://www.vultr.com/docs/setup-let-s-encrypt-with-lighttpd-on-ubuntu-16-04

The final 'cat' line is lighttpd 
specific, to produce the  merged 
certificate lighttpd needs. I also 
included instructions to acme.sh to 
install all of the certificates I 
thought that I might possibly need in 
the future.

When you run acme.sh, it will set up a 
cron job for renewal. I don't know if 
it will work properly. I doubt it, 
because it needs the webserver shut 
down in order to work.

As noted, I want to set up various dav 
servers and XMPP.


DAV Setup
=========

For the dav portion, I am using 
lighttpd.

Lighttpd Setup Notes:

Lighttpd with SSL Guide:
https://www.vultr.com/docs/setup-let-s-encrypt-with-lighttpd-on-ubuntu-16-04

You won't need steps one and two. 
Adapt steps three through five to your 
purpose.

Lighttpd Webdav Guide:
https://www.howtoforge.com/tutorial/how-to-install-webdav-with-lighttpd-on-debian-jessie/


XMPP Setup
==========

Prosody (XMPP) Setup:

Use the official documentation. 
https://prosody.im/doc

Prosody is one of the best-documented 
pieces of open source software that I 
have come across.


[1] https://github.com/acmesh-official/acme.sh