this post was submitted on 24 Jan 2024
23 points (96.0% liked)

Selfhosted

40041 readers
706 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Hello, I wan't to ask if anyone knows of a good alternative for certbot for acquiring ssl certificates for nginx.

Certbot isn't good anymore for me since I started using crowdsec with nginx bouncer that uses lua block's inside nginx config that cerbot can't parse, making it not work anymore.

I use nginx because it's the one I know the best and for my use case work's the best. ( Hosting both program's directly on metal and docker container's )

top 33 comments
sorted by: hot top controversial new old
[–] EddyBot@feddit.de 12 points 9 months ago (2 children)

if you are open to learn something new: Caddy webserver has a dead simple config, fetches tls certs by default for you and works with crowdsec too

[–] Voroxpete@sh.itjust.works 7 points 9 months ago (1 children)

Caddy is fantastic, incredibly easy to configure and just works out of the box beautifully.

[–] crony@lemmy.cronyakatsuki.xyz 1 points 9 months ago (1 children)

Do you have it on host or container. I'm thinking abour switching to caddy on my host and replacing nginx with it but just wan't to hear your experience with it.

[–] Voroxpete@sh.itjust.works 2 points 9 months ago

I run it in its own separate VM. Normally I use containers for everything, but Caddy being the part that's most on the outside of my network, as it were, I wanted to separate off.

[–] crony@lemmy.cronyakatsuki.xyz 1 points 9 months ago* (last edited 9 months ago) (2 children)

I'm open to using sothing like caddy or traefic, but my issue is I have a mix of packages hosted directly on system and in docker container's and as such need to proxy them all.

That's why I'm not using caddy or traefic.

Edit: rn my mix consists of about 16 diff containeraized stuff and another 4-5 not containerized stuff.

Edit2: Just now realized that they can be used on the host system's also. Would you recommend traefic or caddy?

[–] EddyBot@feddit.de 2 points 9 months ago* (last edited 9 months ago)

I'm using Caddy (sometimes in a container or most of the time as system package) as reverse proxy mostly for containers
I try to minimize non-container services but they work well with Caddy too

Traefik is a tad more complex (still nowhere near Apache2 levels though) but scales more easily espcially if you only run containers and start/stop them programatically

[–] joao@aussie.zone 2 points 9 months ago

If all was containerised, I'd recommend traefik for its impeccable container integration, but for a mix of bare metal and container services I'd go with Caddy.

[–] crony@lemmy.cronyakatsuki.xyz 7 points 9 months ago

Update: I have moved to caddy, planned a switch either way and this just pushed me to do it.

[–] viq@social.hackerspace.pl 6 points 9 months ago (1 children)
[–] 2xsaiko@discuss.tchncs.de 4 points 9 months ago

NixOS uses this, works well for me.

[–] Decronym@lemmy.decronym.xyz 5 points 9 months ago* (last edited 9 months ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CA (SSL) Certificate Authority
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
SSL Secure Sockets Layer, for transparent encryption
nginx Popular HTTP server

3 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.

[Thread #452 for this sub, first seen 24th Jan 2024, 12:25] [FAQ] [Full list] [Contact] [Source code]

[–] eskuero@lemmy.fromshado.ws 4 points 9 months ago (1 children)

You could not use the dns challenge?

[–] crony@lemmy.cronyakatsuki.xyz 1 points 9 months ago (1 children)

Requires me to add cname record's, which beats the purpose of automation honestly. Will most likelly move to caddy.

[–] brygphilomena@lemmy.world 1 points 9 months ago (1 children)

I thought acme or certbot could handle the DNS entries with an API call to your DNS provider.

It may require another plugin though. Googling some variation of certbot acme automate DNS challenge will give you a dozen tutorials.

[–] crony@lemmy.cronyakatsuki.xyz 1 points 9 months ago (2 children)

Certbot has no support for vultr dns, not even with plugins. Already check.

[–] brygphilomena@lemmy.world 1 points 9 months ago (1 children)

Is there a particular reason you are keeping your DNS there?

[–] crony@lemmy.cronyakatsuki.xyz 1 points 9 months ago (3 children)

Nice ui, and I already have a vps there. My main dns provider is namecheap but made it use vultr under the hood because of the nice ui.

[–] joao@aussie.zone 2 points 9 months ago (1 children)

Being a bit pedantic, and could be wrong, but wouldn't that make Namecheap your registrar only, which registers whatever nameservers you give it for the domain you own with the relevant gTLD entity?

[–] brygphilomena@lemmy.world 2 points 9 months ago

Fair enough, just throwing that out there as an option to move DNS somewhere that does have API access for certbot to use.

[–] constantokra@lemmy.one 1 points 9 months ago (1 children)

Switching to porkbun would make things a lot easier for you. DNS challenge is why I switched from Namecheap, and it's less expensive and considerably easier to administrate.

[–] QHC@lemmy.world 1 points 9 months ago

Namecheap API works just fine with Certbot DNS challenges for me, FWIW.

[–] solrize@lemmy.world 3 points 9 months ago

I used dehydrated for a while. It's a quite simple python script iirc. It's on github someplace.

If your domain registrar is porkbun and you use their DNS hosting, they can generate wildcard certificates for you. It is pretty convenient though a little bit scary, since they generate your key pair and retrieve the cert from letsencrypt. But, since they run your DNS, they could do almost the same thing without you even knowing.

[–] ulu_mulu@lemm.ee 3 points 9 months ago (1 children)

What CA are you getting your certificates from?

If Let's Encrypt, have you checked their alternative methods to certbot?

[–] crony@lemmy.cronyakatsuki.xyz 2 points 9 months ago (1 children)

Yea I'm using let's encrypt. Juet wanted to hear opinions from people who are probably more experienced than me.

[–] ninjan@lemmy.mildgrim.com 2 points 9 months ago

I'd say any project that's decently maintained and satisfies your use case is probably good enough. I found this that from the sound of it fits your use case: https://github.com/fffonion/lua-resty-acme

[–] possiblylinux127@lemmy.zip 3 points 9 months ago* (last edited 9 months ago) (1 children)

You don't need it to parse your config. Just set it to manual mode with a cron job. You can manually copy the certs with a short script.

[–] crony@lemmy.cronyakatsuki.xyz 1 points 9 months ago (1 children)

Hi already tried that, worked for one domain and then stopped working for every other domain.

[–] possiblylinux127@lemmy.zip 2 points 9 months ago (1 children)

Oh, I just assuming it would be one or 2 domains, my bad.

[–] crony@lemmy.cronyakatsuki.xyz 1 points 9 months ago

Yea, evem rn on the server I have about 13? or so domains, and still haven't migrated all my services over.

[–] drkt@lemmy.dbzer0.com 2 points 9 months ago
[–] tagginator@utter.online 0 points 9 months ago

New Lemmy Post: Alternative to certbot for acquiring ssl certificates to use with nginx. (https://lemmy.world/post/11122593)
Tagging: #SelfHosted

(Replying in the OP of this thread (NOT THIS BOT!) will appear as a comment in the lemmy discussion.)

I am a FOSS bot. Check my README: https://github.com/db0/lemmy-tagginator/blob/main/README.md