Renewal of Let's Encrypt Certificate

Questions and discussions about Indie Computing's UBOSbox

Post by Mkdir »

Hello all,

I have a UBOSbox with a running Nextcloud and TLS with a Let's Encrypt Certificate.
Everything worked fine but now the certificate is going to expire in some days.
What do I have to do to renew the certificate or is this done automatically?

Thanks in advance!



Post by j12t »

If your UBOSbox is reachable with an official domain name from the public internet, this should happen automatically.

This shows when it has / will attempt to renew, or if any problems have occurred.

Code:

sudo systemctl status certbot.timer

Post by Mkdir »

Yes, it should be reachable.

This is the output:

Code:

● certbot.timer - Daily renewal of Let's Encrypt's certificates
     Loaded: loaded (/usr/lib/systemd/system/certbot.timer; disabled; vendor preset: disabled)
     Active: active (waiting) since Thu 2020-11-26 14:14:58 UTC; 1 months 22 days ago
    Trigger: Tue 2021-01-19 11:10:54 UTC; 13h left
   Triggers: ● certbot.service

Does that mean that it will renew tomorrow?

Post by j12t »

It should renew well in advance of the expiration.

Also consult the log files in /var/log/letsencrypt.

Post by Mkdir »

Hmm, I took a look at the log file and I think the reason could be that I can contact my UBOSbox through IPv4 but not through IPv6.
Normally both should work.
I found out that the UBOSbox does not have a global IPv6 address. However, all other devices in my network have one, so I guess my router is configured correctly.
Is there anything I can check within the ubosbox?

Post by j12t »

Hmm, we don't have a whole lot of experience with IPv6 issues, and basically none with Let's Encrypt and IPv6 :-(

Is there a way of forcing it to go through IPv4, such as by temporarily only using an A record for your domain (and not an AAAA)?

Post by Mkdir »

There are some new things I found out:
  • I have a dual stack internet connection, so I have a public IPv4 and a public IPv6. For the connection to my server I use a myfritz account. This account always sets a DNS entry for my IPv4 and my IPv6 address. I found no way to change that behavior up to now. Does anybody know if this is possible?
  • My UBOSbox has a lot of firewall rules for IPv4 (iptables) that allow the connection to my server. These were probably set by running "ubos-admin setnetconfig client". However, this is not the case for IPv6 (ip6tables). So basically every connection through IPv6 to the server is dropped. Can someone tell me the reason, or does anyone know how to fix/change this? I already tried running "ubos-admin setnetconfig client" again.
  • Certbot seems to prefer the IPv6 DNS entry for the renewal of the certificate. That is probably why it does not work because no connection through IPv6 can be established to my server.
Thanks in advance for your help and time!
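
Added example, not part of the original thread: a Python probe for the situation described in the post above, where both an A and an AAAA record are published but only IPv4 connections get through the firewall. The host name, the documentation addresses and the `fake_*` helpers are constructed stand-ins so the logic can run offline.

```python
import socket
import sys

FAMILIES = {socket.AF_INET: "A", socket.AF_INET6: "AAAA"}

def probe(host, port=80, timeout=5.0,
          resolve=socket.getaddrinfo, connect=socket.create_connection):
    """Map each record type to {address: reachable?} for TCP `port`."""
    results = {"A": {}, "AAAA": {}}
    for family, rtype in FAMILIES.items():
        try:
            infos = resolve(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this type is published
        for info in infos:
            addr = info[4][0]
            try:
                connect((addr, port), timeout).close()
                results[rtype][addr] = True
            except OSError:  # refused, timed out (dropped), no route
                results[rtype][addr] = False
    return results

def broken_families(results):
    """Record types that are published in DNS but fail the TCP probe."""
    return [t for t, addrs in results.items()
            if addrs and not all(addrs.values())]

# Constructed stand-ins mirroring the thread: both records exist,
# IPv4 is accepted, IPv6 packets are dropped by the firewall.
def fake_resolve(host, port, family, socktype):
    addr = {socket.AF_INET: ("192.0.2.10", port),
            socket.AF_INET6: ("2001:db8::10", port, 0, 0)}[family]
    return [(family, socktype, 6, "", addr)]

def fake_connect(address, timeout):
    if ":" in address[0]:
        raise TimeoutError("constructed: IPv6 connection dropped")
    return socket.socket()  # unconnected socket, only so .close() works

if __name__ == "__main__":
    if len(sys.argv) > 1:   # real lookup and connect for the given name
        res = probe(sys.argv[1])
    else:                   # offline demo with the constructed helpers
        res = probe("cloud.example.org",
                    resolve=fake_resolve, connect=fake_connect)
    print(res, "published but unreachable:", broken_families(res))
```

Run it with the real host name from a machine outside the home network, since a probe from inside the LAN does not take the same path as an external validation request.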

Post by j12t »

IPv6 hadn't gotten as much attention on UBOS as it probably deserves ...

However, there is new code that should resolve your issue for the client netconfig. If you are willing to try it:

* Get git and build tools: sudo pacman -S git base-devel
* Get new code: git clone https://github.com/uboslinux/ubos-admin.git
* Development branch: git checkout develop
* Allow unsigned code installs: item 9 on https://ubos.net/docs/developers/settin ... container/
* Build and install: cd ubos-admin/ubos-admin ; makepkg -f -i
* Set the netconfig again: sudo ubos-admin setnetconfig client

A reboot may be necessary. If you try it, could you report back?

Post by Mkdir »

Worked like a charm :)
  • Got a global IPv6 now
  • Server is now reachable under IPv6
  • Certificate could be renewed (On the last valid day :) )
Thanks for the great support!

There is only one question/topic left from my side:
If I understood right I now use a development release of ubos-admin. Does this change anything regarding updates or working with the UBOSBox?
Will this IPv6 function be implemented in the normal release? If yes, how can I change back to the normal release then?

Post by j12t »

Hey, sometimes code works on the first try :-)

Generally it's not recommended to mix and match rebuilding random packages and the official packages, because all sorts of bad things can happen. In this case, the changes that were made to ubos-admin were entirely localized, and I've been running this same mix myself without problems, so it was worth risking.

Right now, ubos-admin update will downgrade you to the official package of ubos-admin. Once this version has been promoted from develop into master, and marched through the various release channels, you will automatically receive it as part of the regular ubos-admin update.

In other words, you need to do nothing, except re-install your develop version after each ubos-admin update before it has made it into the green release channel.