Nginx: Difference between revisions
Older revision: Malteneuss (minor edit): Add a Private Local LAN Server Example Nix config code
Newer revision: Malteneuss (minor edit): Add rebind attack notice
We can also run a private server in our local network (including over VPN) that is not reachable from the internet but still gets valid Let's Encrypt certificates that browsers accept.
1. We have to '''modify DNS such that our domain''' like <code>myhost.org</code> '''resolves to the local IP address of our private server''', and ports 80 and 443 must be open on the server's own firewall for LAN clients. They do not need to be forwarded from the internet: with the DNS-01 challenge used in step 2, Let's Encrypt never connects to the server on those ports. [https://www.youtube.com/watch?v=qlcVx-k-02E See this video tutorial] for an example of how to do that. Hint: you might need to '''add an exception to your router''' (Fritz!Box routers, for example, enable this filter by default), because answers that resolve a public name to a local IP address are usually dropped to prevent '''DNS rebind attacks'''. Add the exception only for the specific hostname so the protection stays in place for every other name.
2. We have to set up the NixOS ACME service such that it uses an '''API token in a secrets file''' ([https://github.com/ryantm/agenix secrets for a server can be conveniently and securely deployed in NixOS with agenix]; just follow the tutorial) against our DNS provider to '''prove from our server that we own the domain''': the ACME client creates a temporary <code>_acme-challenge</code> TXT record for the domain through the provider's API, and Let's Encrypt verifies it over public DNS. This way our server does not need to be exposed and reachable from the internet. NixOS ACME uses the [https://go-acme.github.io/lego/ LEGO library] to communicate with DNS providers (it supports a lot), so we have to provide the token(s) in that library's environment-file format. Treat the token as a credential for the domain itself: whoever holds it can create DNS records and therefore obtain certificates for the domain, so keep it out of the Nix store (agenix does this; a token written literally into the configuration ends up world-readable in <code>/nix/store</code>) and use a token scoped as narrowly as the provider allows.
In the example we use Hetzner as our "dnsProvider", which only needs a single environment variable holding the API token in our secrets file:
</syntaxhighlight>Other [https://carjorvaz.com/posts/setting-up-wildcard-lets-encrypt-certificates-on-nixos/ DNS providers such as OVH] require more environment variables.
See the section "'''Credentials'''" for what you have to specify in the secrets file: https://go-acme.github.io/lego/dns/hetzner/
See the Hetzner guide on how to get an API token for its "DNS console": https://docs.hetzner.com/dns-console/dns/general/api-access-token/
</syntaxhighlight>
This will set up nginx to serve files for example.org, automatically request an ACME TLS certificate using the "DNS-01" challenge (meaning '''your server doesn't need to be exposed to the internet''', which is great for self-hosting) and configure systemd timers to renew the certificate when required.
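The following script is an added example for this section and is not code from the wiki page or from the NixOS project. It bundles two offline checks a practitioner would run after steps 1 and 2 above: whether the router's DNS rebind protection is swallowing the private address the public DNS record points at, and whether the lego secrets file referenced from the ACME config is kept out of the Nix store, is readable only by its owner and actually contains the variable the chosen provider needs. The domain <code>myhost.org</code>, the router address <code>192.168.178.1</code> and the path <code>/run/agenix/hetzner-dns</code> are hypothetical values chosen for illustration.

```shell
#!/usr/bin/env sh
# Added example for the NixOS wiki Nginx section, not project code.
# Offline checks for the private-LAN DNS-01 setup:
#  - rebind_status: did the router's DNS rebind protection drop the
#    private address that the public DNS record points at?
#  - check_secrets_file: is the lego environment file outside the Nix
#    store, owner-only readable, and does it carry the provider variable?
# Hypothetical values: domain myhost.org, router 192.168.178.1,
# secrets file /run/agenix/hetzner-dns.

# Exit 0 when an IPv4 address lies in an RFC 1918 private range.
is_private_ipv4() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.*)
      second=${1#172.}
      second=${second%%.*}
      [ "$second" -ge 16 ] 2>/dev/null && [ "$second" -le 31 ] && return 0
      ;;
  esac
  return 1
}

# Compare the A record as seen through a public resolver with the answer
# the LAN router gives. Prints one of:
#   public       the record does not point at a private address at all
#   rebind-block public resolver returns a private address, the router
#                returns nothing (typical rebind protection, e.g. Fritz!Box)
#   differs      both answer, but with different addresses
#   ok           both agree on the private address
rebind_status() {
  public_answer=$1
  router_answer=$2
  if ! is_private_ipv4 "$public_answer"; then
    echo public
  elif [ -z "$router_answer" ]; then
    echo rebind-block
  elif [ "$public_answer" = "$router_answer" ]; then
    echo ok
  else
    echo differs
  fi
}

# Live variant; needs dig and network access, so it is not run by default.
# Usage: live_rebind_check myhost.org 192.168.178.1
live_rebind_check() {
  domain=$1
  router=$2
  public=$(dig +short A "$domain" @1.1.1.1 | head -n 1)
  local_answer=$(dig +short A "$domain" @"$router" | head -n 1)
  printf '%s public=%s router=%s -> %s\n' "$domain" "${public:-<none>}" \
    "${local_answer:-<none>}" "$(rebind_status "$public" "$local_answer")"
}

# Validate the lego environment file referenced from the ACME config.
# Accepts VAR=... or the VAR_FILE=... indirection that lego supports.
# Prints the first problem found and returns 1; returns 0 when all is well.
# Usage: check_secrets_file /run/agenix/hetzner-dns HETZNER_API_KEY
check_secrets_file() {
  file=$1
  required_var=${2:-HETZNER_API_KEY}
  case "$file" in
    /nix/store/*)
      echo "$file: secrets must not live in the world-readable Nix store"
      return 1 ;;
  esac
  if [ ! -r "$file" ]; then
    echo "$file: not readable"
    return 1
  fi
  # Octal mode; group and other bits must be zero (e.g. 400 or 600).
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
  case "$mode" in
    *00) ;;
    *) echo "$file: mode $mode is readable by group/others"; return 1 ;;
  esac
  if ! grep -Eq "^${required_var}(_FILE)?=." "$file"; then
    echo "$file: no ${required_var}= or ${required_var}_FILE= line"
    return 1
  fi
  echo "$file: ok"
  return 0
}
```

Run <code>live_rebind_check myhost.org 192.168.178.1</code> from a LAN client: a <code>rebind-block</code> result means the router needs the per-hostname exception from step 1, while <code>public</code> means the DNS record from step 1 was never changed. <code>check_secrets_file</code> refuses any path under <code>/nix/store</code> because everything there is readable by every local user and may be pushed to a binary cache; owner-only permissions are enough since systemd loads the environment file for the ACME service.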
== Troubleshooting ==