get "/.well-known/acme-challenge/@challenge":
  # Jester route: @"challenge" is the token taken from the URL path
  writeFile(getCurrentDir() / @"challenge", @"challenge")
  sendFile getCurrentDir() / @"challenge"

which works if used with a browser but doesn't work with certbot.

I would let your webserver handle those requests, nginx for example. When you use nginx then you could even use certbot's nginx plugin.
Anyhow, those challenges must be served via http not https.
Using certbot with nginx is pretty automatic and easy. https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/
Making your own certbot like tool sounds really hard.
Here's my nginx setup -

server {
    client_max_body_size 64M;
    listen 80;
    server_name sub.mydomain.com;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_read_timeout 60;
        proxy_connect_timeout 60;
        proxy_redirect off;
        # Allow the use of websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

How can I make it work with automatic certbot register and renew?

Aside from installing the certbot nginx plugin, I have been using a plain nginx server to serve the ACME challenge on Arch Linux for many years. All I do is set aside an empty directory (e.g. /srv/certbot) for nginx to serve static files from and ask certbot to save the challenge response to that directory.
server {
    listen 80;
    listen [::]:80;
    server_name sub.mydomain.com;
    # Serve certbot's challenge files over plain http; the ^~ prefix match
    # keeps this path out of the catch-all https redirect below.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /srv/certbot;
    }
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name sub.mydomain.com;
    ssl_certificate /etc/letsencrypt/live/sub.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.mydomain.com/privkey.pem;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:3000;
        # websocket headers ($connection_upgrade comes from a
        # "map $http_upgrade $connection_upgrade" block in the http context)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Scheme $scheme;
        proxy_buffering off;
    }
}
and use the following command for renewal:

    sudo certbot certonly --webroot -w /srv/certbot/ -d sub.mydomain.com

Of course put the above in crontab and also call nginx -s reload afterwards, otherwise nginx will still be serving the old cert.
Minor correction.

Of course put certbot renew in crontab; it is recommended to renew once a day and to avoid renewing at XX:00 sharp, to reduce the surge on the Let's Encrypt servers.
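As an added example (not code from this thread), a pre-flight check for the webroot setup above: it writes a throw-away probe file where certbot --webroot -w /srv/certbot would place a real HTTP-01 challenge, fetches it back over plain http the way Let's Encrypt's validators do, and fails if the request is redirected to https, answered with an error, or answered by something other than the webroot. The webroot path and domain are command-line arguments; the fetch function is injectable so the check can be exercised offline.

```python
# Pre-flight check for the nginx + "certbot --webroot" setup (added example).
# certbot's webroot plugin writes <webroot>/.well-known/acme-challenge/<token>;
# Let's Encrypt then fetches http://<domain>/.well-known/acme-challenge/<token>.
import os
import secrets
import urllib.error
import urllib.request

ACME_DIR = os.path.join(".well-known", "acme-challenge")


def http_fetch(url):
    """Plain-HTTP GET that does NOT follow redirects: a 301 to https here means
    the catch-all redirect is shadowing the acme-challenge location."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def check_webroot(webroot, domain, fetch=http_fetch):
    """Return (ok, reason). `fetch` is injectable so the check is testable offline."""
    token = secrets.token_urlsafe(32)  # same base64url alphabet as ACME tokens
    path = os.path.join(webroot, ACME_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    expected = "probe-" + token  # constructed probe body, not a real key authorization
    with open(path, "w") as f:
        f.write(expected)
    try:
        status, body = fetch(f"http://{domain}/.well-known/acme-challenge/{token}")
    finally:
        os.remove(path)  # never leave probe files behind in the webroot
    if status in (301, 302, 307, 308):
        return False, "redirected: the acme-challenge location must stay on http"
    if status != 200:
        return False, f"HTTP {status}: nginx is not serving {webroot}/{ACME_DIR}"
    if body.strip() != expected:
        return False, "body mismatch: a different server or a cached page answered"
    return True, "ok: webroot is reachable over http, safe to run certbot"


if __name__ == "__main__":
    import sys
    ok, why = check_webroot(sys.argv[1], sys.argv[2])  # e.g. /srv/certbot sub.mydomain.com
    print(why)
    sys.exit(0 if ok else 1)
```

Run it before the first certbot certonly and from the renewal cron job; a non-zero exit means the nginx config changed underneath you and certbot renew would fail the same way.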