Raspberry Pi with Let's Encrypt and SSH tunneling
Use Let's Encrypt to generate and save certificates and private keys for your custom domain directly to your Raspberry Pi's filesystem, and serve your earthstar pub over https!
- Raspberry Pi and micro SD card loaded with the latest Raspbian image
- VPS (Virtual Private Server. I'm using a Linode at $5/mo. Other providers: Digital Ocean)
- Custom domain (or subdomain) and DNS configuration access (I'm using Gandi.net)
Create a new A record for your domain (or subdomain) and point it to the IP address of your VPS.
On the VPS: unfortunately you have to ssh in as root, because the tunnel has to bind ports 80 and 443 on the VPS and those are privileged ports. Add your public key to root's allowed clients list (`~/.ssh/authorized_keys`), then in `/etc/ssh/sshd_config`:
- uncomment `#GatewayPorts no`
- and change it to `GatewayPorts yes` (without this the forwarded ports only listen on the VPS's loopback interface and nobody outside can reach them), then restart sshd so the change takes effect
TODO: judy
https://superuser.com/a/1194856
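An added check for the sshd side of this, not from the wiki or the earthstar project: a small POSIX shell script (assumed filename check_sshd.sh) that reads an sshd_config and reports whether the remote forwards used later on this page can listen on the VPS's public address, and which settings are worth tightening once your key login works. It assumes whitespace-separated "Keyword value" lines and no Match blocks, which is how a fresh VPS image ships.

```sh
#!/bin/sh
# Added example, not from the earthstar wiki or project: check that the VPS's
# sshd_config will let "-R 443:localhost:443" listen on the public interface,
# and flag weaker settings the root login in this guide can tighten once key
# login works. Assumptions: whitespace-separated "Keyword value" lines and no
# Match blocks (true for a fresh VPS image).

# Print the effective value of KEYWORD in FILE, or DEFAULT if it is absent.
# sshd uses the FIRST uncommented occurrence of a keyword (sshd_config(5)),
# so "#GatewayPorts no" left as a comment is harmless, but a real earlier
# "GatewayPorts no" would silently override a later "GatewayPorts yes".
sshd_effective() {
  file=$1; keyword=$2; default=$3
  value=$(awk -v kw="$keyword" '
    BEGIN { kw = tolower(kw) }                          # keywords are case-insensitive
    /^[ \t]*#/ { next }                                 # skip commented lines
    /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { exit }         # stop at the first Match block
    tolower($1) == kw { print $2; exit }                # first hit wins
  ' "$file")
  printf '%s\n' "${value:-$default}"
}

# Return 0 when remote forwards can bind the public interface; print findings.
check_tunnel_config() {
  file=$1
  rc=0
  gw=$(sshd_effective "$file" GatewayPorts no)
  case $gw in
    yes) echo "ok: GatewayPorts yes, -R 443:localhost:443 listens on the VPS's public address" ;;
    clientspecified) echo "ok: GatewayPorts clientspecified, but the tunnel then needs a bind address, e.g. -R '*:443:localhost:443'" ;;
    *) echo "FAIL: GatewayPorts $gw, -R ports will bind only to 127.0.0.1 on the VPS"; rc=1 ;;
  esac
  # The guide installs a public key for root; after that, these can be tightened.
  [ "$(sshd_effective "$file" PasswordAuthentication yes)" = "no" ] ||
    echo "warn: PasswordAuthentication is on; set it to no once key login works"
  [ "$(sshd_effective "$file" PermitRootLogin prohibit-password)" != "yes" ] ||
    echo "warn: PermitRootLogin yes; prohibit-password still allows root key login"
  return "$rc"
}

# Usage: sh check_sshd.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then check_tunnel_config "$1"; fi
```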
Follow the instructions on the other wiki page: Earthstar Pub on a Raspberry Pi
Make a new folder for the proxy, then:
```sh
npm init
npm i greenlock-proxy --save
touch proxy.js
```
Copy and paste the sample code into proxy.js (from https://github.com/Roslovets-Inc/greenlock-proxy):
```js
const GreenlockProxy = require('greenlock-proxy');
// Configure Let's Encrypt settings to get SSL certificate
var proxy = new GreenlockProxy({
  maintainerEmail: "your@email.com", // your email
  staging: true // true for testing, false for production (only after testing!)
});
// Just bind your domain to internal address - common example
proxy.register(["your.domain.com"], ["http://localhost:3333"]);
// Optional: bind another domain to another address
//proxy.register(["example.com", "www.example.com"], ["http://localhost:80"]);
// Optional: simple random balancer
//proxy.register(["balancer.example.com", "www.balancer.example.com"], ["http://localhost:81","http://localhost:82","http://localhost:83"]);
// Start proxying
proxy.start();
```
Modify it to hold your email address and other info (your domain). I left `staging: true` for now. Then run it:
```sh
node proxy.js
```
Then open an ssh tunnel from the Pi, so that port 443 on the VPS forwards to port 443 on the Pi:
```sh
ssh root@your.domain.com -R 443:localhost:443 -N
```
It will ask you for root's password, which you made when you created the Linode/VPS. You also have to do 80, so the Let's Encrypt authority can issue a challenge to port 80:
```sh
ssh root@your.domain.com -R 80:localhost:80 -N
```
Then try to hit your.domain.com in a web browser. It should ask you a bunch of questions and ask if you want to generate staging certs. After it works, go into proxy.js, set `staging: false`, and hit your website again to generate real certs!
So all of these need to be running at the same time:
- ssh tunnel for port 443
- ssh tunnel for port 80 (which will redirect to https, but you need 80 open so that the Let's Encrypt servers can autorenew your cert. I don't know how this works yet.)
- the proxy server: `node proxy.js` in whatever folder you made your proxy project in
- the earthstar pub: `./run-pub.sh` in your mypub/ folder
- how to auto renew (gotta set up cron jobs?)
- if just using greenlock-proxy will work (i used greenlock-express first, then changed to use greenlock-proxy afterwards)