Skip to content
This repository has been archived by the owner on Apr 28, 2022. It is now read-only.

Raspberry Pi with Let's Encrypt and SSH tunneling

Judy Tuan edited this page Apr 30, 2021 · 7 revisions

Use Let's Encrypt to generate and save certificates and private keys for your custom domain directly to your Raspberry Pi's filesystem, and serve your earthstar pub over https!

Assemble materials.

  • Raspberry Pi and micro SD card loaded with the latest Rasbpian image
  • VPS (Virtual Private Server. I'm using a Linode at $5/mo. Other providers: Digital Ocean)
  • Custom domain (or subdomain) and DNS configuration access (I'm using Gandi.net)

Wherever you manage your domain's DNS records

Point the domain to your VPS

Create a new A record for your domain (or subdomain) and point it to the IP address of your VPS.

On your VPS

vps basic setup

unfortunately you have to ssh in as root because ports 80 and 443 are considered privileged

add your public key to the allowed clients list

Allow GatewayPorts

in /etc/SOMEWHERE LOL/sshdconfig or something uncomment #GatewayPorts no and change to yes

TODO:judy

https://superuser.com/a/1194856

On your Raspberry Pi itself

Install earthstar-pub

Follow the instructions on the other wiki page: Earthstar Pub on a Raspberry Pi

Create a proxy server on your Pi

New folder

npm init, i guess

npm i greenlock-proxy --save

touch proxy.js

copy and paste sample code into proxy.js (from https://github.com/Roslovets-Inc/greenlock-proxy )

const GreenlockProxy = require('greenlock-proxy');

// Configure Let's Encrypt settings to get SSL certificate
var proxy = new GreenlockProxy({
    maintainerEmail: "your@email.com", // your email
    staging: true // true for testing, false for production (only after testing!)
});

// Just bind your domain to internal address - common example
proxy.register(["your.domain.com"], ["http://localhost:3333"]);


// Optional: bind another domain to another address
//proxy.register(["example.com", "www.example.com"], ["http://localhost:80"]);

// Optional: simple random balancer
//proxy.register(["balancer.example.com", "www.balancer.example.com"], ["http://localhost:81","http://localhost:82","http://localhost:83"]);

// Start proxiyng
proxy.start();

modify it to hold your email address and info

i left staging: true for now

run it node proxy.js

SSH tunnel from your Pi to your VPS

ssh root@your.domain.com -R 443:localhost:443 -N

it will ask you for root's password, which you made when you created the Linode/VPS

you also have to do 80 so the Let's Encrypt authority can issue a challenge to 80

ssh root@your.domain.com -R 80:localhost:80 -N

then try to hit your.domain.com in a web browser. it should ask you a bunch of questions and ask if you want to generate staging certs.

after it works, go into proxy.js and set staging: false and hit your website again to generate real certs!

Processes you need to leave running

  • ssh tunnel for port 443
  • ssh tunnel for port 80 (which will redirect to https, but you need 80 open so that the Let's Encrypt servers can autorenew your cert. I don't know how this works yet.)
  • the proxy server node proxy.js in whatever folder you made you proxy project in
  • the earthstar pub ./run-pub.sh in your mypub/ folder

Unknowns

  • how to auto renew (gotta set up cron jobs?)
  • if just using greenlock-proxy will work (i used greenlock-express first, then changed to use greenlock-proxy afterwards)