Posts: 28
Threads: 4
Joined: Dec 2015
Thanks: 1
Given 3 thank(s) in 2 post(s)
Hi, I'm implementing Let's Encrypt in my daemon script to manage cuberite and I've a doubt:
I use the webroot command to let letsencrypt create the challenge inside the webadmin folder.
My doubt is how I can modify the HTTP server so that the challenge file can be accessed; it is inside a hidden folder called .well-known.
Does the HTTP server that cuberite uses support access to that hidden folder using GET? If not, if someone knows a workaround I'll be glad to hear it.
I'll open an issue if I can't solve this. I thought it may be interesting to have Let's Encrypt certificates in cuberite.
Thanks.
Posts: 6,485
Threads: 176
Joined: Jan 2012
Thanks: 131
Given 1075 thank(s) in 852 post(s)
Cuberite does indeed support plain file serving, although it might get removed or changed one day because it feels hacky to me.
Whatever you put in your server folder, inside the webadmin/files subfolder, will be served at the root of the webserver. Folders are observed. Therefore, if you put the challenge file to (Server)/webadmin/files/.well-known/<challengefilename>, it will be accessible as http(s)://yourserver.com/.wellknown/<challengefilename>. Is this enough to support letsencrypt?
Posts: 204
Threads: 6
Joined: Oct 2015
Thanks: 23
Given 17 thank(s) in 16 post(s)
No. It would appear under http(s)://yourserver.com:port/.wellknown and that is not enough. Letsencrypt requires port 80/443 because these ports require root to bind to. That way they ensure the certificate issuer has root access to the server the domain is running under (that way they make sure that not just anyone who gets a user account there can issue certificates).
A better way would be just running the letsencrypt client normally, adding read access to the key and so on for the user cuberite is running as (with ACL), and symlinking the certificate/key (= to the live directory). That way you only have to make sure the ones in live are not outdated, and you can use them with as many things as you want, but it still doesn't allow a globally readable key.
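The ACL-and-symlink approach from the post above, as an added example that is not part of the original thread. It assumes certbot's default /etc/letsencrypt layout and that the webadmin loads httpscert.crt and httpskey.pem; the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Assumptions: certbot's default layout under /etc/letsencrypt,
# and httpscert.crt / httpskey.pem as the file names the webadmin loads.

# key_is_private FILE: succeed only if FILE exists and, with symlinks
# followed, is not readable by "other".
key_is_private() {
    [ -f "$1" ] && [ -z "$(find -L "$1" -prune -perm -004 2>/dev/null)" ]
}

# grant_key_read USER DOMAIN [LE_ROOT]: add ACL entries for one user instead
# of loosening the mode bits. Needs root and a filesystem with ACL support.
grant_key_read() {
    le_root=${3:-/etc/letsencrypt}
    # live/ and archive/ are root-only directories; the user needs search (x).
    setfacl -m "u:$1:x" "$le_root/live" "$le_root/archive" \
        "$le_root/live/$2" "$le_root/archive/$2" || return 1
    # live/DOMAIN/privkey.pem is a symlink into archive/; ACL goes on the target.
    setfacl -m "u:$1:r" "$(readlink -f "$le_root/live/$2/privkey.pem")"
}

# link_cert DOMAIN WEBADMIN_DIR [LE_ROOT]: point the server's cert/key names
# at live/, so a renewal is picked up without copying key material around.
link_cert() {
    live="${3:-/etc/letsencrypt}/live/$1"
    [ -f "$live/fullchain.pem" ] || {
        echo "no certificate in $live" >&2
        return 1
    }
    key_is_private "$live/privkey.pem" || {
        echo "refusing: $live/privkey.pem is missing or world-readable" >&2
        return 2
    }
    ln -sf "$live/fullchain.pem" "$2/httpscert.crt" &&
        ln -sf "$live/privkey.pem" "$2/httpskey.pem"
}
```

Run `grant_key_read` as root with the account the server runs as, then `link_cert` with the server's webadmin directory. A renewed key is a new file under archive/, so `grant_key_read` has to be repeated after each renewal.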
Posts: 28
Threads: 4
Joined: Dec 2015
Thanks: 1
Given 3 thank(s) in 2 post(s)
I will give it a try. I was putting the challenge under /webadmin/ not /webadmin/files/, that's the problem. Right now I'm not worried about root or permissions, as I do run all commands as root and cuberite is also running under root; not my main concern at the moment.
I can bind it to port 80 running root as you stated, but right now I've the server at home, and just a port forwarding from 80 to 8080 is enough to get it working without changing the port.
I'll let you know if I make progress. Apart from that, I've another problem running letsencrypt-auto from within a bash script; I don't know why it behaves differently than running it directly.
Thanks.
Posts: 28
Threads: 4
Joined: Dec 2015
Thanks: 1
Given 3 thank(s) in 2 post(s)
It is working fine; changing the webroot to /webadmin/files/ makes it work, and the certificate is working fine.
I'll go with the automation of the renewal process and cleaning the code a bit. Will post the update once it is working.
Thanks.