Created: 2022-04-06 19:33:55 -0700 Modified: 2022-04-06 19:46:35 -0700
(kw: letsencrypt, let’sencrypt)
Basic setup with a cloud VMSection titled Basic setup with a cloud VM
I ran these instructions when I wanted to set up https:// and wss:// servers on a GCP VM. They come from here. It involves CertBot. This should not take a long time to set up as long as you follow the instructions and know how to let Let’s Encrypt hit your machine without the firewall stopping it.
- sudo apt install snapd
- Restart your session (I killed all screen windows)
- sudo snap install core
- sudo snap install hello-world
- sudo snap install core; sudo snap refresh core
- sudo snap install —classic certbot
- sudo ln -s /snap/bin/certbot /usr/bin/certbot
- sudo certbot certonly —standalone
- Try with —test-cert first so you don’t blow through your rate limit of 5/hour
- It will automatically start its own webserver to serve the well-known challenge file (something like http://example.com/.well-known/acme-challenge/j-krWDwSwXmVk2OeCrNZyAYHXZO0y_u7Ul7OjOmkhns). Do not try serving this yourself! CertBot will handle it for you. If it can’t connect, then you may have to open firewall ports, change iptables, change your nginx configuration, etc. This is why you should use “—test-cert” at first, but remove the flag once you’ve confirmed it works.
- From here, you’ll get cert.pem and key.pem files in /etc/letsencrypt (check the output of CertBot to see exactly where they were put). You can easily use these to start an https:// server, even for websockets (see this example. Note that I didn’t have to handle “upgrade” events at all for the April Fool’s 2022 code, although I don’t have it anymore since I only wrote it on the VM that I terminated).
TroubleshootingSection titled Troubleshooting
UNABLE_TO_GET_ISSUER_CERT_LOCALLYSection titled UNABLE_TO_GET_ISSUER_CERT_LOCALLY
This happens when the certificate doesn’t chain to a trusted authority. In other words, you almost certainly tried using a —test-cert certificate when you meant to use a production one.