Pinging @miked for potential alternatives to Port 80.
@miked, is there an option to remove ports 80 and 443 and start over with port 8000 in HTTPS mode?
sudo certbot --nginx -d ourdomain.com --http-01-port 8000
take a look at https://bobcares.com/blog/certbot-apache-different-port/
and https://stackoverflow.com/questions/37458287/how-to-run-a-cron-job-inside-a-docker-container
and use this:
Run the following line, which will add a cron job to /etc/crontab:
SLEEPTIME=$(awk 'BEGIN{srand(); print int(rand()*(3600+1))}'); echo "0 0,12 * * * root sleep $SLEEPTIME && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
If you needed to stop your webserver to run Certbot, you’ll want to add pre and post hooks to stop and start your webserver automatically. For example, if your webserver is HAProxy, run the following commands to create the hook files in the appropriate directory:
sudo sh -c 'printf "#!/bin/sh\nservice haproxy stop\n" > /etc/letsencrypt/renewal-hooks/pre/haproxy.sh'
sudo sh -c 'printf "#!/bin/sh\nservice haproxy start\n" > /etc/letsencrypt/renewal-hooks/post/haproxy.sh'
sudo chmod 755 /etc/letsencrypt/renewal-hooks/pre/haproxy.sh
sudo chmod 755 /etc/letsencrypt/renewal-hooks/post/haproxy.sh
Congratulations, Certbot will now automatically renew your certificates in the background.
If you are interested in learning more about how Certbot renews your certificates, see the Renewing certificates section above.
For a host-side Docker HAProxy you will need this config:
ha-proxy.cfg:
global
    daemon
    maxconn 40960
    tune.ssl.default-dh-param 2048
    no strict-limits

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

# inside the container bind on all interfaces; the compose port mapping decides what is reachable
frontend http-in
    bind *:443 ssl crt /haproxy/certs.pem ssl-min-ver TLSv1.2
    bind *:8000
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload"
    acl is_example hdr(host) -i ${JACKTRIP_HA_HOST}
    use_backend ex_back if is_example

backend ex_back
    balance roundrobin
    option httpclose
    option forwardfor
    redirect scheme https code 301 if !{ ssl_fc }
    server s1 192.168.3.101:8000 check
    server s2 192.168.3.102:8000 check

# raw TCP: port 53 goes to the public resolvers, the JackTrip ports to the two nodes
frontend tcp-dns
    mode tcp
    bind *:53
    bind *:3478 ssl crt /haproxy/certs.pem ssl-min-ver TLSv1.2
    bind *:4464 ssl crt /haproxy/certs.pem ssl-min-ver TLSv1.2
    bind *:7881 ssl crt /haproxy/certs.pem ssl-min-ver TLSv1.2
    use_backend tcp-dns-backend if { dst_port 53 }
    default_backend jacktrip-tcp

backend tcp-dns-backend
    mode tcp
    balance roundrobin
    server s1 1.1.1.1:53 check
    server s2 9.9.9.9:53 check

# no port on the server line: HAProxy connects to the same port the client used (3478/4464/7881),
# so one backend serves all three without sending a 7881 connection to a :53 server
backend jacktrip-tcp
    mode tcp
    balance roundrobin
    server s1 192.168.3.101 check port 4464
    server s2 192.168.3.102 check port 4464

# UDP: 'udp-lb', 'dgram-bind' and 'proxy-requests' are HAProxy Enterprise UDP-module directives
# and are rejected by the community haproxy:2.8-alpine image; dgram-bind also takes no ssl/crt
# options (HAProxy does not terminate DTLS)
udp-lb udp-dns
    dgram-bind *:53
    proxy-requests 1
    balance roundrobin
    option udp-check
    server s1 1.1.1.1:53 check
    server s2 9.9.9.9:53 check

udp-lb jacktrip-udp
    dgram-bind *:3478
    dgram-bind *:50000-51000
    dgram-bind *:61000-62000
    dgram-bind *:22124
    proxy-requests 1
    balance roundrobin
    option udp-check
    server s1 192.168.3.101 check
    server s2 192.168.3.102 check
compose.yaml:
networks:
  frontend:
    external: false

volumes:
  haproxy_certs:
    external: false

services:
  haproxy:
    image: haproxy:2.8-alpine
    container_name: haproxy
    ports:
      - "53:53"
      - "443:443/tcp"
      # 8000 stays plain HTTP; ex_back redirects it to https
      - "8000:8000/tcp"
      - "3478:3478"
      - "4464:4464/tcp"
      - "7881:7881/tcp"
      - "22124:22124/udp"
      - "50000-51000:50000-51000/udp"
      - "61000-62000:61000-62000/udp"
    environment:
      - JACKTRIP_HA_HOST=REPLACE_WITH_FQDN
    volumes:
      - ./ha-proxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
      - ./haproxy_certs/certs.pem:/haproxy/certs.pem:ro
    # no 'command:' override: the image's entrypoint starts haproxy itself, and a custom
    # command replaces it, so the container would exit. certbot and its renewal hooks run on
    # the host; after a renewal rebuild certs.pem (certificate chain followed by the private
    # key) and restart this service, e.g. `docker compose restart haproxy`.
    networks:
      frontend:
        aliases:
          - haproxy
note: LetsEncrypt with HAProxy | Servers for Hackers
Just self-sign:
# 4096-bit RSA private key, then a CSR (answer the prompts; CN = your host name)
openssl genrsa -out priv.key 4096
openssl req -new -nodes -sha256 -key priv.key -out cert.csr
# self-signed certificate valid for ten years
openssl x509 -req -sha256 -days 3650 -in cert.csr -signkey priv.key -out cert.pem
# HAProxy wants certificate and private key in one PEM file
cat priv.key >> cert.pem
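An added check (not from the thread or the JackTrip project): a small Python lint that parses the bind lines of ha-proxy.cfg and the ports: list of compose.yaml and reports a host port that clients expect to be TLS being forwarded to a container port whose bind has no ssl, or to a port nothing binds. The embedded excerpts are constructed from the configs above, deliberately mapping host 443 to the plain container port 8000 so the check has something to find; TLS_HOST_PORTS is an assumption.

```python
import re

# Excerpts constructed from the thread's ha-proxy.cfg/compose.yaml, keeping a 443:8000 mapping
HAPROXY_CFG = """\
frontend http-in
    bind *:443 ssl crt /haproxy/certs.pem ssl-min-ver TLSv1.2
    bind *:8000
frontend tcp-dns
    bind *:53
"""
COMPOSE_PORTS = """\
    ports:
      - "53:53"
      - "443:8000/tcp"
      - "7881:7881/tcp"
      - "22124:22124/udp"
"""

BIND_RE = re.compile(r"^\s*bind\s+\S*?:(\d+)(?:\s+(.*))?$")
PORT_RE = re.compile(r'^\s*-\s*"?(\d+):(\d+)(?:/(tcp|udp))?"?\s*$')  # single ports, not ranges
TLS_HOST_PORTS = {443}  # assumption: host ports on which clients only ever speak TLS

def parse_binds(cfg):
    # container port -> True when the bind terminates TLS (has the 'ssl' keyword)
    binds = {}
    for line in cfg.splitlines():
        if m := BIND_RE.match(line):
            binds[int(m.group(1))] = "ssl" in (m.group(2) or "").split()
    return binds

def parse_ports(compose):
    # (host_port, container_port, proto) for each simple compose 'ports' entry
    found = []
    for line in compose.splitlines():
        if m := PORT_RE.match(line):
            found.append((int(m.group(1)), int(m.group(2)), m.group(3) or "tcp"))
    return found

def lint(cfg, compose):
    # one message per published TCP port that HAProxy does not serve the way the mapping implies
    binds = parse_binds(cfg)
    findings = []
    for host, cont, proto in parse_ports(compose):
        if proto == "udp":
            continue  # 'bind' lines are TCP; UDP would need the Enterprise udp-lb section
        if cont not in binds:
            findings.append(f"host {host} -> container {cont}: nothing binds this port")
        elif host in TLS_HOST_PORTS and not binds[cont]:
            findings.append(f"host {host} -> container {cont}: TLS port forwarded to a plain bind")
    return findings
```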
JackTrip doesn’t require port 80. I believe that is only used by certbot and that is totally optional. If you have a valid cert you can just use that instead of ephemeral ones. However you get it for the studio container is fine.
That’s a problem: certbot did not connect because of the faulty port 80 from the ISP.
They are afraid of non-encrypted ports and services like certbot.
in other words “computer sabotage by ISP”
I believe there are several different ways you can configure certbot for domain validation. It’s not necessary to use http or port 80. Alternatively, you can just purchase a TLS certificate from one of the numerous vendors out there.
The purchase is indeed the best option … at the moment the 2nd server is linked through a free DNS provider because of the dynamic IP from the provider … these IP updates come every 24h,
and my goal was to update the dynamic IP, and the cert, every 12h.
That’s why I chose the free DNS provider and the Let’s Encrypt cert.
@miked, what do you think about this clustered version? Is that something for the future?
No plans for clustered servers right now