Farmer20

Thanks to TKL for simplifying the rather complicated setup of SSL on webservers.  I'm running V15.3 of the TKL Wordpress Appliance ISO:  turnkey-wordpress-15.3-stretch-amd64.iso

I read this doc on the Let's Encrypt procedure:

https://www.turnkeylinux.org/docs/confconsole/letsencrypt

And I noted this warning:

"Note: Please ensure that you have your Domain nameservers correctly configured prior to running this. Failure to do so will cause the Let's Encrypt challenges to fail (so you won't get a certificate). Repeated failures may cause your server to be blocked (for a week) from further attempts."

I bolded the phrase that has me a bit worried:  Domain nameservers correctly configured

Could someone expand on what "correctly configured" means?  

Currently, my domain has been purchased. 

Browsing to www.mydomain.com redirects me to a free instance of Wordpress on their Wordpress.com site.  

And I've configured email forwarding such that emails sent to the domain are forwarded to my Gmail account.

Is this "enough of a correct configuration" for me to get my Let's Encrypt Certificate?

If not, what else do I need?

I noted that in a document relating to installing Let's Encrypt from Owncloud.com [https://doc.owncloud.com/server/admin_manual/installation/letsencrypt/using_letsencrypt.html], they said:

"Requirements & Dependencies

You require a domain name with a valid A-Record pointing back to your server's IP address. In case your server is behind a firewall, take the necessary measures to ensure that your server is accessible, worldwide, from the internet, by adding the required firewall and port forward rules."

At this moment, mydomain.com points to my Wordpress.com site.  For the certificate generation, do I need to change it to point to the IP of my firewall at home?   My future website and its WP appliance is behind my home firewall (this is the WP appliance that I want the SSL cert for).

Related to the Owncloud statement, I can port forward 80 on my home firewall to the WP appliance.   Is this good enough?   

Jeremy Davis

Ok, so hopefully you've already updated Confconsole to v1.1.2. If not, please make sure that you have done that before you proceed any further... Any problems, please ask.

Regarding domain configuration; "correctly configured" means that the domain points to your TurnKey server. As per the ownCloud docs, generally an "A" record (although FWIW a "CNAME" record is ok too).

Essentially, the requirement boils down to if you shared the domain name with me, and I go to it in my browser (plain HTTP; i.e. port 80), I'll land on your TurnKey website. If that happens, then your domain is "correctly configured".

FWIW, the reason why it needs to be like that is the authentication of your ownership of the domain name is done by your server. The process goes something like this:

  • Your server contacts Let's Encrypt server and says "please can I have a cert"?
  • Let's Encrypt server replies saying: "sure, if you can prove you're who you say you are by serving this weird URL" (called a "challenge").
  • Your server then serves the challenge (weird URL) and says: "OK no problems, done".
  • Let's Encrypt then double checks the URL exists (using your domain name and the URL it told your server to serve - hence why the domain needs to point to your TurnKey server). Assuming that your server is serving the challenge, then Let's Encrypt sends the certificate and all systems go! :)

Port forwarding 80 to the WordPress server should do the trick (although if you want HTTPS available to others, you might also want to port forward 443 too).
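The exchange above, modelled as an added example (not TurnKey's or Confconsole's code): the server publishes the challenge under /.well-known/acme-challenge/ and a stub "CA" fetches it over loopback, which is why a domain pointing at some other site (or a closed port 80) fails the check. The account JWK and the token are constructed values.

```python
# Added example modelling the HTTP-01 exchange above; not TurnKey's or
# Confconsole's code. JWK and token are constructed; the "CA" is a loopback stub.
import base64, hashlib, json, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required JWK members, sorted, no whitespace.
    # Assumes jwk carries only the required members (kty/crv/x/y for an EC key).
    canon = json.dumps({k: jwk[k] for k in sorted(jwk)}, separators=(",", ":"))
    digest = hashlib.sha256(canon.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def key_authorization(token: str, jwk: dict) -> str:
    # The body your server must publish at the challenge URL (RFC 8555 s8.1).
    return f"{token}.{jwk_thumbprint(jwk)}"

class ChallengeHandler(BaseHTTPRequestHandler):
    responses = {}  # challenge path -> key authorization

    def do_GET(self):
        body = self.responses.get(self.path)
        self.send_response(200 if body else 404)
        self.send_header("Content-Type", "application/octet-stream")
        self.end_headers()
        self.wfile.write((body or "").encode())

    def log_message(self, *args):  # silence request logging
        pass

def serve_challenge(token: str, jwk: dict) -> HTTPServer:
    # Your server's side: publish the challenge (port 80 in real life, ephemeral here).
    ChallengeHandler.responses[CHALLENGE_PREFIX + token] = key_authorization(token, jwk)
    srv = HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def ca_validates(host: str, port: int, token: str, jwk: dict) -> bool:
    # The CA's side: fetch via the domain name and compare the body. A host that
    # is unreachable, not yours (wrong DNS), or answering 404 fails the challenge.
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=3) as resp:
            return resp.status == 200 and resp.read().decode() == key_authorization(token, jwk)
    except OSError:  # URLError/HTTPError are OSError subclasses
        return False
```

Running ca_validates against a host that does not serve your challenge is exactly the failure the Confconsole warning refers to, so checking that your domain reaches your TurnKey box on port 80 before starting avoids burning through the retry limit.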

    Farmer20

    Thank you, Jeremy!  That was a clear explanation!

    Just a suggestion but maybe other noobs like me could benefit from you simply cutting and pasting your post into your Let's Encrypt document area (maybe as an appendix so it wouldn't bore the people who already know).

    Thanks again.

    Jeremy Davis

    Great suggestion! I've just added an issue to the tracker so this doesn't get forgotten...
