Daniel Hofman

Securing Your Site: Obtain an SSL Certificate with Let’s Encrypt When Your ISP Blocks Port 80

Wildcard certificates are highly beneficial because they secure all subdomains of your main domain with a single certificate. This simplifies domain management by eliminating the need to handle individual certificates for each subdomain.

DNS-01 challenge

I chose the DNS-01 challenge for validation for my homelab setup because my Internet Service Provider (ISP) blocks port 80, which is necessary for the HTTP-01 challenge. If your ISP imposes similar restrictions, the DNS-01 challenge might be your best option for obtaining an SSL certificate from Let's Encrypt.

Setting Up

First, I created a directory to store the Let's Encrypt logs:

sudo mkdir /var/log/letsencrypt/

Then, I installed Certbot, which simplifies the SSL certificate issuance and management process:

sudo apt install certbot

To initiate the certificate request, I ran the following command:

certbot certonly --manual

During this setup, Certbot prompted me for an email address for important notifications and to agree to the Let's Encrypt Terms of Service.

youremail@example.com

Once that was done, I entered my domain name in the following format to request a wildcard certificate:

*.yourdomain.com

DNS-01 Challenge Configuration

For the DNS-01 challenge, Certbot provided me with a specific TXT record that needed to be added to my domain's DNS settings under the name:

_acme-challenge

The record value looked something like this:

o7mU8KwvI7A1_phmxzrHOIA9jaGSOjkI-ngCRbSdhpc


Search for your TXT record under _acme-challenge.yourdomain.com and verify that the record's value matches what you added.

It's crucial NOT to proceed with the SSL setup until this TXT record has fully propagated across DNS servers worldwide. Depending on your DNS provider, this propagation process can take anywhere from a few minutes to an hour. If you proceed too early, you will have to repeat this process.

Check DNS Propagation - Version 1

To check if the record has propagated, you can use online tools like the Google Admin Toolbox.


Check DNS Propagation - Version 2

Use this command to check whether the record has propagated:

dig -t txt _acme-challenge.yourdomain.com

Output of this command:

;; ANSWER SECTION:
_acme-challenge.yourdomain.com. 0 IN  TXT     "AxSzdAxR3yyJYok3KkuIRwod82Ld5MhYuH4oJ8"
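The two propagation checks above both ask whatever resolver your machine uses, and a resolver cache can show the record (or a stale one) some time before or after the zone's own name servers do. Let's Encrypt validates DNS-01 by querying the domain's authoritative name servers, so that is where the record has to be visible. The script below is an added example, not part of the original post: it looks up the authoritative NS set for the domain, polls each server directly with `dig +short`, and only reports success once every server returns the exact token Certbot printed. The script name is hypothetical, the embedded sample output is constructed (it reuses the post's example token plus a stale value), and it assumes `dig` is installed, as the post already does.

```shell
#!/bin/sh
# check_acme_txt.sh -- added example, not part of the original post.
# Polls the domain's authoritative name servers for the _acme-challenge
# TXT record until every one of them serves the token Certbot printed.
# Let's Encrypt queries the authoritative servers, so a resolver cache
# showing the record is not proof the CA can see it.

# Return 0 if the expected token appears among the TXT strings in $2,
# where $2 is `dig +short` output: one double-quoted string per line.
# Whole-line match (-x) so a prefix of the token does not count.
txt_has_token() {
  expected="$1"
  dig_output="$2"
  printf '%s\n' "$dig_output" | tr -d '"' | grep -Fqx -- "$expected"
}

# TXT strings for _acme-challenge.<domain> as served by one specific server.
query_txt() {
  domain="$1"
  server="$2"
  dig +short @"$server" -t txt "_acme-challenge.$domain"
}

# Wait until each authoritative NS for the zone serves the token.
# $3 is the maximum number of polls per server (30 s apart); default 20.
wait_for_txt() {
  domain="$1"
  expected="$2"
  tries="${3:-20}"
  for ns in $(dig +short -t ns "$domain"); do
    n=0
    until txt_has_token "$expected" "$(query_txt "$domain" "$ns")"; do
      n=$((n + 1))
      if [ "$n" -ge "$tries" ]; then
        echo "timed out waiting for $ns to serve the token" >&2
        return 1
      fi
      sleep 30
    done
    echo "$ns serves the expected token"
  done
}

# Constructed sample of `dig +short` output: the post's example token plus
# a stale value left over from an earlier challenge.
SAMPLE_DIG_OUTPUT='"o7mU8KwvI7A1_phmxzrHOIA9jaGSOjkI-ngCRbSdhpc"
"stale-token-from-a-previous-run"'

# Usage: ./check_acme_txt.sh yourdomain.com <token-from-certbot>
if [ "$#" -eq 2 ]; then
  wait_for_txt "$1" "$2"
fi
```

Run it in a second terminal while Certbot is waiting for you to press Enter; when it prints a line for every name server you can let Certbot continue. Keeping the stale value in the sample is deliberate: providers often leave old `_acme-challenge` records behind, and a check that matches on substring or on "any TXT record exists" would pass on the wrong one.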

Certificate Renewal

1. Open the root crontab for editing:

sudo crontab -e

2. Add a line to the crontab file to schedule the task. Here, the renewal process is set to run twice daily, which is frequent enough to handle any potential issues well before the certificate's expiration. The exact timing (4:47 AM and PM in this example) is staggered to avoid peak times on Let's Encrypt's servers. When you use the --post-hook option with Certbot, it ensures that the specified command, such as restarting or reloading Nginx, only runs after a successful renewal of the certificate. This is a safeguard to prevent service disruptions in case the renewal process encounters an issue.

# run certbot renew at 04:47 and 16:47 every day (minute hour dom month dow)
47 4,16 * * * certbot renew --quiet --post-hook "systemctl reload nginx"
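One caveat for this step: Certbot's manual plugin refuses to run non-interactively unless a --manual-auth-hook script is supplied, so a certificate obtained with `certbot certonly --manual` and no hook makes the cron job's `certbot renew` fail with an error rather than renew, and with --quiet the only trace is the job's exit status. The script below is an added example, not part of the original post: scheduled in the same crontab, it walks Certbot's default live directory and warns when any certificate is within a chosen number of days of expiry, which is what a failed or skipped renewal looks like from the outside. It uses `openssl x509 -checkend`; the script name, the assumed `/etc/letsencrypt/live/<name>/fullchain.pem` layout (Certbot's default) and the 14-day default threshold are assumptions of this example.

```shell
#!/bin/sh
# cert-expiry-check.sh -- added example, not from the original post.
# Schedule it next to `certbot renew`; it warns when a certificate is
# close to expiry so a silently failing renewal gets noticed in time.

# Return 0 if the certificate in $1 expires within $2 days, 1 otherwise.
# `openssl x509 -checkend N` exits 0 when the certificate is still valid
# N seconds from now, so the result is inverted here.
expires_within_days() {
  cert="$1"
  days="$2"
  if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Walk every lineage under Certbot's live directory (assumed default
# layout: <live_dir>/<name>/fullchain.pem) and report the ones within
# the threshold. Exit status 1 if any certificate is close to expiry,
# so cron's mail or a wrapper can pick it up.
report_expiring() {
  live_dir="${1:-/etc/letsencrypt/live}"
  threshold="${2:-14}"
  rc=0
  for cert in "$live_dir"/*/fullchain.pem; do
    [ -f "$cert" ] || continue
    if expires_within_days "$cert" "$threshold"; then
      echo "WARNING: $cert expires within $threshold days; check that renewal is working" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Usage: ./cert-expiry-check.sh [live_dir] [days]
# Example crontab entry (assumed install path):
#   0 5 * * * /usr/local/bin/cert-expiry-check.sh
report_expiring "$@"
```

Let's Encrypt certificates are valid for 90 days and `certbot renew` starts trying at 30 days before expiry, so a 14-day threshold fires only after roughly two weeks of failed attempts, which separates a genuine problem from a single transient failure.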

Conclusion

Dealing with an ISP that blocks port 80 can make securing your website with an SSL certificate a bit tricky. The DNS-01 challenge comes to the rescue, providing a workaround for this hiccup. Just follow these steps, and you'll be able to get and handle an SSL certificate from Let's Encrypt without the need for port 80.
