In order to be able to use the webroot
plugin for
certbot and automatically renew the Let's
Encrypt certificate for libravatar.org
, I
had to put together an Apache config that would do the following on port 80:
- Let
/.well-known/acme-challenge/*
through on the bare domain (http://libravatar.org/
). - Redirect anything else to
https://www.libravatar.org/
.
The reason for this is that the main
Libravatar service listens on
www.libravatar.org
and not libravatar.org
, but that cerbot needs to
ascertain control of the bare domain.
This is the configuration I ended up with:
<VirtualHost *:80>
DocumentRoot /var/www/acme
<Directory /var/www/acme>
Options -Indexes
</Directory>
RewriteEngine on
RewriteCond "/var/www/acme%{REQUEST_URI}" !-f
RewriteRule ^(.*)$ https://www.libravatar.org/ [last,redirect=301]
</VirtualHost>
The trick I used here is to make the redirection RewriteRule
conditional
on the requested file (%{REQUEST_URI}
) not existing in the /var/www/acme
directory, the one where I tell certbot to drop its temporary files.
Here are the relevant portions of /etc/letsencrypt/renewal/www.libravatar.org.conf
:
[renewalparams]
authenticator = webroot
account =
[[webroot_map]]
libravatar.org = /var/www/acme
www.libravatar.org = /var/www/acme
I recently moved my dynamic DNS hostnames from dyndns.org (now owned by Oracle) to No-IP. In the process, I moved all of my hostnames under a sub-domain that I control in case I ever want to self-host the authoritative DNS server for it.
Creating an account
In order to use my own existing domain, I registered for the Plus Managed
DNS service and provided my top-level
domain (fmarier.org
).
Then I created a support ticket to ask for
the sub-domain feature. Without that, No-IP expects you to delegate your
entire domain to them, whereas I only wanted to delegate *.dyn.fmarier.org
.
Once that got enabled, I was able to create hostnames like machine.dyn
in
the No-IP control panel. Without the sub-domain feature, you can't have dots
in hostnames.
I used a bogus IP address (e.g. 1.2.3.4
) for all of the hostnames I
created in order to easily confirm that the client software is working.
DNS setup
On my registrar's side, here are the DNS records I had to add to delegate
anything under dyn.fmarier.org
to No-IP:
dyn NS ns1.no-ip.com.
dyn NS ns2.no-ip.com.
dyn NS ns3.no-ip.com.
dyn NS ns4.no-ip.com.
dyn NS ns5.no-ip.com.
Client setup
In order to update its IP address whenever it changes, I installed inadyn on each of my machines:
apt install inadyn
I added the following to /etc/inadyn.conf
:
provider default@noip.com {
username = johndoe
password = Password1!
hostname = machinename.dyn.fmarier.org
checkip-server = fmarier.org
checkip-path = /whats-my-ip.shtml?machinename
}
and set the following in /etc/default/inadyn
:
RUN_DAEMON="yes"
before restarting the service:
systemctl restart inadyn.service
Note that I am using setup my own lightweight IP address echoing
service to get
the external IP address, but using the default server seems to work fine
too. In that case, there's no need to set the checkip-server
and
checkip-path
variables.
Since I use logcheck, I also
created a new /etc/logcheck/ignore.d.server/local-inadyn
file with the
following content:
^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ inadyn[[[:digit:]]+\]: Starting DynDNS client : inadyn.$
^(\w{3} [ :[:digit:]]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ inadyn[[[:digit:]]+\]: In-a-dyn version [0-9.]+ -- Dynamic DNS update client.$
Testing
To test that the client software is working, wait 6 minutes (there is an internal check which cancels any client invocations within 5 minutes of another), then run it manually:
inadyn --once --force --foreground --loglevel=debug
The IP for that machine should now be visible on the No-IP control panel and in DNS lookups:
dig +short machinename.dyn.fmarier.org