LetsEncrypt

Let's Encrypt is a non-profit certificate authority that provides free SSL/TLS certificates so that websites can serve HTTPS (secure HTTP). HTTPS encrypts the data exchanged between a user's browser and the website, protecting its confidentiality and integrity. Let's Encrypt aims to make the web safer by removing the barriers to obtaining and deploying SSL/TLS certificates. Its certificates are trusted by all major browsers and are valid for 90 days, which encourages automation and regular renewal. Let's Encrypt uses an automated protocol called ACME (Automated Certificate Management Environment) to verify domain ownership and issue certificates, making it easy for website owners to secure their sites.

To generate SSL/TLS certificates with Let's Encrypt and Certbot on macOS, especially on a host reached through a VPN such as Tailscale, the ACME DNS challenge (dns-01) is the recommended method. It is particularly useful with Tailscale because it does not require inbound access to the server on the standard ports, which may be blocked or routed differently under a VPN configuration. Validation relies purely on DNS, which makes the method robust across varied network setups.

Step 1

Install Certbot using Homebrew.

brew install certbot

Step 2

Run Certbot with --dry-run first to confirm that your setup is correct; a dry run issues no real certificate.

sudo certbot certonly --manual -d "yourdomain.com" \
  --preferred-challenges=dns --email youremail@gmail.com \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos --dry-run

Step 3

Run Certbot again without --dry-run to request the real certificate.

sudo certbot certonly --manual -d "yourdomain.com" \
  --preferred-challenges=dns --email youremail@gmail.com \
  --server https://acme-v02.api.letsencrypt.org/directory \
  --agree-tos

Step 4

Certbot now waits for your DNS update. Once you have added the record, it may take several minutes for the change to propagate before Certbot can verify it.

To proceed, create a new DNS record in your domain's zone. The record type is TXT and the name is "_acme-challenge" (with no trailing dot); your DNS provider appends the zone name automatically, so the full record name becomes _acme-challenge.yourdomain.com. For the value, enter the token that Certbot printed.

The value will look similar to this: eB9CwQ4ThMZdg4EiQ7fPiW2Hg6yZimijL0YWhEAmUcX

Step 5

Press Enter in the terminal where Certbot is waiting. If your DNS record is correct, you will see a message similar to the one below. Afterwards, copy the certificate and key to a location that Nginx can read. Congratulations, your domain is now secured, enabling you to receive images along with Apple Push Notifications.

- Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    Key is saved at:         /etc/letsencrypt/live/yourdomain.com/privkey.pem
    This certificate expires on 2024-xx-xx.
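Because Step 4 depends on DNS propagation, it helps to confirm that public resolvers already serve the TXT record before pressing Enter in Step 5; an early Enter makes Certbot fail the challenge and you have to start over. The script below is an added example, not part of the original guide or of Certbot: it polls the _acme-challenge record with dig (shipped with macOS) and assumes the placeholder domain, the token printed by Certbot, and the resolvers 1.1.1.1 and 8.8.8.8.

```shell
#!/bin/sh
# Added example: poll public resolvers for the _acme-challenge TXT record so
# you only press Enter in Certbot's manual prompt once it has propagated.
# The domain, the token and the resolver list are placeholders/assumptions.

# Return 0 if dig's answer (one quoted TXT string per line) contains the
# expected token as a whole line; quotes are stripped before comparing, so a
# stale token from an earlier run or an empty answer does not match.
txt_contains() {
  printf '%s\n' "$1" | tr -d '"' | grep -qxF -- "$2"
}

# Ask one resolver directly, bypassing the Mac's local DNS cache.
query_txt() {
  dig +short TXT "_acme-challenge.$1" "@$2"
}

# Poll every resolver until all of them serve the expected token.
# Usage: wait_for_txt yourdomain.com <token printed by certbot> [attempts]
wait_for_txt() {
  domain="$1"; expected="$2"; attempts="${3:-20}"
  resolvers="1.1.1.1 8.8.8.8"   # assumption: public resolvers to check
  i=0
  while [ "$i" -lt "$attempts" ]; do
    all_ok=1
    for r in $resolvers; do
      if txt_contains "$(query_txt "$domain" "$r")" "$expected"; then
        echo "$r: record present"
      else
        echo "$r: not yet serving the expected token"
        all_ok=0
      fi
    done
    if [ "$all_ok" -eq 1 ]; then
      echo "all resolvers agree; press Enter in the Certbot terminal"
      return 0
    fi
    i=$((i + 1)); sleep 15
  done
  echo "gave up after $attempts attempts" >&2
  return 1
}
```

Run it in a second terminal while Certbot waits, e.g. `wait_for_txt yourdomain.com eB9CwQ4ThMZdg4EiQ7fPiW2Hg6yZimijL0YWhEAmUcX`; a non-zero exit means the record is still not visible and Certbot would fail the challenge.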