1. General
  2. Questions
0

How can I use Lets Encrypt & Certbot with Ubooquity on Windows 10

Tom Davies 2 years ago updated by DarkShadowSwE 1 year ago 7

I can't for the life of me figure out how to convert the cert that I got from Lets Encrypt / Certbot to something usable by Ubooquity.


A long time ago I gave up trying to use HTTPS with Ubooquity on Windows 10. I tried. I read lots of things, I tried lots of things, but I clearly did not understand what I was doing. Recently I heard a colleague mention how easy it was setting up his server's certs with Lets Encrypt and automating it with Certbot. So I tried it, and it was super easy. Just downloaded Cerbot, ran the Windows installer, and before you know it, I had a legit cert for my Win 10 box... but the files that Certbot grabs for you are PEM files. Ubooquity wants a java keystore...


So I did plenty of searching and reading. Lots of instructions for Linux - next to nothing for Windows. I did try some that I found, one was manually generating a keystore with the command line. Then somehow importing your PEM into the keystore...

None of the instructions I found worked. Clearly I'm missing something. Honestly, I don't know how certs work or have much experience with them. When I need to apply them at work, I download the cert from DigiCert and follow the application instructions and they work. But there aren't really instructions for this for Ubooquity (at least not any I could find).

Can someone help by documenting this?

I can get it started:

  1. Open your web browser and go to

    https://certbot.eff.org/

  2. You'll see a large "My HTTP website is running " and a drop-down menu " on " and another drop-down menu.

  3. Use the two drop-downs. Select Other for the first one and Windows for the second.

  4. It will take you an instructions page. There's a download link there to get the certbot installed. https://github.com/certbot/certbot/releases/latest/download/certbot-beta-installer-win_amd64_signed.exe
  5. Install certbot by double-clicking the file after you download it. It will open an install wizard. Just accept the defaults and click your way through until it is finished.
  6. Halt your Ubooquity service (open it from the toolbar and click the "Stop Server And Exit" button)
  7. Halt any other web servers you might be running on your PC
  8. (You may have to briefly disable your Windows firewall for the next step. I did not, but YMMV.)
  9. Open a command prompt with admin privs (right click on it in the Start menu, select More, and select Run As Administrator)
  10. In the command prompt type: certbot certonly --standalone
  11. Note that there are two minus signs in that command.
  12. Certbot will ask you what the domain name of your server is, type it in. (Example: www.myserver.net)
  13. Certbot will grab a cert for you and save it in the default directories and even tell you what they are.
  14. Copy & Paste the info from the command prompt into Notepad and save it. You'll need that info later.
  15. Remember that certbot has scheduled a renewal of your cert just before it expires. So you shouldn't have to do anything more with certbot.

... and that's where I hit a brick wall. I don't know what to do with the PEM files that cerbot so kindly grabbed for me.

Tom Davies 2 years ago

Note for instructions above:

If your web server (Ubooquity) runs on a non-standard port (not port 80), you will likely have setup a port forward on your home network's firewall to forward incoming-from-the-internet port 80 to port 80 on the PC you're running certbot on. It uses port 80 to confirm your domain ownership and to grab the certs. It uses this for renewing the certs as well, so you will need to leave this port mapping in place in your firewall.

Sonja M Thomas 2 years ago

Give WinAcme a try. It is mainly for IIS Servers, but there is an option for a manual cert creation that you can copy and place into another server's cert location.

CAVEAT!  You either need to have port 80 accessible to your machine RUNNING WinAcme FROM the internet, or have access to the DNS server's TXT records to paste the Text authentication string that LetsEnrypt is looking for in order to very ownership and control of the domain you are trying to secure.  In all honesty it IS a VERY easy process if you take the time to read the menu options, the requirements WinAcme is looking for and have an understanding of your network, domain and servers.  If you are an "End User" and ANYTHING I said is above your head" then you need to step back, do some research and become familiar with what it is you are doing, the components and what you are putting out on to the network/internet. Not know these things CAN put you at risk for breaches, infection and trouble.

DarkShadowSwE 2 years ago

Still interested?


I cant see why you want a SSL cert unless you plan to access it from outside and from a domain?


Or do you want just a local SSL cert?


(depending on your answer there is different solutions)

Tom Davies 2 years ago

Absolutely! I'm still interested. I'm sure others are too. The main reason to have SSL is for accessing it from outside and your cert has to match your domain name or the browser will throw errors. A local or self-signed cert will still throw browser errors which most users won't understand. So if you've got friends/family that access your collection over the Internet, a good cert from a verifiable source is important.

DarkShadowSwE 2 years ago
 Yes, exactly

The cert must match the server (domain) it was requested by.

So, a little more information about your setup, is it your main computer?, is it a secondary pc?, is it on 24/7?,is it virtual or physical?
Tom Davies 1 year ago

Sorry for the long delay in replying. I missed your reply and just discovered it. Anyway, my Ubooquity is hosted on my main home PC running Win10. It is on 24/7. It's a physical box, not a virtual.

DarkShadowSwE 1 year ago

Hi Tom,

Ye, doesn't help that the notification mail ends up in the spam folder, ;)

Well, there are quite a few ways of doing it, so here are two:

1) 

Install nginx from here: https://nginx.org/en/download.html 

    You already have the certs so something similar to this in the nginx config: 

   server {
        listen       443 ssl;
        server_name  yourdomain;
        ssl_certificate      D:/nginx-1.15.6/ssl/xxxxx-chain.pem;  
        ssl_certificate_key  D:/nginx-1.15.6/ssl/xxxxxx-key.pem;  
        charset utf-8;

        location / {
          proxy_pass http://192.168.x.x:2202;
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header Host $host;
        }
    }

    Change the paths for the ssl to yours, example from here: https://dev.to/nalani/nginx-configures-free-ssl-certificate-in-windows-environment-let-s-encrypt-36b6 

    And set your IP in the proxy_pass.


2)

    Set up a no-ip or other DDNS.
    Install docker (with WSL support: https://docs.docker.com/desktop/install/windows-install/ )
    Search for SWAG in the searchbar:
    

Image 807

    Press run on "linuxserver/swag" and edit accordingly

    All config will reside in the shoosen "Volumes" folder.
    Edit "D:\SWAG\nginx\site-confs\default.conf" as needed, only need to edit the proxy_pass from above.
    ( Pick a better path than D:\SWAG, just an example, ;)  )        

    After each update to any config, restart SWAG "container"

    This will update your SSL certs automatically and add some protection like fail2ban

    More info here: https://hub.docker.com/r/linuxserver/swag

I haven't tried the docker way on my windows machine but it should work, it should be the equalent of how i run it on my linux machine.

Customer support service by UserEcho