About software, technology and random things


Getting a Let’s Encrypt Certificate Through DNS Challenge With Cloudflare


A couple of days ago one of my subdomains' SSL certificates expired.

Instead of paying for a renewal, I decided to have a first look at getting a free certificate from the Let's Encrypt Certificate Authority.

Ideally I would have set up a mechanism for automatic certificate renewal, so that I would not have to do it by hand every 3 months, which is the maximum time a Let's Encrypt certificate is valid for. In this case, however, that was more easily said than done. The service I intend to use the certificate with runs on a shared IP and listens on a non-standard HTTPS port, because the standard HTTP and HTTPS ports are already in use for something else. That ruled out every HTTP/HTTPS based challenge for proving ownership of the hostname, which is an essential part of the Let's Encrypt certificate signing process.

After some searching I found a great solution that would enable me to do a somewhat half-automated, half-manual approach:

lukas2511's dehydrated ACME client in conjunction with kappataumu's Let's Encrypt Cloudflare hook.

This Shell-based ACME client lets you obtain a Let's Encrypt certificate using the dns-01 challenge. That way you only have to create a DNS record (containing a generated value) to prove ownership of the hostname, instead of uploading content to the webserver. If Cloudflare manages your DNS records, the Cloudflare hook creates and deletes that record for you automatically.

The instructions for both the ACME client as well as the hook are pretty straightforward, so I recommend reading those if you are interested in trying this approach.

These are the changes I made in the config file (just as an example):

  • Set CHALLENGETYPE to "http-01" (explanation below):
    CHALLENGETYPE="http-01"
  • Set KEY_ALGO to "rsa":
    KEY_ALGO="rsa"
  • Add environment variables with the config for the Cloudflare hook script at the end:
    export CF_EMAIL='[email protected]'
    export CF_KEY='1234567890abcdef1234567890abcdef'
    export CF_DEBUG=true

When attempting to execute dehydrated for the first time, it asks you to accept the terms. You can do that by simply entering this command:

$ ./dehydrated --register --accept-terms

Now you might have wondered why I set CHALLENGETYPE to "http-01" instead of "dns-01". That was only so the registration step above would go through: with "dns-01" in the config file, I got the following error: "ERROR: Challenge type dns-01 needs a hook script for deployment... can not continue."

The command I used to generate the certificates specified the challenge type "dns-01" explicitly anyway:

$ ./dehydrated -c -d example.com -t dns-01 -k hooks/cloudflare/

(example.com stands for the hostname you want the certificate for; -d needs that argument.)

The first challenge attempt failed for me, but the execution went on to retry and ultimately finished successfully.

Afterwards, you can find the certificate files in the subdirectory "certs/".
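To make the dns-01 hook contract concrete, here is an added example (not the post's code and not kappataumu's hook): a minimal dehydrated-style hook that handles the deploy_challenge and clean_challenge stages against an in-memory stand-in for the Cloudflare DNS API, so it runs offline. It also strips a leading "*." for wildcard names, which goes beyond what the post covers. The stage names and argument order are dehydrated's hook interface; FakeDnsApi and its methods are constructed for this example.

```python
def challenge_record(domain, token_value):
    """Name and content of the TXT record a dns-01 validation looks up."""
    # A wildcard name is validated at its base name, so strip a leading "*."
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base, token_value


class FakeDnsApi:
    """In-memory stand-in for Cloudflare's DNS records API (constructed here)."""

    def __init__(self):
        self.records = {}  # record id -> (name, type, content)
        self._next_id = 1

    def create_txt(self, name, content):
        rid = "rec%d" % self._next_id
        self._next_id += 1
        self.records[rid] = (name, "TXT", content)
        return rid

    def find_txt(self, name, content):
        return [rid for rid, (n, t, c) in self.records.items()
                if n == name and t == "TXT" and c == content]

    def delete(self, rid):
        del self.records[rid]


def handle(argv, api):
    """Process one hook call: argv = [stage, domain, token_filename, token_value, ...].

    dehydrated may pass several (domain, filename, value) triples in one call
    (HOOK_CHAIN), so every triple is handled. Returns the TXT contents now present.
    """
    stage, args = argv[0], argv[1:]
    triples = zip(args[0::3], args[1::3], args[2::3])
    if stage == "deploy_challenge":
        for domain, _filename, value in triples:
            name, content = challenge_record(domain, value)
            if not api.find_txt(name, content):  # keep retries idempotent
                api.create_txt(name, content)
    elif stage == "clean_challenge":
        for domain, _filename, value in triples:
            name, content = challenge_record(domain, value)
            for rid in api.find_txt(name, content):
                api.delete(rid)
    # deploy_cert, unchanged_cert, invalid_challenge etc. need no DNS action here
    return sorted(c for (_n, t, c) in api.records.values() if t == "TXT")
```

The retry the post mentions is why deploy_challenge checks for an existing record first: a second run must not leave duplicate TXT records behind that clean_challenge would miss.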

I installed and executed the software in a local Linux virtual machine without any problems and then copied the certificate files over to the destination server manually. Technically I could have just done this on the production system as well, but I did not feel like saving my Cloudflare API credentials on it. It will be interesting to see how annoying the steps are going to get after a couple of repetitions. Maybe in time some other solution will have come around.

Hopefully this was a helpful recommendation for you.

Thanks for reading!


iPhone Mail Push Notification without App and for free

Hey guys!

It's been a little while and I've come to own an iPhone now 🙂

One thing that frankly bothered me a little was the fact that apparently you can't have your mail show up automatically (especially with that nifty little badge with the number of new mails in the main menu) if you

  • have a mail account on a server that doesn't support Apple Push Notifications
  • and you don't want to let your Mail app check on your mails periodically.

The best solution would of course be Push Notifications. But how would you do that without having to buy an extra app (and handing your login details to a third party of questionable trustworthiness) and/or registering on a website that creates an e-mail address for you, maybe even in exchange for subscription fees?

Actually, the latter part gave me the solution itself. As it says on the Wikipedia page for Push e-mail (iPhone/iPod touch section), Yahoo! Mail supports Push Notification - even for free accounts!

So what can we do with that?

We can set up a separate account at Yahoo Mail that will exclusively handle the e-mails we want to be Push Notified about. In conjunction with appropriate mail filter rules, we can then forward e-mails arriving at our actual e-mail account(s) to the new Yahoo Mail address.

On the iPhone/iPod touch we keep the actual, old e-mail account as it is and create a new one (Settings => Mail, Contacts, Calendars => Add Account) for the Yahoo Mail address. We choose Yahoo Mail, of course, and enter the correct details. You can leave the Outgoing Mail Server settings as they are.

Now, why do we keep the actual account on the phone, and why would we leave the Outgoing Mail Server on the Yahoo settings, if we want to keep that Yahoo address hidden from everyone else (and replying from another e-mail address would also be mildly confusing to the person who wrote to you)?

Well, personally, I just use the Yahoo account as a pure Push Notification service. I see the number of new mails in the badge on the top right corner of the Mail app icon, I navigate to the Yahoo inbox folder, delete the mails (maybe clear it altogether), navigate back to my main mail account and read (and reply to) the new mails from there.

You get my point?

Hopefully that's of good use to you. For me, it saves me the trouble of having to buy an app which I'm probably not going to like completely 🙂

PS: If you run into trouble on Yahoo Mail with having all your forwarded mail dumped into the spam folder, set up some rules to move mails with "To: [email protected]" into the inbox folder. That should take care of it.