Hosting TransIP domain with Lego Letsencrypt on Debian
I registered a new domain with Transip.nl (transip.nl), part of my migration away from Gandi (vanwerkhoven.org) after they raised their prices (ycombinator.com) to outrageous levels.
Live DNS
First step: set up a script to update the domain records to my dynamic IP. TransIP supports (transip.nl) a REST API (transip.nl) to manage your products, so I only need a script to do this.
Scripts I found, and why each was a non-starter for me:
- tipctl (transip.eu) and transip-dyndns (github.com) -> depend on PHP, which I don't have installed
- node-transip-dns-cli (github.com) -> I don't like npm, and why are they suggesting to run a simple script in a Docker container?
- go-transip-dyndns (github.com) -> binary too big, no audit, and why would you run a simple script in Docker?
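For the record, the whole update step is small enough to write yourself. The script below is an added example (not the post's own, and not any of the projects above); the endpoint paths, body fields and signing scheme are what I recall from TransIP's REST API v6 documentation and are assumptions to be checked against those docs, and `cryptography` is only needed for the live signing call.

```python
"""Minimal TransIP dynamic-DNS updater (added example, not the post's script).
Assumed API v6 shape: POST /auth with a JSON body and a base64 RSA-SHA512
signature in a Signature header returns a token; GET and PATCH
/domains/<domain>/dns read and update single records. Verify against the docs.
"""
import base64
import json
import os
import urllib.request

API = "https://api.transip.nl/v6"


def auth_body(login: str, nonce: str, read_only: bool = False) -> bytes:
    """JSON body for /auth. global_key=True because our IP changes, so the
    key must be created as a 'global' (not IP-restricted) key."""
    return json.dumps({"login": login, "nonce": nonce, "read_only": read_only,
                       "expiration_time": "30 minutes", "label": "dyndns",
                       "global_key": True}).encode()


def sign(body: bytes, key_path: str) -> str:
    """Base64 RSA-SHA512 (PKCS#1 v1.5) signature over the exact bytes sent."""
    from cryptography.hazmat.primitives import hashes, serialization  # only needed online
    from cryptography.hazmat.primitives.asymmetric import padding
    with open(key_path, "rb") as fh:
        key = serialization.load_pem_private_key(fh.read(), password=None)
    return base64.b64encode(key.sign(body, padding.PKCS1v15(), hashes.SHA512())).decode()


def stale_a_records(entries: list, host: str, ip: str) -> list:
    """A records for `host` ('@' = apex) whose content is not the current IP."""
    return [dict(e, content=ip) for e in entries
            if e["type"] == "A" and e["name"] == host and e["content"] != ip]


def update(domain: str, host: str, ip: str, login: str, key_path: str) -> int:
    """Authenticate, fetch records, PATCH only the stale ones; returns count updated."""
    body = auth_body(login, os.urandom(16).hex())  # fresh nonce per request
    req = urllib.request.Request(f"{API}/auth", data=body, method="POST", headers={
        "Content-Type": "application/json", "Signature": sign(body, key_path)})
    hdr = {"Authorization": "Bearer " + json.load(urllib.request.urlopen(req))["token"],
           "Content-Type": "application/json"}
    req = urllib.request.Request(f"{API}/domains/{domain}/dns", headers=hdr)
    changed = stale_a_records(json.load(urllib.request.urlopen(req))["dnsEntries"], host, ip)
    for entry in changed:  # PATCH matches on name/type/expire and replaces the content
        req = urllib.request.Request(f"{API}/domains/{domain}/dns", method="PATCH",
                                     headers=hdr, data=json.dumps({"dnsEntry": entry}).encode())
        urllib.request.urlopen(req)
    return len(changed)
```

Only records whose content actually differs are sent, so a cron run with an unchanged IP makes no write calls.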
Letsencrypt certificate
Since I sometimes get stuck with certbot (I find the tool somewhat opaque (vanwerkhoven.org)), I was looking for an alternative and found lego. Here are two almost identical guides (kuederle.com, github.io) that walk you through it.
- Get the lego binary (github.com), because Debian bullseye's version does not work (github.com)
- Get a TransIP API key (transip.nl)
- Prepare a folder; I stored mine in /etc/ssl/lego
- Run it for the first time:
TRANSIP_ACCOUNT_NAME="twerkhov" TRANSIP_PRIVATE_KEY_PATH="/etc/ssl/private/transipkey.pem" lego --accept-tos --email tim@changme.invalid --dns transip --domains yourdomain.tld.invalid --path=/etc/ssl/lego run
- Add your user to sudoers (askubuntu.com) so that nginx can be reloaded without needing root (the line below grants the tim group exactly that one command, nothing more):
%tim ALL=NOPASSWD: /sbin/service nginx reload
- Set up a cron job; this one runs at 01:30 on the first of every month and only reloads nginx when the renew step succeeds:
30 01 01 * * TRANSIP_ACCOUNT_NAME="twerkhov" TRANSIP_PRIVATE_KEY_PATH="/etc/ssl/private/transipkey.pem" lego --accept-tos --email tim@changme.invalid --dns transip --domains yourdomain.tld.invalid --path=/etc/ssl/lego renew && sudo service nginx reload
- Update the nginx virtual host config to use the new certificate
Certbot
Alternatively, there are a few certbot plugins that I could have used instead:
- hsmade's certbot-dns-transip (github.com) -> why would you run a simple script in Docker? And how do I use it without Docker?
- certbot-transip-dns-01-validator (github.com) -> depends on PHP/Composer; I don't want a heavy dependency for just one script
- Fransik's certbot-dns-transip (github.com) -> depends on PHP/Composer; I don't want a heavy dependency for just one script
- certbot-dns-transip-simple (pypi.org) -> maybe this could work
- Jen's certbot-dns-transip (caret.be) -> looks perfect, but is not maintained
#Debian #Dyndns #Gandi #Linux #Networking #Security #Server #Transip #Letsencrypt