Tim's blah blah blah

Hosting TransIP domain with Lego Letsencrypt on Debian

I registered a new domain with Transip.nl (transip.nl), part of my migration away from Gandi (vanwerkhoven.org) after they raised their prices (ycombinator.com) to outrageous levels.

Live DNS

First step: set up a script that updates the domain's records with my dynamic IP. TransIP supports (transip.nl) a REST API (transip.nl) to manage your products, so all I need is a script that talks to it.

Scripts I found:

  1. transip-dyndns (github.com)
  2. DvdGiessen’s Bash script (github.com)

Options I rejected:

  1. tipctl (transip.eu) & transip-dyndns (github.com) -> depends on PHP, not installed
  2. node-transip-dns-cli (github.com) -> I don't like npm, and why are they suggesting running a simple script in a docker container?
  3. go-transip-dyndns (github.com) -> binary too big, no audit, and why would you run a simple script in docker????

Letsencrypt certificate

Since I sometimes get stuck with certbot (I find the tool somewhat opaque (vanwerkhoven.org)), I was looking for an alternative and found lego. Here are two almost identical guides (kuederle.com, github.io) that walk you through it.

  1. Get the lego binary (github.com), because Debian bullseye's version does not work (github.com, github.com)
  2. Get a TransIP API key (transip.nl)
  3. Prepare a folder; I stored mine in /etc/ssl/lego
  4. Run it for the first time: TRANSIP_ACCOUNT_NAME="twerkhov" TRANSIP_PRIVATE_KEY_PATH="/etc/ssl/private/transipkey.pem" lego --accept-tos --email tim@changme.invalid --dns transip --domains yourdomain.tld.invalid --path=/etc/ssl/lego run
  5. Add your user to sudoers (askubuntu.com) to allow reloading nginx without needing root (the leading % makes this a group entry): %tim ALL=NOPASSWD: /sbin/service nginx reload
  6. Set up a cron job (this one runs at 01:30 on the first day of every month): 30 01 01 * * TRANSIP_ACCOUNT_NAME="twerkhov" TRANSIP_PRIVATE_KEY_PATH="/etc/ssl/private/transipkey.pem" lego --accept-tos --email tim@changme.invalid --dns transip --domains yourdomain.tld.invalid --path=/etc/ssl/lego renew && sudo service nginx reload
  7. Update the nginx virtual host config
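Step 6 reworked into a script that the cron entry can call, as an added example that is not part of the original post: it reloads nginx only when the certificate file actually changed, so a renewal that did nothing does not touch the web server. It assumes lego's output layout (certificates/<domain>.crt under the --path folder) and reuses the placeholder account name, key path, e-mail address and domain from the steps above.

```sh
#!/bin/sh
# Added example (not from the original post): a cron wrapper for step 6 that
# reloads nginx only when lego actually wrote a new certificate.
# Assumed: lego's output layout $LEGO_PATH/certificates/<domain>.crt and the
# placeholder account, key path, e-mail and domain used in the post.
set -eu

LEGO_PATH="${LEGO_PATH:-/etc/ssl/lego}"
DOMAIN="${DOMAIN:-yourdomain.tld.invalid}"
CERT="$LEGO_PATH/certificates/$DOMAIN.crt"

# SHA-256 of a file, or "missing" when it does not exist, so a first run
# with no certificate yet counts as a change.
cert_fingerprint() {
    if [ -f "$1" ]; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        echo missing
    fi
}

# True (exit 0) when the fingerprint taken before the renewal differs from
# the one taken after it.
cert_changed() {
    [ "$1" != "$2" ]
}

renew_and_reload() {
    before=$(cert_fingerprint "$CERT")
    # lego rewrites the files only when fewer than --days (default 30) remain.
    TRANSIP_ACCOUNT_NAME="twerkhov" \
    TRANSIP_PRIVATE_KEY_PATH="/etc/ssl/private/transipkey.pem" \
    lego --accept-tos --email tim@changme.invalid --dns transip \
        --domains "$DOMAIN" --path="$LEGO_PATH" renew
    after=$(cert_fingerprint "$CERT")
    if cert_changed "$before" "$after"; then
        # The sudoers rule from step 5 lets this run without a password.
        sudo service nginx reload
    fi
}

# Run the renewal only when invoked as renew-lego.sh, so the helper
# functions can be sourced and checked without lego being installed.
case "${0##*/}" in
    renew-lego.sh) renew_and_reload ;;
esac
```

lego only rewrites the certificate once fewer than --days (default 30) remain, so with a monthly schedule the actual renewal can land only hours before expiry; a weekly or daily cron run keeps a comfortable margin. Recent lego releases also accept a --renew-hook option for the reload step (check lego renew --help for your binary).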

Certbot

Alternatively, there are a few certbot plugins that I could have used instead:

  1. hsmade's certbot-dns-transip (github.com) -> why would you run a simple script in docker???? And how do I use it without docker?!?!?
  2. certbot-transip-dns-01-validator (github.com) -> depends on php / composer, don't want a heavy dependency for just 1 script
  3. Fransik's certbot-dns-transip (github.com) -> depends on php / composer, don't want a heavy dependency for just 1 script
  4. certbot-dns-transip-simple (pypi.org) -> maybe this could work
  5. Jen's certbot-dns-transip (caret.be) -> looks perfect but not maintained

#Debian #Dyndns #Gandi #Linux #Networking #Security #Server #Transip #Letsencrypt