Better support for letsencrypt HTTPS settings for all dietpi software

Posted: Sun Feb 16, 2020 7:01 am
by johnfredhandy
Not being a system administrator, I am not familiar with the details for setting up HTTPS for applications like Gitea, git, etc. DietPi installation automates use of letsencrypt for the supported web browsers. I do not know how to add support for Gitea or Git to use HTTPS. I have looked at the obvious places to see how to enable HTTPS for Gitea, but what I have tried has not worked. I am asking for an expert on this to graciously help us all out.
Thank you,
John Handy

Re: Better support for letsencrypt HTTPS settings for all dietpi software

Posted: Sun Feb 16, 2020 8:25 pm
by Joulinar
Hi,

You can use letsencrypt to generate your certificates. You would need to have one of the DietPi-offered web servers installed. Once you have created certs using letsencrypt, you can adjust Gitea settings to point to the letsencrypt cert.

I guess you would need to adjust the app.ini file by changing these 4 values

CERT_FILE        = /etc/letsencrypt/live/example.org/fullchain.pem
KEY_FILE         = /etc/letsencrypt/live/example.org/privkey.pem
PROTOCOL         = https
ROOT_URL         = https://example.org:3000/
letsencrypt will always store the cert within a specific folder, and you would need to adjust your application to point to it.

Re: Better support for letsencrypt HTTPS settings for all dietpi software

Posted: Mon Feb 17, 2020 1:57 am
by johnfredhandy
Thank you very much for your quick reply.

Alas, it still does not work. The SSL certs work for the lighttpd web and for owncloud, but not for gitea with the :3000 added to the URL. Is there something else I need to do with my router or DDNS service? I have forwarded ports 3000, 3080 and of course 443, 80, and 22.

Thank you,
John Handy

Re: Better support for letsencrypt HTTPS settings for all dietpi software

Posted: Mon Feb 17, 2020 2:03 am
by Joulinar
Did you check the Gitea service log to see if there are error messages? I tested it this evening and for me https was working fine on Gitea.

Re: Better support for letsencrypt HTTPS settings for all dietpi software

Posted: Mon Feb 17, 2020 7:13 am
by johnfredhandy
This is located at the end of the gitea.log file:

2020/02/16 22:00:14 ...s/graceful/server.go:55:NewServer() Starting new server: tcp:0.0.0.0:3000 on PID: 11281
2020/02/16 22:00:14 ...s/graceful/server.go:107:ListenAndServeTLS() [E] Failed to load https cert file /etc/letsencrypt/live/jfhprivate.ddns.net/fullchain.pem for tcp:0.0.0.0:3000: open /etc/letsencrypt/live/jfhprivate.ddns.net/fullchain.pem: permission denied
2020/02/16 22:00:14 cmd/web.go:204:runWeb() [C] Failed to start server: open /etc/letsencrypt/live/jfhprivate.ddns.net/fullchain.pem: permission denied
2020/02/16 22:00:14 cmd/web.go:206:runWeb() HTTP Listener: 0.0.0.0:3000 Closed
...
The protections:
root@HandyDietPi:/etc/letsencrypt/archive/jfhprivate.ddns.net# ls -ltr
total 16
-rw------- 1 root root 3272 Feb 14 23:19 privkey1.pem
-rw-r--r-- 1 root root 3916 Feb 14 23:19 fullchain1.pem
-rw-r--r-- 1 root root 1647 Feb 14 23:19 chain1.pem
-rw-r--r-- 1 root root 2269 Feb 14 23:19 cert1.pem

I do not know the user under which gitea runs. Maybe it needs write access?
Thank you!
John

Re: Better support for letsencrypt HTTPS settings for all dietpi software

Posted: Mon Feb 17, 2020 9:01 am
by Joulinar
Hi,

you can use the extremely easy way

chmod -R 777 /etc/letsencrypt

Re: Better support for letsencrypt HTTPS settings for all dietpi software

Posted: Fri Feb 21, 2020 9:30 pm
by johnfredhandy
That worked. However, is it best practice to open the restrictions on all of the letsencrypt files? How did this get messed up, since it was a fresh install?

Thank you

Re: Better support for letsencrypt HTTPS settings for all dietpi software

Posted: Fri Feb 21, 2020 9:48 pm
by Joulinar
Hi,

there was nothing messed up. Gitea is running on a totally different user account than the one the letsencrypt certificate was created with. You could now fix the access for the gitea user explicitly, or you do 777. As I said, 777 is the easiest and fastest way. You are free to adjust folder permissions to your needs.
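The two replies above offer a choice between chmod -R 777 and fixing access for the gitea user explicitly. Below, as an added example that is not from this thread, from DietPi or from Gitea, is the explicit version: a small POSIX shell script that grants one group read access to a Certbot-style /etc/letsencrypt tree and, separately, checks from the mode bits alone whether a given user could read a certificate file, which is exactly the question behind the "permission denied" lines in the gitea.log excerpt. It assumes GNU or busybox coreutils (stat -c, readlink -f); the group name certreaders and the account name gitea are placeholders, and the live/ -> archive/ symlink layout is the one Certbot creates.

```shell
#!/bin/sh
# Added example, not from the thread: give one service account read access to a
# Certbot-style /etc/letsencrypt tree through a dedicated group instead of
# chmod -R 777, and check from the mode bits alone whether a given user could
# read a certificate file. Assumes GNU or busybox coreutils (stat -c, readlink -f).
# "certreaders" and "gitea" are placeholder names.
set -u

# has_bit MODE INDEX BIT: test one bit of a 3-digit octal mode.
# INDEX 1 = owner, 2 = group, 3 = other; BIT 4 = r, 2 = w, 1 = x.
has_bit() {
  m=$(printf '%03d' "$1"); m=${m#"${m%???}"}     # keep the last three octal digits
  digit=$(printf '%s' "$m" | cut -c"$2")
  [ $(( digit & $3 )) -ne 0 ]
}

# bit_for PATH UID GIDS BIT: does the user with numeric UID, member of the
# space-separated numeric GIDS, hold BIT on PATH? Mirrors the kernel's
# owner / group / other selection.
bit_for() {
  path=$1 uid=$2 gids=$3 bit=$4
  info=$(stat -c '%a %u %g' "$path") || return 1
  set -- $info
  mode=$1 owner=$2 fgroup=$3
  if [ "$owner" = "$uid" ]; then has_bit "$mode" 1 "$bit"; return; fi
  for g in $gids; do
    [ "$g" = "$fgroup" ] && { has_bit "$mode" 2 "$bit"; return; }
  done
  has_bit "$mode" 3 "$bit"
}

# can_read FILE UID GIDS: resolve symlinks (live/ points into archive/), then
# require x on every directory on the way down and r on the file itself.
# This answers "would Gitea's user get permission denied?" without starting
# the service as that user.
can_read() {
  target=$(readlink -f "$1") || return 1
  uid=$2 gids=$3
  dir=$target
  while [ "$dir" != "/" ]; do
    dir=$(dirname "$dir")
    bit_for "$dir" "$uid" "$gids" 1 || { echo "uid $uid: no traverse on $dir" >&2; return 1; }
  done
  bit_for "$target" "$uid" "$gids" 4 || { echo "uid $uid: no read on $target" >&2; return 1; }
}

# grant_cert_access LE_ROOT GROUP: the least-privilege alternative to chmod -R 777.
# Directories become traversable by GROUP, private keys readable by owner and
# GROUP only, public material stays world-readable. On a real host, as root:
#   groupadd certreaders; usermod -aG certreaders gitea
#   grant_cert_access /etc/letsencrypt certreaders; then restart Gitea
grant_cert_access() {
  le_root=$1 group=$2
  chgrp -R "$group" "$le_root/live" "$le_root/archive" || return 1
  find "$le_root/live" "$le_root/archive" -type d -exec chmod 750 {} + || return 1
  find "$le_root/archive" -type f -name 'privkey*.pem' -exec chmod 640 {} + || return 1
  find "$le_root/archive" -type f ! -name 'privkey*.pem' -exec chmod 644 {} + || return 1
}

# Run directly as: ./certaccess.sh FILE USERNAME
if [ "$#" -ge 2 ]; then
  can_read "$1" "$(id -u "$2")" "$(id -G "$2")" && echo "$2 can read $1"
fi
```

Unlike 777, this keeps the private key unreadable by every other local account while still letting the service start; the check function can be pointed at the exact path from gitea.log before and after the change. Because Certbot writes a fresh privkeyN.pem into archive/ on every renewal, rerun grant_cert_access afterwards (a renewal deploy hook is the usual place) so the new key carries the same group and mode.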