Open bari86 opened 2 years ago
Thanks for the suggestion @bari86
A few points of clarification, also per our Discord discussion:
Firstly, SlickStack is HTTPS-only meaning that HSTS is hardcoded in our Nginx configuration and any HTTP requests are force redirected to the HTTPS version of the website too. Port 80 is enabled only for the Nginx "catch all" server block.
Next is that there should be no need to disable the Cloudflare proxy during Certbot verification... the way SlickStack installs Nginx defaults to using self-signed OpenSSL certificates. Even if you choose Let's Encrypt in ss-config, it will still install OpenSSL to Nginx temporarily, to allow Certbot to verify the domain via self-signed HTTPS (this is for brand new installations only... for sites already loading fine over SSL there's less to worry about).
The Certbot webroot verification works fine, as per my ongoing tests. However, on brand new SlickStack servers, for some reason the ss-install needs to be run twice in order for Certbot to verify the domain... I'm not sure why (yet), but I suspect it's something to do with IPv6 and/or Cloudflare.
Lastly, SlickStack defaults to using DNS verification for Certbot when WP Multisite is enabled in ss-config... we did this to avoid scenarios in Multisite networks such as customers coming and going, messing up their domain settings, file permissions and security issues with shared public root folders, and such. We were also planning on trying to get wildcard support working and multi-domain verification, but for now it seems to be too difficult to address.
I provide this background for Googlers and to explain that yes, we can consider supporting DNS verification for normal (single site) SlickStack servers, but it shouldn't be "necessary" per se.
Here's a DNS solution with the acme.sh client and Cloudflare API:
We started playing with the acme client (we even have a bash script for it already) but never got around to testing it... I'm not sure how many options we want to maintain in SlickStack for Let's Encrypt.
Hi, please put SSL DNS verification in SS. The problem I faced is that I usually set up the domain and enable the Cloudflare proxy immediately before installing SS on the server. I will never turn the proxy off, therefore the only way to get SSL verified is via DNS. Even if I turn the proxy off to get the initial SSL, then turn it on again, after 3 months I need to turn it off and renew the SSL again, which is a bit of a hassle as I have lots of websites. This is for single WP, not multisite.
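For reference on why DNS verification works with the Cloudflare proxy left on: the client (Certbot or acme.sh) never needs port 80 reached at the origin, it only has to publish a TXT record whose value is derived from the ACME account key and the challenge token, which a DNS-API plugin can do directly. The derivation below (RFC 8555 dns-01 plus the RFC 7638 JWK thumbprint) is an added Python example, not code from SlickStack or from anyone in this thread; the JWK and token are constructed sample values, not a real key.

```python
import base64
import hashlib
import json

# Members RFC 7638 includes in the thumbprint, per key type (others like "kid"/"alg" are ignored).
THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON (sorted keys, no whitespace)
    of the required members only."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: <token>.<thumbprint> binds the challenge to this ACME account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT value is the base64url SHA-256 of the key authorization."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("utf-8")).digest()
    return b64url(digest)


def dns01_record_name(identifier: str) -> str:
    """Wildcards validate at the base name: *.example.com -> _acme-challenge.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


# Constructed sample account key (NOT a real key) and token, for the demo only.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "c3R1YmJlZC14", "y": "c3R1YmJlZC15", "kid": "ignored"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    # This is the record a DNS plugin (e.g. acme.sh's Cloudflare API support) would create.
    print(f"{dns01_record_name('*.example.com')} TXT {dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)}")
```

Because the CA checks only this TXT record, the proxy, HSTS and the forced HTTPS redirect on the origin play no part in validation, and renewals do not require touching the proxy setting.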