
greenlock (Let's Encrypt) with express and port forwarding

I am trying to set up letsencrypt (now greenlock apparently) for port forwarding with express.

I had this first issue that I solved with:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3000
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 3443

The issue is that, now, I get:

Fetching certificate for 'xxx' to use as default for HTTPS server...
[acme-v2] handled(?) rejection as errback:
Error: connect ECONNREFUSED 127.0.1.1:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1126:14)
Error loading/registering certificate for 'xxx':
Error: connect ECONNREFUSED 127.0.1.1:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1126:14) {
  errno: 'ECONNREFUSED',
  code: 'ECONNREFUSED',
  syscall: 'connect',
  address: '127.0.1.1',
  port: 80
}

My app is like that right now:

require("greenlock-express")
    .create({
        // Let's Encrypt staging directory (test issuance without hitting production rate limits)
        server: "https://acme-staging-v02.api.letsencrypt.org/directory",
        email: "xxx@gmail.com", // The email address of the ACME user / hosting provider
        agreeTos: true, // You must accept the ToS as the host which handles the certs
        configDir: "~/.config/acme/", // Writable directory where certs will be saved
        communityMember: true, // Join the community to get notified of important updates
        telemetry: true, // Contribute telemetry data to the project
        store: require("greenlock-store-fs"),
        approveDomains: ["xxx.xxx.xxx"],
        // Using your express app:
        // simply export it as-is, then include it here
        app: require("../app.js")

        //, debug: true
    })
    .listen(3000, 3443);

Apparently I cannot use ports 80 and 443 with nodeJS, but I cannot either use any other port with greenlock... What is the workaround?

I'm the author of Greenlock.

Let's Encrypt vs Greenlock

Let's Encrypt is a brand name of the EFF for their Free SSL service.

Greenlock is the brand name I use for my JavaScript client to their service.

I changed the name when they began pursuing a trademark for Let's Encrypt.

Video Tuts

If you follow the Greenlock QuickStart, you cannot fail. :)

Also, an oldie, but a goodie:

Keep It Stupid-Simple

  • VPS
  • netcap
  • systemd

On a normal VPS (such as Digital Ocean, Linode, Vultr, or Scaleway), where the disk is persistent, use "netcap". This will allow a non-root user to bind to privileged ports:

sudo setcap 'cap_net_bind_service=+ep' $(which node)

TADA! Now you can run node ./server.js --port 80 as a normal user!

Aside :

You can also use systemd to stop and start your service. Since systemd is sometimes a pita, I wrote a wrapper script in Go that makes it really easy to deploy node projects:

# Install
curl https://rootprojects.org/serviceman/dist/linux/amd64/serviceman -o serviceman
chmod +x ./serviceman
sudo serviceman /usr/local/bin
# Use
cd ./my/node/project
sudo serviceman --username $(whoami) --cap-net-bind add npm start

or, if your server isn't called 'server.js' (de facto standard), or extra options:

cd ./my/node/project
sudo serviceman --username $(whoami) --cap-net-bind add node ./my-server-thing.js -- --my-options

All that does is create your systemd file for you with sane defaults. I'd recommend you check out the systemd documentation as well, but it is a bit hard to grok and there are probably more confusing and otherwise bad tutorials than there are simple and otherwise good tutorials.

Don't use AWS / EC2 unless you're an expert

I responded to that question you mentioned: https://stackoverflow.com/a/58388665/151312

It'll probably get a bunch of downvotes from AWS die-hards... but:

Don't use AWS. Use a VPS.

I really like Digital Ocean and Vultr.

Also, there are Greenlock DNS-01 plugins for both of those. That will make your life real easy.

HTTP-01 vs DNS-01 validation

The default validations for Greenlock MUST go over HTTP on port 80. That's part of the spec. They CANNOT go over HTTPS, or over any other port.

However, if you need SSL / TLS for private networking (which is probably not your issue), you can use DNS-01 plugins. As mentioned above, it's really simple to integrate with Digital Ocean, Vultr, and a number of others.

There are about a dozen different plugins. You don't have to use them except for wildcard domains and private networking, but if you think managing the DNS and your VPS in the same place would be a benefit to you, I highly recommend using DNS-01 instead of HTTP-01.

Port forwarding is a no go

Don't port-forward unless you're an expert and you know what you're doing and why. You're gonna have a hard time and things aren't going to work as you expect.

How do you become an expert... lots of ways (and it's not hard)... but, as I understand it, it isn't really going to help you achieve your most immediate goal.

Sorry I can't be more helpful than that, but it's a big topic.
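Added example, not from the answer above and not part of serviceman or Greenlock: a small POSIX shell script that covers the two steps the answer recommends, binding port 80/443 as a non-root user and running the app under systemd, each with a check. Option A is the answer's setcap command plus a getcap health check (the file capability applies to every process that executes that node binary, for any user, and it is silently lost when a package upgrade replaces the binary, so checking it after upgrades is worth the one line). Option B grants CAP_NET_BIND_SERVICE to a single systemd unit via AmbientCapabilities instead, so only that service can bind privileged ports, with a read-only filesystem except for the app directory and Greenlock's certificate directory (the question's configDir, ~/.config/acme/, must be listed there or issuance fails on write). The function names, the unit name "myapp" and the paths in the usage comment are assumptions for illustration. For context on the question's error: the ECONNREFUSED on 127.0.1.1:80 is Greenlock's own pre-flight connection to the host's address, and a nat PREROUTING REDIRECT is only applied to packets arriving on an interface, not to locally originated connections, which is one concrete reason the answer steers away from port forwarding and toward binding port 80 directly.

```shell
#!/bin/sh
# Added example (not from the answer, not part of serviceman or Greenlock):
# two ways to let an unprivileged user bind ports 80/443, each with a check.
set -eu

# Option A, what the answer does: a file capability on the node binary.
# Caveat: every process that executes this binary, for any user, gets the
# capability, and it is lost when a package upgrade replaces the binary.
grant_bind_cap() {
  sudo setcap 'cap_net_bind_service=+ep' "$1"
}

# Returns 0 if the binary carries cap_net_bind_service, 1 if it does not,
# 2 if getcap (libcap) is not installed. Run it after node upgrades.
has_bind_cap() {
  command -v getcap >/dev/null 2>&1 || return 2
  getcap "$1" 2>/dev/null | grep -q 'cap_net_bind_service'
}

# Option B, narrower: grant the capability to one systemd service only.
# Arguments: user, working dir, writable cert dir, then the command line.
# systemd expects an absolute path for the executable in ExecStart.
render_unit() {
  user="$1"; workdir="$2"; certdir="$3"; shift 3
  cat <<EOF
[Unit]
Description=Node app with Greenlock (binds 80/443 as $user)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=$user
WorkingDirectory=$workdir
ExecStart=$*
Restart=on-failure
# Ambient capabilities survive NoNewPrivileges and reach the unprivileged
# process without touching the node binary; the bounding set drops the rest.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
# Read-only filesystem except the app dir and where Greenlock writes certs
# (the question's configDir, ~/.config/acme/, must be inside ReadWritePaths).
ProtectSystem=strict
ReadWritePaths=$workdir $certdir
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
}

# Writes the unit, reloads systemd and starts the service. Needs root.
install_unit() {
  name="$1"; shift
  render_unit "$@" | sudo tee "/etc/systemd/system/$name.service" >/dev/null
  sudo systemctl daemon-reload
  sudo systemctl enable --now "$name.service"
}

# Usage on the VPS (assumed paths; "myapp" is a placeholder unit name):
#   grant_bind_cap "$(command -v node)" && has_bind_cap "$(command -v node)"
#   install_unit myapp "$USER" "$PWD" "$HOME/.config/acme" \
#     "$(command -v node)" ./server.js --port 80
```

Pick one option, not both: if the unit carries AmbientCapabilities, the global setcap on the node binary is unnecessary and only widens who can bind low ports. After install_unit, `systemctl status myapp` and `ss -ltnp 'sport = :80'` confirm the process is listening as the unprivileged user.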
