ISP Blocking Port 80 SSL Certificate Solution

I found a much better option using dynu.com, by koying, here: Add-on: Dynu DNS (alternative to DuckDNS)

I’m sharing my solution for getting an SSL certificate on Debian 10 even though your ISP is blocking port 80.

First install Certbot and the acme-dns-certbot option. Instructions here:

Sign up for a free DDNS account here https://www.dynu.com/
Create a sub domain there.

On the Debian command line, run:

```
certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.yourdynusubdomain -d yourdynusubdomain
```

Certbot will ask you to create a CNAME record like this: Please add the following CNAME record to your main DNS zone: _acme-challenge.yourdynusubdomain CNAME d2ebfc9d-d5a9-49e1-ad2-173cd919fe7a.auth.acme-dns.io.

At dynu.com go to DNS Records and add the CNAME record Certbot gave you. Put _acme-challenge as the node name, select Type CNAME, and put d2ebfc9d-d5a9-49e1-ad2-173cd919fe7a.auth.acme-dns.io (the URL Certbot gives you). No period on the end.

I also had to copy the SSL files to /usr/share/hassio/homeassistant because of permission problems.

And add

```yaml
http:
  ssl_certificate: fullchain.pem
  ssl_key: privkey.pem
```

to configuration.yaml

I tried to use duckdns.org but they only had the option to add a TXT DNS record. I was happy to find https://www.dynu.com/
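An added example, not part of the original post: a copy made by hand into /usr/share/hassio/homeassistant is not updated when the certificate renews, so this certbot deploy hook repeats the copy after every issuance and installs privkey.pem readable by its owner only. The hook file name and the `HA_CONFIG_DIR` override are assumptions; `RENEWED_LINEAGE` is the variable certbot sets for deploy hooks.

```shell
#!/bin/sh
# Added example: certbot deploy hook (not from the original post).
# Assumed location: /etc/letsencrypt/renewal-hooks/deploy/ha-copy-certs.sh
# certbot runs deploy hooks after a successful issuance or renewal and sets
# RENEWED_LINEAGE to the live directory of the renewed certificate.

deploy_ha_certs() {
    lineage=$1   # e.g. /etc/letsencrypt/live/yourdynusubdomain
    dest=$2      # Home Assistant config directory from the post

    [ -d "$dest" ] || { echo "destination missing: $dest" >&2; return 1; }

    # Check both files before touching anything, so a partial lineage
    # never replaces a working certificate/key pair.
    for f in fullchain.pem privkey.pem; do
        [ -s "$lineage/$f" ] || { echo "missing or empty: $lineage/$f" >&2; return 1; }
    done

    # Stage under temporary names with the final permissions, then rename.
    # The certificate chain is public; the private key gets mode 0600.
    install -m 0644 "$lineage/fullchain.pem" "$dest/.fullchain.pem.new" || return 1
    install -m 0600 "$lineage/privkey.pem"   "$dest/.privkey.pem.new"   || return 1
    mv -f "$dest/.fullchain.pem.new" "$dest/fullchain.pem" || return 1
    mv -f "$dest/.privkey.pem.new"   "$dest/privkey.pem"   || return 1
}

# Only act when certbot invoked us; HA_CONFIG_DIR is an assumed override.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_ha_certs "$RENEWED_LINEAGE" "${HA_CONFIG_DIR:-/usr/share/hassio/homeassistant}"
fi
```
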

This method is called ‘DNS-challenge’, which is also supported by the default ‘Let’s Encrypt’ add-on :wink:
In contrast to the commonly used ‘http-challenge’, the dns-challenge does not require any port open. However, it does require a private key, which can be generated when registering your dns-name, provided the provider supports it. This is the list of supported dns providers:


dns-azure
dns-cloudflare
dns-cloudxns
dns-digitalocean
dns-directadmin
dns-dnsimple
dns-dnsmadeeasy
dns-gehirn
dns-google
dns-hetzner
dns-linode
dns-luadns
dns-njalla
dns-nsone
dns-ovh
dns-rfc2136
dns-route53
dns-sakuracloud
dns-netcup
dns-gandi
dns-transip
dns-inwx