A little misleading. "nosudo" eventually requiring sudo? #70

Closed
archae0pteryx opened this issue May 28, 2016 · 9 comments

@archae0pteryx

Am I naive?

@aydun

aydun commented Jun 3, 2016

You don't need sudo if you use the '-f' or '--file-based' option. That creates a file in your existing webserver. You might need to change your .htaccess to allow access to the specified directory.

@jflattery

So do you just run the python command without sudo?

STEP 4: You need to run this command on staff.example.com (don't stop the python command until the next step).

sudo python -c "import BaseHTTPServer; \
    h = BaseHTTPServer.BaseHTTPRequestHandler; \
    h.do_GET = lambda r: r.send_response(200) or r.end_headers() or r.wfile.write('____'); \
    s = BaseHTTPServer.HTTPServer(('0.0.0.0', 80), h); \
    s.serve_forever()"

@aydun

aydun commented Jun 6, 2016

No, you don't run that command but use your existing webserver.

Part of the validation is to retrieve a file from your web server. If you do have sudo you can run that one-line command to handle the validation request. If you don't have sudo, when you run sign_csr.py command, add the '-f' option. That eventually tells you to create a file with a specific name and content and make that available via a specified URL on your existing web server. After the validation is successful you can remove the file.

@brentonstrine

Where do I put the --file-based flag? When I tried to run the python script with it

$ python sign_csr.py --public-key --file-based user.pub domain.csr > signed.crt

it said:

sign_csr.py: error: argument -p/--public-key: expected one argument

So then I removed the --public-key since it's expecting only one argument.

python sign_csr.py --file-based user.pub domain.csr > signed.crt

and then it said:

sign_csr.py: error: argument -p/--public-key is required

@aydun

aydun commented Jun 14, 2017

user.pub needs to follow --public-key (it's saying the public key is stored in a file called user.pub) so try:

$ python sign_csr.py --file-based --public-key user.pub domain.csr > signed.crt

@berot3

berot3 commented Nov 22, 2017

but still, wouldn't it be possible to use another port instead of port 80? just some random high port. that might make it possible to run it without sudo?

edit: sorry, just saw you wrote that here: #67 (comment)

so why not make it default?

@aydun

aydun commented Nov 23, 2017

When Let's Encrypt does the validation, it connects to your server on port 80 to retrieve the challenge. You can't change which port it connects to. There are several ways to do that:

  1. stop your normal webserver on port 80 and run the temporary one: python command above. This requires sudo to use port 80
  2. use your normal webserver on port 80: --file-based option
  3. run the temporary server (python command) on a high port AND configure your normal port 80 webserver to redirect/proxy the challenge request to the temporary server: as described in #67 (comment)
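
Option 3 above as a sketch, added here and not part of the thread or the project's code: a Python 3 responder that binds to loopback on a high port (8080 is an assumption) and answers only the exact challenge URL, returning 404 for everything else. It assumes the port 80 webserver already forwards that path to it and that the challenge lives under /.well-known/acme-challenge/ as in ACME HTTP-01; the token and content are constructed placeholders.

```python
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# HTTP-01 challenge location per RFC 8555 (assumption: not stated in the thread).
ACME_PATH = re.compile(r"/\.well-known/acme-challenge/[A-Za-z0-9_-]+")


def challenge_response(request_path, challenge_path, content):
    """Decide the reply for one GET: returns (status, body bytes)."""
    if not ACME_PATH.fullmatch(challenge_path):
        raise ValueError("not an ACME HTTP-01 challenge path")
    # Exact match only; unlike the README one-liner, every other URL gets 404.
    if request_path == challenge_path:
        return 200, content.encode("utf-8")
    return 404, b""


def make_server(challenge_path, content, port=8080):
    """Build a server on loopback and an unprivileged port (no sudo needed)."""
    challenge_response(challenge_path, challenge_path, content)  # validate early

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            status, body = challenge_response(self.path, challenge_path, content)
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    # 127.0.0.1: only the local port 80 server can reach it, via its proxy rule.
    return HTTPServer(("127.0.0.1", port), Handler)


if __name__ == "__main__":
    # Constructed sample values; replace with those from your validation step.
    server = make_server("/.well-known/acme-challenge/EXAMPLE_TOKEN",
                         "EXAMPLE_CONTENT")
    try:
        server.serve_forever()  # stop with Ctrl-C once validation succeeds
    except KeyboardInterrupt:
        server.server_close()
```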

@d3v-null

This took a bit of digging for me to get, perhaps this should be more obvious in the readme, since I would imagine most people would be using this repo because they don't have root on their webserver.

@diafygi
Owner

diafygi commented Mar 13, 2018

If you use the --file-based option, and you have the ability to point port 80 to a particular folder without sudo, you can just copy and paste the file into your website's folder.

@diafygi diafygi closed this as completed Mar 13, 2018