Adding certbot ssl certification to custom domain on surge


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo certbot

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’ to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Cleaning up challenges
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

My web server is (include version): either HAProxy or Apache (I’m using surge, and apparently it can use either/or, see

The operating system my web server runs on is (include version): I don’t know

My hosting provider, if applicable, is: surge

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Note: surge doesn’t automatically support Let’s Encrypt (see, but does so for beta users, which I’ve been added to their list. Any help would be greatly appreciated; I’ve next to no experience trying to debug these kinds of issues :confused:


You’re probably going to have to do manual DNS verification:

certbot certonly --manual --preferred-challenges dns -d

and set up the requested TXT records in your Google Domains DNS control panel.

Then, you will have these files:

  1. /etc/letsencrypt/live/
  2. /etc/letsencrypt/live/

Then you:

cat /etc/letsencrypt/live/ /etc/letsencrypt/live/ > /root/surge.pem
surge ssl --pem /root/surge.pem --domain

Not very automated, but unless you ditch Google Domains as your DNS host, there’s no way really to improve the workflow.

(Edit: to clarify, you cannot use HTTP-01 validation in combination with surge, because they intercept the /.well-known/acme-challenge/ requests, presumably for their own integration. So you must use DNS validation.)
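The concatenation step from the reply above, with sanity checks, as an added example that is not part of the original reply. It assumes the two inputs are the fullchain.pem and privkey.pem files certbot writes under its live directory; the function names and the example.com placeholder are hypothetical. The bundle holds the private key, so it is created with mode 0600.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes the inputs are certbot's
# fullchain.pem and privkey.pem; function names are hypothetical.

# count_blocks FILE LABEL: number of PEM "BEGIN ... LABEL" lines in FILE.
count_blocks() {
  grep -c -E -- "^-----BEGIN ([A-Z0-9]+ )?$2-----\$" "$1" || true
}

# build_bundle CHAIN KEY OUT: concatenate chain + key into OUT, mode 0600.
build_bundle() {
  local chain=$1 key=$2 out=$3
  [ -r "$chain" ] && [ -r "$key" ] || { echo "unreadable input" >&2; return 1; }
  # The chain file must hold certificates only; a key here means swapped args.
  [ "$(count_blocks "$chain" CERTIFICATE)" -ge 1 ] ||
    { echo "no certificate in $chain" >&2; return 1; }
  [ "$(count_blocks "$chain" 'PRIVATE KEY')" -eq 0 ] ||
    { echo "private key found in $chain" >&2; return 1; }
  [ "$(count_blocks "$key" 'PRIVATE KEY')" -eq 1 ] ||
    { echo "expected exactly one private key in $key" >&2; return 1; }
  # umask 077 so the file is never world-readable, even briefly.
  ( umask 077 && cat "$chain" "$key" > "$out" ) || return 1
  # chmod covers the case where OUT already existed with looser permissions.
  chmod 600 "$out"
}

# key_matches_cert CHAIN KEY: true if the leaf certificate's public key
# equals the public key derived from the private key (requires openssl).
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Usage (example.com is a placeholder for the real domain):
#   live=/etc/letsencrypt/live/example.com
#   key_matches_cert "$live/fullchain.pem" "$live/privkey.pem" &&
#     build_bundle "$live/fullchain.pem" "$live/privkey.pem" /root/surge.pem
```

Let's Encrypt certificates are valid for 90 days and a `--manual` certificate is not renewed automatically, so the whole procedure has to be repeated before expiry.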


Bit late to reply, but thank you very much for this, @_az, sorted it out!
