Can I use Certbot for any certification?

My web server is (include version): Apache2 version 2.4
The operating system my web server runs on is (include version):Opensuse Leap15.1

I can login to a root shell on my machine (yes or no, or I don't know):Yes

I'm using a control panel to manage my site :Yes

Client is :Certbot version=1.4.0

Can I use Certbot to issue a certificate for a website that is not hosted on the same machine as Certbot? (The site is hosted on cPanel, and ZeroSSL, etc. are not an option.)

Thank you.

1 Like

Only if you can use DNS authentication.
HTTP authentication would fail, as the challenge request would try the IP of the FQDN directly.

2 Likes

Thanks a lot. Will give it a try.

Regards.

2 Likes

I used this code:

sudo certbot run --cert-name keta.com.ng -a manual --preferred-challenges dns -d keta.com.ng,www.keta.com.ng -i apache

And got the error below:

2020-10-13 17:47:52,017:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 159, in _new_conn
(self._dns_host, self.port), self.timeout, **extra_kw)
File "/usr/lib/python3.6/site-packages/urllib3/util/connection.py", line 57, in create_connection
for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
File "/usr/lib64/python3.6/socket.py", line 745, in getaddrinfo
for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 600, in urlopen
chunked=chunked)
File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 343, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 839, in _validate_conn
conn.connect()
File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 301, in connect
conn = self._new_conn()
File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 168, in _new_conn
self, "Failed to establish a new connection: %s" % e)
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f775635a668>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
timeout=timeout
File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 638, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3.6/site-packages/urllib3/util/retry.py", line 398, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f775635a668>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==1.4.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3.6/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3.6/site-packages/certbot/_internal/main.py", line 1347, in main
return config.func(config, plugins)
File "/usr/lib/python3.6/site-packages/certbot/_internal/main.py", line 1093, in run
le_client = _init_le_client(config, authenticator, installer)
File "/usr/lib/python3.6/site-packages/certbot/_internal/main.py", line 610, in _init_le_client
return client.Client(config, acc, authenticator, installer, acme=acme)
File "/usr/lib/python3.6/site-packages/certbot/_internal/client.py", line 256, in __init__
acme = acme_from_config_key(config, self.account.key, self.account.regr)
File "/usr/lib/python3.6/site-packages/certbot/_internal/client.py", line 43, in acme_from_config_key
return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
File "/usr/lib/python3.6/site-packages/acme/client.py", line 809, in __init__
directory = messages.Directory.from_json(net.get(server).json())
File "/usr/lib/python3.6/site-packages/acme/client.py", line 1144, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/usr/lib/python3.6/site-packages/acme/client.py", line 1094, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 533, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 646, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 516, in send
raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f775635a668>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
2020-10-13 17:47:52,025:ERROR:certbot._internal.log:An unexpected error occurred:

What exactly is Certbot moaning about please?

Thanks!

2 Likes

not too old

Try:
nslookup acme-v02.api.letsencrypt.org
ifconfig | grep -Ei 'add|inet'
curl -I4 https://acme-v02.api.letsencrypt.org/
curl -I6 https://acme-v02.api.letsencrypt.org/

4 Likes

@lestaff

Several instances of this same issue have cropped up lately. Any ideas?

3 Likes

@rg305's advice is correct. Most often this type of error "Temporary failure in name resolution" is due to a local networking problem on the subscriber's network, for instance a broken recursive resolver. That tends to show up on the /directory request because it's the first request the client makes, and necessitates a DNS lookup and TCP connection.

It's possible that our DNS provider has been serving increased errors, but for now I think the more likely answer is a series of subscriber-local network problems that have occurred closer together. Please do keep us in the loop if you continue to see higher than average examples of this type of problem!

3 Likes
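
The two stages named in the reply above (DNS lookup, then TCP connection) can be checked separately per address family, in the spirit of the suggested nslookup and curl -I4 / -I6 commands. This is an added example, not part of the original thread or of Certbot; the function names and verdict strings are illustrative assumptions.

```python
import socket

ACME_HOST = "acme-v02.api.letsencrypt.org"  # host taken from the traceback above
FAMILIES = {"ipv4": socket.AF_INET, "ipv6": socket.AF_INET6}


def check_family(host, port, family, resolve, connect, timeout):
    """Return (stage, detail) for one address family."""
    try:
        infos = resolve(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # EAI_AGAIN (-3 on Linux) is "Temporary failure in name resolution":
        # the local resolver gave no answer, so no request ever reached the CA.
        kind = "resolver-unreachable" if exc.errno == socket.EAI_AGAIN else "dns-error"
        return kind, str(exc)
    last = "no addresses returned"
    for _fam, _type, _proto, _canon, sockaddr in infos:
        try:
            connect(sockaddr[:2], timeout).close()
            return "ok", sockaddr[0]
        except OSError as exc:  # refused, unreachable, timed out
            last = f"{sockaddr[0]}: {exc}"
    return "tcp-error", last


def preflight(host=ACME_HOST, port=443, resolve=socket.getaddrinfo,
              connect=socket.create_connection, timeout=5):
    """Check DNS, then TCP, once for IPv4 and once for IPv6."""
    return {name: check_family(host, port, fam, resolve, connect, timeout)
            for name, fam in FAMILIES.items()}


def verdict(results):
    """Summarise per-family results into one next step (hypothetical wording)."""
    stages = {stage for stage, _ in results.values()}
    if "ok" in stages:
        return "reachable"  # at least one address family works
    if stages == {"resolver-unreachable"}:
        return "fix local DNS resolver"
    return "check routing/firewall or DNS records"


if __name__ == "__main__":
    res = preflight()
    for name, (stage, detail) in res.items():
        print(f"{name}: {stage} ({detail})")
    print(verdict(res))
```

The resolver and connect functions are parameters so the check can be exercised without network access; run as a script, it uses the real socket calls.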

Thanks for the prompt response, Jacob. :slightly_smiling_face:

Since this is out of a certificate-seeker's control, I wanted to ensure that it wasn't becoming a trend. I have not as yet seen this with my own ACME client.

1 Like

Running nslookup showed that the networking configuration was somehow messed up from configuring another application. That's now been corrected and I was able to connect to the Let's Encrypt API. Got the certs! Somehow Apache still managed to serve the right certificate with the wrong expiration date (the date for another certificate in the same directory). But I wouldn't worry a bit about that, because I suspect that when I renew, certbot will renew all certificates in the directory at the same time and that will consequently make them all have the same expiration. Hope now that renewal will not be just as challenging! :slightly_smiling_face:

@rg305 many thanks!

3 Likes

@griffin Thanks a lot! Especially for helping to call the attention of LE staff!

3 Likes

@jsha LE rules! Thanks!

4 Likes