Old long thread... I thought my question was simpler...
I run apache2 on a Raspberry Pi model B
Linux berry314 5.10.103+ #1529 Tue Mar 8 12:19:18 GMT 2022 armv6l GNU/Linux
I have ssh access and intended to use Certbot ACME client.
What system should I select?
I started to look at certbot from the web site, and there, in the instructions, I was prompted to select my 'System' from a pull-down menu. 'Linux berry' was not in the list (nor plain 'Linux').
But then, I installed certbot with apt-get.
So far, I have failed to generate certs.
I have a dynamic IP from dyndns.
Until now, I had only a self-signed cert.
Now I bought a 'girod.fi' domain, intending to use the name berry314.girod.fi (instead of berry314.dyndns-pics.com, which I have used so far).
At dyndns, I could only add a name, including the redirection.
So, I set a new name, with the redirection:
berry314.thruhere.net -> berry314.girod.fi
but I am not sure for which name to generate certs. Anyway, both fail:
root@berry314:/etc/ddclient# certbot certonly -d thruhere.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for thruhere.net
Input the webroot for thruhere.net: (Enter 'c' to cancel): /home/marc/webroot/
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. thruhere.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: 132.226.162.56: Fetching https://www.oracle.com/corporate/acquisitions/dyn/: Timeout after connect (your server may be slow or overloaded)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: thruhere.net
Type: connection
Detail: 132.226.162.56: Fetching
https://www.oracle.com/corporate/acquisitions/dyn/: Timeout after
connect (your server may be slow or overloaded)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
root@berry314:/etc/ddclient# certbot certonly -d girod.fi
Saving debug log to /var/log/letsencrypt/letsencrypt.log
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for girod.fi
Input the webroot for girod.fi: (Enter 'c' to cancel): /home/marc/webroot/girod/
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. girod.fi (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 2a03:e581:4::11: Invalid response from http://girod.fi/.well-known/acme-challenge/BYLGzzALKGIe72r8ASAn_FVm7Birw5purqRj3XSM9BM: 404
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: girod.fi
Type: unauthorized
Detail: 2a03:e581:4::11: Invalid response from
http://girod.fi/.well-known/acme-challenge/BYLGzzALKGIe72r8ASAn_FVm7Birw5purqRj3XSM9BM:
404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
The confusion may be mine...
Indeed, the public name will be the berry314.girod.fi alias (NS record), but shouldn't the 'real host' (the 'A' record) require the cert?
Anyway, at this point dyndns is not able to give me an IP...
Waiting for the support to help me...
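The two certbot failures above (a connection timeout for thruhere.net and a 404 for girod.fi) are both cases where the CA's http-01 request did not reach a file under the webroot that was typed in. As an added example, not code from the thread, from certbot or from Let's Encrypt, the script below does the same round trip locally before the CA is asked: it drops a random probe file under `<webroot>/.well-known/acme-challenge/` (the directory the webroot plugin uses) and fetches it over plain HTTP at the name being validated, then maps the outcome onto the failure modes seen in this thread. The verdict labels, the `preflight` function name and the command-line usage are assumptions for illustration; the hostname and webroot path in the usage comment are the ones from the thread.

```python
"""Pre-flight check for certbot's webroot authenticator.

Added example for this thread, not certbot's own code. It writes a random
probe file where the webroot plugin would place the challenge token and
fetches it the way the ACME CA does (plain HTTP, port 80, following
redirects), so a timeout, a 404 or a wrong site answering can be told apart
before a real challenge is attempted. Verdict strings are assumptions.
"""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join('.well-known', 'acme-challenge')


def challenge_path(webroot, token):
    """Filesystem path certbot's webroot plugin would write the token to."""
    return os.path.join(webroot, CHALLENGE_DIR, token)


def challenge_url(hostname, token):
    """URL the ACME CA fetches for an http-01 challenge (always plain HTTP)."""
    return f'http://{hostname}/.well-known/acme-challenge/{token}'


def place_probe(webroot):
    """Create the challenge directory if needed and drop a random probe file in it."""
    token = secrets.token_urlsafe(32)
    path = challenge_path(webroot, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, 'w', encoding='ascii') as fh:
        fh.write(token)
    return token, path


def fetch_probe(hostname, token, timeout=10):
    """Fetch the probe as the CA would. Returns (http_status_or_None, body_or_error)."""
    try:
        with urllib.request.urlopen(challenge_url(hostname, token), timeout=timeout) as resp:
            return resp.status, resp.read().decode('ascii', 'replace')
    except urllib.error.HTTPError as err:            # server answered, but not 2xx
        return err.code, ''
    except (urllib.error.URLError, OSError) as err:  # DNS failure, refused, timeout
        return None, str(err)


def classify(status, body, token):
    """Map a fetch result onto the failure modes reported in this thread."""
    if status is None:
        return 'unreachable'        # cf. the 'connection' and 'dns' errors: port 80 never answered
    if status == 404:
        return 'webroot-mismatch'   # cf. the 404 on girod.fi: another host or another webroot answered
    if status == 200 and body.strip() == token:
        return 'ok'                 # the file written here is the file the public name serves
    return 'unexpected'             # e.g. a different site or a placeholder page answered


def preflight(hostname, webroot, timeout=10):
    """Place a probe, fetch it via the public name, clean up, return the verdict."""
    token, path = place_probe(webroot)
    try:
        status, body = fetch_probe(hostname, token, timeout)
        return classify(status, body, token)
    finally:
        os.remove(path)


if __name__ == '__main__':
    import sys
    # usage (values from the thread): python preflight.py berry314.girod.fi /home/marc/webroot/
    print(preflight(sys.argv[1], sys.argv[2]))
```

Run it as the user that owns the webroot, with the same hostname and webroot path you would give certbot; an 'ok' verdict means the CA will find the token at the same place, while 'webroot-mismatch' means the name resolves to a server (or virtual host) that is not serving that directory.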
Failed authorization procedure. berry314.girod.fi (http-01): urn:ietf:params:acme:error:dns :: DNS problem: query timed out looking up A for berry314.girod.fi; DNS problem: SERVFAIL looking up AAAA for berry314.girod.fi - the domain's nameservers may be malfunctioning
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: berry314.girod.fi
Type: None
Detail: DNS problem: query timed out looking up A for
berry314.girod.fi; DNS problem: SERVFAIL looking up AAAA for
berry314.girod.fi - the domain's nameservers may be malfunctioning
I thought the nameservers looked OK:
tmp> dig berry314.girod.fi | grep -A1 'ANSWER SECTION'
;; ANSWER SECTION:
berry314.girod.fi. 0 IN A 86.44.5.225
tmp> dig NS girod.fi | grep -A2 'ANSWER SECTION'
;; ANSWER SECTION:
girod.fi. 21600 IN NS opal.ns.cloudflare.com.
girod.fi. 21600 IN NS walt.ns.cloudflare.com.
tmp> dig berry314.dyndns-pics.com | grep -A1 'ANSWER SECTION'
;; ANSWER SECTION:
berry314.dyndns-pics.com. 0 IN A 86.44.5.225
Thanks, fixed in cloudflare.
Now from my laptop, I get:
tmp> dig berry314.girod.fi | grep -A1 'ANSWER SECTION'
;; ANSWER SECTION:
berry314.girod.fi. 0 IN A 86.44.5.225
tmp> dig cname berry314.girod.fi @opal.ns.cloudflare.com | grep -A1 'AUTHORITY SECTION'
;; AUTHORITY SECTION:
girod.fi. 3600 IN SOA opal.ns.cloudflare.com. dns.cloudflare.com. 2288240461 10000 2400 604800 3600
which matches the explanation at cloudflare:
CNAME Flattening
Cloudflare will follow a CNAME to where it points and return that IP address instead of the CNAME record. By default, Cloudflare will only flatten the CNAME at the root of your domain, which is girod.fi.
But for some reason, it doesn't propagate to the raspberry pi itself...
ddclient-3.9.1> dig berry314.girod.fi | grep -A2 'ANSWER SECTION'
;; ANSWER SECTION:
berry314.girod.fi. 2150 IN A 104.21.21.89
berry314.girod.fi. 2150 IN A 172.67.197.83
ddclient-3.9.1> dig cname berry314.girod.fi | grep -A1 'AUTHORITY SECTION'
;; AUTHORITY SECTION:
girod.fi. 2973 IN SOA opal.ns.cloudflare.com. dns.cloudflare.com. 2288240461 10000 2400 604800 3600
Type   Name       Content                   Proxy status  TTL
A      girod.fi   164.215.39.201            Proxied       Auto
AAAA   *          2a03:e581:4::11           Proxied       Auto
AAAA   girod.fi   2a03:e581:4::11           Proxied       Auto
CNAME  berry314   berry314.dyndns-pics.com  Proxied       Auto
with the nameservers as:
Type  Value
NS    opal.ns.cloudflare.com
NS    walt.ns.cloudflare.com
But indeed, now I get the same thing as you do:
tmp> dig berry314.girod.fi | grep -A2 'ANSWER SECTION'
;; ANSWER SECTION:
berry314.girod.fi. 3539 IN A 172.67.197.83
berry314.girod.fi. 3539 IN A 104.21.21.89
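The laptop and the Raspberry Pi returned different addresses for the same name above: the origin address 86.44.5.225 on one side, and two addresses in Cloudflare's proxy ranges on the other, which is what a Proxied record returns. For an http-01 challenge that matters, because the CA connects to whatever the public resolvers return. As an added example, not code from the thread, from ddclient, from Cloudflare or from certbot, the script below parses the ANSWER SECTION of `dig` output from several vantage points and labels each returned address as the expected origin, a Cloudflare proxy edge, or something else. The vantage-point labels and the embedded dig outputs are constructed from what was pasted in this thread; the Cloudflare ranges are the two /13 blocks from Cloudflare's published IP list that contain the addresses seen on the Pi.

```python
"""Compare dig answers for one hostname across vantage points.

Added example for this thread, not ddclient's, Cloudflare's or certbot's
code. It parses the ANSWER SECTION of `dig` output and reports, per vantage
point, whether each address is the expected origin, a Cloudflare proxy edge
or something else. Sample outputs below are constructed from the thread.
"""
import ipaddress
import re
import subprocess

# "<name> <ttl> IN <type> <rdata>" as dig prints answer records
ANSWER_RE = re.compile(r'^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$')

# Two ranges from Cloudflare's published list (https://www.cloudflare.com/ips/);
# they contain the 104.21.x and 172.67.x answers seen on the Pi.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in ('104.16.0.0/13', '172.64.0.0/13')]


def parse_dig_answers(text):
    """Return (name, ttl, rtype, rdata) tuples from the ANSWER SECTION of dig output."""
    records, in_answer = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(';; ANSWER SECTION:'):
            in_answer = True
            continue
        if line.startswith(';;'):          # the next section header ends the answers
            in_answer = False
            continue
        match = ANSWER_RE.match(line) if in_answer else None
        if match:
            name, ttl, rtype, rdata = match.groups()
            records.append((name.rstrip('.'), int(ttl), rtype, rdata.rstrip('.')))
    return records


def classify_address(addr, origin_ip):
    """'origin' if it is the host itself, 'cloudflare-proxy' if in a CF edge range, else 'other'."""
    if addr == origin_ip:
        return 'origin'
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in CLOUDFLARE_V4):   # IPv6 addresses simply never match the v4 nets
        return 'cloudflare-proxy'
    return 'other'


def compare(outputs, origin_ip):
    """outputs: {vantage label: dig output text}. Returns {label: {address: class}}."""
    report = {}
    for label, text in outputs.items():
        records = parse_dig_answers(text)
        report[label] = {r[3]: classify_address(r[3], origin_ip)
                         for r in records if r[2] in ('A', 'AAAA')}
    return report


def dig(name, server=None, rtype='A'):
    """Run dig for a live query (network required); pass server='opal.ns.cloudflare.com' etc."""
    cmd = ['dig', name, rtype] + ([f'@{server}'] if server else [])
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed samples: the two answers pasted in this thread, trimmed to the ANSWER SECTION.
LAPTOP = """;; ANSWER SECTION:
berry314.girod.fi. 0 IN A 86.44.5.225

;; Query time: 30 msec
"""
PI = """;; ANSWER SECTION:
berry314.girod.fi. 2150 IN A 104.21.21.89
berry314.girod.fi. 2150 IN A 172.67.197.83

;; Query time: 30 msec
"""

if __name__ == '__main__':
    # Offline run on the pasted outputs; swap in dig(...) calls to query live resolvers.
    for label, addrs in compare({'laptop': LAPTOP, 'pi': PI}, '86.44.5.225').items():
        print(label, addrs)
```

When every vantage point, including the authoritative nameserver queried directly, reports 'cloudflare-proxy', the CA's challenge request will arrive at Cloudflare's edge first and only reach the Pi if Cloudflare forwards it there; when they disagree, one side is still serving a cached or differently configured answer, and the TTL column in the parsed records shows which one is cached.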