Certbot with nip.io or xip.io

houami · January 8, 2021, 10:28am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://3-18-215-34.nip.io:3080

I ran this command:
when i run the certbot command
certbot certonly --manual --preferred-challenges=dns --agree-tos --manual-public-ip-logging-ok --email someemail@gmail.com -d "dsag.tk, *.dsag.tk"

It produced this output:
it asks me to create the _txt record

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: nip.io

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

now how do i make sure this works since i dont host nip.io

sahsanu · January 8, 2021, 10:37am

Hello @houami,

You can't. You have no control to create/modify dns records on nip.io so you can't use dns validation to issue the cert for your "domain" but you can use http validation to get the cert.

Cheers,
sahsanu

rg305 · January 8, 2021, 10:57am

Those are two completely different domains.

If you need a wildcard cert for dsag.tk you need to control that DNS zone.
[not the DNS zone of your ISP/HSP]

JuergenAuer · January 8, 2021, 10:57am

Hi @houami

your command says, you want to create a certificate with "dsag.tk, *.dsag.tk".

So it's unrelevant that you use https://3-18-215-34.nip.io:3080

ns-1333.awsdns-38.org is one of your name servers - see dsag.tk - Make your website better - DNS, redirects, mixed content, certificates - the name server part.

There you have to create the two required TXT records `_acme-challenge.dsag.tk' - two entries with the same domain name, but different values.

sahsanu · January 8, 2021, 11:13am

@rg305 @JuergenAuer seems op already issued a wildcard certificate 2 hours ago for domain dsag.tk:

CRT ID      CERT TYPE   DOMAIN (CN)  KEY ALG      VALID FROM             VALID TO               EXPIRES IN  SANs
3895697558  Final cert  dsag.tk      RSA 2048bit  2021-Jan-08 08:23 UTC  2021-Apr-08 08:23 UTC  89 days     *.dsag.tk 
                                                                                                            dsag.tk

@houami, could you please clarify whether you want to issue a cert for 3-18-215-34.nip.io domain? Because you already issued one for dsag.tk.

houami · January 8, 2021, 4:17pm

how do i use the http validation for certbot?

houami · January 8, 2021, 4:20pm

yes when i tried with this domain 3-18-215-34.nip.io, i was not sure how to get past the dns validation step as the certbot gave the command to add the TXT record.

certbot certonly --manual --preferred-challenges=dns --agree-tos --manual-public-ip-logging-ok --email somemail@gmail.com -d " 3-18-215-34.nip.io, *. 3-18-215-34.nip.io"

This was the command i initially used

houami · January 8, 2021, 4:21pm

I wanted to issue the cert for 3-18-215-34.nip.io. but im stuck with the validation part

rg305 · January 8, 2021, 4:22pm

You can't get a DNS validated cert for a domain that you don't control the DNS zone.
[that is not your domain]

Use the named cert you already have.

houami · January 8, 2021, 4:22pm

this is the domain i want to use
3-18-215-34.nip.io
I am not sure how to validate this as it asks me to add TXT record

sahsanu · January 8, 2021, 4:58pm

certbot certonly --webroot -w /var/www/example -d 3-18-215-34.nip.io

Where /var/www/example is the root path (document root) used by 3-18-215-34.nip.io in your web server.

sahsanu · January 8, 2021, 5:08pm

I forgot to say that nip.io is not included in the public suffix list so it will be hard to issue your cert because it could reach the rate limits (a lot of people is trying to issue their own certificates).

houami · January 8, 2021, 7:10pm

i mistakenly terminated the instance without testing..
so from your last comment.
you mean to say its not possible to issue the cert for nip.io domains and how do you validate.
that was the problem i had before

sahsanu · January 8, 2021, 7:24pm

I'm not saying it isn't possible but it will be hard because there are hundreds of persons using nip.io and this domain is not included in Public Suffix List so that means Let's Encrypt will apply the rate limits to the certs created using the domain nip.io and you know, a limit of 50 certificates per week and hundreds of persons trying to issue a cert for their sub domain... it is complicated to find an available slot and get your cert.

system · February 7, 2021, 7:25pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to configure nip.io wildcard DNS for any IP Address Help	3	2531	March 7, 2023
LetsEncrypt Certbot Not detecting IP Help	6	600	March 29, 2021
DNS issue with split domain Help	11	1193	March 26, 2021
Certificate for IP addresses or hostname Help	2	1138	August 14, 2022
No-ip DNS and certbot Help	10	10057	May 19, 2021

Certbot with nip.io or xip.io

Related topics