Certbot with nip.io or xip.io

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://3-18-215-34.nip.io:3080

I ran this command:
When I run the certbot command
certbot certonly --manual --preferred-challenges=dns --agree-tos --manual-public-ip-logging-ok --email someemail@gmail.com -d "dsag.tk, *.dsag.tk"

It produced this output:
It asks me to create the _txt record

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: nip.io

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Now how do I make sure this works, since I don't host nip.io?

Hello @houami,

You can't. You have no control to create/modify dns records on nip.io so you can't use dns validation to issue the cert for your "domain" but you can use http validation to get the cert.

Cheers,
sahsanu

Those are two completely different domains.

If you need a wildcard cert for dsag.tk you need to control that DNS zone.
[not the DNS zone of your ISP/HSP]

Hi @houami

your command says, you want to create a certificate with "dsag.tk, *.dsag.tk".

So it's irrelevant that you use https://3-18-215-34.nip.io:3080

ns-1333.awsdns-38.org is one of your name servers - see https://check-your-website.server-daten.de/?q=dsag.tk - the name server part.

There you have to create the two required TXT records `_acme-challenge.dsag.tk` - two entries with the same domain name, but different values.

@rg305 @JuergenAuer seems op already issued a wildcard certificate 2 hours ago for domain dsag.tk:

CRT ID      CERT TYPE   DOMAIN (CN)  KEY ALG      VALID FROM             VALID TO               EXPIRES IN  SANs
3895697558  Final cert  dsag.tk      RSA 2048bit  2021-Jan-08 08:23 UTC  2021-Apr-08 08:23 UTC  89 days     *.dsag.tk 
                                                                                                            dsag.tk

@houami, could you please clarify whether you want to issue a cert for 3-18-215-34.nip.io domain? Because you already issued one for dsag.tk.


How do I use the HTTP validation for certbot?

Yes, when I tried with this domain 3-18-215-34.nip.io, I was not sure how to get past the DNS validation step, as certbot gave the command to add the TXT record.

certbot certonly --manual --preferred-challenges=dns --agree-tos --manual-public-ip-logging-ok --email somemail@gmail.com -d "3-18-215-34.nip.io, *.3-18-215-34.nip.io"

This was the command I initially used.

I wanted to issue the cert for 3-18-215-34.nip.io, but I'm stuck with the validation part.

You can't get a DNS validated cert for a domain whose DNS zone you don't control.
[that is not your domain]

Use the named cert you already have.

This is the domain I want to use:
3-18-215-34.nip.io
I am not sure how to validate this as it asks me to add TXT record

certbot certonly --webroot -w /var/www/example -d 3-18-215-34.nip.io

Where /var/www/example is the root path (document root) used by 3-18-215-34.nip.io in your web server.

I forgot to say that nip.io is not included in the public suffix list so it will be hard to issue your cert because it could reach the rate limits (a lot of people are trying to issue their own certificates).

I mistakenly terminated the instance without testing.
So, from your last comment,
you mean to say it's not possible to issue the cert for nip.io domains, and how do you validate?
That was the problem I had before.

I'm not saying it isn't possible, but it will be hard because there are hundreds of persons using nip.io and this domain is not included in the Public Suffix List, so that means Let's Encrypt will apply the rate limits to the certs created using the domain nip.io and, you know, with a limit of 50 certificates per week and hundreds of persons trying to issue a cert for their subdomain... it is complicated to find an available slot and get your cert.

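The rate-limit point made in the last reply, as an added example that is not part of the original thread: it shows why every nip.io hostname draws from one shared weekly quota while names under a listed public suffix each get their own. The suffix set is a small constructed subset of the Public Suffix List, the function names are hypothetical, and each name is treated as one certificate, which simplifies how Let's Encrypt actually counts.

```python
from collections import Counter

# Constructed subset of the Public Suffix List, for illustration only.
# "github.io" is a real private-section entry; "nip.io" is absent, as the
# thread states. Wildcard (*.) and exception (!) PSL rules are not handled.
PUBLIC_SUFFIXES = {"io", "tk", "github.io"}

WEEKLY_LIMIT = 50  # certificates per registered domain per week (from the thread)


def registered_domain(name, suffixes=PUBLIC_SUFFIXES):
    """Return the public suffix plus one label: the unit the limit applies to."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":          # a wildcard SAN counts against the same domain
        labels = labels[1:]
    # Scan from the longest candidate suffix to the shortest; first hit wins.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            if i == 0:
                raise ValueError(f"{name!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # PSL default rule: an unlisted TLD is treated as a public suffix.
    if len(labels) < 2:
        raise ValueError(f"{name!r} has no registrable part")
    return ".".join(labels[-2:])


def buckets_over_limit(issued_names, limit=WEEKLY_LIMIT):
    """Count one certificate per name and return buckets that hit the limit."""
    counts = Counter(registered_domain(n) for n in issued_names)
    return {domain: c for domain, c in counts.items() if c >= limit}


if __name__ == "__main__":
    # Constructed week of issuance: 50 different nip.io users, one cert each,
    # plus 50 unrelated github.io sites and the thread's own dsag.tk cert.
    week = [f"10-0-0-{i}.nip.io" for i in range(50)]
    week += [f"user{i}.github.io" for i in range(50)]
    week += ["dsag.tk"]
    print(registered_domain("3-18-215-34.nip.io"))   # shared bucket
    print(registered_domain("user1.github.io"))      # own bucket
    print(buckets_over_limit(week))
```

With this constructed week, only the nip.io bucket reaches the limit, so the next nip.io user is refused regardless of which IP address their hostname encodes.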