My domain is:
[redacted]
I ran this command:
certbot --apache -d [redacted] --preferred-challenges tls-sni --staging
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
My web server is (include version):
apache2 (Apache/2.4.29)
The operating system my web server runs on is (include version):
Ubuntu Server 18.04.1 LTS
Certbot version:
0.23.0
My hosting provider, if applicable, is:
DNS Hosting: noip (https://www.noip.com/)
I own and have a physical connection to the web-server.
I can log in to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
Issue Summary
I am hosting my server behind a residential ISP that blocks port 80. I can access http using port 8080 if desired. Port 443, however, is not blocked at all.
I am using a free DNS service from https://www.noip.com/ to get my domain name [redacted]. This service does not allow me to create DNS TXT records.
My server is currently accessible, and is using a self-generated temporary certificate.
Previously, I was running my web-server on a raspberry pi and was able to successfully set up a certificate for it using the certbot tool. The certificate was re-issued half a year ago. I don't remember the exact process I used to get the original certificate, since it has been a few years since the original certificate was issued.
I decided to upgrade to a slightly more powerful server. I set up apache in the same way and "replaced" the raspberry pi server. However, I am having trouble getting certbot to successfully complete a challenge.
Here's where I'm at:
- I cannot use the http-01 challenge since port 80 is blocked. I tried creating another DNS domain using noip to redirect port 80 to 443, but certbot complained about the redirection. Certbot also can't use alternate http ports; it only uses port 80 as far as I know.
- I cannot use the dns-01 challenge since I cannot create DNS TXT records with noip.
- I am trying to get the tls-sni-01 challenge to work, but I'm getting the error issued above. I've also tried manual and standalone authenticators, but they error in similar ways.
I've read that the tls-sni-01 challenge was disabled due to a security concern a long time ago. Has it been re-enabled? If so, where is my issue coming from? If not, why is the documentation still showing it as a valid challenge (https://certbot.eff.org/docs/challenges.html)?
Any tips or suggestions would be greatly appreciated, thanks!