Certificate issue

Why is it so f. hard to generate a single, simple certificate? I can't find a way to install certbot on my Windows 10 without IIS, I can't generate it with wacs or acme.sh, and I can't generate it with SSL For Free. I bought my domain on Hostinger and host my app on Vercel; I only need a simple TLS certificate. Can somebody help, please? On SSL For Free the error "Invalid CAA Records" occurs, and I cannot add it on Vercel because it shows: Invalid record value: "letsencrypt.org".

Hello @Zuxo, welcome to the Let's Encrypt community. :slightly_smiling_face:

When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

2 Likes

I deleted it because there is no command I ran or even an output; I just can't generate my certificate. I don't have a certbot version because I didn't find a way to install it.

@Zuxo, please answer the questions that you can, such as "My domain is".

are part of the DNS records, so knowing the domain will likely help.

2 Likes
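The "Invalid CAA Records" error in the opening post and the reply above both turn on how a CA reads CAA records. As an added illustration (not code from any post in this thread), the following stdlib-only Python reproduces the CA-side evaluation from RFC 8659: walk from the requested name toward the root, take the first non-empty CAA RRset as the relevant one, then check the `issue` (or, for wildcards, `issuewild`) records for the CA's domain. It also parses the three-field presentation format `<flags> <tag> "<value>"`, which shows that `letsencrypt.org` on its own is only the value part of a record. The zone data is constructed; CNAME/DNAME following is left out.

```python
"""CAA evaluation as a CA performs it (RFC 8659), standard library only.
Added example, not from the thread; the zone data below is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 0x80 = issuer-critical flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str


# Presentation format used by DNS panels: <flags> <tag> "<value>", e.g. 0 issue "letsencrypt.org"
_CAA_RE = re.compile(r'^\s*(\d{1,3})\s+([A-Za-z0-9]+)\s+"([^"]*)"\s*$')


def parse_caa(text: str) -> CAA:
    m = _CAA_RE.match(text)
    if not m:
        raise ValueError(f"not a CAA record in presentation format: {text!r}")
    return CAA(int(m.group(1)), m.group(2).lower(), m.group(3))


# Constructed zone: owner name -> CAA RRset (names lower-cased with a trailing dot).
SAMPLE_ZONE = {
    "example.com.br.": [parse_caa('0 issue "letsencrypt.org"')],
    "locked.example.com.br.": [parse_caa('0 issue ";"')],          # empty issuer: nobody may issue
    "wild.example.com.br.": [parse_caa('0 issue "letsencrypt.org"'),
                             parse_caa('0 issuewild "digicert.com"')],
    "strict.example.com.br.": [parse_caa('128 futuretag "x"')],     # unknown property, critical bit set
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def _ancestors(name: str):
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def relevant_caa(zone: dict, name: str):
    """RFC 8659 section 3: the relevant RRset is the first non-empty CAA RRset found
    walking from the name itself toward the root."""
    for owner in _ancestors(name):
        rrset = zone.get(owner)
        if rrset:
            return owner, list(rrset)
    return None, []


def _issuer(value: str) -> str:
    # value is "issuer-domain-name [; name=value ...]"; an empty issuer name means "no CA".
    return value.split(";", 1)[0].strip().lower()


def caa_allows(zone: dict, name: str, ca_domain: str, wildcard: bool = False):
    """Return (allowed, reason) for the CA identified by ca_domain."""
    owner, rrset = relevant_caa(zone, name)
    if not rrset:
        return True, "no relevant CAA RRset; any CA may issue"
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in rrset):
        return False, f"{owner}: unknown CAA property with the critical flag set"
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"   # section 4.3: issuewild overrides issue for wildcard names
    applicable = [r for r in rrset if r.tag == tag]
    if not applicable:
        return True, f"{owner}: no '{tag}' records, issuance is not restricted"
    if any(_issuer(r.value) == ca_domain.lower() for r in applicable):
        return True, f"{owner}: '{tag}' permits {ca_domain}"
    return False, f"{owner}: '{tag}' records do not name {ca_domain}"


if __name__ == "__main__":
    for host, wild in [("www.example.com.br", False), ("locked.example.com.br", False),
                       ("wild.example.com.br", True), ("api.strict.example.com.br", False)]:
        print(host, caa_allows(SAMPLE_ZONE, host, "letsencrypt.org", wildcard=wild))
```

Two consequences worth knowing when debugging a CAA error: a record set on the apex covers every subdomain that has no CAA set of its own, and an `issue ";"` record (or an unknown property with flags 128) blocks every CA, not just Let's Encrypt.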

ok, i'm sorry.

My domain is: www.habitdigital.com.br

I ran this command: I ran nothing.

It produced this output: I don't have an output.

My web server is (include version): Hostinger for the domain and Vercel for the code, via GitHub.

The operating system my web server runs on is (include version): It runs on Vercel, but mine is Win10 without IIS.

My hosting provider, if applicable, is: Vercel

I can login to a root shell on my machine (yes or no, or I don't know): Yes, it is on my machine; I am the only owner of everything.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I don't know what this means.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Still looking on the web for a way to install it.

@Zuxo,

It seems I am not fully understanding; can you explain the issue you are facing?

Here is a list of issued certificates crt.sh | habitdigital.com.br, the latest being 2024-04-17.

It would not seem to be.

3 Likes

It would seem you are serving HTTP on both port 80 and 443;
one would normally expect HTTPS to be on port 443.

HTTP PASSes

$ curl -k -Ii http://www.habitdigital.com.br/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Server: hcdn
Date: Thu, 18 Apr 2024 02:52:59 GMT
Content-Type: text/html
Content-Length: 161
Connection: keep-alive
Location: https://o-system-web-application.vercel.app
alt-svc: h3=":443"; ma=86400
x-hcdn-request-id: fa40a221ce95634cffdd45feda976321-bos-edge2

HTTPS FAILS

$ curl -k -Ii https://www.habitdigital.com.br/.well-known/acme-challenge/sometestfile
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error

HTTP on Port 443 PASSes which is incorrect

$ curl -k -Ii http://www.habitdigital.com.br:443/.well-known/acme-challenge/sometestfile
HTTP/1.1 400 Bad Request
Server: hcdn
Date: Thu, 18 Apr 2024 02:53:14 GMT
Content-Type: text/html
Content-Length: 247
Connection: close
alt-svc: h3=":443"; ma=86400
x-hcdn-request-id: a0a7d8c33d32f8e87b3af65acf779f95-bos-edge1
2 Likes

There are a lot of records because I've been trying all day long, but I haven't got any file yet. All ways run into an error. My application is hosted and works with HTTPS, but my app needs to make a few requests to my ESP8266 and that only works with a certificate.

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher.

And to assist with debugging, a great place to start is Let's Debug.

2 Likes

I don't know how you got that or how to fix it.

The domain you gave us is hosted at Vercel and looks to be working fine. It is possible that system got those certificates on your behalf when you setup your account there.

Can you explain what your esp8266 is and the problem with it? Because it looks like a wifi chip but I am not sure what kind of certificate you would need or how to install it.

UPDATE:
Well, HTTPS to that domain was working but the IP address just changed and connections now fail. The DNS is set to a parking page. Have you fully setup your account there yet?

3 Likes

Just fyi ... earlier an HTTPS test showed this

curl -I https://habitdigital.com.br
HTTP/2 308
date: Thu, 18 Apr 2024 02:56:17 GMT
location: https://www.habitdigital.com.br/
server: Vercel

curl -I https://www.habitdigital.com.br
HTTP/2 200
date: Thu, 18 Apr 2024 02:56:25 GMT
etag: "cd4e0c1aa0cd255852e5a178b986ca13"
server: Vercel
2 Likes

The ESP8266 is a board used in IoT. My application works fine with it on localhost, but when I host it on Vercel the request is turned into an HTTPS request, and to still have communication the board needs a certificate to accept HTTPS requests.

Update: I'm tired of searching all day and trying a lot of ways; I fixed the nameserver and it will return to work soon:

The certificate your IoT board needs then is a set of CA trusted root certificates.

It sounds like it is failing to validate the certificate it sees from your web app at that domain. Your Vercel system is fine. You need to ask the programming support team for that IoT board how to handle HTTPS.

Regular devices (like mobile phones, PCs, servers, and so on) have what is called a "trusted root store", which is included with them. Apps running on those devices that connect using HTTPS rely on those trusted roots to validate the cert they see from the service they connect to.

You need to find out how to create a trusted root store or certificate and then have your IoT app use it. Maybe you have to set that up yourself. I don't know. That info should be with your programming specs for that board. If you do need to set it up yourself you can find the Let's Encrypt roots below. ISRG Root X1 and ISRG Root X2 are the two active roots.

3 Likes

I will search about that tomorrow and come back here to reply; thanks for the help, Mike and Bruce.

2 Likes

The key thing here is that you are trying to get a certificate to use on your own IoT web server, so that has nothing to do with your Vercel hosted site. Your Vercel hosted site is literally a site managed by Vercel, and they take care of the certificates and SSL for you because you don't have the administrative access you would require on their server to achieve that otherwise.

Your IoT board is a completely separate thing you are running locally. The IoT board will have its own IP address or domain/subdomain name for you to access the HTTP API you are running on it. This API running on the IoT board is what you want/need your certificate for, so ignore your main website for now.

There are a few main steps to getting and using a certificate:

  • Give your service a real domain name and point that to the IP address of the thing: e.g. iot-api-01.habitdigital.com.br pointing to the IP of the device.
  • Use an ACME client like certbot etc. to order your certificate. You need to prove you control the domain you want to include on the cert, and you do that either over HTTP (running your ACME client on that IP) or via DNS (creating a special TXT record in your domain DNS control panel/API) which, crucially in this case, you can do from any machine.
  • Once you have proven control of your domain you can download the certificate, which mainly consists of just a certificate file and your private key file (which is already on the machine with your ACME client).

Once you have a cert, you use it with whatever service you want. Normally that means telling the service where to load the certificate file (or often the "fullchain" is best) and private key file, maybe copying the files around and configuring the service to serve requests using that certificate, usually on TCP port 443 (for HTTPS, but there are other networking protocols and services that can use certificates as well).

In your case I would suggest deciding on a subdomain for your IoT device service and using the Manual DNS option of your ACME client to get a cert. This will prompt you to create a TXT record called _acme-challenge. in your DNS control panel; then you wait a minute and continue the request for the certificate. Once you have your certificate you follow the guide for whatever the service is on how to apply the certificate. That process is of course not automated, so renewals can be a pain; ideally you want to automate after that.

Yes, certificates can be complex to work with. They're not simple until you've already learned how to do it and you fully understand the difference between getting a certificate and using it with a service. Lots of people do not understand the process at all.

3 Likes
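The Manual DNS route described in the post above rests on the dns-01 challenge from RFC 8555. As an added, stdlib-only example (not code from the thread or from any ACME client), the Python below computes exactly what the client is asked to publish and what the CA then checks: the key authorization is `token.thumbprint(accountKey)` (RFC 8555 section 8.1, thumbprint per RFC 7638), and the TXT record at `_acme-challenge.<name>` holds the base64url SHA-256 of that string (section 8.4), so the account key itself never appears in DNS. The account key coordinates are sample values (taken from the RFC 7515 A.3 test vector, not used cryptographically here), the token is the sample token from RFC 8555, and the hostname is hypothetical.

```python
"""ACME dns-01 challenge values (RFC 8555 sections 8.1 and 8.4; RFC 7638 thumbprints), stdlib only.
Added example, not from the thread; the account key and token below are sample values."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638 section 3.2: only the required public members, lexicographically ordered, no whitespace.
_THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def jwk_thumbprint_input(jwk: dict) -> str:
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(jwk_thumbprint_input(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Section 8.1: token || '.' || base64url(JWK_Thumbprint(accountKey)); binds the challenge to the account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Section 8.4: the TXT record holds base64url(SHA-256(keyAuthorization)), not the key authorization."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(identifier: str) -> str:
    """Section 7.4.1 / 8.4: drop a leading '*.' for wildcards, then prepend the _acme-challenge label."""
    if identifier.startswith("*."):
        identifier = identifier[2:]
    return "_acme-challenge." + identifier.rstrip(".") + "."


def validate_dns01(txt_rrset, token: str, account_jwk: dict) -> bool:
    """CA side: the challenge passes iff one TXT record equals the expected value (constant-time compare)."""
    expected = dns01_txt_value(token, account_jwk)
    return any(hmac.compare_digest(rr, expected) for rr in txt_rrset)


# Sample EC P-256 public key (coordinates from the RFC 7515 A.3 test vector) and the RFC 8555 sample token.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "use": "sig",   # optional members such as this are excluded from the thumbprint
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    # Hypothetical hostname for the IoT device's API.
    name = dns01_record_name("iot-api-01.example.com.br")
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f'Create this record, then tell the client to continue: {name} IN TXT "{value}"')
    print("CA validation passes:", validate_dns01([value], SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
    print("Stale value from a previous attempt fails:", validate_dns01(["old-value"], SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

Because the TXT value depends on both the token and the account key, a value left over from an earlier run with a different client or account never validates, which is why a manual DNS renewal needs a fresh record each time unless the process is automated.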

I interpreted their comments differently but you may very well be correct

3 Likes

The ESP8266 board works if I do an HTTP request from Google Chrome on localhost. When I push my code to Vercel, the request is turned into HTTPS and the board stops responding. I've already given CORS policy permission, but it isn't enough; some cert is required. All I want to do is get access from my application to my board. This doesn't need to be a direct connection: if I click a button within my application using Google Chrome and send the same request, but HTTPS instead, and the board accepts it, then my problem will be solved. That is what I believe for now.

Anyway, I guess we can solve it with certbot too, but I don't know how to install it on Windows 10 (without IIS).

1 Like

I thought your IoT board was initiating the HTTPS connection but now I see it was the other way around. So @webprofusion comment describes that.

I'll let him continue, but I am just noting that Certbot is no longer supported on Windows. The EFF dropped support for that in Feb of this year. You may want to look at alternative ACME clients designed for Windows such as Certify The Web (see here), or even win-acme or Posh-ACME (see their GitHub repositories).

2 Likes