Chose N when I was asked to agree to my IP being logged

My domain is:

weeby.store

I ran this command:

sudo certbot certonly --manual --preferred-challenges=dns --email @.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d weeby.com -d *.weeby.store

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for weeby.store
dns-01 challenge for weeby.com

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?

(Y)es/(N)o: N
Cleaning up challenges
Must agree to IP logging to proceed

My web server is (include version):
apache

The operating system my web server runs on is:

ubuntu 20

My hosting provider, if applicable, is:

AWS

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.27.0

Hi, I accidentally chose N when I was asked to agree to my IP being logged.

Later on, when I tried to execute the command again, I got the following error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

Any help, please?

thank you


Welcome to the Let's Encrypt Community, Mansour :slightly_smiling_face:

I'm noticing a mismatch here:

weeby.com
*.weeby.store

Before we continue, are you sure you weren't meaning to certify these instead:

weeby.store
*.weeby.store

Your certbot version is quite ancient and should be updated if possible. What OS version is installed on your webserver?

Do you really need a wildcard (*.) certificate? Most people don't. Not using a wildcard usually simplifies the process considerably.


Hi @griffin

Thank you for your reply. Regarding the OS version, it is:

Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic

Yes, the .com was a typo, as I was copying the command from the internet; the right one is .store.

However, I managed to fix the issue by including only *.weeby.store.

So the correct command for me was:

sudo certbot certonly --manual --preferred-challenges=dns --email @.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.weeby.store
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for weeby.store


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: Y


Please deploy a DNS TXT record under the name
_acme-challenge.weeby.store with the following value:

ktFbNbVgUCSaMXbTwItbP21NpeaMPKVCLcN0_I8Ew8M

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/weeby.store/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/weeby.store/privkey.pem
    Your cert will expire on 2021-10-04. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

With that being said, I have also generated another certificate for the main weeby.store with the following command:

sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: weeby.store


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for weeby.store
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enhancement redirect was already set.


Congratulations! You have successfully enabled https://weeby.store

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=weeby.store


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/weeby.store-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/weeby.store-0001/privkey.pem
    Your cert will expire on 2021-10-04. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

Now I'm facing one issue: subdomains are not served with this SSL certificate; the browser (Safari) gives a warning message (this connection is not private).

Might it be an error with the Apache config?


Yes, I'm serving a web SaaS service, so I would provide clients with SSL.


Many people each week come here trying to do what you are attempting. Here's the challenge:

Even if you certify the subdomains, whether this works depends upon how your clients are connecting. They can't just CNAME their personal websites to your subdomains because your certificate won't contain their domain names. As long as they will just be using your subdomains directly, we can make this work.

You will need a wildcard A record in your DNS and a wildcard ServerName in Apache (or individual server names). The wildcard ServerName is a catchall for non-existent/generic subdomains.


Your certificate should cover both weeby.store and *.weeby.store.


With some very creative rewrite rules...
One could receive:
http://some-other.site
[which CNAMEs to this site - IP only]
and rewrite that as and redirect to:
https://some-other-site.this.site/
OR
https://this.site/some-other.site/

But that is something for a completely different forum to discuss/resolve.

Naturally, this won't save us from:
https://some-other.site/
[to which this site has no cert for]


This is the correct command:

sudo certbot certonly --cert-name weeby.store --manual --preferred-challenges dns -d "weeby.store,*.weeby.store"

It will ask you to deploy two unique _acme-challenge.weeby.store TXT records.

Certificate history of weeby.store:

https://crt.sh/?q=weeby.store

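Two checks behind the advice above (griffin's point that one certificate has to cover both weeby.store and *.weeby.store, and Osiris's note that both _acme-challenge TXT values must be in place for the combined order), written as an added example that is not part of the thread. The first functions apply the single-label wildcard rule a browser uses when matching a hostname against a certificate's DNS SANs, and report which names a given certificate leaves uncovered; the last compares the challenge values certbot asks for against what the resolver actually returns. Both take the command output as text so they run offline; the certificate and dig samples, and the token strings, are constructed for this example, and the certificate path is the one certbot printed earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: name-coverage and challenge-record
# checks around a "weeby.store + *.weeby.store" certificate. Inputs are
# passed as text so the functions run offline; the server-side commands
# that produce that text are given in comments. Sample data is constructed.
set -u
set -f   # no pathname expansion: "*.weeby.store" must stay a literal word

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# covered_by NAME SAN... -> 0 if NAME matches one of the SANs under the
# wildcard rule of RFC 6125 s6.4.3 (a "*" stands for exactly one label):
# *.weeby.store matches app.weeby.store, but neither weeby.store itself
# nor the two-level a.b.weeby.store.
covered_by() {
  name=$(lower "$1"); shift
  for san in "$@"; do
    san=$(lower "$san")
    case $san in
      \*.*)
        parent=${name#*.}                       # drop the leftmost label
        if [ "$parent" != "$name" ] && [ "$parent" = "${san#\*.}" ]; then
          return 0
        fi
        ;;
      *)
        if [ "$name" = "$san" ]; then return 0; fi
        ;;
    esac
  done
  return 1
}

# san_names OPENSSL_TEXT -> the DNS SANs, one per line. On the server
# (OpenSSL 1.1.1 or newer, which Ubuntu 18.04 ships):
#   openssl x509 -in /etc/letsencrypt/live/weeby.store/fullchain.pem \
#           -noout -ext subjectAltName
san_names() {
  printf '%s\n' "$1" | tr ',' '\n' |
    sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# uncovered OPENSSL_TEXT NAME... -> prints each NAME the certificate does
# not cover; empty output means every listed name is served without a warning.
uncovered() {
  sans=$(san_names "$1"); shift
  for n in "$@"; do
    if ! covered_by "$n" $sans; then     # unquoted on purpose: one SAN per word
      echo "$n"
    fi
  done
}

# txt_missing DIG_TEXT TOKEN... -> prints each expected challenge value that
# is not yet visible. A two-name order needs two TXT records under the same
# name, so both values must appear in one answer, in any order. On the server:
#   dig +short TXT _acme-challenge.weeby.store @<authoritative nameserver>
# (dig prints each value in double quotes, one per line)
txt_missing() {
  seen=$1; shift
  for tok in "$@"; do
    case $seen in
      *"\"$tok\""*) ;;
      *) echo "$tok" ;;
    esac
  done
}

# --- constructed sample inputs (what the commands above would print) ---
SAN_BOTH='X509v3 Subject Alternative Name:
    DNS:weeby.store, DNS:*.weeby.store'
SAN_WILDCARD_ONLY='X509v3 Subject Alternative Name:
    DNS:*.weeby.store'
DIG_ONE_RECORD='"token-one-constructed"'
DIG_BOTH_RECORDS='"token-two-constructed"
"token-one-constructed"'

echo "wildcard-only certificate leaves uncovered:"
uncovered "$SAN_WILDCARD_ONLY" weeby.store app.weeby.store a.b.weeby.store
echo "combined certificate leaves uncovered:"
uncovered "$SAN_BOTH" weeby.store app.weeby.store a.b.weeby.store
echo "challenge values still missing with one record deployed:"
txt_missing "$DIG_ONE_RECORD" token-one-constructed token-two-constructed
```

Running the block shows why the wildcard-only certificate issued earlier in the thread had no name matching weeby.store itself, and why even the combined certificate does not cover a second-level subdomain such as a.b.weeby.store: the wildcard stands for exactly one label. The TXT check is meant to be run against an authoritative nameserver, not the local resolver, since a cached empty answer is the usual reason a freshly published record is "deployed" on the DNS console but not yet seen by the CA.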

Hi @griffin

Yes, they would just sign up and pick any subdomain of their choice.


Now I'm facing the first issue :slight_smile:

sudo certbot certonly --cert-name weeby.store --manual --preferred-challenges dns -d "weeby.store,*.weeby.store"

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None

You are updating certificate weeby.store to include new domain(s):
  • weeby.store
You are also removing previously included domain(s):
(None)
Did you intend to make this change?

(U)pdate cert/(C)ancel: U
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

You mentioned previously that I'm running quite an ancient version, but it says it is the latest version?


Go here and follow the instructions to install the snap version of certbot:

Make sure to follow them exactly! You must remove your old version(s) as instructed.

The current issue you are facing is a known BUG in your certbot version.


DO NOT SKIP STEP #4
[the punishment for which can be severely extreme - LOL]


Thank you.
From my understanding, should I follow the wildcard instructions or the default ones?


The default one. Don't issue a certificate though. Just install, then post the output of certbot --version.


There's no special "wildcard" version of certbot. They just change the instructions by adding a plugin check on step 1, which is not needed here.


lol

core 16-2.51.1 from Canonical✓ installed

snap "core" has no updates available

Hopefully I don't get punished


That's the core. What about certbot --version ?


Step 4 is removing old versions, which @rg305 correctly identified as critical. You're probably looking at the wildcard instructions though. :upside_down_face:


great !!

I was far away from the latest version

now:

certbot --version

certbot 1.17.0


Beautiful! :partying_face:

Now, once more, with feeling:
