Creating new cert where one previously doesn't exist


#1

Hi, I’m trying to create a certificate for a domain that has a certificate which currently appears to be broken. It was issued by startcom as a free multi-domain certificate, but it appears to not be recognized properly by letsencrypt.

Is it possible to create a certificate for a domain which does not currently have one at all? i’d like to disable the existing (broken) certificate entirely and just create a new one using letsencrypt.

I have access to the nameserver and webserver for this domain. The webserver system is too old to support the letsencrypt software, so we are trying to create the certificate from a remote host on the same network.

I’m attempting to run the certbot script on a fedora25 system on the same network.

Please fill out the fields below so we can help you better.

My domain is: guardiandigital.com

I ran this command:
certbot certonly

It produced this output:

My operating system is (include version):
fedora25

My web server is (include version):
apache-2.2.14

My hosting provider, if applicable, is:
We’re the provider. I have full write access to the documentroot, but the system doesn’t support python or other tools necessary to run certbot locally.

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Let’s Encrypt needs to verify ownership / control of the domain, so it checks your domain - it doesn’t check some other remote host (otherwise you could obtain a certificate for almost any domain).

I’d suggest using the DNS-01 challenge if you can’t run anything on the server. Alternatively you could use the “manual” challenge, and copy the verification tokens to the real web server (or do that automatically via script).


#3

Yes, understood. I was attempting to configure the certbot script to run against the domain from another host since it’s not possible to run it on the web host directly.

This is what I needed, thanks.


#4

You’re welcome. 🙂

Alternatively, you could use the GetSSL client (I’m biased as I wrote it). It’s designed to run on one server though and place tokens, and certificates, automatically on a different server via SSH/SFTP.


#5

Typically only --manual will work this way. Otherwise, Certbot assumes it’s running on your web server (at which all of the names you’re requesting a certificate for are pointed). If this assumption is wrong, you may see an error like the one you saw. (It can also occur if Certbot is otherwise unable to reconfigure Apache on the web server, for example because of an Apache configuration that Certbot can’t parse correctly.)
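The manual-challenge flow suggested in #2 and #5, as an added example that is neither code from the thread nor certbot's own: an auth hook that certbot invokes with CERTBOT_TOKEN and CERTBOT_VALIDATION set, which pushes the HTTP-01 token file to the web server's document root over SSH so certbot can run on a separate host. REMOTE and DOCROOT are placeholders you would set for your own hosts; the domain is the one from the thread.

```shell
#!/bin/sh
# Added example auth hook for:
#   certbot certonly --manual --preferred-challenges http \
#       --manual-auth-hook ./auth-hook.sh -d guardiandigital.com
# REMOTE and DOCROOT are constructed placeholders, not values from the thread.
REMOTE="${REMOTE:-user@web.example.invalid}"   # ssh target of the old web host
DOCROOT="${DOCROOT:-/var/www/html}"            # its DocumentRoot

# Path certbot's validator will fetch: /.well-known/acme-challenge/<token>
challenge_path() {
    printf '%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Tokens are base64url characters only; refusing anything else keeps the
# token from steering the write outside the acme-challenge directory.
token_is_safe() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write the validation body under a local staging root and print the file
# path. The file must contain exactly the validation string, no newline.
stage_challenge() {
    root="$1"; token="$2"; validation="$3"
    dir="$root/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s' "$validation" > "$dir/$token" || return 1
    challenge_path "$root" "$token"
}

# Only the real certbot run sets these variables; sourcing the file is a no-op.
if [ -n "${CERTBOT_TOKEN:-}" ]; then
    token_is_safe "$CERTBOT_TOKEN" || { echo "unexpected token format" >&2; exit 1; }
    stage="$(mktemp -d)"
    file="$(stage_challenge "$stage" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION")" || exit 1
    ssh "$REMOTE" "mkdir -p '$DOCROOT/.well-known/acme-challenge'" || exit 1
    scp "$file" "$REMOTE:$DOCROOT/.well-known/acme-challenge/$CERTBOT_TOKEN" || exit 1
    rm -rf "$stage"
fi
```

Pair it with a --manual-cleanup-hook that removes the same remote file once validation is done, and confirm with curl that the old Apache serves the dotted .well-known directory before running certbot.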

