The operating system my web server runs on is (include version): Ubuntu 16.04
My hosting provider, if applicable, is: AWS Route 53
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NA
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
Additional Information:
I am getting this error when I try to generate the certificate using the above mentioned command from the machine pointed to by test-projects.me, but if I remove the subdomain and run this command to generate a certificate only for test-projects.me it doesn't give any error.
certbot certonly --standalone -n --dry-run --agree-tos --no-eff-email --preferred-challenges http -m email -d test-projects.me --redirect --keep
Similarly it works if I generate a certificate for mail.test-projects.me from its own machine.
So the main issue is I can't generate a domain and subdomain certificate in a single command from the main domain machine.
Also, I am able to ssh to both the machines pointed by my domains.
If you want to use http-validation, then Certbot must be able to create the validation files, Letsencrypt checks these. That's not directly possible if both domain names have different ip addresses (not pointing to the same server certbot is running).
No I don't, but since there is a rate limit applicable to generation of certificates, with this way I can register up to 5000 domains per week as stated here:
If you have a lot of subdomains, you may want to combine them into a single certificate, up to a limit of 100 Names per Certificate. Combined with the above limit, that means you can issue certificates containing up to 5,000 unique subdomains per week.
Though I am not sure if the same rate limit is applicable if I generate a certificate for each subdomain on its own machine?
Thank you for your instant reply. I understood my mistake but I am not clear on the solution you mentioned to create a redirect. Can you elaborate on it some more?
I tried to run the command this way after reading about webroot
Thank you for clarifying that.
I would still want to know what I am doing wrong with my previous approach. So if you could help me with that, it would be great.
Using HTTP validation to get certificates for test-projects.me and mail.test-projects.me requires that requests to http://test-projects.me/.well-known/acme-challenge/xxxxxxxxxx and http://mail.test-projects.me/.well-known/acme-challenge/yyyyyyyyyy respond with the required data.
The Certbot webroot plugin requires that you already have a web server running.
If you're getting a "connection refused" error, there probably isn't a web server running, or maybe it's being blocked by a firewall, or there's port forwarding involved and there's an issue with the setup.
To use HTTP validation for a website hosted on another server, you could configure the web server on that server to reverse proxy or redirect the requests to the first server. Or set up something like NFS. Or some ACME clients support copying files to another server. (Certbot doesn't have something built in, but you could write a hook.)
Since you're using Route 53, the simpler solution would be to install the Certbot Route 53 DNS plugin and use DNS validation.
However, you would still have to script something to copy the certificates to the other computer, reload any daemons using them, etc.
It's simpler to have each server issue its own certificates.
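As an added illustration of the "write a hook" option mentioned in the reply above (this is example code, not from the thread or from Certbot itself), the following `--manual-auth-hook` script publishes the HTTP-01 challenge on whichever server a given name points at, so a single certbot run on the main machine can cover both test-projects.me and mail.test-projects.me. Certbot exports `CERTBOT_DOMAIN`, `CERTBOT_TOKEN` and `CERTBOT_VALIDATION` to the hook; the domain-to-host mapping, the `ubuntu@` ssh user and the `/var/www/html` webroots are assumptions for the example. The token check exists because the token becomes a file name: only base64url characters are accepted, so a malformed value can never be written outside the challenge directory.

```shell
#!/bin/sh
# Added example: Certbot --manual-auth-hook that writes the HTTP-01 challenge file
# to the server that actually serves CERTBOT_DOMAIN (locally or over ssh).
# Assumed mapping and hosts below are hypothetical, not from the thread.
set -eu

# Constructed mapping: domain -> "host:webroot". "local" means this machine.
target_for() {
  case "$1" in
    test-projects.me)      echo "local:/var/www/html" ;;
    mail.test-projects.me) echo "ubuntu@mail.test-projects.me:/var/www/html" ;;
    *)                     return 1 ;;
  esac
}

# ACME tokens are base64url; anything else (empty, "../", spaces) is rejected
# so the token can only ever name a file inside the challenge directory.
token_is_safe() {
  [ -n "$1" ] || return 1
  case "$1" in
    *[!A-Za-z0-9_-]*) return 1 ;;
  esac
  return 0
}

# Write CERTBOT_VALIDATION to <webroot>/.well-known/acme-challenge/<token>
# on the host that serves the domain.
publish_challenge() {
  domain=$1; token=$2; validation=$3
  token_is_safe "$token" || { echo "refusing unsafe token" >&2; return 1; }
  target=$(target_for "$domain") || { echo "no target for $domain" >&2; return 1; }
  host=${target%%:*}
  webroot=${target#*:}
  dir="$webroot/.well-known/acme-challenge"
  if [ "$host" = local ]; then
    mkdir -p "$dir"
    printf '%s' "$validation" > "$dir/$token"
  else
    # Remote host: stream the validation string over ssh into the file.
    printf '%s' "$validation" | ssh "$host" "mkdir -p '$dir' && cat > '$dir/$token'"
  fi
}

# Entry point when invoked by certbot; skipped when the file is sourced.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  publish_challenge "$CERTBOT_DOMAIN" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION"
fi
```

Invoke it with `certbot certonly --manual --preferred-challenges http --manual-auth-hook /path/to/hook.sh -d test-projects.me -d mail.test-projects.me` (older releases such as 0.31 also need `--manual-public-ip-logging-ok` for a non-interactive run); a matching `--manual-cleanup-hook` should delete the same file afterwards. This only solves issuance: as the reply notes, the resulting certificate still has to be copied to the mail server and its daemons reloaded, which is why letting each server issue its own certificate is the simpler design.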