Generate domain certificate Online


#1

Hello Everyone,
We’re running into huge trouble when using the command-line certbot to renew our certificate.
Question: Is there a way to generate the certificate ONLINE and then download it to the file system over SSH perhaps?
Best regards,
Askia


#2

Hi,

Yes, you can use sslforfree.com or zerossl.com and generate certificates. (However you still need to complete verifications)

Thank you


#3

A difference from using a client like Certbot is that the renewal can’t be automated, so you’ll have to repeat the process manually every time before your certificate expires.


#4

Hi stevenzhu,
Thanks for the tip.
I just tried this but I get to the step where I have to verify the links generated just before downloading the certificates, and when I upload the files to the server and then click on the links it says:
Your connection is not secure

www.intellix-fact.com uses an invalid security certificate. The certificate expired on Thursday, May 10, 2018 2:30 AM. The current time is Friday, May 11, 2018 6:26 PM. Error code: SEC_ERROR_EXPIRED_CERTIFICATE

And then when I click on download the certificates:

Domain “www.intellix-fact.com” challenge3 failed. Response from “https://acme-v02.api.letsencrypt.org/acme/challenge/R6_dGo2evOhERa3_6l8av8KKawWPvN6eqzlJotvfazE/4598974340” was:

Error: No valid IP addresses found for www.intellix-fact.com

Full Error: { "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:unknownHost", "detail": "No valid IP addresses found for www.intellix-fact.com", "status": 400 }, "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/R6_dGo2evOhERa3_6l8av8KKawWPvN6eqzlJotvfazE/4598974340", "token": "UHRHlCL67myBg_wDukjNr9te5Ug9j_afuAJuuAnAW18", "validationRecord": [ { "url": "http://www.intellix-fact.com/.well-known/acme-challenge/UHRHlCL67myBg_wDukjNr9te5Ug9j_afuAJuuAnAW18", "hostname": "www.intellix-fact.com", "port": "80" } ] }


#5

Hi Schoen,
Does this mean that I have to generate a NEW certificate every time before it expires?
If yes I tried this as well, but I keep getting the following problem:
Domain: www.intellix-fact.com
Type: unknownHost
Detail: No valid IP addresses found for www.intellix-fact.com

Domain: intellix-fact.com
Type: unknownHost
Detail: No valid IP addresses found for intellix-fact.com

Thanks for your help.
Cheers,
Askia


#6

Hi,

You are using an internal IP address as the IP in DNS (10.198.176.240), hence all machines outside the network can’t visit your website.

Can you please use an external IP rather than your internal one?

Thank you


#7

Yes, but certbot renew can do this for you automatically when the verification problems are solved and can run unattended from cron.

Because of the nature of this problem, using a tool like ZeroSSL won’t necessarily make the process easier.


#8

Hi Stevenzhu,
Yes, I just changed to the external IP of my router (185.13.106.195) and now I cannot even reach the website.
Cheers,
Askia


#9

Did you do the port forwarding correctly?

Thank you


#10

Hi Seth,
So I changed the IP of the domain to the external IP (185.13.106.195) and here is what I get:
Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for intellix-fact.com
http-01 challenge for www.intellix-fact.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (intellix-fact.com) from /etc/letsencrypt/renewal/intellix-fact.com.conf produced an unexpected error: Failed authorization procedure. intellix-fact.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://intellix-fact.com/.well-known/acme-challenge/v1DpbZe7ILyCqtOn1Y23dlEpX7jWns0E7vOzht-Eif8: Timeout during connect (likely firewall problem), www.intellix-fact.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.intellix-fact.com/.well-known/acme-challenge/NbNk3MWUlLYxDpsUnetFxlbA0i85uXqQwghWfRaFEM0: Timeout during connect (likely firewall problem). Skipping.

Domain: intellix-fact.com
Type: connection
Detail: Fetching
http://intellix-fact.com/.well-known/acme-challenge/v1DpbZe7ILyCqtOn1Y23dlEpX7jWns0E7vOzht-Eif8:
Timeout during connect (likely firewall problem)

Domain: www.intellix-fact.com
Type: connection
Detail: Fetching
http://www.intellix-fact.com/.well-known/acme-challenge/NbNk3MWUlLYxDpsUnetFxlbA0i85uXqQwghWfRaFEM0:
Timeout during connect (likely firewall problem)

Now I just double-checked that ALL ports (80 and 443) are open by running firewall-cmd --list-ports and confirmed that they are open.

Cheers.
Askia


#11

I checked again and all is set correctly. This port forwarding worked for long time before yesterday anyway.
Cheers.
Askia


#12

Hi @intellixfact,

Your domain is still pointing to a private address:

$ dig @ns1.afraid.org intellix-fact.com +short
10.198.176.240

$ dig @ns2.afraid.org intellix-fact.com +short
10.198.176.240

$ dig @ns3.afraid.org intellix-fact.com +short
10.198.176.240

$ dig @ns4.afraid.org intellix-fact.com +short
10.198.176.240

And it is not possible to connect to your server using the real ip and port 80:

$ curl -ikL -m20 http://185.13.106.195/.well-known/acme-challenge/test
curl: (28) Connection timed out after 20000 milliseconds


#13

Yes, I cannot reach the website when I set it to 185.13.106.195, and if I set it to 10.198.176.240 I can reach it. That is what I cannot figure out.
I think the solution would be a way to generate the certificate files online and then download them to the file system.
Cheers,
Askia


#14

Hi,

Is your ISP blocking port 80 on the IP?

Can you try to visit this website on your network?
ifconfig.co

Thank you


#15

Hi @intellixfact,

As you are using freedns.afraid.org as your DNS provider, you could use the acme.sh client and the DNS challenge instead of HTTP. The acme.sh client supports freedns, so you could even automate it.

Cheers,
sahsanu
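To make the suggestion above concrete, here is an added example (not code from this thread, from acme.sh or from Certbot) of what a client publishes for each challenge type, following RFC 8555: for http-01 the key authorization is served as a file over port 80, for dns-01 only its SHA-256 digest goes into a TXT record, so the CA never has to connect to the host at all. EXAMPLE_JWK is a constructed P-256 public key whose coordinates are filler bytes, not a real account key; EXAMPLE_TOKEN is the token Let's Encrypt returned in post #4.

```python
"""What an ACME client publishes for the http-01 and dns-01 challenges
(RFC 8555 sections 8.1, 8.3 and 8.4).  Added example, not acme.sh or Certbot
code.  EXAMPLE_JWK is a constructed P-256 public key (the coordinates are
filler bytes, not a real account key); EXAMPLE_TOKEN is the token Let's
Encrypt issued in post #4."""
import base64
import hashlib
import json


def b64url(data):
    """Unpadded base64url, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sha256_b64url(data):
    """base64url(SHA-256(data)), the shape of every ACME digest."""
    return b64url(hashlib.sha256(data).digest())


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 of the required public members only,
    serialised as JSON with keys sorted and no whitespace.  Optional members
    such as "use" or "kid" must not influence the value."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return sha256_b64url(canonical.encode("utf-8"))


def key_authorization(token, thumbprint):
    """token '.' thumbprint(accountKey): binds the challenge to one account."""
    return token + "." + thumbprint


def http01_response(token, thumbprint):
    """Body served at http://<domain>/.well-known/acme-challenge/<token>.
    The CA fetches it over port 80, which is exactly the connection that
    timed out in post #10."""
    return key_authorization(token, thumbprint)


def dns01_record(domain, token, thumbprint):
    """(name, value) of the TXT record for dns-01: the CA only queries DNS,
    so a private A record or a blocked port 80 no longer matters."""
    value = sha256_b64url(key_authorization(token, thumbprint).encode("ascii"))
    return ("_acme-challenge." + domain, value)


# Constructed account key, public part only.  The coordinates are filler.
EXAMPLE_JWK = {
    "kty": "EC", "crv": "P-256", "use": "sig",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
}
# Token from the challenge object in post #4.
EXAMPLE_TOKEN = "UHRHlCL67myBg_wDukjNr9te5Ug9j_afuAJuuAnAW18"


if __name__ == "__main__":
    thumb = jwk_thumbprint(EXAMPLE_JWK)
    print("http-01 body:", http01_response(EXAMPLE_TOKEN, thumb))
    print("dns-01 TXT  :", dns01_record("intellix-fact.com", EXAMPLE_TOKEN, thumb))
```

The thumbprint is computed over the canonical members only, so adding a `kid` or changing `use` on the account JWK leaves the challenge responses unchanged, while any change to the curve or coordinates invalidates every outstanding challenge. A DNS-API client such as acme.sh automates exactly the `dns01_record` step: it writes that TXT value through the provider's API, waits for propagation, and then tells the CA to validate.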


#16

Hi,
Yes, I can reach the site http://ifconfig.co/ and it shows that port 8080 is reachable.
Cheers,
Askia


#17

It doesn’t matter if port 8080, 2525, or 8675309 are reachable, what matters is whether port 80 is reachable. If not, you won’t be able to validate your domain ownership in this way.


#18

Hi,

What about port 80 and your IP?

Does that match the IP you updated in DNS?

Thank you


#19

What does acme.sh do?
Do I need to modify it before running it?
Do I need root privs to run it?
Thanks.
Askia


#20

Indeed, I just tested it:
http://ifconfig.co/port/80
Result:

ip “185.13.106.195”
port 80
reachable false

So now I’ll set it back to the IP 10.198.176.240 and see what happens.
Thx
Askia
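The checks run by hand in post #12 (what the A record resolves to, whether port 80 answers at the public address) and the port-80 probe in posts #17 and #20 can be scripted as one pre-flight test. The following is an added example, not code from the thread, Certbot or acme.sh. It classifies each resolved address the way a public CA must see it (an RFC 1918 address such as 10.198.176.240 cannot be validated and produces the `unknownHost` error seen in posts #4 and #5), probes the acme-challenge path on port 80, and maps the result onto the ACME error types that appear in the thread. It uses the local resolver rather than querying ns1.afraid.org directly; hostnames, addresses and the trimmed challenge object are copied from the thread.

```python
"""Pre-flight check for ACME http-01 validation.

Added example (not from the thread, Certbot or acme.sh).  Repeats the DNS
and port-80 checks from posts #12, #17 and #20 and maps the outcome onto
the ACME error types seen in the thread.  Uses the local resolver, not the
authoritative afraid.org servers that post #12 queried with dig."""
import ipaddress
import socket
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def address_class(addr):
    """Classify an A/AAAA record the way a public CA must see it.

    A CA can only connect to globally routable addresses; RFC 1918 space such
    as 10.198.176.240 makes Let's Encrypt answer
    urn:ietf:params:acme:error:unknownHost ("No valid IP addresses found")."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "global"
    return "reserved"


def usable_addresses(addrs):
    """Only the addresses a CA could actually reach."""
    return [a for a in addrs if address_class(a) == "global"]


def resolve(hostname):
    """A/AAAA records from the local resolver (network access)."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def probe_http01(hostname, token="test", timeout=20):
    """GET http://<hostname>/.well-known/acme-challenge/<token> on port 80.

    Any HTTP response, even a 404, counts as 'reachable': it proves port 80
    is open and a web server answers.  'timeout' is the "Timeout during
    connect (likely firewall problem)" case from post #10."""
    url = "http://" + hostname + CHALLENGE_PATH + token
    try:
        with urllib.request.urlopen(url, timeout=timeout):
            return "reachable"
    except urllib.error.HTTPError:
        return "reachable"
    except socket.timeout:
        return "timeout"
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, socket.timeout):
            return "timeout"
        if isinstance(exc.reason, socket.gaierror):
            return "dns-failure"
        if isinstance(exc.reason, ConnectionRefusedError):
            return "refused"
        return "error"


def diagnose(addrs, probe_result=None):
    """Map what was observed onto the ACME error type the CA would report."""
    if not usable_addresses(addrs):
        seen = ", ".join("%s (%s)" % (a, address_class(a)) for a in addrs) or "nothing"
        return ("unknownHost", "DNS returns no globally routable address: " + seen)
    if probe_result == "timeout":
        return ("connection", "port 80 not reachable from the Internet: check "
                "ISP port-80 blocking, router port forwarding and host firewall")
    if probe_result in ("refused", "dns-failure", "error"):
        return ("connection", "port 80 closed or name not resolvable: " + probe_result)
    return ("ok", "DNS and port 80 look fine; http-01 should succeed")


# Failed challenge object as returned to the poster in post #4 (trimmed).
SAMPLE_CHALLENGE = {
    "type": "http-01", "status": "invalid",
    "error": {"type": "urn:ietf:params:acme:error:unknownHost",
              "detail": "No valid IP addresses found for www.intellix-fact.com",
              "status": 400},
    "validationRecord": [{"hostname": "www.intellix-fact.com", "port": "80"}],
}


def summarize_challenge(challenge):
    """(hostname, short error type, detail) from a failed challenge object."""
    err = challenge.get("error", {})
    record = (challenge.get("validationRecord") or [{}])[0]
    return (record.get("hostname"), err.get("type", "").rsplit(":", 1)[-1],
            err.get("detail"))


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["intellix-fact.com", "www.intellix-fact.com"]:
        try:
            addrs = resolve(host)
        except socket.gaierror:
            addrs = []
        result = probe_http01(host) if usable_addresses(addrs) else None
        print(host, addrs, diagnose(addrs, result))
```

Run it with the hostnames as arguments before invoking `certbot renew`. The two failure types in the thread are distinct: `unknownHost` is fixed purely in DNS (publish a public address), while `connection` means the address is public but nothing answers on port 80 from outside, which is the case the ifconfig.co port test in post #20 confirmed and which no online certificate generator can work around, because the CA performs the same connection.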