Generate domain certificate Online

It seems like the ISP is blocking the port 80 indeed.

Hi,

That means you can’t use HTTP validation to obtain Let’s Encrypt certificates.

Can you try DNS validation? (Since that probably is the only solution for you now)

Thank you

Here are my tests:

  1. 185.13.106.195:80 - Blocked
  2. 10.198.176.240:80 - Reachable

Thx
Askia

I am not quite sure what you mean by “Can you try DNS validation”.
Could you please elaborate?

Do you mean the option “Manual Verification (DNS)” on www.sslforfree.com?

Yes..

Sorry for the unclear text.

That might be the only option you can use since you can't access the file from external.

Thank you

No worry,
BTW the TXT record means TXT/SPF Record setting in the DNS setting page right?
Is this format right?
_acme-challenge.www.intellix-fact.com=fgluM52sp-r_6lFKIRjCX7-
Thx

Here is what I receive when clicking on the validation links:
No TXT Record Found. Make to set the TTL to 1 second or if you cannot set the TTL then you must wait the TTL (in seconds) so it updates before verifying the domain. Contact your DNS provider if unsure.

Hi,

It depends on the DNS provider you use…

Normally, it should be set up like this:

_acme-challenge.www.intellix-fact.com

Value:
fgluM52sp-r_6lFKIRjCX7-

Thank you

I just have one big textfield and I am not quite sure how to format it in there.
Just to make sure: We’re talking about DNS record and NOT about NAMESERVER, right?
Thx

As @sahsanu mentioned, the acme.sh client should be able to automatically set the appropriate TXT records for you, if you tell it about your DNS provider.


Hi Seth,
I have been experimenting with the acme.sh tool I installed yesterday and this is what I get:

  1. Installation of acme.sh: succeeded.
  2. Ran acme.sh to “Just issue a cert”: I get 4 files in the intellix-fact.com directory
    • intellix-fact.com.com.conf
    • intellix-fact.com.com.csr
    • intellix-fact.com.com.csr.conf
    • intellix-fact.com.com.key
  3. From here I try to replace the corresponding files in the Apache configuration with the newly generated files, but it fails to restart my Apache server.

What am I doing wrong?
Thanks for helping.
Cheers,
Ahmed

You're missing one, probably indicating that the cert issuance failed. You should also have intellix-fact.com.com.cer

Although it looks like you doubled the .com FQDN ending (note that all the file names are .com.com), which would definitely explain the problem.

Hi danb35,
Thanks for the enlightenment.
Now I got the correct files set and the following error:
[Sat May 12 21:25:42 CEST 2018] Verifying:intellix-fact.com
[Sat May 12 21:25:47 CEST 2018] intellix-fact.com:Verify error:No valid IP addresses found for intellix-fact.com
[Sat May 12 21:25:47 CEST 2018] Please add '--debug' or '--log' to check more details.
[Sat May 12 21:25:47 CEST 2018] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub

May I still use the generated files?
If yes which ones should be used in my apache conf file?
Cheers,
Askia


You should be able to.

Have you said which version of Apache you're using? You'll use the .key file in any event (it's the private key), but whether you'll use fullchain.cer (which contains both your certificate and the intermediate cert that signed your cert), or ca.cer and your own .cer file separately, is going to depend on the Apache version.

If it was unable to validate the name and issue a certificate, you don't have certificate files.

Did it successfully issue a certificate or not?

Was it using DNS validation or HTTP validation?

The error message was for an HTTP validation attempt which failed because intellix-fact.com has a private, 10.0.0.0/8 IP address. You have to use a public IP address or DNS validation.

If you want to use acme.sh with freedns and without a public IP address, you should be following these instructions (linked by @sahsanu earlier) instead of the “Just issue a cert” examples.

Also note that acme.sh expects you to run --install-cert to copy the certificate and related files to their final locations, and you should use the copies (rather than the ones in the .acme.sh directory) in your Apache configuration.

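Added example, not part of any post in this thread: a Python pre-flight check for the two failures discussed above (port 80 blocked from outside, and a name that resolves only to a 10.0.0.0/8 address), plus the name and value format of the DNS-01 TXT record as defined in RFC 8555. The two IP addresses and the domain come from the thread; the token and account thumbprint are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import ipaddress


def public_addresses(addresses):
    """Keep only addresses a CA validation server on the internet can reach."""
    return [a for a in addresses if ipaddress.ip_address(a).is_global]


def pick_challenge(addresses, port80_reachable):
    """HTTP-01 needs a public address with inbound port 80 open; else use DNS-01."""
    if public_addresses(addresses) and port80_reachable:
        return "http-01"
    return "dns-01"


def dns01_record(domain, token, account_thumbprint, ttl=60):
    """Build the DNS-01 TXT record name, value and a zone-file style line.

    The value is base64url(SHA-256(token + "." + thumbprint)) without padding.
    """
    base = domain[2:] if domain.startswith("*.") else domain  # wildcard uses the base name
    key_authorization = f"{token}.{account_thumbprint}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    value = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    name = f"_acme-challenge.{base}."
    return name, value, f'{name} {ttl} IN TXT "{value}"'


if __name__ == "__main__":
    # Addresses reported in the thread; port 80 on the public one was blocked.
    print(pick_challenge(["185.13.106.195"], port80_reachable=False))
    print(pick_challenge(["10.198.176.240"], port80_reachable=True))
    # Constructed token and thumbprint, for illustration only.
    name, value, line = dns01_record(
        "www.intellix-fact.com", "constructed-token", "constructed-thumbprint"
    )
    print(line)
```

How the name and value are entered (separate fields, or one zone-file line) depends on the DNS provider, and a client such as acme.sh computes the value itself.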

[SOLVED]
Hello together,
After much experimentation, I was able to solve this and renew the certificates using the acme.sh tool with the --dns option.
I would like to thank you all guys for your large and friendly support to solve this.
Best regards,
Askia
