GetHTTPSforfree Step 4 Error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: yourfuturetosuccess.com

I ran this command: I ran these commands in Step 4 and chose Option 3. DNS Record Step 4: Verify Ownership

PRIV_KEY=./account.key; echo -n "eyJ1cmwiOiJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei8zMTExMDQzMTkyLzY2ODI1MjMwMDcwMiIsImFsZyI6IlJTMjU2Iiwibm9uY2UiOiIxTHhJYW9KUlJ0ZV94VFFHbmtWTUNxajdKc0I5WkVBdkl3czBZdGpOeU5fSUFUY2NrVDAiLCJraWQiOiJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0LzMxMTEwNDMxOTIifQ." | openssl dgst -sha256 -hex -sign $PRIV_KEY


Challenges loaded! Choose a challenge option below.
Challenges for: ilo5-server.yourfuturetosuccess.com

Option 1 - python server Option 2 - file-based Option 3 - DNS record
How to set this DNS record:

  1. Log into your domain name provider.
  2. Create a new DNS record on ilo5-server.yourfuturetosuccess.com:

    Type: TXT
    Name/Host/Alias: _acme-challenge
    Value/Answer/Destination: o-9hqV6hs61pW_3K60EDN1Y_VJbOyaNjsKDlZrMz5yE
    Time to Live (TTL): 900

  3. Wait until the TXT record is being served (this can take a while).

    dig +short @ns.yournameserver.com _acme-challenge.ilo5-server.yourfuturetosuccess.com TXT

  4. Click "I can see the TXT record..." button when you can see that new TXT record has propagated.

I waited more than an hour and didn't see the TXT Record so I forced it in GoDaddy by inputting the Value and the TXT appeared in my DNS Record in GoDaddy.

Easily verify domain ownership

Need to verify ownership of your domain to connect to an external service? We've made it easier than ever.

Verify Domain Ownership

(how do I do this?) Check challenge status command:

I ran the 2 Sign challenge commands: No errors

Then when I clicked on Check the challenge status I received the error below.

Error: Domain challenge failed. Please start back at Step 1. {"identifier":{"type":"dns","value":"ilo5-server.yourfuturetosuccess.com"},"status":"invalid","expires":"2026-03-11T19:16:54Z","challenges":[{"type":"dns-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/3111043192/668091815852/Isx3Ag","status":"invalid","validated":"2026-03-04T22:44:05Z","error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up TXT for _acme-challenge.ilo5-server.yourfuturetosuccess.com - check that a DNS record exists for this domain","status":400}

My web server is (include version): HPE ILO5

The operating system my web server runs on is (include version): Windows Server 2016 though I'm running the GetHTTPSforfree in Windows 11.

My hosting provider, if applicable, is: Not sure.

I can login to a root shell on my machine (yes or no, or I don't know): Don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I'm using Godaddy DNS Management.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Not using certbot. I'm using Git Bash

Hopefully all this makes sense and any help is always appreciated.

Eddie
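
A pre-flight check for the DNS option in Step 4, as an added example that is not part of the original post or of GetHTTPSforfree: it derives the name queried for a dns-01 challenge, the host label for a DNS panel whose Name field is relative to the zone, and tests whether `dig +short` output contains the expected value. The function names, the zone-relative Name field and the sample dig output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for an ACME dns-01 TXT record.
# Function names and the sample dig output are constructed for illustration.

# Name the CA queries for a dns-01 challenge: _acme-challenge.<identifier>
acme_txt_fqdn() {
    printf '_acme-challenge.%s\n' "${1%.}"
}

# Host label for a provider whose Name field is relative to the zone (assumption).
# Prints "@" for the zone apex; fails if the name is not inside the zone.
relative_host() {
    fqdn=${1%.}; zone=${2%.}
    case "$fqdn" in
        "$zone")   printf '@\n' ;;
        *".$zone") printf '%s\n' "${fqdn%".$zone"}" ;;
        *)         return 1 ;;
    esac
}

# Succeeds if any TXT string in `dig +short` output equals the expected value.
# dig prints each TXT string in double quotes, one record per line.
txt_matches() {
    expected=$1; dig_output=$2
    printf '%s\n' "$dig_output" | tr -d '"\r' | grep -Fxq -- "$expected"
}

# Live check against one authoritative server (requires dig and network access).
check_live() {  # usage: check_live <nameserver> <identifier> <expected-value>
    out=$(dig +short "@$1" "$(acme_txt_fqdn "$2")" TXT) || return 2
    txt_matches "$3" "$out"
}

# Offline demonstration with the values shown in the post above.
DOMAIN=ilo5-server.yourfuturetosuccess.com
ZONE=yourfuturetosuccess.com            # assumed zone for this identifier
VALUE=o-9hqV6hs61pW_3K60EDN1Y_VJbOyaNjsKDlZrMz5yE
SAMPLE_DIG="\"$VALUE\""                 # constructed: dig output once the record is served

echo "query name: $(acme_txt_fqdn "$DOMAIN")"
echo "host label: $(relative_host "$(acme_txt_fqdn "$DOMAIN")" "$ZONE")"
txt_matches "$VALUE" "$SAMPLE_DIG" && echo "TXT value present"
txt_matches "$VALUE" "" || echo "empty answer: record not served yet"
```

Run `check_live` against each authoritative nameserver of the zone before asking the CA to validate; an empty answer there means the challenge lookup will fail as well.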

If you want to install the certificate on your Windows Server, then the best option would be to install an ACME client directly on it, e.g. https://certifytheweb.com/

It has DNS support for GoDaddy, but be aware, the GoDaddy API is available only to customers with 10+ domains. Alternatively, you may use e.g. acme-dns | Certify The Web Docs and set a CNAME record instead.

5 Likes

Thanks Patryk,

I've been using Certifytheweb for a couple years. I use it for an SSL Certificate used to secure Anywhere Access via web browser. I wish I could use it to create an SSL for ILO5; if it was possible, I don't know how to go about doing that. I don't have Certify Certificate Manager installed. I also don't have 10 domains so it looks like I won't be able to use it anyways in my case. What I liked about GetHTTPSforfree is that it has step by step instructions on how to create a free SSL Certificate. I don't know the first thing about how to use acme-dns and would require step by step instructions on how to use it to create an SSL Certificate specifically to install in my ILO5 Server. In the past I have created the ILO5 CSR and had my own Internal Windows Server CA sign it and I would manually install it on the ILO5 Server and it worked great for a while but when it came time to renew it everything worked the same as before but now the web browser doesn't trust it, so it says it's not secure and I have installed the CA Certificate and SSL Certificate into the Trusted Certificate Authority Store and the web browser still doesn't trust the SSL Certificate regardless of what web browser I use to access ILO5. Clearing the web browser cookies and cache does not help either. And purchasing an SSL that would have to be paid every renewal time to secure my ILO5 Server is a last resort.

Now that I'm recalling things, I remember when I was following the step by step instructions for setting up Certifytheweb for the first time on my server, the instructions directed me to go to GoDaddy to obtain the API key and I only had 2 Domains at the time and I did get the API key details. You saying that 10 domains were needed triggered my memory. I'm not doubting what you said, I'm just saying that I do physically have the API Key details from GoDaddy if that helps in any way. In any case I still have no knowledge on how to go about using ACME Client to generate an SSL Certificate for ILO5.

Best regards,

Eddie

OK, now I see. The ILO is embedded out-of-band management. Yeah, that will complicate getting a certificate for it. I suppose the best is to simply use a self-signed cert and set an exception in your browser. Alternatively, if the ILO provides an API, you might try writing an installation script for the Certifytheweb (or other) client to use (next-level difficulty).

GoDaddy's 10 domain limitation is quite new (April 2024). If they don't suit you, why not transfer/delegate your domains to someone else? acme-dns is a convenient workaround, because instead of moving the whole domain, you just move the validation record.

CertifyTheWeb has a standalone listener that maybe could be used and avoid the DNS API. Their docs and community are great resources for details. Windows port handling is more flexible than Linux systems and CTW takes advantage of that.

I know it has various options for "deploy" which can include just exporting to files for use in systems that need that. Or, coordinate the Windows trust store.

The CTW author often shows up here but probably best if you work with them directly.

HTTPforFree is a manual process. The industry is moving towards shorter lived certs and manual processes will become even more cumbersome. LE will start this soon so an automated option is far better. See: Shorter Certificate Lifetimes and Rate Limits - Let's Encrypt

2 Likes

I have no idea if my ILO5 provides an API or not. I've never had to make any exceptions in my web browser before so I don't even know how to. I usually use MS Edge for the ILO5 though it's probably not the best browser to use. All I know is that in the past I have had ILO5 generate a CSR which is required, then I copied and pasted the base-64-encoded info into my CA using Microsoft Certificate Services and the CA would sign it and issue the certificate. All I had to do then is log into ILO5 and import the trusted SSL cert; the ILO5 would then reset and when it came back online I would have a secured web browser to access ILO5. Now, performing the same process, the web browser does not trust the SSL signed by my internal CA anymore and I have researched for hours trying to resolve the issue with no success.

I don't think iLO has an API, but there's a Python tool to interact with it, including deploying certificates:

I use it in a tool I adapted for this purpose:

3 Likes

I have python-hpilo. Unfortunately I'm at the crawl stage on using it and have not found any thorough step by step guides to generating an ILO5 SSL Cert that my web browser will trust. If you're aware of any step by step guides please send it to me.

Best regards,

Eddie

No, I'm not aware of any step-by-step guides. My tool (linked above, which is an adaptation of someone else's work) automates it pretty well, though. In general, the process looks like this:

  • Use hpilo to obtain a CSR from the iLO controller
  • Use an ACME client of your choice to have Let's Encrypt sign that CSR
  • Use hpilo to deploy that cert to the iLO controller.

The first step can be done just once, as that CSR can be reused, but the second and third need to be done regularly. That means, in effect, that you'd need to use a different DNS host, so that you can automate those updates.

3 Likes

When I use Python to try to access my ILO using this command

    # Replace 'ilo_ip', 'username', and 'password' with your iLO details
    ilo = hpilo.Ilo('ilo_ip', 'username', 'password')

I get this NameError: name 'hpilo' is not defined. Like I said before I'm at the crawl stage on using this tool.

That's probably a missing import statement in your Python code, though I don't use hpilo that way; I use it as a standalone command-line tool.

3 Likes

I guess maybe I don't have Python hpilo, I have Python 3.14, that's not the same thing?

No, I didn't miss anything in the coding. If I'm not mistaken I think hpilo needs to be installed into Python separately and I don't know how to do that. All I see for example codes are Redhat, Fedora and Linux and I don't use or know how to use any of those applications.

Yes, I'd expect so. Its docs seem to address this:

3 Likes

But I don't know how to install it separately. I'll have to research it. I'm hoping someone here already knows how to install hpilo into Python and could send me the instructions and save me a lot of time not having to research it. Believe me, I'm not lazy when it comes to researching but I already lost a lot of time just trying to use GetHTTPSforfree with no success.

Best regards,

Eddie

If the docs (at the link I gave) don't answer the question, perhaps the maintainers of that software can. I'm afraid I don't have any further information on that, because (as I said) I don't use hpilo as a python library.

2 Likes

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

I have verified that Python-hpilo is installed in Python. So, can someone please tell me what Shell do I use for the BASH Commands below? Is it, Python, Gitbash, Powershell or something else?

PS C:\Users> pip list
Package Version


acme 5.3.1
certbot 5.3.1
certbot-dns-desec 1.3.2
certifi 2026.2.25
cffi 2.0.0
charset-normalizer 3.4.4
ConfigArgParse 1.7.1
configobj 5.0.9
cryptography 46.0.5
decorator 5.2.1
distro 1.9.0
dnspython 2.8.0
idna 3.11
josepy 2.2.0
jsonpatch 1.33
jsonpath-rw 1.4.0
jsonpointer 3.0.0
parsedatetime 2.6
pip 26.0.1
ply 3.11
pycparser 3.0
pyOpenSSL 25.3.0
pyRFC3339 2.1.0
python-hpilo 4.4.3
python-ilorest-library 7.0.0.0
pywin32 311
requests 2.32.5
setuptools 82.0.0
six 1.17.0
urllib3 2.6.3
PS C:\Users\

To install an SSL certificate into iLO 5 using the python-hpilo library, you must first generate a Certificate Signing Request (CSR) from the iLO, sign it with your Certificate Authority (CA), and then import the signed certificate. The hpilo library includes command-line tools that facilitate this process.
The process requires the hpilo_cli command-line utility, which is installed as part of the Python hpilo package.

Prerequisites

  • The python-hpilo library and its CLI tools installed (pip install python-hpilo).
  • The iLO IP address, username, and password.
  • Access to a Certificate Authority (CA) that can sign your CSR.

Installation Steps

  1. Generate the CSR using hpilo_cli: Run the following command, replacing the placeholders with your specific details. This command triggers the iLO to generate a new CSR internally and displays it.

    bash

    hpilo_cli -l <user> -p <password> <ilo_ip> certificate_signing_request country=US state=FL locality=Grant organization=ExampleOrg organizational_unit=IT common_name=ilo5.example.com
    
    
    • Note: The first time you run this, the iLO will start generating the CSR, which can take a few minutes (up to 10). You may need to wait and re-run the command until the CSR content is returned in the output.
    • Copy the full CSR output, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
  2. Sign the CSR with your Certificate Authority (CA): Take the generated CSR and submit it to your organization's CA (e.g., using openssl or your CA's web interface) to obtain a signed X.509 certificate in PEM format.

  3. Import the signed certificate using hpilo_cli: Once you have the signed certificate file (e.g., ilo.crt), use the import_certificate command to upload it to the iLO.

    bash

    hpilo_cli -l <user> -p <password> <ilo_ip> import_certificate certificate="$(cat ilo.crt)"
    
    
    • The $(cat ilo.crt) command reads the content of your certificate file into the command. The file should be in PEM format, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
  4. iLO Reset: After the import, iLO will prompt you to confirm the request and reset to apply the new certificate. The new trusted certificate will be in use only after the iLO reset.
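
A check to run between steps 2 and 3 above, as an added example that is not part of the original post or of python-hpilo: the private key stays on the iLO, so the signed certificate must carry the same public key as the CSR the iLO produced. The script compares the two with openssl and confirms the certificate has not expired; function names, file names and the throwaway sample files are assumptions.

```shell
#!/bin/sh
# Added example: confirm a signed certificate belongs to the CSR before import.
# Function and file names are illustrative assumptions, not part of python-hpilo.

# SHA-256 of the DER public key in a PEM file; $1 is "req" (CSR) or "x509" (cert).
key_fp() {
    pub=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Returns 0 only if the cert carries the CSR's public key and stays valid
# for at least $3 more seconds (default 0).
cert_ready_for_import() {
    csr_fp=$(key_fp req "$1") || { echo "cannot read CSR: $1" >&2; return 2; }
    crt_fp=$(key_fp x509 "$2") || { echo "cannot read certificate: $2" >&2; return 2; }
    if [ "$csr_fp" != "$crt_fp" ]; then
        echo "public key in $2 does not match $1" >&2; return 1
    fi
    openssl x509 -in "$2" -noout -checkend "${3:-0}" >/dev/null ||
        { echo "certificate expires too soon" >&2; return 1; }
}

# Constructed sample: throwaway key, CSR and self-signed certs in directory $1.
make_sample() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ilo5.example.com" \
        -keyout "$1/a.key" -out "$1/a.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 1 \
        -out "$1/a.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=ilo5.example.com" \
        -keyout "$1/b.key" -out "$1/b.crt" -days 1 2>/dev/null
}

# Usage: sh check_cert.sh ilo.csr ilo.crt   (no arguments runs the sample)
if [ "$#" -eq 2 ]; then
    cert_ready_for_import "$1" "$2" && echo "OK to import"
else
    tmp=$(mktemp -d) && make_sample "$tmp"
    cert_ready_for_import "$tmp/a.csr" "$tmp/a.crt" && echo "match: OK to import"
    cert_ready_for_import "$tmp/a.csr" "$tmp/b.crt" 2>/dev/null || echo "mismatch caught"
    rm -rf "$tmp"
fi
```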