My domain is: oleum.net
I ran this command:
sudo certbot certonly --webroot
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): oleum.net
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for oleum.net
Input the webroot for oleum.net: (Enter ‘c’ to cancel): /var/www/oleum.net/
Waiting for verification…
Challenge failed for domain oleum.net
http-01 challenge for oleum.net
Cleaning up challenges
Some challenges have failed.
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Note: A record updated at 1and1 this afternoon, several hours ago. I can ssh in with key from a machine on a different fixed IP using ssh username@oleum.net, so it looks like the domain name is resolving to the IP address.
My web server is (include version):
apache2
The operating system my web server runs on is (include version):
Ubuntu 20.0.4 LTS
My hosting provider, if applicable, is:
hosted on fixed IP on network behind a Linksys router
DMZ enabled and running ufw (enabled, but disabled when tested)
I can login to a root shell on my machine (yes or no, or I don’t know):
user elevated (sudo)
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.7.0
Yes, something has definitely changed.
I got a green on the Let's Debug page initially. I took the firewall down for a while. Previously I'd only opened apache and ssh on a different port with key login only; now I get a bunch of red.
Well I took down firewall and STARTED apache. Connected and…
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): oleum.net
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for oleum.net
Input the webroot for oleum.net: (Enter ‘c’ to cancel): /var/www/oleum.net/html
Waiting for verification…
Cleaning up challenges
Subscribe to the EFF mailing list (email: oleum@oleum.net).
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/oleum.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/oleum.net/privkey.pem
Your cert will expire on 2020-11-21. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
“certbot renew”
If you like Certbot, please consider supporting our work by:
firewall made no difference, it was because I had apache2 down, I think.
UFW is up now, get a green on the Let's Debug page.
I'll be back in a few months if it won't renew.
Now how do I test if it works?
So all is good I believe, except I’m not sure where these files have to go and what I need in my /etc/apache2/sites-available/my.site.conf file to enable them to be discovered.
I've looked round a while, thought someone might know and save me a lot of time.
TIA
I am not exactly sure of all of the idiosyncrasies of your configuration. Am I correct in assuming that you used certonly because you didn't want certbot to try to enable https and install your cert for you? If not, you could use certbot install.
Have a look at the a2ensite and a2dissite commands; they come with an Apache install and enable/disable sites.
The idea is that you can have multiple sites in conf/sites-available and enable them by symlinking to conf/sites-enabled.
I tend to use this quite often nowadays, even after thinking that I am a one-site-per-person type of guy.
The certificates+keys go in the letsencrypt-installed directories and your Apache conf (my-site.conf or whatever you call it) references them.
I also find it a bit annoying that letsencrypt needs http (for cert-renewal) in order to enable https (someone correct me if I am wrong) - I use a cronjob to remap 80 to my apache for cert-renewal and to another server during daytime.
Anyway, my ionos firewall has port 80 open all the time.
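As an added illustration (not code from either poster), here is what a `sites-available` file for this setup could look like: the webroot is the `/var/www/oleum.net/html` path from the successful run, the certificate and key paths are the ones certbot printed, and `my.site.conf` is the file name from the question. It keeps port 80 answering for http-01 renewals, as the reply above notes, and serves everything else over HTTPS.

```apache
# /etc/apache2/sites-available/my.site.conf  (file name taken from the question)

# Port 80 stays open so certbot's webroot http-01 challenge keeps working
# at renewal time; everything except the challenge path is sent to HTTPS.
# Needs mod_rewrite: sudo a2enmod rewrite
<VirtualHost *:80>
    ServerName oleum.net
    DocumentRoot /var/www/oleum.net/html

    RewriteEngine On
    # Leave /.well-known/acme-challenge/ reachable over plain HTTP
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# HTTPS vhost referencing the files certbot saved under /etc/letsencrypt/live/.
# The "live" paths are symlinks that certbot updates on renewal, so the
# config does not change when the certificate does. Needs mod_ssl: sudo a2enmod ssl
<VirtualHost *:443>
    ServerName oleum.net
    DocumentRoot /var/www/oleum.net/html

    SSLEngine on
    # fullchain.pem holds the leaf plus intermediate; Apache 2.4.8+ reads the
    # chain from here, so no separate SSLCertificateChainFile is needed.
    SSLCertificateFile    /etc/letsencrypt/live/oleum.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/oleum.net/privkey.pem

    # Disable legacy protocol versions
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
```

Enable it with `sudo a2enmod ssl rewrite && sudo a2ensite my.site.conf && sudo apachectl configtest && sudo systemctl reload apache2`, then confirm the certificate at `https://oleum.net` in a browser. To answer "how do I test if it works" for renewal without touching the live certificate, run `sudo certbot renew --dry-run`.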