How to clean a slate

I don't see anything in those firewall rules that would suggest that stopping it would fix anything.

Do you mean the Linux netstat? In FreeBSD it is sockstat.

Can anyone suggest anything? Even an alternative to certbot? A reminder: the server is running on FreeBSD. Several of the diagnostic attempts were apparently Linux based.

So there is no hope for me using certbot?

Something needs to change for things to work.
The problem is we can't find what that something is.
I'm not sure that changing the ACME client will fix anything.
[I don't think your `certbot` is *broken*]

You could try using acme.sh

Can't find acme.sh. Guess this will teach me: leave a working system alone.

Where did you look? If you type acme.sh into the address bar of a web browser you will wind up at the project GitHub page.

I looked in my server... Oh fun, another application to install.

Thanks for taking the time to respond. Remember I was able to break Let's Encrypt. Along those lines I managed to install acme from GitHub but it didn't execute. Yes, I changed all the permissions and ownership. I tried again and installed from ports (I am running FreeBSD).

OK, they forced me back to basics, which I think is where the problem is.

I have three domains hosted on one server. I am running Apache, Dovecot and Postfix. I have the usual suspects in DNS, wait, FTP, WWW for each domain. Do I have to include all 9 domains in the CSR? This is sort of an out of right field question so please bear with me.

The issue is with the options. "t" is definitely not liked. This is also out of left field. Do all of the virtual hosts have to be functioning?

Forget for a moment trying to get the certificate to work. Get your domains working over HTTP on TCP port 80, ensuring that they are accessible from any country using something like https://www.geopeeker.com/

Then try your certificate stuff again.

Iced that. Running the web server with all domains. Back to the %%* certificates.

So the reason you need a certificate at all is because modern browsers, apps and operating systems require trusted connections to servers (e.g. your website). This in turn requires that your domains are real, and that your service domain name can be validated by a public Certificate Authority (e.g. Let's Encrypt) so they can issue you a certificate (and you can become trusted, as far as your server's domain identity goes anyway).

wandjbrewery.com: this domain is made up and has not yet been registered. If you intend to use it, register it with a real domain registrar (e.g. Cloudflare etc.) now; you can't use it in a certificate because it cannot be validated by the CA. If you cannot use it yet, don't try to include it in your certificate because it will fail to validate.

Domain validation can either be done by connecting to your server and getting an expected response (via HTTP validation, or the less common tls-alpn-01) or by publishing a challenge response in your domain's DNS for each identifier you want to include (DNS validation). If you try to use HTTP validation (as per your original post) but block incoming requests, then you risk also blocking HTTP validation checks. Better to block specific countries if you need to. If your server cannot do HTTP (plain text over TCP port 80) at all then you cannot use it to serve HTTP challenge responses.

Regarding certbot etc., these tools are just things that talk to the CA (Let's Encrypt) and try to help simplify the process, but all they're really doing is telling the CA you want a single cert for x.com, www.x.com, y.com etc.; then the CA asks it/you to prove you control those domains (by answering an HTTP challenge or a DNS challenge), and tools like Certbot then try to help with automatically answering the challenges as well.

If validation works then the CA can issue you a cert, which is just a structured file associated with your domain(s) with a "public key" (number) which matches the "private key" (secret numbers + algorithm) you already have stored on your machine.

To actually use a cert you generally have a certificate file (or more likely a "full chain" file, which is a chain of certificates leading back to the CA's own certificate), and your private key file. Your web server will have documentation on how these files are normally referred to (the chain file and the private key), and usually there is also some config you can set to say which domains that part of the config relates to (e.g. ServerName, ServerAlias), which port it will listen on for HTTPS (usually 443) etc.

This last part (pointing at the right files and enabling TLS/HTTPS) is something Certbot tries to help with (through the apache and nginx installers), but you can optionally just do it yourself, and it's worth understanding the config for that part if you are serious about working with web servers in the future. Understanding that config will empower you to work with TLS-enabled services outside of just web servers, and it will allow you to unpick problems by simply looking at the config you have.
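As an added example (not code from this thread, from Certbot or from the Apache project), here is the configuration the post above describes, written as a small POSIX shell helper so one call produces the port-80 and port-443 VirtualHosts for a domain and its www alias. The paths for certbot's live directory and Apache's Includes directory are assumptions for certbot and Apache installed from FreeBSD ports; check them against your install. The port-443 host references files that certbot only writes on the first successful issuance, so it is kept as a separate function: add it after the cert exists, because Apache refuses to start when SSLCertificateFile points at a missing file.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the two Apache 2.4
# VirtualHosts one domain needs: plain HTTP on port 80 (also where the CA
# fetches /.well-known/acme-challenge/<token>) and HTTPS on 443 pointing at
# the chain and key files certbot writes.
# Assumptions (hypothetical; verify on your host): certbot from FreeBSD ports
# keeps its state under /usr/local/etc/letsencrypt, and Apache reads
# /usr/local/etc/apache24/Includes/*.conf automatically.
LE_LIVE="${LE_LIVE:-/usr/local/etc/letsencrypt/live}"
APACHE_INCLUDES="${APACHE_INCLUDES:-/usr/local/etc/apache24/Includes}"

# vhost_http DOMAIN WEBROOT: port-80 host for DOMAIN and www.DOMAIN.
vhost_http() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    ServerAlias www.$1
    DocumentRoot "$2"
    # The CA must be able to fetch $2/.well-known/acme-challenge/<token>
    # from anywhere on the internet over plain HTTP. A firewall that drops or
    # rejects inbound port 80 produces "Connection refused" or a timeout in
    # the CA's report no matter how Apache is configured.
    <Directory "$2">
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog "/var/log/httpd-$1-error.log"
</VirtualHost>
EOF
}

# vhost_https DOMAIN WEBROOT: port-443 host using certbot's live files.
# Needs "LoadModule ssl_module" and "Listen 443" enabled in httpd.conf.
# Only install this block once certbot has issued the certificate: if the
# two files do not exist yet, "apachectl configtest" fails and httpd stays
# down, which also breaks certbot's apache plugin on the next run.
vhost_https() {
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    ServerAlias www.$1
    DocumentRoot "$2"
    SSLEngine on
    # fullchain.pem: your certificate followed by the CA's intermediate(s).
    SSLCertificateFile "$LE_LIVE/$1/fullchain.pem"
    # privkey.pem never leaves this host; keep it readable by root only.
    SSLCertificateKeyFile "$LE_LIVE/$1/privkey.pem"
</VirtualHost>
EOF
}

# vhost_conf DOMAIN WEBROOT: both hosts, ready for Includes/DOMAIN.conf.
vhost_conf() {
    vhost_http "$1" "$2"
    echo
    vhost_https "$1" "$2"
}

# install_vhost DOMAIN WEBROOT: write the file, then let Apache check the
# syntax before reloading so one typo cannot take every site down.
install_vhost() {
    vhost_conf "$1" "$2" > "$APACHE_INCLUDES/$1.conf" &&
    apachectl configtest && apachectl graceful
}

# Only acts when invoked as "sh thisfile install"; plain sourcing is harmless.
if [ "${1:-}" = "install" ]; then
    for d in kasdivi.com theoceanwindow.com wandjbrewers.com; do
        install_vhost "$d" "/usr/local/www/$d"
    done
fi
```

Call vhost_http first, get the port-80 site answering from outside, run certbot, and only then add vhost_https; if you later use `certbot --apache`, it will look for exactly these ServerName/ServerAlias lines to decide which VirtualHost to edit.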

Along the way of beating my head against the wall, I made a typo (fat fingers and poor vision). That is supposed to be wandjbrewers.com which, while a placeholder, works and resolves. I actually forget how I broke this whole mess. I was trying to improve something in SSL and dropped a nuke.

Anyway. I went back and reconfigured Apache, ran Certbot and got this:

1: kasdivi.com
2: www.kasdivi.com
3: theoceanwindow.com
4: www.theoceanwindow.com
5: wandjbrewers.com
6: www.wandjbrewers.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2,3,4,5,6
Requesting a certificate for kasdivi.com and 5 more domains
Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).

Unable to restart apache using ['apachectl', 'graceful']
Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).

Unable to restart apache using ['apachectl', 'graceful']
Encountered exception during recovery: certbot.errors.MisconfigurationError: Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).
Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

OK, I think this is where I started. Apache is running and responding; Apache was running before I ran Certbot. Thoughts? I know I have messed this up, which is why I was trying to get a clean slate.

Ensure that both Apache and certbot are up-to-date.

OK. I THINK I updated Apache. Before I run Certbot, I make sure that Apache is running. The new Certbot error, which appears to be Apache related (I imagine it has to do with Apache), is:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Unable to read ssl_module file; not disabling session tickets.

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: kasdivi.com
2: www.kasdivi.com
3: theoceanwindow.com
4: www.theoceanwindow.com
5: wandjbrewers.com
6: www.wandjbrewers.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for kasdivi.com and 5 more domains

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: kasdivi.com
Type: connection
Detail: 209.160.65.133: Fetching http://kasdivi.com/.well-known/acme-challenge/Ad6DOZmscgTZuCdEvkpxSPnWUHAqH732IocvI9vXckI: Connection refused

Domain: theoceanwindow.com
Type: connection
Detail: 209.160.64.187: Fetching http://theoceanwindow.com/.well-known/acme-challenge/EJrlEFT-r84YMMYZBg7OI3jJTF0ZA7voDsFTYy6Jo-U: Connection refused

Domain: wandjbrewers.com
Type: connection
Detail: 209.160.65.133: Fetching http://wandjbrewers.com/.well-known/acme-challenge/cE734YtlKNtR6ipdKyfoULiauUknh_4ihmbfwkffKuw: Connection refused

Domain: www.kasdivi.com
Type: connection
Detail: 209.160.65.133: Fetching http://www.kasdivi.com/.well-known/acme-challenge/KPtuS_bzyVtpqAZm-T-sCwKyCLnvQmXuhHhuUaorRc0: Connection refused

Domain: www.theoceanwindow.com
Type: connection
Detail: 209.160.64.187: Fetching http://www.theoceanwindow.com/.well-known/acme-challenge/TaS_0wZXp1nuT2w-Jb0Z16tHfwkxtuDgptZazt7N5SM: Connection refused

Domain: www.wandjbrewers.com
Type: connection
Detail: 209.160.65.133: Fetching http://www.wandjbrewers.com/.well-known/acme-challenge/xdpqyuc3JWZP2ucr68RnJ2Fh6h56LF-8sTdXnlrfoOQ: Connection refused

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).

Unable to restart apache using ['apachectl', 'graceful']
Encountered exception during recovery: certbot.errors.MisconfigurationError: Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details

Apache issue now?

Both: Yes and No.

  • Yes, there is an "Apache" issue:
    certbot is unable to use the Apache plugin to control Apache

  • No, the "Connection refused" errors are NOT [likely] Apache related

Also, I see two different IPs [is that expected?]:

Actually the server has three IPs.

As to the rest, I have no idea why there would be a connection issue, and I am unsure as to what Apache plugin you are referring to.

Let me restate that: I know that there is a connection issue.

type: connection
Detail: 209.160.65.133: Fetching http://kasdivi.com/.well-known/acme-challenge/Ad6DOZmscgTZuCdEvkpxSPnWUHAqH732IocvI9vXckI: Connection refused

There is no .well-known directory. I looked for it as root, so it should show.

While running certbot, some questions may have come up, like:

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)
3: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
4: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-4] then [enter] (press 'c' to cancel):

If you were to pick "#1", then certbot would be using an Apache plugin.

If certbot was able to create the directory, it would also delete it after use.
Meaning: It would only be there while certbot is running.
If certbot was unable to create the directory, then it may be having issues with the plugin in use.
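An added example, not part of the thread and not Certbot's code: a POSIX shell helper that condenses the certbot failure report quoted earlier into one line per domain, so the two addresses and the uniform "Connection refused" stand out the way the Yes-and-No reply describes, plus a challenge_selftest function that does what the webroot authenticator and the CA do between them: it places a throwaway file under /.well-known/acme-challenge/ in the webroot and fetches it over plain HTTP on port 80. The sample report is copied from the certbot output posted above; the webroot layout and the availability of sockstat and curl are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. (1) Turn the CA's failure report into
# one line per domain with a verdict; (2) prove from this host that a token
# under /.well-known/acme-challenge/ is served over HTTP on port 80.
# Assumptions (hypothetical): FreeBSD with curl installed; the WEBROOT given
# to challenge_selftest is the DocumentRoot of that domain's port-80 host.

# summarize_failures: read certbot's "Domain:/Type:/Detail:" blocks on stdin,
# print "<domain> <ip> <type> <verdict>" per failure. Non-connection errors
# (e.g. "DNS problem") carry no address and come out as verdict "other".
summarize_failures() {
    awk '
        /^Domain:/ { domain = $2 }
        /^Type:/   { type = $2 }
        /^Detail:/ {
            ip = $2; sub(/:$/, "", ip)
            verdict = "other"
            # TCP reset: nothing bound to that IP:80, or a firewall rejecting.
            if ($0 ~ /Connection refused/) { verdict = "port80-closed" }
            # Packets dropped on the way, or never reached this machine.
            else if ($0 ~ /Timeout/) { verdict = "port80-filtered" }
            # Something answered on 80 but not the token: wrong vhost/webroot.
            else if ($0 ~ /Invalid response/) { verdict = "wrong-vhost" }
            print domain, ip, type, verdict
        }'
}

# failing_ips: distinct addresses the CA tried. Compare with the listeners in
# "sockstat -4l | grep :80" to see whether Apache binds each of them.
failing_ips() {
    summarize_failures | awk '{ print $2 }' | sort -u
}

# challenge_selftest DOMAIN WEBROOT: put a throwaway token where certbot's
# webroot authenticator would, fetch it the way the CA does, clean up.
# Returns 0 only if the exact content came back via http://DOMAIN on port 80.
challenge_selftest() {
    dir="$2/.well-known/acme-challenge"
    token="selftest-$$"
    mkdir -p "$dir" && printf 'ok-%s\n' "$token" > "$dir/$token" || return 1
    got="$(curl -sS --max-time 10 "http://$1/.well-known/acme-challenge/$token")"
    rc=$?
    rm -f "$dir/$token"
    [ "$rc" -eq 0 ] && [ "$got" = "ok-$token" ]
}

# sample_report: the six failures from the certbot run quoted in the thread.
sample_report() {
    cat <<'EOF'
Domain: kasdivi.com
Type: connection
Detail: 209.160.65.133: Fetching http://kasdivi.com/.well-known/acme-challenge/Ad6DOZmscgTZuCdEvkpxSPnWUHAqH732IocvI9vXckI: Connection refused

Domain: theoceanwindow.com
Type: connection
Detail: 209.160.64.187: Fetching http://theoceanwindow.com/.well-known/acme-challenge/EJrlEFT-r84YMMYZBg7OI3jJTF0ZA7voDsFTYy6Jo-U: Connection refused

Domain: wandjbrewers.com
Type: connection
Detail: 209.160.65.133: Fetching http://wandjbrewers.com/.well-known/acme-challenge/cE734YtlKNtR6ipdKyfoULiauUknh_4ihmbfwkffKuw: Connection refused

Domain: www.kasdivi.com
Type: connection
Detail: 209.160.65.133: Fetching http://www.kasdivi.com/.well-known/acme-challenge/KPtuS_bzyVtpqAZm-T-sCwKyCLnvQmXuhHhuUaorRc0: Connection refused

Domain: www.theoceanwindow.com
Type: connection
Detail: 209.160.64.187: Fetching http://www.theoceanwindow.com/.well-known/acme-challenge/TaS_0wZXp1nuT2w-Jb0Z16tHfwkxtuDgptZazt7N5SM: Connection refused

Domain: www.wandjbrewers.com
Type: connection
Detail: 209.160.65.133: Fetching http://www.wandjbrewers.com/.well-known/acme-challenge/xdpqyuc3JWZP2ucr68RnJ2Fh6h56LF-8sTdXnlrfoOQ: Connection refused
EOF
}

# "sh thisfile demo" summarises the quoted report. For a real run:
#   certbot ... 2>&1 | tee report.txt; summarize_failures < report.txt
if [ "${1:-}" = "demo" ]; then
    sample_report | summarize_failures
    printf 'addresses the CA tried: %s\n' "$(sample_report | failing_ips | tr '\n' ' ')"
fi
```

Read the verdict column first: six times "port80-closed" across two addresses means the CA reached both hosts and got a TCP reset, so look at what listens on each address and at the packet filter's reject rules before touching certbot again. Once challenge_selftest passes for every name from outside your own network, the webroot authenticator (option 4 above) will work without certbot needing to restart Apache at all.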