Hi there,
I have set up an xrdp server on my embedded device (BBB running Ubuntu 20.04). I am trying to create the trusted certificates using certbot. Could you please help me understand the correct input for the parameters below:
- Valid Email
- Valid Domain - What should be the correct domain name? What if a domain name is not present? What are the alternatives to complete this process without a domain name? How should I create the correct domain name for the company I am working for?
- How to automate this certificate installation on Windows/Ubuntu trying to connect to the remote desktop using an RDP client?
- I observed the error messages below while creating the certificate -
sudo certbot certonly --standalone -d rdp.example.com (this is for exercise purpose)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): chougulemrudula@gmail.com
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf. You must agree
in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
(A)gree/(C)ancel: A
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: y
Obtaining a new certificate
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "rdp.example.com": The ACME server refuses to issue a certificate for this domain name, because it is forbidden by policy
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
Please provide your valuable input/suggestions to create the trusted certificates.
Thanks,
Mrudula
1 Like
Welcome to the Let's Encrypt Community! 
Are you truly trying to acquire a certificate for rdp.example.com?
4 Likes
Hi griffin,
Thanks for your reply.
I am trying to understand how to create a trusted certificate using certbot and how this works for my setup. If it works well, I will plan to create staging and production license.
What should be the correct domain name? I tried a couple of options, but it gives the errors below:
sudo certbot certonly --standalone --staging -d copeland.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): mrudula.patil@copeland.com
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf. You must agree
in order to register with the ACME server at
https://acme-staging-v02.api.letsencrypt.org/directory
(A)gree/(C)ancel: A
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for copeland.com
Waiting for verification...
Challenge failed for domain copeland.com
http-01 challenge for copeland.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
-
The following errors were reported by the server:
Domain: copeland.com
Type: unauthorized
Detail: 2606:4700:4408::6812:22c8: Invalid response from
https://www.copeland.com/.well-known/acme-challenge/7tiupifhcz9b9qiwllh99a23azgo0iguqufqedl0yhk:
404
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
-
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
Please share the correct domain name/test domain name with which I should be able to create the certificates to verify the setup.
Appreciate your suggestions/input.
Thanks,
Mrudula
First, is copeland.com the domain name for your xrdp server? Because that domain is currently proxied at Cloudflare. Getting a cert for the Origin server behind Cloudflare's CDN takes special care.
And, in your first post you used rdp as an example subdomain. I don't see any A or AAAA records for rdp.copeland.com which you use for access to a server if that's its domain.
It is difficult to give advice without specific info about your setup.
Personally, this feels like a better problem to ask at an xrdp forum. It sounds more like you are not sure how to set up your xrdp server and the cert failure is just one symptom of that general problem.
5 Likes
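The checks raised in the reply above (is the name one you control, does it have A/AAAA records, do those records point at the device rather than a proxy), written as a pre-flight test to run before `certbot certonly --standalone`. This is an added example, not part of the original thread or of Certbot; the function names, the reserved-name list, the hostname `rdp.your-domain.net` and the address `203.0.113.10` are assumptions made for illustration.

```python
import ipaddress
import socket

# Reserved by RFC 2606 / RFC 6761 / RFC 6762; not publicly resolvable names.
RESERVED = ("example.com", "example.net", "example.org",
            "example", "test", "invalid", "localhost", "local")
# Ranges a validation server on the internet cannot route to.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def resolve(name):
    """A/AAAA answers for name as strings; empty set when nothing resolves."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0].split("%")[0] for info in infos}


def preflight(name, device_addrs, resolved=None):
    """List the reasons an http-01 (--standalone) run for name would fail.

    device_addrs: addresses at which port 80 of this device is reachable
    (supplied by the operator). resolved: DNS answers to use instead of a
    live lookup, so the constructed samples run offline.
    """
    name = name.rstrip(".").lower()
    if any(name == r or name.endswith("." + r) for r in RESERVED):
        return ["reserved: %s is a reserved name, use a domain you control" % name]
    answers = resolve(name) if resolved is None else set(resolved)
    if not answers:
        return ["no-records: %s has no A/AAAA record" % name]
    device = {ipaddress.ip_address(a) for a in device_addrs}
    problems = []
    for ip in sorted((ipaddress.ip_address(a) for a in answers), key=str):
        if any(ip in net for net in UNROUTABLE):
            problems.append("unroutable: %s is not reachable from the internet" % ip)
        elif ip not in device:
            problems.append("mismatch: %s is not this device (CDN/proxy or stale record?)" % ip)
    return problems


if __name__ == "__main__":
    # Constructed samples; 203.0.113.10 stands in for the device's public address.
    print(preflight("rdp.example.com", ["203.0.113.10"]))
    print(preflight("copeland.com", ["203.0.113.10"], ["2606:4700:4408::6812:22c8"]))
```

An empty list means the name passes these three checks; it does not prove that port 80 is open through any firewall or NAT in front of the device.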
Thanks for the information.
I am new to this. I want to create a trusted certificate using certbot. I would be integrating the same on the xrdp server. The xrdp server is running on the embedded device and there is no domain as such. I am trying to understand how to create the trusted certificates and integrate the same with the xrdp server so that when a user tries to connect to the embedded device using Remote Desktop Connection on Windows, the connection should be certified automatically and there is no need to manually import the certificates.
Please share your thoughts and the correct guidelines and procedure to create the trusted certificates.
Thanks,
Mrudula
I am not an xrdp expert. But, I did some reading and I don't think a certificate is used on its server. It looks to use ssh and keys which are a different thing.
I saw some mention of using a client cert to add extra authentication. But, you should not use Let's Encrypt certs for client auth. In fact, the Client EKU is being removed from Let's Encrypt certs very soon. See: Ending TLS Client Authentication Certificate Support in 2026 - Let's Encrypt
Even if an xrdp server could use a certificate for connections, if it does not have a domain name associated with it you would need to get a cert for its IP address. Let's Encrypt only last month started issuing certs for IP addresses and Certbot does not yet support them. You'd have to use a different ACME Client. Certs for IP addresses only have a lifetime of 6+ days so need to be renewed often. For an embedded device you should also have backup certs in case of problems with Let's Encrypt. Some other Certificate Authorities offer IP-based certs.
Based on what I know, I don't think you are pursuing a productive solution. Although, as noted, I am not an xrdp expert. I still recommend you start by asking these questions on an xrdp support forum. I am sure you are not the first with these kinds of setup questions.
If you could point to some xrdp references that describe how it uses a public cert maybe someone could give advice.
5 Likes