How to get private key files

I bought domain from google domains. I see valid certificate. But I need private key etc, and I dont know how to get them. So trying to use letsencrypt

Environment - Docker ...Linux Containers, using git bash

I ran this command:
winpty docker run -it --rm --name certbot
-v /"/etc/letsencrypt:/etc/letsencrypt"
-v /"/var/lib/letsencrypt:/var/lib/letsencrypt"
certbot/certbot certonly
opted (1) Standalone (2) supplied my domain name

It produced this output:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: <>
Type: unauthorized
Detail: Invalid response from https://www.<> [2607:f8b0:4007:80d::2013]: "<html lang="en-US" itemsco
pe itemtype=""><meta charset="utf-8"><script nonce="IqaK"

Hint: The Certificate Authority couldn't exterally verify that the standalone plugin completed the required http-01 challenges. Ensure the plugin is configured correctly and that the changes it makes
are accessible from the internet.
My web server is (include version):

The operating system my web server runs on is (include version):
Windows 10

My hosting provider, if applicable, is:
Google domains .. GTS
I can login to a root shell on my machine (yes or no, or I don't know):
I run gitbash as admin

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

docker pull certbot/certbot#

Please help me get private key , cert , fullchain , chain pem files

Hi @kswat, and welcome to the LE community forum :slight_smile:

Are you sure you are on the right system?
Server: ghs

[difficult to provide accurate/useful help without the actual domain name]

1 Like

I presume you mean GTS.. Google Trust... (for Server: ghs)

domain :

The operating system my web server runs on is (include version):
Windows 10
Answer : I do not know. Right now I just have a domain.

Why do you require the private key?

If I surf to your site, I see the "PrimarY Wise" header, so it seems you have more than just the domain: it seems you're also using some kind of Google website hosting service?

1 Like

I am creating a spring web application, and will hook to this domain. my spring application needs certificate and private key/password

What does "hook to this domain" mean? Do you mean you'll change the host the domain is pointing to, to the host you're running your spring web application on?

Also, what's a "spring web application"? And why does it absolutely require a certificate? Can't it run without it?

1 Like

yep. redirect
I will deploy web application to cloud - Azure or gcp or aws. The url for end users is this

I want my spring application to be secure and accessible only using https. I can create a self signed certificate and enable my app to be https only, and test on my machine. But a little confused on the order of my steps.
I assumed I can get pem files with domain name, but I do not know fully (trying like plural sight course instruction...image attached)

It's probably a good idea to educate yourself about how Let's Encrypt works by reading the basics:

Also, the "challenge type" documentation explains the different possible challenges:


I mean that is what the site responds with:

Address:  2607:f8b0:4007:80d::2013

curl -Iki
HTTP/1.1 404 Not Found
Date: Tue, 29 Jun 2021 19:08:08 GMT
Content-Type: text/html; charset=UTF-8
Server: ghs
Content-Length: 1561
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN

So GHS might mean Google Hosting Server(Service).

Updated with the domain name provided:

Addresses: 2001:4860:4802:36::15

curl -Iki4
HTTP/1.1 301 Moved Permanently
Date: Tue, 29 Jun 2021 20:47:55 GMT
Content-Type: text/html; charset=UTF-8
Server: ghs
Content-Length: 221
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN

curl -Iki6
HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Content-Length: 3444

The IPv4 and IPv6 addresses reply somewhat differently...
Whereas LE prefers IPv6, it makes sense that your cert request would fail, given the 403 forbidden response for IPv6.

1 Like

Please can you tell me the fix / resolution

ok thanks. will check

I know the challenge is - required http-01 challenges. and there is a requirement for a folder

I am confused, whether to use certbot or I already have the certificate

certbot github repo did give me problems , - Your system is not supported by certbot-auto anymore

You need to better understand how your web content is being served (and secured).
[I would only be guessing]

Hard to tell from this thread but it sounds like you are on Windows 10, running linux in docker, and you want to be able to use certbot to get a new certificate using http validation.

If that sounds right, I'd suggest that using DNS validation would be potentially easier as otherwise you need to route external port 80 http request through to your docker instance (from the public internet) as that's what's required for http validation to work.

Alternatively fetch your certificate on your desktop machine and feed the certificate files as configuration to docker (skip trying to get docker to fetch certs via certbot).

Hi @webprofusion your are correct.
I am trying to create certificate from my windows 10. As I don't have sudo, I decided to use docker container.

I can use chrome browser, to view and download my DER certificate. But do not know next steps/commands

So you're on Windows 10 but you don't have admin rights to run anything that requires admin? And you don't have command line access to any linux environment (like WSL etc?). This is a very complex way to get your certificate but I'd suggest using DNS validation as http validation is unlikely to work unless you have access to the web server hosting the domain.

The DER file you can download via chrome is no use as it's just your public certificate, you need to get your private key file as well in order to be able to use that certificate in an application. I'm assuming you have managed to get your certificate and can somehow browse to a site using it.

Assuming you have already managed to use certbot under docker to get your certificate you need to copy the privkey.pem and fullchain.pem to a shared volume so you can then use those files once docker has exited. WSL would be more useful for this because you can easily access the linux files from windows.

If this is all just for local dev testing I'd suggest just using a self signed certificate. For your actual live service you will need to configure certificate renewal and validation via http or dns validation.

1 Like

Hi @webprofusion
I have admin rights. I open git bash as an administrator, and can run commands (so equivalent to sudo)

certbot using docker is not working as expected. The error is in the original post. something to do with ipv4 and ipv6.

Please note, I only have "domain" and a single webpage. so don't know .well-known folder etc

I want to create certificates and add to my spring application

Ok, so you could just run certbot on windows and skip docker completely?

Getting and using your certificate via Let's Encrypt involves the following process:
1 - Order the certificate via ACME (using an ACME compatible tool like certbot)
2 - Validate your domain control via http or DNS (server a specific http response on that domain, or add a specific TXT record to that domains DNS). If http validation will be difficult, use DNS validation instead.
3 - Fetch your certificate and optionally convert it to the format you need
4 - Apply your certificate to the service you need it for

Steps 1-3 are performed using your ACME client (certbot or others).
Step 4 may involve your acme client deployment hooks/tasks or may be something you do manually or script.

Does Spring supported pkcs12 cert containers? if so, you could also just use win-acme or Certify The Web (which is a GUI) to get your cert as a PFX file (same as a .p12 file).

I know it feels like nobody is giving you a clear answer to your question but it's really broad topic. Getting a certificate and using it are two different things and both can be quite complicated.

Start by learning how to get your certificate using the ACME client of your choice, then look at how to apply/use it.

1 Like

I found this article

I used my ubuntu VM and was able to make some progress, but stuck at - "set the DNS record within ..", In Google domains page, I went to DNS tab

But I am confused on what to do there

any pointers please

Ok, so you are trying to use acme-dns which is a DNS delegation technique (a form of DNS validation which doesn't modify your own DNS each time and instead uses a CNAME redirection), those particular instructions get you to use an hosted acme-dns service.

When you run certbot with the acme-dns-auth script installed the software will prompt you to create a CNAME record and point it to a specific record hosted by the acme-dns service. You only need to do this once, and subsequent renewals will update the acme-dns service which serves a TXT record one your behalf.

An alternative to using acme-dns is to use the cerbot manual dns challenge, which requires you to set a particular TXT record in your dns every time you renew your certificate. This is useful for testing but it's not automated. User Guide — Certbot 1.16.0.dev0 documentation

1 Like