How to issue certificate manually for another server

I haven't used any version of certbot. I need to know the steps first..

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: lb-api-school.jeruedu.com

I ran this command:

It produced this output:

My web server is (include version): Apache

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: HAProxy 2.6.0

I can login to a root shell on my machine (yes or no, or I don't know): No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Have you seen the docs (link below)? We highly recommend using a method that allows automation of cert renewal. Let's Encrypt certs expire after 90 days. We recommend renewing after 60 days so you have time to recover from problems. It can be problematic to do manual tasks like that.

But, if you require a manual request see the --manual option:
https://eff-certbot.readthedocs.io/en/stable/using.html#manual

That said, I am pretty sure HAProxy is able to acquire Let's Encrypt certs automatically. If you want guidance on that just ask.

3 Likes

Hi @fasisi, and welcome to the LE community forum :slight_smile:

If the IP of the server trying to get the cert doesn't match the IP of the name requested [on the cert], then you may have to use DNS-01 authentication.

Note: If you have access to the server needing the cert [which I would expect that you do], then you can also play a redirection trick to send the HTTP-01 authentication request to the other server.
But that assumes that the server needing the cert is also a web server [or, at least, can be reached via TCP port 80(HTTP)].
But if that were the case, then you could simply run an ACME client at the server needing the cert and be done with this.

So... I suspect there are some unusual circumstances around the use of this required cert.
Please elaborate on the matter.
[I'm intrigued...]

3 Likes

@rg305 It's also perfectly fine to SSH into the server from wherever Certbot is running and realllly manually place the token using e.g. echo, vim or nano etc. No redirection or dns-01 necessary.

That said, that wouldn't be automatable, so highly NOT recommended of course.

3 Likes

Hi @MikeMcQ ,

I have seen the doc you sent.

Now, I need to tell you that the haproxy is in a jelastic system. I do not have root access to the OS. I have tried installing certbot on that server and failed.

I have access to the DNS management. So I think I have a chance to setup SSL using dns validation.

Based on the docs on this site (User Guide — Certbot 2.1.0 documentation), is it true that certbot will do the DNS validation?

Can I run certbot from my laptop ?

Hi @rg305 ,

I can not install certbot on the server needing cert.

I imagine that I can install certbot on my Windows laptop. Then certbot gives me a DNS challenge. I can put the challenge in DNS management. Then certbot will check it. If certbot finds it valid, then certbot will produce files for me to put on the server.

This is what I do using sslforfree.com.

Why?
Can you install any other ACME client?

Why would you use that?

3 Likes

Hi @rg305 ,

The jelastic system did not give me the root access.
To be precise, the hosting provider has setup many types of packages. I choose the one which later I found that has no root access... then I realize that another package will give me the root access.

So I can not install anything more than what has been given in the package.

I use sslforfree.com because it works.
But it put a limit of 3 free SSL.
And I still want free SSL so I try let's encrypt.

1 Like

Yes, if using the --manual option in certbot you can use the DNS or HTTP Challenges. The DNS requires adding a TXT record in your DNS Zone. The HTTP has you place a text file in your server's web root folder (Apache DocumentRoot)

More info on challenges below. You are already aware of certbot docs

3 Likes

Hi @MikeMcQ ,

Where can I download certbot for Windows?

Is it from this site : certbot/windows-installer/windows_installer at master · certbot/certbot · GitHub ?

Certbot Instructions | Certbot (eff.org)

3 Likes

Hi @rg305 ,

Thank you very much...

2 Likes

@MikeMcQ , @rg305 ,

I have downloaded the certbot and tried it on windows. I got the SSL files but haven't put it into the server.

I will come back later after I put the files on the server.

Well, that's progress!
Be aware that LE certs are only good for 90 days.
So, each time, you will have to renew it before it expires.
[and put them on the server - and restart the web service]

2 Likes
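A renewal check for a manually deployed certificate, following the 90-day lifetime and renew-after-60-days advice given in this thread. This is an added example, not code from any poster or from Certbot; the function names and the sample certificate dates are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Renew once 2/3 of the lifetime has passed (60 of 90 days), as advised above.
RENEW_NUM, RENEW_DEN = 2, 3

# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
}


def fetch_peer_cert(host, port=443, timeout=10):
    """Return the validated leaf certificate served for host (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _parse(cert_time):
    """Convert a certificate time string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def renewal_status(cert, now=None):
    """Classify a getpeercert()-style dict as 'ok', 'renew' or 'expired'."""
    now = now or datetime.now(timezone.utc)
    not_before = _parse(cert["notBefore"])
    not_after = _parse(cert["notAfter"])
    renew_at = not_before + (not_after - not_before) * RENEW_NUM / RENEW_DEN
    if now >= not_after:
        state = "expired"
    elif now >= renew_at:
        state = "renew"
    else:
        state = "ok"
    return {"state": state, "renew_at": renew_at, "days_left": (not_after - now).days}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a live check use
    # renewal_status(fetch_peer_cert("your.host.example")).
    when = datetime(2024, 3, 5, tzinfo=timezone.utc)
    print(renewal_status(SAMPLE_CERT, now=when))
```

Run from a scheduled task on any machine that can reach port 443 of the load balancer, this flags the certificate while there is still time to repeat the manual issuance and copy the new files to the server.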

I have created another SSL using certbot with --manual option. And it was a success.

Thank you very much for your guidance.

2 Likes
