How to know the location of CA to enable access to my server

Hi, I was trying to install SSL for one of my domains. Our hosting providers allows connections only from UAE. So I asked them to enable connection from US to make it possible for certbot to access my server. After that I get this error. So it will be really helpful to get the country which I should allow access to my server to get the certificate installed.

My domain is: courier.deliveryzone.ae

I ran this command:

certbot --nginx certonly -d courier.deliveryzone.ae -d www.courier.deliveryzone.ae

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Requesting a certificate for courier.deliveryzone.ae and www.courier.deliveryzone.ae

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu 20

My hosting provider, if applicable, is: Local one

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.28.0

Let's Encrypt uses multi-perspective domain validation from around the globe, so an exemption for just the USA (the origin of Let's Encrypt) won't be enough.

It would be a better idea to globally allow requests for the path /.well-known/acme-challenge/ which should not be a security risk (nothing should be present at that location except for validation tokens). Alternatively you might be able to use the dns-01 challenge, if your DNS servers aren't affected by these strict rules from your hosting provider.

6 Likes
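If the country restriction is enforced inside nginx itself (for example by a variable derived from a geo/geoip map) rather than by a network firewall at the provider, the path exemption suggested above can be expressed directly in the server block. The snippet below is an added illustration, not configuration from this thread or from Certbot: it assumes a map variable named $deny_by_country that is "1" for clients outside the allowed country, and a webroot of /var/www/html for the validation tokens (used with certbot --webroot). A firewall that filters by source IP at the network level cannot be scoped to a URL path, so in that case the exemption has to come from the hosting provider or the dns-01 challenge has to be used instead.

```nginx
# Added example, not from the thread. Assumes $deny_by_country is set
# elsewhere (e.g. by a geo/geoip map) to "1" for disallowed countries.
server {
    listen 80;
    server_name courier.deliveryzone.ae www.courier.deliveryzone.ae;

    # ACME http-01 validation path: reachable from every country.
    # Only validation tokens live here, so nothing sensitive is exposed.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/html;        # assumption: certbot --webroot -w /var/www/html
        try_files $uri =404;
    }

    # Everything else keeps the country restriction.
    location / {
        if ($deny_by_country) {
            return 403;
        }
        root /var/www/html;
        try_files $uri $uri/ =404;
    }
}
```

With this in place, a quick check from outside the allowed country is a plain GET of http://courier.deliveryzone.ae/.well-known/acme-challenge/test-file (404 is fine, 403 or a timeout means the exemption is not effective at this layer).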

Thank you for your reply.

I don't have any idea about how to do the dns-01 challenge. It will be helpful if there is any documentation on this one. I tried this command

certbot certonly --manual

But it again asks me to put the token manually in well-known/acme-challenge/ folder but it failed similarly then.

1 Like

That really depends on your DNS provider and if it has an API to change resource records of the hosted zones. Certbot has a few DNS plugins which you can find here: User Guide — Certbot 1.28.0 documentation. Alternatively, there are also a few third party DNS plugins available: User Guide — Certbot 1.28.0 documentation

The manual plugin is documented here: User Guide — Certbot 1.28.0 documentation

It's HIGHLY recommended to automate issuance of certificates. The manual plugin requires scripts to make it automate issuance (and thus renewals).

An ACME client with a lot of DNS plugins is acme.sh. You can find its DNS plugins here: acme.sh/dnsapi at master · acmesh-official/acme.sh · GitHub

If acme.sh lists a DNS plugin for your DNS provider, but Certbot does not, you might be able to make the acme.sh DNS plugin compatible with the --manual-auth-hook and --manual-cleanup-hook of Certbot or switch over to acme.sh entirely. Note that acme.sh defaults to ZeroSSL as CA, although it does have an option to use Let's Encrypt as the CA using the (I believe) --server option.

5 Likes
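The --manual-auth-hook and --manual-cleanup-hook mentioned above (and the hooks the original poster later asks about for renewals) are just commands that Certbot runs with the challenge details in environment variables: CERTBOT_DOMAIN and CERTBOT_VALIDATION for the auth hook, plus CERTBOT_AUTH_OUTPUT for the cleanup hook. The script below is an added skeleton, not code from the thread, from Certbot or from acme.sh. The DNS API call is a placeholder (DNS_API_URL and DNS_API_TOKEN are assumed names for whatever your provider's API needs); what it does show is the record name Certbot expects, the wildcard handling, and a dry-run mode so the hook can be exercised before it touches real DNS.

```shell
#!/bin/sh
# Added example (not from the thread or Certbot). Skeleton for
# certbot --manual-auth-hook / --manual-cleanup-hook using a DNS API.
# Invoke as "hook.sh auth" or "hook.sh cleanup".

# Name of the TXT record the CA will query. A wildcard name such as
# "*.example.com" is validated at "_acme-challenge.example.com".
acme_txt_name() {
    domain="${1#\*.}"
    printf '_acme-challenge.%s\n' "$domain"
}

# JSON body for the (hypothetical) provider API: name + validation token.
txt_record_json() {
    printf '{"type":"TXT","name":"%s","content":"%s","ttl":60}\n' \
        "$(acme_txt_name "$1")" "$2"
}

# Placeholder for the provider's API. With ACME_DNS_DRY_RUN=1 it only
# echoes what it would send, so the hook can be tested offline.
dns_api_call() {
    method="$1"
    body="$2"
    if [ "${ACME_DNS_DRY_RUN:-0}" = "1" ]; then
        printf 'DRY-RUN %s %s\n' "$method" "$body"
    else
        # assumption: DNS_API_URL / DNS_API_TOKEN describe your provider's API
        curl -fsS -X "$method" \
             -H "Authorization: Bearer ${DNS_API_TOKEN:?set DNS_API_TOKEN}" \
             -H 'Content-Type: application/json' \
             -d "$body" "${DNS_API_URL:?set DNS_API_URL}"
    fi
}

# Auth hook: publish the token, then wait so the CA's resolvers see it.
auth_hook() {
    dns_api_call POST "$(txt_record_json "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION")"
    sleep "${ACME_DNS_WAIT:-30}"
}

# Cleanup hook: remove the record again once validation is done.
cleanup_hook() {
    dns_api_call DELETE "$(txt_record_json "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION")"
}

case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

Certbot runs hook commands through the shell, so a command with an argument such as `--manual-auth-hook "/usr/local/bin/hook.sh auth" --manual-cleanup-hook "/usr/local/bin/hook.sh cleanup"` works; once the real API call is in place, `certbot renew` can run unattended because the same hooks are stored in the renewal configuration. A first run with ACME_DNS_DRY_RUN=1 shows exactly which record name and value would be created without changing any DNS.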

Thank you.

I have run this command

certbot certonly --manual --preferred-challenge dns

and I was able to install SSL successfully after adding the txt records in dns settings.

Don't know how to renew it. I will check the documents you provided.

1 Like

Note that certbot renew won't work with the manual plugin without the aforementioned hooks as you've done now. The only way to renew using this very literal manual method is to run the same command again over 60 days (and so forth).

6 Likes

I am checking the documentation. My DNS provider is Hostgator and I need to figure out how to create hooks in that case.

An alternative solution could be to use free DNS by e.g. Cloudflare and add a NS resource record for the required _acme-challenge label to the Cloudflare nameservers. There's a DNS plugin for Cloudflare DNS. Or use e.g. acme-dns, which has Certbot integration using a script.

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.