Hi, I was trying to install SSL for one of my domains. Our hosting provider allows connections only from the UAE. So I asked them to enable connections from the US to make it possible for certbot to access my server. After that I get this error. So it will be really helpful to get the country which I should allow access to my server to get the certificate installed.
My domain is: courier.deliveryzone.ae
I ran this command:
certbot --nginx certonly -d courier.deliveryzone.ae -d www.courier.deliveryzone.ae
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for courier.deliveryzone.ae and www.courier.deliveryzone.ae
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
My web server is (include version): nginx
The operating system my web server runs on is (include version): Ubuntu 20
My hosting provider, if applicable, is: Local one
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.28.0
Let's Encrypt uses multi-perspective domain validation from around the globe, so an exemption for just the USA (the origin of Let's Encrypt) won't be enough.
It would be a better idea to globally allow requests for the path /.well-known/acme-challenge/, which should not be a security risk (nothing should be present at that location except for validation tokens). Alternatively you might be able to use the dns-01 challenge, if your DNS servers aren't affected by these strict rules from your hosting provider.
Thank you for your reply.
I don't have any idea about how to do the dns-01 challenge. It will be helpful if there is any documentation on this one. I tried this command
certbot certonly --manual
but it again asks me to put the token manually in the well-known/acme-challenge/ folder, and it failed similarly then.
That really depends on your DNS provider and if it has an API to change resource records of the hosted zones. Certbot has a few DNS plugins which you can find here: User Guide — Certbot 1.28.0 documentation Alternatively, there are also a few third party DNS plugins available: User Guide — Certbot 1.28.0 documentation
The manual plugin is documented here: User Guide — Certbot 1.28.0 documentation
It's HIGHLY recommended to automate issuance of certificates. The manual plugin requires scripts to make it automate issuance (and thus renewals).
An ACME client with a lot of DNS plugins is acme.sh. You can find its DNS plugins here: acme.sh/dnsapi at master · acmesh-official/acme.sh · GitHub
If acme.sh lists a DNS plugin for your DNS provider, but Certbot does not, you might be able to make the acme.sh DNS plugin compatible with the --manual-cleanup-hook of Certbot or switch over to acme.sh entirely. Note that acme.sh defaults to ZeroSSL as CA, although it does have an option to use Let's Encrypt as the CA using the (I believe)
I have run this command
certbot certonly --manual --preferred-challenge dns
and I was able to install SSL successfully after adding the txt records in dns settings.
Don't know how to renew it. I will check the documents you provided.
certbot renew won't work with the manual plugin without the aforementioned hooks as you've done now. The only way to renew using this very literal manual method is to run the same command again after 60 days (and so forth).
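To make the manual dns-01 method renewable, Certbot's --manual-auth-hook must publish the TXT record and return only once it is visible, because Let's Encrypt validates from several vantage points. The script below is an added example, not Certbot's code or anything from this thread: it validates the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables Certbot sets for the hook, derives the record to publish, and polls DNS (assuming dig is installed) until the value appears. It assumes you run it after your own provider-specific publish step, e.g. --manual-auth-hook "/path/publish.sh && /path/wait_txt.py".

```python
#!/usr/bin/env python3
"""Propagation check for a Certbot --manual-auth-hook (dns-01).

Added example, not Certbot's own code. Certbot exports CERTBOT_DOMAIN and
CERTBOT_VALIDATION to the hook; the record to publish is
_acme-challenge.<domain> TXT <validation>. Exit non-zero if the record is
not visible in time so Certbot aborts instead of burning validation attempts.
"""
import os
import re
import subprocess
import sys
import time

# A dns-01 validation value is base64url(SHA-256(key authorization)): 43 chars.
# Rejecting anything else keeps odd input out of shell commands and API calls.
VALIDATION_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def expected_record(domain, validation):
    """Return the (name, value) TXT record Certbot wants published."""
    if not VALIDATION_RE.fullmatch(validation):
        raise ValueError("CERTBOT_VALIDATION is not a dns-01 validation token")
    host = domain[2:] if domain.startswith("*.") else domain  # wildcard safety
    return "_acme-challenge." + host, validation


def dig_txt(name):
    """Look up TXT records with dig (assumed installed); strip the quoting."""
    out = subprocess.run(["dig", "+short", "TXT", name],
                         capture_output=True, text=True, check=False)
    return [ln.strip().strip('"') for ln in out.stdout.splitlines() if ln.strip()]


def wait_for_txt(name, value, lookup=dig_txt, attempts=30, delay=10.0,
                 sleep=time.sleep):
    """Poll until the TXT value is visible; True if seen, False on timeout."""
    for _ in range(attempts):
        if value in lookup(name):
            return True
        sleep(delay)
    return False


if __name__ == "__main__":
    rec_name, rec_value = expected_record(os.environ["CERTBOT_DOMAIN"],
                                          os.environ["CERTBOT_VALIDATION"])
    sys.exit(0 if wait_for_txt(rec_name, rec_value) else 1)
```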
I am checking the documentation. My DNS provider is Hostgator and I need to figure out how to create hooks in that case.
An alternative solution could be to use free DNS by e.g. Cloudflare and add a NS resource record for the required _acme-challenge label to the Cloudflare nameservers. There's a DNS plugin for Cloudflare DNS. Or use e.g. acme-dns, which has Certbot integration using a script.