How to obtain a certificate for a domain that I will host locally?


#1

Hello, I have an Express server and have hired the michaelgram.ga domain to finish creating my application.
Well, the problem, as always, is Windows: they recommended https://letsencrypt.org/getting-started/ to me, but certbot does not support Windows, or so I understood.
What steps should I follow to get an SSL certificate for my domain (michaelgram.ga) which I will use locally, on an Express server?
Thank you.


#2

There are a number of clients that support Windows: https://letsencrypt.org/docs/client-options/

https://github.com/PKISharp/win-acme is popular

https://certifytheweb.com/ too

You can also use web-based zerossl.com / gethttpsforfree.com but it’s better to use a native solution that can deal with renewal automatically.


#3

Thanks @_Arizona for your proposals, but I can not find a way to get it.
I used all the options he suggested, and none of them succeeded.
I do not know if the domain I have will be a problem: (michaelgram.ga).

The option I believed in most was one for Express: https://git.coolaj86.com/coolaj86/greenlock-express.js, but I am not able to create the code to make it work.
I’ll keep trying; it’s been 7 days without getting past this bump.
Thanks for the support.


#4

When you say that you will host this locally, do you mean to imply that it is not publicly accessible, or simply that you’re hosting it yourself? Is this host currently reachable at this domain name over the public internet?


#5

I mean it is on my computer, the Express server; if I do not have the server up, it is not seen on the internet.
I am creating the application and joining the modules, even if it does not lead to production.


#6

For a Let’s Encrypt client to issue a certificate, it has to prove control over your domain in some way.

For a local application (not seen on the internet), generally the way to do this is via the DNS challenge: Let’s Encrypt asks the client to update a TXT record in your domain, the client adds that record, and you receive a certificate.

Unfortunately, none of the Windows clients or Node integrations appear to support Freenom, who you are using to host your DNS.

This leaves you with the option to perform the process manually. You can do this by using ZeroSSL which I linked before, and choosing the “DNS verification” option.

If you have trouble with ZeroSSL or gethttpsforfree, we can help you with that. There should be no reason for this option to fail, but it is not ideal because it will not automatically renew for you.


#7

Hello, I selected the DNS option and it gives me a domain error, as I show in the capture.
I do not know what else to do.
Thanks for the support. I will continue looking for a way to get it, because until I do, I cannot go ahead with my application.

Maybe a free domain is not such a good option …


#8

Did you follow the instructions and set the TXT records up in Freenom?

It seems like you have tried too many times and failed recently, you’ll need to wait an hour.


#9

No, in Freenom I did not do anything, that’s why I get the error. Now I will see how I do what is necessary in Freenom.
Thanks, something had to be wrong.
In Freenom I do not know what I should change, any ideas …?


#10

You have to create TXT records in your DNS zone as instructed by the ZeroSSL service. It will tell you the required names and values for these records. Freenom should have an interface to create specific records in the DNS zone. You have to complete this before going on to the next step in ZeroSSL.



#11

Click on “Manage Freenom DNS” and you’ll see where you can create records.


#12

adding to what @schoen said…

  1. On FreeNom, configure the DNS A Record for michaelgram.ga to 127.0.0.1
  2. On ZeroSSL, choose “DNS Verification”
  3. On FreeNom, configure the TXT Record with what ZeroSSL tells you to.
  4. Wait at least 5 minutes and then query the TXT record using a website like http://www.mxtoolbox.com ; if the correct TXT record does not show up, wait 5 minutes more and check again.
  5. Once the TXT record shows up, complete the process on ZeroSSL.

#13

I think you mean “on ZeroSSL” in this step.


#14

fixed. thanks! 12345


#15

I have added the two lines below in the DNS of Freenom, but I think I did not do it well, because it keeps giving me an error. Thank you @_Arizona
I’m not sure where I should add what ZeroSSL offers me …


#16

Two things:

  • You can’t have random spaces/whitespace in the value column for _ACME-CHALLENGE.WWW like that. It needs to appear exactly as ZeroSSL showed it
  • Did you wait 5 minutes before continuing in ZeroSSL as suggested earlier?

–

I know it’s largely academic at this point, but I was able to get Greenlock + Express + Freenom DNS (which was mentioned up-thread by OP) working with automatic certificates.

It’s kind of crappy due to having to delay so long after installing TXT records, but it worked:


You can find an example project here.
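
The TXT check from step 4 in #12 and the whitespace problem raised in #16 can be done locally before continuing in the web UI. The following is an added example, not code from any poster or from ZeroSSL; the function names and `SAMPLE_VALUE` are constructed, and `hostColumn` assumes the DNS panel appends the zone name to whatever is typed in its name column.

```javascript
// Added example; names and the sample value below are constructed, not from the thread.
// An ACME DNS-01 TXT value is base64url(SHA-256(key authorization)): 43 chars, no padding.
const DNS01_VALUE = /^[A-Za-z0-9_-]{43}$/;
const SAMPLE_VALUE = 'q1w2e3r4t5y6u7i8o9p0aSdFgHjKlZxCvBnM_-QwErT'; // constructed

// Name the validator queries for a certificate name (wildcards use the base name).
function challengeName(domain) {
  return '_acme-challenge.' + domain.toLowerCase().replace(/^\*\./, '').replace(/\.$/, '');
}

// What to type in a DNS panel's "name" column, ASSUMING the panel appends the zone.
function hostColumn(fqdn, zone) {
  const f = fqdn.toLowerCase().replace(/\.$/, '');
  const z = zone.toLowerCase().replace(/\.$/, '');
  if (!f.endsWith('.' + z)) throw new Error(`${fqdn} is not inside zone ${zone}`);
  return f.slice(0, -(z.length + 1));
}

// Compare DNS answers with the value you were told to publish.
// `answers` has the shape dns.promises.resolveTxt() returns: string[][] (chunks per record).
function diagnoseTxt(expected, answers) {
  if (!DNS01_VALUE.test(expected)) return 'expected-value-malformed';
  if (!answers || answers.length === 0) return 'not-published-yet';
  const values = answers.map((chunks) => chunks.join(''));
  if (values.includes(expected)) return 'ok';
  // Pasted values often pick up spaces, line breaks or literal quotes.
  const strip = (s) => s.replace(/\s+/g, '').replace(/^"|"$/g, '');
  if (values.some((v) => strip(v) === expected)) return 'whitespace-or-quotes-in-value';
  return 'stale-or-wrong-value';
}

// Live lookup through the system resolver; run this before continuing in the web UI.
async function checkLive(domain, expected) {
  const { resolveTxt } = require('node:dns').promises;
  try {
    return diagnoseTxt(expected, await resolveTxt(challengeName(domain)));
  } catch (err) {
    if (err.code === 'ENOTFOUND' || err.code === 'ENODATA') return 'not-published-yet';
    throw err;
  }
}
```

`checkLive` uses the system resolver, which may serve a cached negative answer, so `not-published-yet` right after creating the record can simply mean the cache has not expired.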


#17

Well, I do not know what to answer, because they all helped me get the certificate.
I only have to configure the Facebook API, because it keeps giving me as not sure.
If I put the one that is not correct, I beg you to tell me, I am new here and I am finding a lot of help.
I hope soon I can help other users.
Thank you very much to all.



#18

And Facebook is still not letting me log in, all this without achieving the goal.
This is incredible. I wanted the certificate for them, and they still do not accept the application.
When trying to put the url in the configuration of the API it says: “it was identified as malicious or abusive”




#20

It’s possible that Facebook may have blacklisted the Freenom TLDs (.ga, .ml, etc) because they were being abused.

It’s not unheard of with other providers.

Are you sure you’re putting the HTTPS URL in as the OAuth redirect URL? Is Web OAuth login on?

Perhaps you can find out from Facebook support.