Invalid response from maddemon.free.nf

@MadDemon eventually, it works, but you have to use GTS instead of Let's Encrypt.

It's all automatic but it takes a few hours and it wants you to hit buttons manually.

It still is messed up, tho. So look if you have alternatives. SSL Server Test: wordsoneafteranother.free.nf (Powered by Qualys SSL Labs)

4 Likes

I see that. This confirms they send only the leaf and no intermediates. Not good.

A quicker but less detailed check than SSL Labs

5 Likes

Thanks, but I went with another option, though I needed Let's Encrypt :smiling_face_with_tear:

2 Likes

Well, I found a solution for adding a Let's Encrypt SSL certificate manually in InfinityFree.

Step 1.

Choose the certbot DNS challenge:

```
certbot certonly --manual --preferred-challenges dns -d "*.YourDomain"
```

Subdomains also work fine, for example:

```
certbot certonly --manual --preferred-challenges dns -d "*.maddemon.free.nf"
```

output:

```
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.maddemon.free.nf.

with the following value:

M6DRvcOBx6_apw_CGHR7VgqHBRSgE3586Q1c-plEWU4

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.maddemon.fr
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
```

Step 2.
Log in to your InfinityFree cPanel, scroll to the bottom and click on CNAME.

Step 3.
In the "Record Name" box enter `_acme-challenge`, in "Domains" leave the default, and in the "Destination" box enter the value that certbot provided, for example: "M6DRvcOBx6_apw_CGHR7VgqHBRSgE3586Q1c-plEWU4"

Step 4.
Don't press Enter yet...
Check whether the DNS has updated yet:

```
nslookup -type=TXT _acme-challenge.maddemon.free.nf
```

because the DNS usually takes 1 to 2 or more hours to update. Keep the certbot verification window open in the background.

I don't see a Let's Encrypt cert for your domain. Your domain is currently using a cert from Google. And, as per previous discussion that hosting site does not support intermediate certs so may fail validation like shown here:

I don't see a Let's Encrypt cert in the public logs but sometimes those are delayed as much as 24H.

2 Likes

You need to check the authoritative DNS servers directly.
[it may be updating much faster than that]

```
nslookup -q=ns free.nf
```

2 Likes

Ya :sweat_smile: I was just writing and applying the steps at the same time

Also, I am finding a faster way to update or use an updated DNS for faster verification :grinning:

I was thinking of using their own DNS server rather than Google's DNS (8.8.8.8) for nslookup and it worked

With the default Google DNS (8.8.8.8):

```
nslookup _acme-challenge.maddemon.free.nf
```

output:

```
Server: 8.8.8.8
Address: 8.8.8.8#53

** server can't find _acme-challenge.maddemon.free.nf: NXDOMAIN
```

With their DNS (198.251.86.152):

```
nslookup -type=TXT _acme-challenge.maddemon.free.nf 198.251.86.152
```

output:

```
Server:         198.251.86.152
Address:        198.251.86.152#53

_acme-challenge.maddemon.free.nf        canonical name = m6drvcobx6_apw_cghr7vgqhbrsge3586q1c-plewu4.
```

So, what if I use their DNS in certbot for verification

certbot isn't the one doing the verification - it is just an ACME client.
If the ACME client could also do the verification ... we would have a broken/exploited system!
The DNS verification is being done by LE.
And they only follow the authoritative DNS tree/path.
So, it will never use systems like 8.8.8.8 [for verification].

3 Likes

oh :sweat_smile: Thanks

Sorry guys, this method will not work until there is a way to use their DNS in certbot, because it will not update, or it will take a long time to populate the Google DNS.

It has been up to 24 hours, but `nslookup -type=TXT _acme-challenge.maddemon.free.nf` still shows

```
Server: 8.8.8.8
Address: 8.8.8.8#53

** server can't find _acme-challenge.maddemon.free.nf: NXDOMAIN
```

and certbot gave me a time-out error.

I am still looking into custom DNS plugins like certbot-dns-cloudflare etc. to make a certbot-dns-infinityfree.

```
$ dig txt _acme-challenge.maddemon.free.nf

; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> txt _acme-challenge.maddemon.free.nf
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49293
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.maddemon.free.nf. IN   TXT

;; ANSWER SECTION:
_acme-challenge.maddemon.free.nf. 86400 IN CNAME m6drvcobx6_apw_cghr7vgqhbrsge3586q1c-plewu4.

;; AUTHORITY SECTION:
.                       86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023083001 1800 900 604800 86400

;; Query time: 209 msec
;; SERVER: 192.168.192.1#53(192.168.192.1) (UDP)
;; WHEN: Wed Aug 30 20:28:08 CEST 2023
;; MSG SIZE  rcvd: 193
```

You should add a TXT record, not a CNAME record :wink:

4 Likes

Is your DNS even hosted by Google?

If not, then what's the relevance of Google DNS?

2 Likes

Nope, that's what I am saying :man_facepalming:

Steps :sweat_smile:

Let's Encrypt crawls the authoritative nameservers from the root servers down to the authoritative nameserver of the hostname. Please don't use third-party DNS servers to check for propagation, but use e.g. `dig +trace` or https://unboundtest.com.

3 Likes

Idk, but it's a TXT record:

```
nslookup -type=TXT _acme-challenge.maddemon.free.nf 198.251.86.152

Server:         198.251.86.152
Address:        198.251.86.152#53

_acme-challenge.maddemon.free.nf        canonical name = m6drvcobx6_apw_cghr7vgqhbrsge3586q1c-plewu4.
```

canonical name

cname

It literally means "look there instead" -- and it applies to every record type.

You then get an NXDOMAIN because that string does not exist as a domain.

4 Likes
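As an added example (not code from the thread or from certbot), here is a pre-flight check for the dns-01 step in the manual procedure above. It asks the zone's authoritative nameserver directly, as the replies explain Let's Encrypt does, rather than a public recursive resolver such as 8.8.8.8, and it tells apart the three outcomes seen in this thread: the expected TXT token, no record at all, and the CNAME-instead-of-TXT mistake. It assumes dnspython is installed; the token and nameserver IP are the ones quoted in the thread.

```python
# Added example: check an ACME dns-01 challenge record the way Let's Encrypt
# does, at the authoritative nameserver, not via a caching recursive resolver.
# Assumes dnspython (pip install dnspython); only lookup_authoritative needs it.

TOKEN = "M6DRvcOBx6_apw_CGHR7VgqHBRSgE3586Q1c-plEWU4"  # from the certbot output above
NAME = "_acme-challenge.maddemon.free.nf"
AUTH_NS = "198.251.86.152"  # authoritative server quoted in the thread


def lookup_authoritative(name, nameserver):
    """Ask `nameserver` for TXT records of `name` and return the answer
    section as (rtype, value) pairs, e.g. [("TXT", "abc")] or
    [("CNAME", "target.")]. An authoritative server answers from the zone
    as it is right now, so there is no resolver-cache or TTL lag."""
    import dns.message, dns.query, dns.rdatatype  # lazy: only needed online
    query = dns.message.make_query(name, dns.rdatatype.TXT)
    response = dns.query.udp(query, nameserver, timeout=5)
    records = []
    for rrset in response.answer:
        for rdata in rrset:
            if rrset.rdtype == dns.rdatatype.TXT:
                records.append(("TXT", b"".join(rdata.strings).decode()))
            elif rrset.rdtype == dns.rdatatype.CNAME:
                records.append(("CNAME", str(rdata.target)))
    return records


def classify_answer(records, expected_token):
    """Decide from the answer section whether the challenge can pass.
    Returns "ok", "stale-token", "cname-instead-of-txt" or "missing"."""
    txt_values = [v for t, v in records if t == "TXT"]
    cnames = [v for t, v in records if t == "CNAME"]
    if expected_token in txt_values:
        return "ok"
    if txt_values:
        return "stale-token"  # a TXT record exists but holds an old/wrong token
    if cnames:
        # The mistake in this thread: the token was entered as a CNAME target,
        # so every lookup is redirected to a name that does not exist (NXDOMAIN).
        return "cname-instead-of-txt"
    return "missing"  # record not published yet: keep the certbot prompt open


if __name__ == "__main__":
    answer = lookup_authoritative(NAME, AUTH_NS)
    print(answer, "->", classify_answer(answer, TOKEN))
```

Run it against your own zone's authoritative server (the one `nslookup -q=ns` reports) and only press Enter in certbot once it prints "ok".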