I used letsdebug.net to check the domain and found it's OK using DNS-01. How do I invoke certbot to create/issue a cert using DNS-01 specifically? It fails on HTTP and TLS but works with DNS-01.
I'm close. I've been working at migrating from X-serve to MAMP Pro on Mac Studio. I'm a decent, not expert, admin. Thank you to any that can point a direction for me.
certbot.errors.AuthorizationError: Some challenges have failed.
2025-08-29 13:05:24,694:ERROR:certbot._internal.log:Some challenges have failed.
There is no directory, but it tried to create one; I saw it appear and then disappear: /etc/letsencrypt/live/
My web server is (include version): Apache (via MAMP Pro) 2.4.62
The operating system my web server runs on is (include version): MacOS Sonoma 14.4.1
My hosting provider, if applicable, is: Comcast but I have 5 static IP addresses, I don't think that's a factor
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I just installed it, /opt/homebrew/Cellar/certbot/4.2.0
To invoke the DNS challenge, you'd just add --preferred-challenges dns to the certbot command, replacing the --webroot. See the certbot docs for more information:
However, this won't really be viable unless your DNS host has an API that certbot can talk to, to create and delete the DNS records that are required for cert issuance, and I don't see that bigrock.com has such an API.
That "--preferred-challenges dns" change yielded... this in the terminal. Now what... he asks quite sheepishly.
"Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not find ssl_module; not disabling session tickets.
Certbot has detected that apache version < 2.4.11 or compiled against openssl < 1.0.2l. Since these are deprecated, the configuration file being installed at /etc/letsencrypt/options-ssl-apache.conf will not receive future updates. To get the latest configuration version, update apache.
How would you like to authenticate with the ACME CA?
1: Apache Web Server plugin (apache)
2: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
3: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A separate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)
Select the appropriate number [1-3] then [enter] (press 'c' to cancel):"
You can always use DNS validation in manual mode, but you'd need to repeat it (making new DNS records and deleting them after validation) every couple of months--not how the Let's Encrypt services are designed to be used. My solution would be (and indeed is, because I have a number of services on my LAN that I don't want to expose to the Internet) to use a different DNS host--which doesn't need to be the same as your domain registrar. Cloudflare works well and has a free service tier that includes DNS.
No. You'd sign up for an account with Cloudflare, add your domain to them, and set your NS records (at your registrar) to point to whichever servers they tell you (e.g., ines.ns.cloudflare.com). Once they've let you know that's complete, make sure any other necessary DNS records are present, and tell certbot to use Cloudflare for DNS validation--the docs I linked above should explain how.
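Added example (not from the thread or from certbot's own code) of the two suggestions above put together: the credentials file for certbot's dns-cloudflare plugin and a DNS-01 issuance run once the domain's nameservers point at Cloudflare. It assumes the certbot-dns-cloudflare plugin is installed next to certbot 4.x, that CF_TOKEN is a Cloudflare API token scoped to DNS edit on the zone only, that ACME_EMAIL is the account contact address, and that the MAMP apachectl path is correct for the install.

```shell
#!/bin/sh
# Added example: issue a Let's Encrypt certificate over DNS-01 with certbot's
# dns-cloudflare plugin. Assumptions: certbot-dns-cloudflare is installed next
# to certbot 4.x; CF_TOKEN is a Cloudflare API token limited to Zone/DNS/Edit
# for this zone; ACME_EMAIL is the ACME account contact address.
set -eu

# Print a file's permission bits (GNU stat on Linux, BSD stat on macOS).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Write the plugin's credentials file readable by its owner only: certbot warns
# on loosely permissioned credentials, and this token can rewrite the zone.
write_cf_credentials() {
  ( umask 077 && printf 'dns_cloudflare_api_token = %s\n' "$2" > "$1" )
  chmod 600 "$1"
}

# Turn a credentials path plus one or more domains into certbot's argument
# list, one per line. Several names fit in one certificate (-d repeated), so a
# dozen low-traffic domains do not need a dozen runs. The propagation delay
# gives Cloudflare time to publish the _acme-challenge TXT record before the
# CA looks it up.
certbot_dns01_args() {
  _creds=$1; shift
  for _d in "$@"; do set -- "$@" -d "$_d"; shift; done
  printf '%s\n' certonly --non-interactive --agree-tos \
    -m "${ACME_EMAIL:-admin@example.com}" \
    --dns-cloudflare --dns-cloudflare-credentials "$_creds" \
    --dns-cloudflare-propagation-seconds 60 "$@"
}

# Run certbot with that list, then reload Apache so it loads the new files
# under /etc/letsencrypt/live/<name>/. The MAMP apachectl path is assumed.
issue_cert() {
  # Word-split the printed list back into "$@"; no argument contains spaces.
  set -- $(certbot_dns01_args "$@")
  certbot "$@" --deploy-hook '/Applications/MAMP/Library/bin/apachectl graceful'
}

# Usage (as root):
#   CF_TOKEN=... ACME_EMAIL=you@example.com sh issue_dns01.sh run example.com www.example.com
if [ "${1:-}" = run ]; then
  shift
  write_cf_credentials /root/.secrets/cloudflare.ini "${CF_TOKEN:?set CF_TOKEN}"
  issue_cert /root/.secrets/cloudflare.ini "$@"
fi
```

Renewal needs no further DNS work: `certbot renew` reuses the plugin and credentials recorded for the certificate.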
The fix I'd suggest would be to host your website on a cloud hosted VM, instead of hosting it from home/office. That way it will be simpler to get HTTP domain validation to work and you remove the risk of your home/office network getting hacked via your website.
OK, back at this today. Thanks for the help so far.
First you're right, bigrock.com doesn't support certbot -
I went to Cloudflare and created an account to use the 'free' SSL. In the next panel there is a choice between proxy or DNS only. I've switched the toggle to DNS and have stepped back to study things.
Bigger curiosity though is I actually have 12 domains. My wife has one, we have a family recipe site and a few others. Does Cloudflare allow just one free SSL site? Do I have to create multiple accounts?
I appreciate the concept. I'm trying to keep expenses down. I have a Comcast account (not that I give them any respect) that gives me 5 IPs and a good enough speed that I can do my project work and stream shows.
I really can't afford $20/mo per domain. I have about 15 of them and none get any real traffic. I suppose someday, I'll sell off a couple of names. (vipvr.com & ltdoc.com)
The sites are basically read only, nothing complex, no DB and don't have any forms.
I can't update the X-Serve and want to start learning more about WordPress (I grew up on raw text markup in '94) and learn some vibe coding but nothing extensive.
If I win the PowerBall tonight... I'll rethink everything.
There's no reason a VPS needs to cost $20/mo, nor to host each domain on its own VPS. Right now, a VPS on contabo.com starts just under US$4/mo, and you can host as many sites on that as it can handle. That's not to address whether you should go that route, but $20/mo/domain is a complete red herring.
Heck, some of the smaller cloud VMs on Oracle, Google, and Amazon are even free.
For light hosting I use AWS Lightsail, their $3.50 Linux VM instances work fine for basic stuff and you can set up your web server for hundreds of domains on one of those. It is a cost, but depending on your computer the costs can be about the same as the electricity you would have paid to host at home. Plus there's one less thing running to get hacked or go on fire!
For absolutely static stuff (some of which gets a pretty decent amount of traffic) I use github pages, or cloudflare pages, which are free.
I really appreciate the help.. Dan and Chris and the others who are looking in on things. Thank You, I know every shred of advice you give, you earned. Now I am earning them. Fundamentally, I know your approach is basically where I'll be at some point. I never considered a virtual private server. This wasn't in my realm of comprehension.
There is a fair chance you will drag me from the last century into this one. I probably need to run two projects concurrently...
making this migration so it's stable and then... concurrently
register a couple of domains and use a VPS. I've never had the experience and when I looked years ago.. pricey
Where I am now:
Yesterday I had to solve a kitchen plumbing problem (garbage disposal replacement and blockage). I left in the middle of a Cloudflare screen that had DNS server changes, but I left them uncommitted because I really haven't done this before. I was using another of my sites here... sentinum.com to run a trial (I didn't want to commit bikpro.com without knowing all the steps and used sentinum.com to experiment) but didn't finish/commit it.
Oddly after I changed the garbage disposal (I tend to be able to fix anything but a rainy day and servers LOL) my local network with static IPs stopped working. I didn't finish and I'm getting no connection (and no email coming from the old server, no MX records changed) but considering the timeframe... equaled the propagation time roughly...
Can anyone tell me what's going on with address 50.196.170.169-173. Looking at bigrock there are no changes. My bill is current... somehow my server and workstations here don't resolve and find site/pages..
Your DNS nameservers for sentium.com are all still pointing at bigrock, so they are still your DNS provider and that's still where you would manage your DNS entries and what IP they point to. Regarding the Cloudflare migration, it first reads what it can see in DNS for your domain (which isn't necessarily everything) to create an initial set of DNS records, so yes you do need to double check MX records etc.
Once you've set up the "zone" in Cloudflare it's still only theoretical until you tell your registrar to use Cloudflare's nameservers for your domain. You can jump back and forth by switching your domain's nameservers at your registrar back to the known-good set.
Regarding your home hosting setup I'd imagine if your static IP stopped working then you'd need to repoint those DNS entries to whatever the new IP is, but the most likely problem (if your static IPs are still working for your home internet) would be that your router firewall is blocking the incoming traffic or not forwarding it to the correct servers internally. I'd restart everything, then start going through router/firewall and only change something you've previously changed.
Checking some of that IP range I don't currently see any listening services or ports open. I'd suggest go back to basics and forget the DNS migrations etc and get your existing stuff working again. Yes it is possible for home routers to get hacked, if they have outdated firmware or present an administrative UI to external browsers (especially with a default password), all the more reason not to host at home, because hosting = open ports and listening services that anyone can try.
[A good basic connectivity test is to get an http website working in your local network, then try accessing it via your mobile phone data (not wifi), that way the request will come from an external connection and test your firewall/nat forwarding rules etc]
I've shut everything down and left them down for... an hour. Then rebooted just two machines.
That hasn't made a difference. When I have an 'ethernet' connection as my source, nothing loads just 'trying to find'.
Same system -> with ethernet turned off and WiFi on (using DHCP) the pages load. So it points to DNS. I'll rework.
(This reminds me of two other shattering moments in my CS past. DEC Alpha server in 1992 and... an SGI Indy in 2003 when I was using DDD with wrong source drive.)
PLAN
I'm going to partially rip back some of the knitting and remove some A records that gave each of the devices on the LAN an identity and machine names, until I get things working again.
I'm going to move forward with the changes to sentinum at cloudflare to gauge that.
I'm NOW convinced about the VPS - it was never in my realm of comprehension because I thought... 'that's not how it's done'
I have the CONTABO page up and the cloudflare page up. If I were to start all of this with a fresh sheet of paper.. where would I go and what would ~you~ do?
As always, here dangling by fingertips from the ledge, but appreciate that greater minds are watching over me.
I can't tell from your description exactly what you are trying to do (are you browsing to the internet or just to a local service?).
If you have a hard coded IP on your ethernet check it's not clashing with one assigned to something else by DHCP.
If you have NAT rules setup to forward port 80 traffic to your internal server you need to review which IP they point to.
If you have firewalls on a target machine they may have rules specific to IP/network interfaces.
You are probably familiar with telnet and that's a good connectivity debug tool, e.g. telnet anyhostname 80 to test connectivity to an HTTP service on TCP port 80. If it connects you know you have a working route to the host and no firewalls blocking in the way or NAT getting misdirected to the wrong IP.