Please fill out the fields below so we can help you better.
I ran this command:
certbot certonly --standalone -d my.domain
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for my.domain
Cleaning up challenges
At least one of the (possibly) required ports is already taken.
My operating system is (include version):
Mac OS 10.11.6
My web server is (include version):
N/A
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
Comments:
If I'm not mistaken, a non-root user cannot bind to port 80. So I tried prepending 'sudo' in front of the certbot command. That was better, but still failed (see below). Rather than have certbot installed on several machines, I simply want to install it on my Mac and generate certs there, then install on my various Ubuntu servers.
Failed authorization procedure. my.domain (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 443040444366676cd6274007c771c9d3.9af1c006bb1a80f4a94974cb022212e1.acme.invalid from 52.40.249.94:443. Received certificate containing 'my.domain'
You can use certbot on a Mac; you may find the bash client GetSSL easier in this case, as that's designed to run on one machine and place the tokens and certs on other machines.
Certbot does work best as root, although it can be made to work as a non-root user. It does need permissions to place the tokens on the web server for verification, though.
Yes, Certbot is primarily designed to be run on the machine that is serving the site(s) that will receive the certificate. That machine could be running Mac OS, but in any case it should normally be the web server.
If you want to run Certbot on a machine that isn’t the webserver, the normal way is with the manual plugin, which prompts you to make changes on the webserver at specified times in order to prove your control over the domain, but this can be inconvenient (especially for renewal, where you’ll have to do the same manual steps again). There are also other options like the new script plugin (if you want to do some shell scripting). Otherwise, @serverco’s suggestion is very useful because other tools will be more specifically designed for this situation.
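As an added example (not from this thread and not part of the Certbot project), here is what a scripted manual-plugin hook for the situation above looks like: Certbot runs on the Mac, and the hook drops the HTTP-01 validation file into the web server's document root, locally or over ssh, so renewals need no typing. It uses HTTP-01 rather than the tls-sni-01 challenge shown in the log, which Let's Encrypt has since retired. CERTBOT_DOMAIN, CERTBOT_TOKEN and CERTBOT_VALIDATION are the variables Certbot really exports to `--manual-auth-hook` and `--manual-cleanup-hook` scripts; ACME_WEBROOT, the script name acme-hook.sh and the host deploy@my.domain are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Certbot's own code. HTTP-01 hook for Certbot's manual
# plugin: writes the validation file from a machine that is not the web server.
# Certbot sets CERTBOT_DOMAIN, CERTBOT_TOKEN and CERTBOT_VALIDATION before
# running the hook. ACME_WEBROOT (assumed, not a Certbot variable) is either a
# local document root or user@host:/document/root for placement over ssh.
set -eu

# Reject anything that is not a base64url token: the token ends up in a path
# and in a remote shell command, so it must not carry '/', '..' or quotes.
valid_token() {
    case "${1:-}" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# place_challenge WEBROOT TOKEN VALIDATION
# Writes VALIDATION to WEBROOT/.well-known/acme-challenge/TOKEN.
place_challenge() {
    webroot=$1 token=$2 validation=$3
    valid_token "$token" || { echo "bad token: $token" >&2; return 1; }
    rel=".well-known/acme-challenge/$token"
    case "$webroot" in
        *:*)
            # remote: "user@host:/path". The content travels on stdin, so the
            # validation string never appears on a command line.
            host=${webroot%%:*} rpath=${webroot#*:}
            printf '%s' "$validation" |
                ssh "$host" "mkdir -p '$rpath/.well-known/acme-challenge' && cat > '$rpath/$rel' && chmod 644 '$rpath/$rel'"
            ;;
        *)
            mkdir -p "$webroot/.well-known/acme-challenge"
            # write under a temporary name and rename, so the web server never
            # serves a partially written file
            printf '%s' "$validation" > "$webroot/$rel.tmp"
            chmod 644 "$webroot/$rel.tmp"
            mv "$webroot/$rel.tmp" "$webroot/$rel"
            ;;
    esac
}

# remove_challenge WEBROOT TOKEN
remove_challenge() {
    webroot=$1 token=$2
    valid_token "$token" || return 1
    rel=".well-known/acme-challenge/$token"
    case "$webroot" in
        *:*) ssh "${webroot%%:*}" "rm -f '${webroot#*:}/$rel'" ;;
        *)   rm -f "$webroot/$rel" ;;
    esac
}

# challenge_url DOMAIN TOKEN: the URL the ACME server will fetch.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Entry point used by Certbot (hooks are run through the shell). Example:
#   certbot certonly --manual --preferred-challenges http -d my.domain \
#     --manual-auth-hook    'ACME_WEBROOT=deploy@my.domain:/var/www/html /usr/local/bin/acme-hook.sh auth' \
#     --manual-cleanup-hook 'ACME_WEBROOT=deploy@my.domain:/var/www/html /usr/local/bin/acme-hook.sh cleanup'
case "${1:-}" in
    auth)
        place_challenge "$ACME_WEBROOT" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION"
        echo "placed $(challenge_url "$CERTBOT_DOMAIN" "$CERTBOT_TOKEN")" >&2 ;;
    cleanup)
        remove_challenge "$ACME_WEBROOT" "$CERTBOT_TOKEN" ;;
esac
```

The token check matters because the hook runs as root and builds a path and a remote command from values it receives; restricting the token to the base64url alphabet rules out path traversal and shell metacharacters. The ssh branch needs a key-based login from the Mac to the web server's deploy account.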
I suppose another advantage to running it on the actual server is that you can set up auto-renew, correct? I assume this will work for a mail server (postfix + dovecot) that also has nginx running, with all three relying on the same cert?
Also, generated certs get stored in /etc/letsencrypt/live. Is it intended to just leave them there and point nginx, dovecot, etc to this folder? (it’s readable by root only)
These do not work out of the box (permission denied errors). I had to manually create /etc/letsencrypt and /var/lib/letsencrypt for some reason. Then there’s the question of either leaving those owned by root and using sudo letsencrypt or chowning the dirs to the user instead.
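As an added example (not from this thread and not the Certbot project's code), the following `--deploy-hook` covers the second half of the question above: getting a renewed certificate out of the root-only /etc/letsencrypt/live directory and onto the other servers, with the private key readable only by the group that needs it, followed by a reload of nginx, postfix and dovecot. A service whose master process reads the key as root at startup (nginx does) can be pointed straight at /etc/letsencrypt/live; the copy is for the remaining cases. RENEWED_LINEAGE and RENEWED_DOMAINS are the variables Certbot really sets for deploy hooks; CERT_DEST, CERT_GROUP, the group ssl-cert and the script path are this example's assumptions.

```shell
#!/bin/sh
# Added example, not Certbot's own code. A --deploy-hook that copies a renewed
# certificate out of /etc/letsencrypt/live and reloads the daemons using it.
# Certbot runs the hook as root after each successful renewal with
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/my.domain) and RENEWED_DOMAINS
# set. CERT_DEST and CERT_GROUP are assumed variables of this script.
set -eu

# install_cert LINEAGE DEST [GROUP]
# Copies fullchain.pem and privkey.pem from LINEAGE (the live/ symlinks are
# followed) into DEST. The chain is world-readable; the key is 0640 and owned
# by GROUP when one is given. Files are staged under temporary names and
# renamed, so a daemon reloading mid-copy never sees a truncated key.
install_cert() {
    lineage=$1 dest=$2 group=${3:-}
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    umask 077
    cp "$lineage/fullchain.pem" "$dest/fullchain.pem.new"
    cp "$lineage/privkey.pem"   "$dest/privkey.pem.new"
    chmod 0644 "$dest/fullchain.pem.new"
    chmod 0640 "$dest/privkey.pem.new"
    if [ -n "$group" ]; then
        chgrp "$group" "$dest/privkey.pem.new"
    fi
    mv "$dest/fullchain.pem.new" "$dest/fullchain.pem"
    mv "$dest/privkey.pem.new"   "$dest/privkey.pem"
}

# cert_matches LINEAGE DEST: succeeds only if the installed files are
# byte-identical to the lineage, i.e. the copy really happened.
cert_matches() {
    cmp -s "$1/fullchain.pem" "$2/fullchain.pem" &&
    cmp -s "$1/privkey.pem"   "$2/privkey.pem"
}

# key_mode FILE: permission string as ls prints it, e.g. -rw-r-----
key_mode() {
    ls -l "$1" | cut -c1-10
}

# push_cert LINEAGE USER@HOST:DEST: the same for a remote server, as a tar
# stream over ssh so one connection carries both files. -h dereferences the
# live/ symlinks; without it the remote side would get dangling links.
push_cert() {
    lineage=$1 host=${2%%:*} rdest=${2#*:}
    tar -C "$lineage" -chf - fullchain.pem privkey.pem |
        ssh "$host" "mkdir -p '$rdest' && tar -C '$rdest' -xf - && chmod 640 '$rdest/privkey.pem'"
}

# reload_services: nginx, postfix and dovecot all re-read the files on reload.
reload_services() {
    for svc in nginx postfix dovecot; do
        systemctl reload "$svc" || echo "reload of $svc failed" >&2
    done
}

# Entry point when Certbot invokes this script (hooks run through the shell):
#   certbot renew --deploy-hook \
#     'CERT_DEST=/etc/ssl/my.domain CERT_GROUP=ssl-cert /usr/local/sbin/deploy-cert.sh'
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cert "$RENEWED_LINEAGE" "$CERT_DEST" "${CERT_GROUP:-}"
    cert_matches "$RENEWED_LINEAGE" "$CERT_DEST" || exit 1
    reload_services
fi
```

Because Certbot only runs deploy hooks after a certificate actually changed, this keeps the copy and the reloads out of the twice-daily `certbot renew` runs that do nothing.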