For now
Follow-up configuration question.
Although the new certificate from ZeroSSL is working fine, I can't validate a dry run.
I've confirmed under /etc/letsencrypt/renewal/<domain>.conf that the value pair server = https://acme.zerossl.com/v2/DV90 is still set correctly.
When I call certbot renew --dry-run it seems to throw the Let's Encrypt geoblock error message:
During secondary validation: ... Timeout during connect (likely firewall problem)
Is there a way to verify certbot is connecting to the specified server?
ZeroSSL doesn't run its own staging server.
In other words the --dry-run option overrides the server setting?
I was able to confirm --force-renewal pulls a new ZeroSSL cert, whereas --dry-run pulls a Let's Encrypt geoblock error.
Yes.
To use a different test server you could do:
certbot renew --dry-run --server URL
Where the URL value is the test server. The --server value must appear after the --dry-run.
The default for --dry-run is:
--server https://acme-staging-v02.api.letsencrypt.org/directory
But ZeroSSL does not have their own test system (Google does, I think, and there may be others).
The Certbot log contains the URL for the ACME server it's using to connect to.
Also be aware other CAs' validation requests could come from an entirely different set of geo locations.
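
One way to run the log check described above, as an added example that is not part of the original thread: it compares the server value in a renewal conf with the hosts Certbot recorded contacting. It assumes the debug log (by default /var/log/letsencrypt/letsencrypt.log) records requests as "Sending <METHOD> request to <URL>" lines; the function names are hypothetical and the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example: compare a lineage's configured ACME server with the hosts
# Certbot actually contacted, as recorded in its debug log.

# Hostname of the "server = https://..." value in a renewal conf.
configured_host() {
  sed -nE 's#^[[:space:]]*server[[:space:]]*=[[:space:]]*https://([^/[:space:]]+).*#\1#p' "$1" | head -n 1
}

# Unique hostnames from "Sending <METHOD> request to https://..." log lines
# (assumed log line shape, see lead-in).
contacted_hosts() {
  grep -oE 'Sending (GET|POST|HEAD) request to https://[^/[:space:]]+' "$1" |
    sed -E 's#.*https://##' | sort -u
}

# Prints MATCH or OVERRIDDEN; returns non-zero when the configured CA was not contacted.
check_run() {
  local want got
  want=$(configured_host "$1")
  got=$(contacted_hosts "$2" | paste -sd, -)
  if contacted_hosts "$2" | grep -qxF -- "$want"; then
    echo "MATCH configured=$want contacted=$got"
  else
    echo "OVERRIDDEN configured=$want contacted=$got"
    return 1
  fi
}

# Constructed sample files (not real Certbot output) so the check runs offline.
make_samples() {
  local d; d=$(mktemp -d)
  printf 'version = 2.0.0\n[renewalparams]\nserver = https://acme.zerossl.com/v2/DV90\n' > "$d/example.conf"
  cat > "$d/dry-run.log" <<'EOF'
2024-01-01 10:00:00,000:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2024-01-01 10:00:01,000:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
EOF
  cat > "$d/force-renewal.log" <<'EOF'
2024-01-01 11:00:00,000:DEBUG:acme.client:Sending GET request to https://acme.zerossl.com/v2/DV90.
EOF
  echo "$d"
}

d=$(make_samples)
check_run "$d/example.conf" "$d/dry-run.log" || true   # dry run: staging host, not the configured CA
check_run "$d/example.conf" "$d/force-renewal.log"     # real renewal: configured CA contacted
```

On a real host, pass /etc/letsencrypt/renewal/<domain>.conf and the log written by the run being checked instead of the sample files.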