My Server is Geoblocked and I don't have DNS or Firewall privileges

For now :wink:

4 Likes

Follow-up configuration question.

Although the new certificate from ZeroSSL is working fine, I can't validate a dry run.

I've confirmed under /etc/letsencrypt/renewal/<domain>.conf that the value pair server = https://acme.zerossl.com/v2/DV90 is still set correctly.

When I call certbot renew --dry-run it seems to throw the LetsEncrypt geoblock error message:

During secondary validation: ... Timeout during connect (likely firewall problem)

Is there a way to verify certbot is connecting to the specified server?

zerossl doesn't run own staging server

4 Likes

In other words the --dry-run option overrides the server setting?

I was able to confirm --force-renewal pulls a new ZeroSSL cert, where as --dry-run pulls a Let'sEncrypt geoblock error.

Yes.

To use a different test server you could do:

certbot renew --dry-run --server URL

Where the URL value is the test server. The --server value must appear after the --dry-run.

The default for --dry-run is:

--server https://acme-staging-v02.api.letsencrypt.org/directory

But, ZeroSSL does not have their own test system (google does I think and there may be others)

5 Likes

The Certbot log contains the URL for the ACME server it's using to connect to.

3 Likes

Also be aware other CAs validation requests could come from an entirely different set of geo locations.

1 Like