My Server is Geoblocked and I don't have DNS or Firewall privileges

For now :wink:

4 Likes

Follow-up configuration question.

Although the new certificate from ZeroSSL is working fine, I can't validate a dry run.

I've confirmed under /etc/letsencrypt/renewal/<domain>.conf that the value pair server = https://acme.zerossl.com/v2/DV90 is still set correctly.

When I call certbot renew --dry-run it seems to throw the Let's Encrypt geoblock error message:

During secondary validation: ... Timeout during connect (likely firewall problem)

Is there a way to verify certbot is connecting to the specified server?

ZeroSSL doesn't run its own staging server.

3 Likes

In other words the --dry-run option overrides the server setting?

I was able to confirm --force-renewal pulls a new ZeroSSL cert, whereas --dry-run pulls a Let's Encrypt geoblock error.

Yes.

To use a different test server you could do:

certbot renew --dry-run --server URL

Where the URL value is the test server. The --server value must appear after the --dry-run.

The default for --dry-run is:

--server https://acme-staging-v02.api.letsencrypt.org/directory

But ZeroSSL does not have their own test system (Google does, I think, and there may be others).

4 Likes
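A small script for the procedure in the answer above, added here and not taken from the thread: it reads the server = value out of each certbot renewal conf so you can see which ACME server a certificate is pinned to, and builds the dry-run command with --server placed after --dry-run. The renewal directory layout and the sample confs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: list the ACME server each certbot
# renewal conf points at, and build the dry-run command with the --server
# override placed after --dry-run, the ordering the answer above requires.
# Assumes certbot's usual layout: one <domain>.conf per certificate under
# /etc/letsencrypt/renewal/, each carrying a "server = URL" line.

LE_STAGING="https://acme-staging-v02.api.letsencrypt.org/directory"

# Print the "server = ..." value from one renewal conf.
renewal_server() {
  sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Print "<cert name> <server>" for every *.conf in a renewal directory.
list_servers() {
  for conf in "$1"/*.conf; do
    [ -f "$conf" ] || continue
    printf '%s %s\n' "$(basename "$conf" .conf)" "$(renewal_server "$conf")"
  done
}

# Compose the dry-run command. $1 is the test-server URL; when it is empty the
# command names certbot's own dry-run default (Let's Encrypt staging) explicitly.
dry_run_cmd() {
  printf 'certbot renew --dry-run --server %s\n' "${1:-$LE_STAGING}"
}

# Constructed sample renewal directory: one ZeroSSL cert, one Let's Encrypt cert.
SAMPLE_DIR=$(mktemp -d)
printf '[renewalparams]\nserver = https://acme.zerossl.com/v2/DV90\n' \
  > "$SAMPLE_DIR/example.com.conf"
printf '[renewalparams]\nserver = https://acme-v02.api.letsencrypt.org/directory\n' \
  > "$SAMPLE_DIR/example.net.conf"

list_servers "$SAMPLE_DIR"
dry_run_cmd
```

Run list_servers against the real /etc/letsencrypt/renewal to audit a live host; the dry-run command is only printed, so pass it a test-server URL yourself before executing it.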

The Certbot log contains the URL of the ACME server it is connecting to.

3 Likes

Also be aware that other CAs' validation requests could come from an entirely different set of geo locations.

1 Like