My Server is Geoblocked and I don't have DNS or Firewall privileges

For now :wink:


Follow-up configuration question.

Although the new certificate from ZeroSSL is working fine, I can't validate a dry run.

I've confirmed under /etc/letsencrypt/renewal/<domain>.conf that the value pair server = is still set correctly.

When I call certbot renew --dry-run it seems to throw the LetsEncrypt geoblock error message:

During secondary validation: ... Timeout during connect (likely firewall problem)

Is there a way to verify certbot is connecting to the specified server?

zerossl doesn't run own staging server


In other words the --dry-run option overrides the server setting?

I was able to confirm --force-renewal pulls a new ZeroSSL cert, where as --dry-run pulls a Let'sEncrypt geoblock error.


To use a different test server you could do:

certbot renew --dry-run --server URL

Where the URL value is the test server. The --server value must appear after the --dry-run.

The default for --dry-run is:


But, ZeroSSL does not have their own test system (google does I think and there may be others)


The Certbot log contains the URL for the ACME server it's using to connect to.


Also be aware other CAs validation requests could come from an entirely different set of geo locations.

1 Like