I would agree that using a different machine to get your certificate, then copying the certificate to the mail server is probably the best option. If you use DNS validation (as @griffin says) then you don't need to be using the same machine that hosts the service. Various ACME tools can do this; you just need to provide the script to copy the resulting certificate files to the correct place on the destination server, then restart any dependent services.
Try this instead:
sudo certbot certonly --manual --preferred-challenges dns -d "mail.ivanovoobl.ru"
Be sure to follow the instructions onscreen that will direct you to add a TXT record to your DNS zone for _acme-challenge.mail.ivanovoobl.ru with the large, random value string given to you by certbot.
Is it possible to shut down Apache just long enough to get a cert?
If so... try:
apachectl -k stop
certbot certonly --standalone -d your.mail.domain -m your.email.address
apachectl -k start
If that works, then we can get it scripted.
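The "get it scripted" step from the post above, together with the copy-the-files-and-restart-services step from the first post, as an added example (not code from this thread or from the certbot project). The hostname, contact address, destination directory and service names are assumptions to adjust; the script also assumes a certbot recent enough to speak ACMEv2, which is the real blocker later in this thread. `--pre-hook`, `--post-hook` and `--deploy-hook` are genuine certbot options, and certbot exports `RENEWED_LINEAGE` to the deploy hook:

```shell
#!/bin/bash
# Added example: renew the mail server's certificate with certbot in standalone
# mode, stopping Apache only while certbot needs port 80, then install the files
# where the mail daemons read them and reload those daemons.
# Hostname, contact, paths and service names below are assumptions.
set -eu

DOMAIN="${DOMAIN:-mail.example.invalid}"        # assumed hostname
CONTACT="${CONTACT:-admin@example.invalid}"      # assumed contact address
DEST_DIR="${DEST_DIR:-/etc/ssl/mail}"            # assumed install location
# Services that read the certificate and must be reloaded (assumption).
RELOAD_SERVICES="${RELOAD_SERVICES:-postfix dovecot}"
# Command run per service; override with "true" to test without systemd.
RELOAD_CMD="${RELOAD_CMD:-systemctl reload}"

# Copy fullchain + private key from a Let's Encrypt "live" directory into
# dest_dir, key readable only by root, renamed into place atomically so a
# daemon never reads a half-written file; then reload dependent services.
# Returns 1 if either source file is missing.
install_cert() {
    src_dir="$1"; dest_dir="$2"
    [ -r "$src_dir/fullchain.pem" ] && [ -r "$src_dir/privkey.pem" ] || {
        echo "install_cert: $src_dir lacks fullchain.pem/privkey.pem" >&2
        return 1
    }
    mkdir -p "$dest_dir"
    install -m 0644 "$src_dir/fullchain.pem" "$dest_dir/fullchain.pem.tmp"
    install -m 0600 "$src_dir/privkey.pem"   "$dest_dir/privkey.pem.tmp"
    mv "$dest_dir/fullchain.pem.tmp" "$dest_dir/fullchain.pem"
    mv "$dest_dir/privkey.pem.tmp"   "$dest_dir/privkey.pem"
    for svc in $RELOAD_SERVICES; do
        $RELOAD_CMD "$svc"
    done
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback),
# used to confirm the private key did not land world-readable.
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Standalone issuance: Apache is stopped only for the duration of the
# challenge, and the deploy hook runs only if a certificate was issued.
renew_standalone() {
    certbot certonly --standalone --non-interactive --agree-tos \
        -d "$DOMAIN" -m "$CONTACT" \
        --pre-hook  "apachectl -k stop" \
        --post-hook "apachectl -k start" \
        --deploy-hook "$0 deploy"
}

case "${1:-}" in
    renew)  renew_standalone ;;
    # certbot sets RENEWED_LINEAGE to the live/<domain> directory for the
    # deploy hook; fall back to the usual path for manual invocation.
    deploy) install_cert "${RENEWED_LINEAGE:-/etc/letsencrypt/live/$DOMAIN}" "$DEST_DIR" ;;
    *)      ;;   # no verb: just define the functions
esac
```

Run it as `./renew-mail-cert.sh renew` from cron once the manual run has succeeded; if the certificate is obtained on another machine via DNS validation instead, only the `deploy` verb is needed there, pointed at the copied `live` directory.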
In general, I got to the domain management resource, but in order to register a DNS record you have to pay a premium, and it is not known when that would happen; the certificate expires in 22 hours. Maybe there are other ideas on how to try to update PHP? A work colleague suggested updating certbot, but I doubt that it will help, because he swears by acme.
I would concern myself with obtaining a new cert before looking for:
Have you read my previous post?
I started updating a week ago, but all week I was trying to eliminate obstacles preventing the renewal of the certificate. I saw the previous post; Apache was not running, so the method did not work.
Please show the failure.
Including log entries.
I still see Apache running:
curl -Iki mail.ivanovoobl.ru
HTTP/1.1 403 Forbidden
Date: Fri, 30 Jul 2021 18:04:26 GMT
Server: Apache/2.4.10 (Debian)
Content-Type: text/html; charset=iso-8859-1
certbot certonly --standalone -d mail.ivanovoobl.ru -m it@ivanovoobl.ru
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
An unexpected error occurred:
The server experienced an internal error :: ACMEv1 is deprecated and you can no longer get certificates from this endpoint. Please use the ACMEv2 endpoint, you may need to update your ACME client software to do so. Visit End of Life Plan for ACMEv1 - #27 by jillian for more information.
Please see the logfiles in /var/log/letsencrypt for more details.
Ok I see the problem now:
Have you tried using any other ACME client?
A colleague tried to install getssl, but there were also errors; unfortunately there are no logs, it was a couple of days ago. The best option would be to update PHP, but it always writes a 404 error when executing the apt update command after adding the repository.
That is the agreed LONG-TERM solution.
You need a very quick short-term solution (NOW).
I propose that you try: acme.sh
OR any other ACME client.
[at least to just get a valid cert quickly]
Can you share the simplest manual? My experience is not enough.
I would start by installing acme.sh
See: Home · acmesh-official/acme.sh Wiki · GitHub
If that works, then we can proceed quickly from there.
What do you think, won't updating certbot help?
How would you update certbot?
Compile the source code?
It doesn't seem like anyone tried to install certbot with pip. That should work.
PyPI still has Python 2 compatible certbot versions. I don't remember when certbot went Python 3 only, but it was long after ACME v2 support.
Edit: PyPI uses the trove classifiers to respond to pip installs. When invoked under Python 2, pip should install the latest certbot that claimed to be Python 2 compatible.
I'm trying to install acme.sh; it asked me to install socat. After I issued it, I got:
mail.ivanovoobl.ru:Timeout
[Пт июл 30 23:20:09 MSK 2021] Please add '--debug' or '--log' to check more details.
[Пт июл 30 23:20:09 MSK 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh