Hello everyone, I have been trying to secure my domain recently with certbot, but have been facing issues as I do not have access to the DNS records to create TXT records for this authentication method. Is there any way to certify a website with the default HTTP challenge and have the SSL auto-renew?
Hey Bruce, thanks for the quick reply. I am familiar with most of these websites but am unsure how to translate them into steps I can take to secure my subdomain. My previous attempts on the AWS CLI seem to default to the DNS challenge, and the instructions on Certbot have seemed to direct me to bncert, which is undesirable. Could you please provide insight on how I would go about this process?
Do you need a wildcard cert? If not, you would not be limited to a DNS challenge and could use the HTTP challenge instead. Probably easier, especially as I don't see an existing plugin to automate with your DNS provider in either Certbot or acme.sh.
Why is bncert undesirable? Are you running bitnami?
I don't believe I need a wildcard cert, and yes, the default instance does come with a Bitnami stack, leading me to believe bncert would be easier. However, I had read that bncert doesn't work with IPv6, which I heard can cause issues, and the person I am working on this project for stated a preference for using Certbot. If you would recommend bncert, are there any drawbacks I should be aware of? I believe the HTTP challenge would be most desirable in this case. However, I am unsure how to complete it, as all the steps I've found online default to the DNS challenge and I can't find steps for the HTTP challenge. Could you please advise me on how I would go about this?
You showed Certbot using a manual DNS challenge. That should work, but it cannot be automated, so it must be repeated every 60 days or so. This is not advised. There are ways to automate DNS challenges, but they are often harder than HTTP challenges.
Generally, bncert works well with Bitnami. People often come here using Bitnami/Lightsail, and it works well for them.
You say you have a "python" server but right now an Apache server is responding to HTTP requests to your domain.
If Apache will be running, you could use Certbot with the --webroot method or even --apache to get the cert. Both methods are easily automated for renewals. I have just never used them on Bitnami.
The Bitnami bncert tool is specifically designed for HTTP challenges on Bitnami. I didn't recall the IPv6 limitation, which seems very strange, but maybe so. Is that an issue for you? Right now I see you only have IPv4 anyway.
Thanks for the quick reply, I'll try out the --webroot and --apache methods you've mentioned. Also, to clarify my earlier claim, this post on the Bitnami docs seems to claim it is incompatible with IPv6: Learn about the Bitnami HTTPS Configuration Tool. I am unsure if I would be allowed to continue with bncert given that this limitation could affect things in the future, but perhaps I can ask the person I am building this for.
Sorry for the late response. To elaborate further, I've tried both the --webroot and --apache methods (although perhaps I'm using them wrong), but I've gotten varying errors that I hope someone here can shed light on. I have determined my project's webroot to be the following
Would you be willing to try bncert and see if it works for you?
The last I remember is that there is something distinctive about Bitnami installations (maybe the name of some configuration files or scripts?) that is unusual relative to the default Apache installation and made certbot --apache not work properly.
Maybe sometime I should look into this further and propose a patch either to make Certbot work better with Bitnami Apache or to make it detect it and give an error message recommending the use of bncert.
bncert should be fine, but Certbot --webroot should work too. webroot just places a challenge token file in a folder and does not directly reload the web server like the --apache plugin does.
Your try may have worked had you entered the options differently. Try
I'm not sure if this error sheds any light or if Certbot is just incompatible with Bitnami apache at this point, so I may have to settle on bncert in the worst case scenario.
If not, I say we stick a "fork" in it!
One that can send ACME challenge requests to the ACME client [on a unique port] and also send the rest of the HTTP requests to Bitnami [on some other unique port].
I'm not either. On other distros a 404 just means the -w folder on the Certbot command did not match the DocumentRoot for the VirtualHost in Apache.
I suggested that value as you showed a grep of your VirtualHosts and that was the only value shown. Maybe that was a bad assumption. You could check your DocumentRoot manually and, if it differs from what we tried, retry with the DocumentRoot folder.
But, yeah, bncert was designed for Bitnami with the known restriction of no wildcard cert and the IPv6 thing (which seems odd, but okay).
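To check the 404 theory above before running Certbot again, this added script (not from the thread) does by hand what --webroot does: it drops a throwaway token under `<webroot>/.well-known/acme-challenge/` and fetches it over plain HTTP the way the Let's Encrypt validator would. DOMAIN and WEBROOT are placeholders you supply; curl is assumed to be installed.

```shell
#!/bin/sh
# Added example: confirm the -w directory is the one Apache actually serves.
# Usage: sh check_webroot.sh DOMAIN WEBROOT   (both are placeholders you set)
set -u

# Write a throwaway token where certbot would put the real one; print its path.
place_token() {
    webroot=$1; token=$2; content=$3
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf '%s' "$content" > "$dir/$token"
    printf '%s\n' "$dir/$token"
}

# Fetch the token over HTTP on port 80, as the ACME validator does.
fetch_token() {
    domain=$1; token=$2
    curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token"
}

# Returns 0 when the served body matches the file we wrote. Anything else
# means -w and the VirtualHost's DocumentRoot do not line up (the 404 case).
check_webroot() {
    domain=$1; webroot=$2
    token="probe-$$"; content="webroot-check-$$"
    path=$(place_token "$webroot" "$token" "$content")
    got=$(fetch_token "$domain" "$token") || got=""
    rm -f "$path"
    [ "$got" = "$content" ]
}

if [ "${1:-}" ]; then
    if check_webroot "$1" "$2"; then
        echo "OK: $2 is served for $1; certbot --webroot -w $2 -d $1 should pass"
    else
        echo "MISMATCH: set -w to the VirtualHost DocumentRoot (grep DocumentRoot in the Apache conf)"
    fi
fi
```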
Thanks for the response, to be honest I'm quite new to this all so I'm not sure if I would need port 80 down the line. What are the drawbacks to this method and how would I go about sticking a "fork" in it?
Step #1: Find the Bitnami bindings and move HTTP from 80 to some other unused number [81, 88, 8000, 8080, etc.].
Step #2: Install a web server [to be used solely as an HTTP proxy]. I'd recommend using nginx.
Something like "sudo apt install nginx" should do the trick.
Step #3: Configure nginx to:
[that part requires knowing which specific unique ports will be used for each - recall nginx would now be the only one using port 80]
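Putting steps 1 to 3 together, here is an added example (not from the thread) that writes the nginx "fork" config: nginx alone listens on 80, sends only /.well-known/acme-challenge/ to the ACME client, and proxies everything else to the Bitnami Apache that step 1 moved off port 80. The domain, the ACME client port (8888) and the Bitnami port (8080) are placeholders chosen here; the config path /etc/nginx/conf.d/acme-fork.conf is also an assumption.

```shell
#!/bin/sh
# Added example: generate and install the nginx split for the "fork" approach.
# Usage: sudo sh fork.sh DOMAIN ACME_PORT BITNAMI_PORT  (e.g. example.com 8888 8080)
set -u

# Print the server block for DOMAIN, ACME_PORT and BITNAMI_PORT to stdout.
render_fork_conf() {
    domain=$1; acme_port=$2; bitnami_port=$3
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $domain;

    # Only the challenge path reaches the ACME client, and only while it runs.
    location /.well-known/acme-challenge/ {
        proxy_pass http://127.0.0.1:$acme_port;
        proxy_set_header Host \$host;
    }

    # Everything else is the normal site, still served by Bitnami Apache.
    location / {
        proxy_pass http://127.0.0.1:$bitnami_port;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
}

# Write the config, validate it, and reload nginx. Run as root.
install_fork_conf() {
    domain=$1; acme_port=$2; bitnami_port=$3
    target=/etc/nginx/conf.d/acme-fork.conf   # assumed path, adjust to your distro
    render_fork_conf "$domain" "$acme_port" "$bitnami_port" > "$target"
    nginx -t && systemctl reload nginx
}

if [ "${1:-}" ]; then
    install_fork_conf "$1" "$2" "$3"
fi
```

With that in place, Certbot's standalone plugin can answer on the forked port (`certbot certonly --standalone --http-01-port 8888 -d example.com`), and `certbot renew` reuses those settings, so port 80 stays with nginx and renewals need no manual step.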