Please fill out the fields below so we can help you better.
My domain is: silicontrip.net
I ran this command: sudo /Users/mark/.local/share/letsencrypt/bin/certbot certonly --webroot -w /Library/Webserver/Documents -d mx.silicontrip.net
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mx.silicontrip.net
Using the webroot path /Library/Webserver/Documents for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mx.silicontrip.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to mx.silicontrip.net
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My web server is (include version): not for a web server
The operating system my web server runs on is (include version): OSX 10.5 PPC
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The --webroot method is only for web servers. If you’re not obtaining a certificate for a web server, you shouldn’t use --webroot. (If you can tell me where you got the suggestion to use --webroot in this case, maybe we can modify the documentation or ask someone else to modify it to make this point clearer.)
If you’re trying to get a certificate on a machine that can receive connections on port 80 but that normally doesn’t run a web server on port 80, you can use certbot certonly --standalone --preferred-challenges http-01 -d mx.silicontrip.net. If it can receive connections on port 443 but normally doesn’t run a web server on port 443, you can use certbot certonly --standalone --preferred-challenges tls-sni-01 -d mx.silicontrip.net. In both cases, you should omit -w because -w only makes sense with --webroot, which only makes sense when running a web server.
mx.silicontrip.net is not running port 80, but is running port 443:
subject=/CN=mx.silicontrip.net
issuer=/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G3
So maybe tls-sni is an option for it.
silicontrip.net is running both 80 and 443:
subject=/OU=Domain Control Validated/OU=Free SSL/CN=silicontrip.net
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
Gee you guys are quick. I was in the middle of editing my post as I didn’t see anywhere to ask my question and didn’t expect it to post. But you’ve got the gist of it.
Port 443 on my mail server is actually a port forward to port 465 to get around stubborn firewalls that block mail server traffic.
If I want to listen on port 80, I’ll have to contact my ISP to put in a temporary rule to allow port 80 to that host.
But I have other devices that need certificates, whose web content I don’t have control over and on which I cannot run certbot. Is there a way I can request certificates for subdomains of my domain?
Currently the widest support for different DNS providers’ APIs for using the DNS challenge is found in the acme.sh client. Certbot is working on adding more of these too.
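Both the http-01 / standalone advice above and the DNS-challenge suggestion in this reply come down to the same mechanism: the ACME client proves control by publishing a value derived from the challenge token and its account key, and the CA fetches that value (over port 80 for http-01, or from a `_acme-challenge` TXT record for dns-01, which needs no port open on the device at all). The script below is an added illustration, not code from certbot or acme.sh, that computes those expected values per RFC 8555 and RFC 7638 so an operator can check what a client should have published before the CA tries. The JWK and token are constructed sample values, not real keys. (The tls-sni-01 challenge mentioned earlier has since been retired by Let's Encrypt, so only http-01 and dns-01 are shown.)

```python
import base64
import hashlib
import json
from typing import Tuple

# Constructed sample account key (NOT a real key) and challenge token, used only
# so the computation below can be run offline.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "constructed-modulus-not-a-real-key",
    "alg": "RS256",        # optional member; must NOT affect the thumbprint
}
SAMPLE_TOKEN = "constructed-token-evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    serialised as JSON with keys in lexicographic order and no whitespace."""
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(thumbprint of account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_expected(domain: str, token: str, jwk: dict) -> Tuple[str, str]:
    """URL the CA fetches over plain HTTP (port 80) and the body it expects."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_expected(domain: str, token: str, jwk: dict) -> Tuple[str, str]:
    """TXT record name and value: base64url(SHA-256(key authorization)).
    This is what lets a device with no reachable port 80 still get a certificate,
    provided the DNS zone can be updated (by hand or via a provider API)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def http01_body_matches(served_body: str, token: str, jwk: dict) -> bool:
    """Check a served challenge file against the key authorization.
    RFC 8555 section 8.3 says the CA should ignore trailing whitespace,
    so a trailing newline is tolerated but any other difference is not."""
    return served_body.rstrip() == key_authorization(token, jwk)


if __name__ == "__main__":
    domain = "mx.silicontrip.net"
    url, body = http01_expected(domain, SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"http-01: GET {url}\n         body must be {body}")
    name, value = dns01_expected(domain, SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"dns-01:  {name}  TXT  \"{value}\"")
```

Run it as-is to see the two forms of the same proof; with a real client, substitute the token the CA issued and the account key's public JWK. Because the dns-01 value is a hash of the key authorization, it reveals nothing about the account key and can be published on a zone the operator controls even when the device itself is unreachable.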