Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: *.g-wiz.org
I ran this command: I haven't yet - this is what I'm trying to figure out.
It produced this output: n/a
My web server is (include version): Nginx 1.18.0
The operating system my web server runs on is (include version): Ubuntu 20.04 LTS
My hosting provider, if applicable, is: Self-Hosted
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Will be using certbot
For a wildcard certificate, for the time being, you'll need to use the dns-01 challenge. You can read more about challenges on the Let's Encrypt documentation: https://letsencrypt.org/docs/challenge-types/
What DNS software/provider are you using? If using Certbot, you'll either need to use one of the DNS Plugins or somehow write your own manual auth hooks to update your DNS server with the challenge values.
Last time a buddy and I did this, we did it manually; I just don't remember how. Now I'm here to learn it.
I tried reading the documentation, and ended up confusing myself thoroughly.
I figured I'd get a bit of guidance first, and then see if my command looks correct, then give it a try. Asking questions as I go. But at first I just didn't know where to start (well, short of I have certbot installed and ready to go).
You can also consider changing your DNS provider to one that offers an API that works with an automated Let's Encrypt client such as Certbot or acme.sh, or using an authentication subdomain via CNAME record (which is also part of a common way of using acme-dns). This is sort of in-between doing everything manually and running your own acme-dns instance.
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the certificate.
certbot: error: unrecognized arguments: --dns-cloudflare-credentials /home/xxxxxxxxxxx/.secrets/certbot/cloudflare.ini
If you’d like to obtain a wildcard certificate from Let’s Encrypt or run certbot on a machine other than your target webserver, you can use one of Certbot’s DNS plugins.
These plugins are not included in a default Certbot installation and must be installed separately. While the DNS plugins cannot currently be used with certbot-auto, they are available in many OS package managers, as Docker images, and as snaps. Visit https://certbot.eff.org to learn the best way to use the DNS plugins on your system.
Yes, the path is correct. Home directory, then subdirectory .secrets/certbot filename cloudflare.ini
And to triple-check...
sudo cat ~/.secrets/certbot/cloudflare.ini
gives me (with the actual token information changed out):
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = xxx123456789abcdef123456789abcdef000
I'm going to take a read through the new page you linked to me, and see what I can learn from that... well, and get some sleep too. Thank you for your continued help and patience.
I'm pretty sure you can't combine a certbot installed through apt with a plugin installed through snap. I recommend removing certbot installed by apt.
I'm not familiar with snap, but I assume installing the CloudFlare DNS plugin through snap should have also installed the certbot snap as a dependency. If that is the case, you should be able to keep using certbot regularly even if you have removed the certbot version from apt.
Okay... Fixed SOME things, but still not my base issues.
To clear the "Release does not have a Release file" / Repository issue... I issued the following:
sudo apt-add-repository -r ppa:certbot/certbot
Then I attempted to update, and had no luck updating past the 0.40.0 version.
So I uninstalled certbot altogether (I was using the bare-metal version).
This time, I followed the instructions on the website ( https://certbot.eff.org/lets-encrypt/ubuntufocal-nginx.html ), and just installed the dang snap for it. I had to remove and then re-install the Cloudflare plugin to accomplish this successfully, but I got it in with no errors.
Certbot is now version certbot 1.9.0
Still generating that same error message about "unrecognized arguments" when attempting to get certificates though.
Osiris, Thank you for that additional information. I hadn't thought of that, but did run into issues that led me down the removing apt/bare metal and just installing via snaps.
Glad to know that I can still stumble along when given my own devices.
Thanks again Osiris. It sure didn't have the cloudflare plugin installed. And when I got it installed... I think it worked. I have valid certificates now, anyhow!
But I do have one question... Is the following message normal, part of it was in red (I bolded that part):
Performing the following challenges:
dns-01 challenge for g-wiz.org
Unsafe permissions on credentials configuration file: /home/xxxxxxxxxx/.secrets/certbot/cloudflare.ini
Waiting 60 seconds for DNS changes to propagate
No, it isn't. Normally, certbot runs as root. Sensitive information such as keys/tokens should not be accessible to other users. You should check the permissions of your cloudflare.ini file to be only readable by root, or by the user running certbot if it isn't root.
Although I would assume the .secrets directory to be sufficiently restricted? Not sure what actually triggers this warning though, but if .secrets is secure, so is the content I presume:
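Certbot's "Unsafe permissions on credentials configuration file" warning is driven by the mode bits of the credentials file itself, so a private `.secrets` directory on its own does not satisfy it. The following added example (not from the thread or from Certbot) checks the file the way a practitioner would before running the dns-cloudflare plugin, fixes it, and refuses to invoke certbot while the plugin is not visible (which is exactly when the `--dns-cloudflare-*` flags come back as "unrecognized arguments"). It assumes GNU or BSD `stat`; the path and domain in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: verify and repair the permissions that
# trigger certbot's "Unsafe permissions on credentials configuration file"
# warning, then run the wildcard issuance only once the preflight passes.
set -eu

# Print the octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when FILE is a regular file that grants nothing to group or other
# (0600 or 0400). Anything else is a finding, reported on stderr.
creds_ok() {
    f="$1"
    [ -f "$f" ] || { echo "missing or not a regular file: $f" >&2; return 1; }
    m=$(mode_of "$f")
    m=$(printf '%s' "$m" | sed 's/^.*\(...\)$/\1/')   # keep the rwx triplet only
    case "$m" in
        ?00) return 0 ;;
        *)   echo "group/other bits set on $f (mode $m); certbot will warn" >&2; return 1 ;;
    esac
}

# Close the directory to everyone else and the file to its owner, then re-check.
# The directory step is defence in depth; the file step is what silences the warning.
harden_creds() {
    f="$1"
    chmod 700 "$(dirname "$f")"
    chmod 600 "$f"
    creds_ok "$f"
}

# Preflight plus issuance. `certbot plugins` lists the plugins this certbot can
# load; if dns-cloudflare is absent (e.g. apt certbot with a snap plugin), the
# --dns-cloudflare-* flags are rejected, so stop before that happens.
# Example call: issue_wildcard /root/.secrets/certbot/cloudflare.ini g-wiz.org
issue_wildcard() {
    creds="$1"; domain="$2"
    if ! certbot plugins 2>/dev/null | grep -q 'dns-cloudflare'; then
        echo "dns-cloudflare plugin is not visible to this certbot" >&2
        return 1
    fi
    creds_ok "$creds" || return 1
    certbot certonly --dns-cloudflare \
        --dns-cloudflare-credentials "$creds" \
        --dns-cloudflare-propagation-seconds 60 \
        -d "$domain" -d "*.$domain"
}
```

Run `harden_creds` once as the user certbot runs as (root, for a snap install), then `issue_wildcard`; the same `creds_ok` check is worth keeping in any renewal wrapper, because a later copy or editor save can reintroduce world-readable bits on a file that holds a live API token.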