Simply obtain some files to get a certificate

Then we have two different definitions of "anchor".

Show us the log files and we can better understand what is happening.

6 Likes

Interesting.
Whoever may generate a certificate must know that address (URI). Of course. But to give it to a discussion here is… well, out of discussion.

me: But where, how, to get that «first certificate» (as a new seed) since there only does exist an outdated one? In fact no tool can verify anything which does not exist (no longer exists). Where to get an anchor?
My ‹anchor› may be a seed to a new series of certificates… As you prefer this idea.

I must re-initiate the process, but not today, to get such a log.

But… You may tell me using tool X step by step, buttons to press, entries to do and so on. Then we get the described message that a verification file obviously can not be found, read, loaded, whatever. But my stupid browser can load and display it.
Do you think a log file tells us why, besides just that something went wrong? So many logs I read did exactly that - ›does not work‹ but no ›does not work because …‹.

For today AFK
Eric March

I don't think you understand. Anyone can search the CT logs. It is possible to search for all new certs if you want (and some harvesters likely do). See https://crt.sh as just one example. Or, Let's Debug Cert Search

There is no hiding of your domain name when using a public CA that is CT log compliant.

And, frankly, all public IP addresses are scanned regularly by sources kind and otherwise. Trying to hide is a futile exercise. Hardening is the best approach.

5 Likes

Why would you need a valid cert in order to get a new cert?
That would create a "catch-22" situation.
OR as some refer to it: "Chicken-Egg problem"

For HTTP-01 authentication, no cert is required.
If HTTP is redirected to HTTPS, then any cert [even an expired or self-signed cert] will work for authentication.
For DNS-01 authentication, there is no access required to the web site - no cert is ever used.

5 Likes

Suddenly I got a hint. Is your web site open to the public or restricted by a firewall? If it is restricted by a firewall then the HTTP-01 (and ALPN-01) process won't apply to you. For HTTP-01 to work, port 80 must not be firewalled (but the whole site is allowed to be restricted by Apache Require/Deny statements, as long as only the URL /.well-known/acme-challenge/ is open to the public).

But you also told me you are using DynDNS, then the DNS-01 process doesn't apply to you either (because you cannot put a TXT record).

If both validation methods are not available to you, then you simply cannot obtain a certificate from Let's Encrypt.

3 Likes

You DON'T NEED to have an old certificate on port 443. The HTTP validation process happens on port 80 (plain text HTTP). You have to open port 80 to the public. (HTTP-01 validation is allowed on port 80 only, an alternative port is not allowed. Open to all IP addresses, not firewalled.)

4 Likes
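What the CA's validator actually does at this step, as an added example that is not code from this thread, from Certify The Web, Certbot or Let's Encrypt: it connects to port 80 over plain HTTP, requests /.well-known/acme-challenge/<token>, follows any redirect (a hop to HTTPS with an expired or self-signed certificate is tolerated), and compares the body with the expected key authorization. The script below reproduces that check so it can be run before asking for a certificate. The local server, document root, token and account thumbprint are constructed stand-ins so it runs offline; the `port` parameter exists only because the demo cannot bind port 80 unprivileged, a real validator always starts at port 80.

```python
"""HTTP-01 reachability check, the way a CA validator sees it.

Added example for this thread, not code from Certify The Web, Certbot or
Let's Encrypt.  The validator fetches
    http://<host>/.well-known/acme-challenge/<token>
over plain HTTP on port 80, follows redirects (a hop to HTTPS may present an
expired or self-signed certificate without failing the check), and compares
the body with the expected key authorization.  The local server, token and
thumbprint in demo() are constructed stand-ins so the script runs offline.
"""
import functools
import http.server
import os
import ssl
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def check_http01(host, token, key_authorization, port=80, timeout=10.0):
    """Fetch the challenge file as a validator would and report what it saw.

    `port` exists only so the offline demo can use an unprivileged port; a real
    CA only ever connects to port 80 for the first hop.
    """
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    report = {"url": url, "status": None, "ok": False, "reason": ""}
    # Mimic the validator's leniency on a redirected HTTPS hop: the certificate
    # there is not validated, so an old cert on 443 does not break renewal.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            report["status"] = resp.status
            report["final_url"] = resp.geturl()
            body = resp.read(4096).decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as exc:
        report["status"] = exc.code
        report["reason"] = (f"HTTP {exc.code}: the web server answered but did not "
                            "serve the file (wrong document root, wrong file name, "
                            "or the path is blocked by a Require/Deny rule)")
        return report
    except (urllib.error.URLError, OSError) as exc:
        report["reason"] = f"no HTTP answer on port {port}: {exc} (firewall or router?)"
        return report
    if body != key_authorization:
        report["reason"] = "file served, but its content is not the expected key authorization"
        return report
    report["ok"] = True
    return report


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output quiet
        pass


def demo():
    """Constructed scenario: a throwaway document root standing in for xampp\\htdocs."""
    token = "constructed-token-9f2c"                      # a real token comes from the CA's order
    key_auth = token + ".constructed-account-thumbprint"  # real value: token '.' JWK thumbprint of the account key
    with tempfile.TemporaryDirectory() as docroot:
        challenge_path = os.path.join(docroot, *CHALLENGE_DIR.split("/"))
        os.makedirs(challenge_path)
        with open(os.path.join(challenge_path, token), "w") as fh:
            fh.write(key_auth)  # the file is named after the token, not after the domain
        handler = functools.partial(_QuietHandler, directory=docroot)
        server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        port = server.server_address[1]
        try:
            return {
                "good": check_http01("127.0.0.1", token, key_auth, port=port),
                "missing": check_http01("127.0.0.1", "no-such-token", key_auth, port=port),
                "wrong_content": check_http01("127.0.0.1", token, "some-other-value", port=port),
            }
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for name, rep in demo().items():
        print(f"{name:14} status={rep['status']} ok={rep['ok']} {rep['reason']}")
```

Run it from a machine outside the LAN with `check_http01("your.host.name", token, key_auth)` and the default port: a 404 or 403 means the web server is reachable but the file is not where it looks for it (or is blocked), while a connection error points at the firewall or router, which no certificate on port 443 can fix.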

@Eric_March it's probably unintentional just because you're frustrated with the process, but it feels like you've come here to complain about how hard you find certificates are to set up using ACME, which is why some responses are not that helpful. This is often a symptom of not being motivated towards getting/understanding a good solution; instead you just want it to work and you don't want to know all the details, which is understandable but not something that's easy to achieve and can be counterproductive.

Getting a certificate requires that you can prove you control your domain every time you renew, and with automated certs using ACME (let's encrypt etc) that typically requires either HTTP validation (serving a verification file on your web server) or DNS validation (serving a TXT record on your DNS).

Where things are even more complicated for you is you are using Apache, which is not as well integrated on Windows as IIS is. If you were using IIS both win-acme and Certify The Web could get and apply a cert just by selecting your website (assuming the hostname is already set in an IIS binding) and they would use http validation to prove you control the domain, as long as http access to your site already works.

Apache is a little more complex because it requires manual or automated updates to the apache config, filesystem updates to copy the latest verification file etc. Certbot has a built in option for apache and as far as I know that should work even on Windows, but I'm not the certbot expert.

You mentioned TXT and I'm not sure if you have tried DNS validation yet? If so, consider trying the acme-dns option in whichever client you prefer (on first use you will be prompted to create a CNAME record in DNS, then the acme-dns service will answer the challenge for you on each renewal). The benefit of DNS validation over http validation is you don't need http access or to configure your web server to serve the verification file if you're finding that problematic.

7 Likes

I was asked for a protocol…
Due to some issues I assumed my router tackles access from internal, which may be a conflict. Now trying all from a machine outside of that LAN. (I could view an image from here, outside, but the same URI from inside was tackled by the router…)

So again I used CertifyTheWeb and followed the instructions. Place a file «_acme-challenge.xxxxx.dynv6.net» (same provider as the planned server) into… well, root or not uncommon [xampp\htdocs].well-known\acme-challenge. I did, set in code by a simple plain text editor.
«No TXT record found at _acme-challenge.xxxxx.dynv6.net Forbidden urn:ietf:params:acme:error:unauthorized
2023-05-02 06:38:07.033 +02:00 [INF] Validation of the required challenges did not complete successfully. Domain validation failed: xxxxx.dynv6.net»
Well, if I use from here, outside, «https://xxxxx.dynv6.net/_acme-challenge.xxxxx.dynv6.net» my very best friend Firefox tells me of a security risk, automatically on to open HTTPS but not HTTP. (deadlock??) If I confirm risking that risk I get the content of my validation file. OK, https was a mistype of mine brought in by copy-paste.
And, giving http:/xxxxx.dynv6.net/.well-known/acme-challenge/_acme-challenge.xxxxx.dynv6.net I got immediate access to the content of my file, Firefox and Opera.
So, what to be forbidden, what not to be found by whom?

Note, I’m at work. And if my request relies to work, I must stop responding until back in my home office. Well, so far the weather is fine, so I will insert an additional shift with the lawn mower, so I may be back at the keyboard in the late afternoon (CEST).

Eric March

Based on the error message, you have incorrectly selected DNS verification, while you should be using HTTP verification.

Please see the section “Automated HTTP Challenge Response” on how to perform HTTP verification.

4 Likes

Hi :slightly_smiling_face:

If you want a really do-it-yourself ACME client that uses a web-page interface, here you go. It's tedious to use, but I can absolutely assure you that it works. You do not need to install ANY software on ANY machine you control. You just work with your own CSR and private key, both of which you generate yourself (for example using OpenSSL or LibreSSL).

https://gethttpsforfree.com/

4 Likes

Yes as @leeyc0 noted you have chosen (manual) DNS validation, it's asking you to create a TXT record in your domain DNS called _acme-challenge with the value shown.

You could try DNS validation if you want to, but if you actually want to use HTTP validation instead then in the Authorization tab select Challenge Type: http-01 and set the Site Root directory to be the root of your Apache website - the app will then create a folder during tests/requests called /.well-known/acme-challenge/ with the verification files. Clicking "Test" will let it do a test of creating the files and seeing if it can fetch them via http. If that's ok, select Request Certificate to attempt an order.

Once you have a certificate you will want to export it so that Apache can use it, and for that you would add a Deploy to Apache task on the Tasks tab, and under Task Parameters set the full file paths you want for your fullchain.pem and privkey.pem (you can call these files anything you want; full chain is your certificate plus the intermediates it depends on). If you then save that and click the ▶ next to the task it will run and export the files.

In your Apache config you will need to point it to the correct file paths for SSLCertificateFile and SSLCertificateKeyFile; example syntax is here: Mozilla SSL Configuration Generator. Then you will want to restart Apache for it to pick up the files. If you get errors loading Apache then the files are likely pointing to the wrong place.

Certbot has much more integration for Apache so theoretically that should have worked better/more easily, but distributions like XAMPP can be a bit non-standard and its integrations may not be compatible with that.

6 Likes
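A preflight for the "errors loading Apache" case above, as an added example that is not Certify The Web's deploy task and not Apache's own configuration parser: it scans an httpd .conf text for <VirtualHost> blocks, resolves each SSLCertificateFile / SSLCertificateKeyFile (and SSLCertificateChainFile) path, and checks that the file exists and holds the PEM type that directive expects, so a wrong path or swapped files is caught before the restart. The host names, paths and PEM bodies in demo() are constructed placeholders, not real keys or certificates.

```python
"""Preflight for Apache's SSLCertificateFile / SSLCertificateKeyFile paths.

Added example for this thread; it is not Certify The Web's deploy task and not
Apache's own config parser.  It scans an httpd .conf text for <VirtualHost>
blocks, resolves the certificate/key file paths, and checks that each file
exists and holds the PEM type the directive expects, so "Apache won't start
after the certificate change" is caught before the restart.  Everything in
demo() (host names, paths, PEM contents) is constructed.
"""
import os
import re
import tempfile

VHOST_RE = re.compile(r"<VirtualHost\b([^>]*)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(
    r'^\s*(SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile)\s+'
    r'(?:"([^"]*)"|(\S+))', re.M | re.I)
CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
KEY_BLOCK = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
CANON = {"sslcertificatefile": ("SSLCertificateFile", "cert"),
         "sslcertificatechainfile": ("SSLCertificateChainFile", "cert"),
         "sslcertificatekeyfile": ("SSLCertificateKeyFile", "key")}


def inspect_pem(path, expect):
    """Return a string starting with 'ok' or a problem description for one file."""
    if not os.path.isfile(path):
        return f"missing: {path}"
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    if expect == "cert":
        n = len(CERT_BLOCK.findall(text))
        if n == 0:
            return "no CERTIFICATE block; is this the key file?"
        if n == 1:
            return "ok, but a single certificate: no intermediates, clients may fail to build the chain"
        return f"ok ({n} certificates: leaf plus intermediates)"
    if not KEY_BLOCK.search(text):
        return "no PRIVATE KEY block; is this the certificate file?"
    if "ENCRYPTED PRIVATE KEY" in text:
        return "key is passphrase-protected; Apache cannot load it unattended"
    return "ok"


def preflight(conf_text, server_root=""):
    """Check every SSL file directive per <VirtualHost>; relative paths resolve against server_root."""
    results = []
    for vhost in VHOST_RE.finditer(conf_text):
        name, body = vhost.group(1).strip(), vhost.group(2)
        checks = {}
        for d in DIRECTIVE_RE.finditer(body):
            directive, expect = CANON[d.group(1).lower()]
            path = d.group(2) if d.group(2) is not None else d.group(3)
            # Apache accepts forward slashes on Windows as well; normalise either style.
            path = os.path.normpath(os.path.join(server_root, path))
            checks[directive] = inspect_pem(path, expect)
        if not checks:
            continue  # a plain HTTP vhost, nothing to verify
        for required in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            checks.setdefault(required, f"{required} not set in this vhost")
        results.append({"vhost": name, "checks": checks,
                        "ok": all(v.startswith("ok") for v in checks.values())})
    return results


def demo():
    """Constructed config and PEM files: the PEM bodies are placeholders, not real keys or certs."""
    fake_cert = "-----BEGIN CERTIFICATE-----\nConstructedPlaceholderNotARealCert==\n-----END CERTIFICATE-----\n"
    fake_key = "-----BEGIN PRIVATE KEY-----\nConstructedPlaceholderNotARealKey==\n-----END PRIVATE KEY-----\n"
    with tempfile.TemporaryDirectory() as root:
        certs = os.path.join(root, "certs")
        os.makedirs(certs)
        with open(os.path.join(certs, "fullchain.pem"), "w") as fh:
            fh.write(fake_cert * 2)  # leaf plus one intermediate
        with open(os.path.join(certs, "privkey.pem"), "w") as fh:
            fh.write(fake_key)
        conf = f'''
<VirtualHost *:443>
    ServerName good.example.test
    SSLEngine on
    SSLCertificateFile "{certs}/fullchain.pem"
    SSLCertificateKeyFile "{certs}/privkey.pem"
</VirtualHost>
<VirtualHost *:443>
    ServerName broken.example.test
    SSLEngine on
    SSLCertificateFile "{certs}/privkey.pem"
    SSLCertificateKeyFile "{certs}/does-not-exist.pem"
</VirtualHost>
'''
        return preflight(conf)


if __name__ == "__main__":
    for entry in demo():
        print(entry["vhost"], "ok" if entry["ok"] else "PROBLEM", entry["checks"])
```

Feed it the real httpd-ssl.conf text and the ServerRoot Apache uses (under XAMPP the paths in the config are usually absolute, so server_root can stay empty). The check is structural only: it does not prove the private key belongs to the certificate, which needs a comparison of the public keys (for example with openssl x509 -noout -pubkey against openssl pkey -pubout).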

If (if…) I shall create a CSR - how? And, quite more important, how to literally handle this? It must be delivered to an institution to create a certificate. IMHO - load a website, upload 2 files, get back material to create a CRT or PEM or whatever.

Sounds easier to me, old guy, manual work. But if I find time I will see to try http-01 and observe.

But for now, something came in between. So I just found some minutes for this quick reply.

Eric March

1 Like

With ACME, you always need two different private keys. One for the ACME account and another for the CSR/certificate itself. The website I gave you before (gethttpsforfree) walks you through the entire complex process on the most basic level possible.

5 Likes
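The two keys named above, and the CSR the website asks for, produced with the openssl command line. This is an added example, not the steps from gethttpsforfree.com and not any client's code; it assumes `openssl` (1.1.1 or newer, for -addext) is on PATH and returns None otherwise. Key sizes and file names are choices made here, and the host name is the redacted one from this thread. The account key is the one that signs every request to the CA (the JWS envelope; the "JWS verification error" quoted later in the thread is the CA's check of that signature failing), while the domain key is what the CSR is signed with and what Apache later loads as SSLCertificateKeyFile.

```python
"""The two private keys an ACME order needs, and the CSR, via the openssl CLI.

Added example for this thread; not the steps on gethttpsforfree.com and not
any client's code.  Assumes `openssl` (1.1.1 or newer, for -addext) is on
PATH; make_acme_material() returns None when it is not.  Key sizes and file
names are choices made here; the host name is the thread's redacted one.
"""
import os
import shutil
import subprocess
import tempfile


def _openssl(args, cwd):
    """Run one openssl command in cwd; a non-zero exit raises CalledProcessError."""
    return subprocess.run(["openssl", *args], cwd=cwd, capture_output=True,
                          text=True, check=True).stdout


def make_acme_material(workdir, hostname):
    if shutil.which("openssl") is None:
        return None
    # Key 1: the ACME *account* key.  It signs every request to the CA (the JWS
    # envelope) and proves "this is the same account as last time".  It never
    # goes into the CSR and is not what Apache loads.
    _openssl(["genrsa", "-out", "account.key", "2048"], workdir)
    # Key 2: the *certificate* key.  Its public half is what the CA certifies;
    # the private file is the one Apache's SSLCertificateKeyFile points at.
    _openssl(["genrsa", "-out", "domain.key", "2048"], workdir)
    # The CSR is signed with the certificate key and names the host in the SAN.
    _openssl(["req", "-new", "-sha256", "-key", "domain.key",
              "-subj", f"/CN={hostname}",
              "-addext", f"subjectAltName=DNS:{hostname}",
              "-out", "domain.csr"], workdir)
    # Sanity checks before uploading the CSR: its self-signature verifies, its
    # public key is the certificate key's, and the two keys are not the same.
    _openssl(["req", "-in", "domain.csr", "-noout", "-verify"], workdir)
    account_pub = _openssl(["rsa", "-in", "account.key", "-pubout"], workdir)
    domain_pub = _openssl(["rsa", "-in", "domain.key", "-pubout"], workdir)
    csr_pub = _openssl(["req", "-in", "domain.csr", "-noout", "-pubkey"], workdir)
    return {
        "account_key": os.path.join(workdir, "account.key"),
        "domain_key": os.path.join(workdir, "domain.key"),
        "csr": os.path.join(workdir, "domain.csr"),
        "csr_signature_ok": True,  # -verify would have raised otherwise
        "keys_distinct": account_pub.strip() != domain_pub.strip(),
        "csr_uses_domain_key": csr_pub.strip() == domain_pub.strip(),
    }


def demo():
    """Build the material in a throwaway directory and report the checks."""
    with tempfile.TemporaryDirectory() as workdir:
        result = make_acme_material(workdir, "xxxxx.dynv6.net")
        if result is not None:
            result["files"] = sorted(os.listdir(workdir))
        return result


if __name__ == "__main__":
    print(demo())
```

Only domain.csr (and, on the website, the public part of the account key) ever leaves the machine; both .key files stay private, and after the order only domain.key is referenced from the Apache configuration.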

Maybe by using the commands given on the page you were given? It tells you exactly what to do.

As I and others have repeatedly told you, if this is the experience you want, Let's Encrypt is not the CA for you. There are lots of other CAs out there; surely you can select one that better fits your needs.

7 Likes

Step 1 - o.k.
Step 2 - fine.
Step 3 - «Error: Account registration failed. Please start back at Step 1. { "type": "urn:ietf:params:acme:error:malformed", "detail": "JWS verification error", "status": 400 }»
And, yes, I really think I’d followed the instructions on a command line - using as displayed the account.key, where I wonder about the used variable PRIV_KEY.

Anyway, this procedure also fails - or I have the evil eye…

Eric March

Try clicking to show "how do I do this?"

each of the three places on Step 3

Example

I am doing this on Windows 10 Firefox 112.0.2 (64-bit).

3 Likes

Of course I tried. And I do not find declared using account.key or private.key, both created in the steps above.
Command works, delivering output starting (stdin)= …, but I get that error.

Eric March

So you are saying you did this from Step 1, correct?

3 Likes

Also please share the output of openssl version

And the web browser (and the OS it is running on) that you are accessing https://gethttpsforfree.com/ with.

3 Likes

That is true for you, but is not necessarily true of other new community members.

3 Likes