[SOLVED] How does letsencrypt work exactly?


#1

Hi all,

Very, very good initiative!

My domain has just been whitelisted. So what can I do now? I’ve tried to run letsencrypt-auto, but without success…

I have tried to run it on my desktop and on a VPS with full internet access. I always get this error:

Failed authorization procedure. host.domain.tld (tls-sni-01): unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge

Do I have to run letsencrypt from the server where the subdomain is installed? I see that I have to shut down any running Apache instance, but I can’t do that on my production server.

Do I have to configure something in my DNS zone file?

I’m a bit lost. I don’t know what I have to do in order to get it working.

Any help would be appreciated
Thanks
Nico


#2

Read the email where you have been notified that your domain has been whitelisted carefully.
I suggest the webroot plugin in your case.


#3

Thanks, Moepl

I think I have read the email carefully, but maybe I’ve missed something. I’m a French user, and maybe I have misunderstood the mail :frowning:

If I understand correctly, with the webroot plugin I have to run letsencrypt from the server that hosts the domain, because of the --webroot-path directive, which is the document root of the web site I want to protect with SSL, right?

Thanks,
Nico


#4

Hello,

OK, I have successfully created the SSL certificate for my subdomain with the webroot plugin, thanks Moepl. By the way, if I want to SSL my SMTP server, it can’t work, right? Because the webroot plugin needs to point to a web site, right? So in this case how can we protect a mail server?

Let me know,
Thanks,
Nico


#5

If you’re willing to spin up a web server on your SMTP server during renewal (i.e. every few months), that’s possible. Understandably, that’s not always an option for various reasons.

In the future, Let’s Encrypt will support DNS-based challenges, which should make this a whole lot easier.


#6

Thanks pfg,

So you mean that if I want to protect my mail server or other services that are not web-based services, I have to temporarily install a web server, then create the SSL cert, and remove the web server, right?

Let me know,
Thanks.
Best regards,
Nico


#7

That’s correct. Until DNS-based challenges are supported, that’s the only option AFAIK.


#8

OK, thanks pfg.

So we always have to use the webroot plugin, but what if I want to create an SSL cert for a domain from my desktop, for example? Do I have to use the webroot plugin? I don’t think so, but I don’t understand what I have to use instead.

Let me know,
Thanks.
Best regards,
Nico


#9

It is not necessary to run the Let’s Encrypt client on the server you’re going to deploy the certificate on, but you need a way to serve the challenge files from the certificate’s domain. For example, letsencrypt supports a manual mode where it will tell you to put a file with specific contents in a random path under example.com/.well-known/acme-challenge/. It’s up to you to decide how to copy and serve said file from your server (e.g. install nginx, copy the file via SFTP).

Let’s Encrypt will then request this file from your server to verify you have control over the domain and sign your certificate if it finds the file with the correct content. The client can run on your desktop in this scenario, as long as you find some way to serve the challenge file from your domain.

Generally speaking, the idea behind Let’s Encrypt is to create an open specification that allows third-party software to provide direct integration with Let’s Encrypt (and hopefully, in the future, other CAs with ACME-support), at which point most people probably won’t even need to work with the client directly and it “just works”. But that’s going to take some time for sure. :wink:


#10

Super! I understood. But sometimes it is difficult to serve the challenge because of rewrite rules that are in place on the production server. So in that case the only simple way, without modifying the web server conf, is to use the webroot plugin directly on the server hosting the web service; are we aligned on this?

Let me know,
Thanks.
Best regards,
Nico


#11

webroot is probably the most compatible method at the moment, yes, especially if you don’t want to take down your site temporarily to let the client listen on port 80/443. It might still be necessary to change some parts of your config; for example, a lot of people do not serve dot-files by default as a best practice, but it’s definitely less involved than other options.

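Added example, not from this thread and not the Let’s Encrypt client’s own code: it models what the challenge file described in #9 actually contains and what the CA checks when it fetches it, and reproduces the failure mode mentioned in #11 (a server that refuses to serve dot-paths). Per the ACME http-01 challenge, the file at /.well-known/acme-challenge/<token> must contain the key authorization, i.e. the token, a dot, and the RFC 7638 thumbprint of the account’s public key. The account JWK and the token below are constructed placeholders (not a real key, not a token any CA issued), and a throwaway local HTTP server stands in for the production host (or the temporary web server on a mail host from #5). Everything runs offline on 127.0.0.1.

```python
import base64
import hashlib
import json
import os
import tempfile
import threading
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

CHALLENGE_DIR = ".well-known/acme-challenge"

# Constructed sample account key (NOT a real key; "n" is a placeholder string).
# Only the public JWK members feed the thumbprint, so this is enough for the demo.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-not-a-real-key", "alg": "RS256"}

# Constructed sample token in the base64url shape the CA hands out.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME/JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required public members only, lexicographic order, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects to fetch: <token>.<account key thumbprint>."""
    return token + "." + jwk_thumbprint(jwk)


def place_challenge(webroot: str, token: str, jwk: dict) -> str:
    """What the webroot (or manual) plugin does: drop the file under the document root."""
    path = os.path.join(webroot, *CHALLENGE_DIR.split("/"), token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def validate_http01(base_url: str, token: str, jwk: dict) -> bool:
    """What the CA does: GET the token path over plain HTTP and compare the body."""
    try:
        with urlopen(f"{base_url}/{CHALLENGE_DIR}/{token}", timeout=5) as resp:
            body = resp.read().decode("ascii", errors="replace").strip()
    except (HTTPError, URLError, OSError):
        return False  # 404, refused connection, timeout: all mean "unauthorized"
    return body == key_authorization(token, jwk)


class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, fmt, *args):  # keep demo output clean
        pass


class NoDotfilesHandler(QuietHandler):
    """Models a web server configured to refuse dot-paths (the #11 failure mode)."""
    def do_GET(self):
        if "/." in self.path:
            self.send_error(404)
            return
        super().do_GET()


def serve_webroot(webroot: str, handler_cls=QuietHandler):
    """Throwaway local server on a random port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), partial(handler_cls, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo() -> dict:
    """Run the validation against a plain webroot, a wrong token, and a dot-file-blocking server."""
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        place_challenge(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        srv, base = serve_webroot(webroot, QuietHandler)
        try:
            results["plain_webroot"] = validate_http01(base, SAMPLE_TOKEN, SAMPLE_JWK)
            results["wrong_token"] = validate_http01(base, "token-the-CA-never-issued", SAMPLE_JWK)
        finally:
            srv.shutdown()
            srv.server_close()
        srv, base = serve_webroot(webroot, NoDotfilesHandler)
        try:
            results["dotfiles_blocked"] = validate_http01(base, SAMPLE_TOKEN, SAMPLE_JWK)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the third case is the one #11 raises: the file is on disk with the right content, yet validation fails because the front end never serves anything under a dot-directory, and the CA reports it as "unauthorized" exactly like a genuinely wrong file. Before running the real client on a production site, fetch http://host.domain.tld/.well-known/acme-challenge/<anything> yourself and confirm you get the server's normal 404 rather than a rewrite to the home page or a 403.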

#12

OK, many thanks for your help. I think all is clear for me now.

Best regards,
Nico