SSL Certificate for Non-Hosted Domain

I haven't used certbot in a long time, but I remember explicitly using the --authenticator and --installer options.

4 Likes

For certbot:
--deploy-hook gets triggered (with or without installation) whenever a cert is renewed.

4 Likes

Well guys, I tried getting a certificate via the ACME package earlier and got an error: error updating domain, error adding txt for domain:_acme-challenge.nollivoipserver.nollicomm.net

I used the DNSNSupdate method, and when I look at the log, it's not clear what the problem is.

I thought it would go smoothly without a hitch... Also, since I want to use TLS/SRTP, I will need to add the certificate to FreePBX after all. How do I fix this? Where is it wanting to add the TXT record? Is DNSNSupdate the best method to use for a newbie?

2 Likes

Is there any answer on the above post?

1 Like

I don't think there is enough experience here with the tools you are trying to use to get a DNS-01 authentication for certbot.

Have you tried looking into using another ACME client (one that already has proven tools)?

4 Likes

To the DNS zone(s) for the domain name(s) being certified.

3 Likes

Yes, not enough experience, since this is my first time. I usually buy my SSL certificates; however, I wanted to try this out, and it seems that had I known the challenges and time spent, I would have been better off just buying the thing... I have gone too far to turn around.

In the package, that box is listed as optional...not mandatory; so, I was not expecting to put anything in the box. So, what should I place in the zone box...the domain name?

Zone

Sets the zone name the package sends to the DNS server in the update request
2 Likes

So, I placed the domain name into the zone box... Now I get this error: ; TSIG error with server: expected a TSIG or SIG(0)
update failed: NOTIMP

This is turning into a nightmare, it seems. Then reading this becomes a foreign language: DNS Requirements

2 Likes

Sorry you're running into such troubles. Usually, satisfying the DNS-01 challenge is a matter of one of these:

  • manually or programmatically (via an API) add/remove the necessary _acme-challenge.domain TXT record to the DNS for domain
  • delegate the first bullet to the DNS of a different domain name by adding an _acme-challenge.domain CNAME record to the DNS for domain that points to the alternate domain name

This is a tool for accomplishing the second bullet:

4 Likes
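The DNS-01 mechanics in the post above (the TXT value the CA looks for, and the CNAME delegation variant), together with the "Zone" field and nsupdate batch from the earlier posts, as an added example. This is not code from this thread, from certbot or from the pfSense ACME package; the account JWK, the challenge token, the name server address and the delegation target below are constructed placeholders.

```python
"""Building and publishing a DNS-01 challenge record.

Added example; not code from this thread, from certbot or from the pfSense
ACME package.  The JWK, the challenge token, the server address and the
delegation target are constructed placeholders.
"""
import base64
import hashlib
import json

# Constructed stand-ins for the account key the CA already knows and the
# token it hands out in the challenge object.  Real values come from the
# ACME client's account and from the challenge URL, never typed by hand.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy4bzyN9VZ0",
    "kid": "example-account-key",   # ignored by the thumbprint
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere (RFC 8555 section 5)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 thumbprint input: only the required members of the key type,
    in lexicographic order, with no whitespace.  Extra members such as 'kid'
    must not change the thumbprint, so they are dropped here."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.4: keyAuthorization = token '.' thumbprint, and the TXT
    record holds base64url(SHA-256(keyAuthorization)), i.e. 43 characters."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_name(domain: str) -> str:
    """Owner name the CA queries: a TXT directly, or a CNAME pointing elsewhere."""
    return f"_acme-challenge.{domain.strip('.')}"


def delegation_cname(domain: str, target: str) -> str:
    """Second bullet above: one static CNAME in the zone you cannot update,
    pointing at a name in a zone you can (e.g. an acme-dns instance).  The TXT
    record then has to be published at `target`, not under `domain`."""
    return f"{challenge_name(domain)}. IN CNAME {target.strip('.')}."


def nsupdate_batch(zone: str, domain: str, txt_value: str, server: str, ttl: int = 60) -> str:
    """Input for `nsupdate -k <TSIG key file>` (RFC 2136).  The `zone` line is what
    the pfSense 'Zone' field sets; the server must actually host that zone and
    accept TSIG-signed dynamic updates to it, or the update is refused."""
    name = challenge_name(domain)
    return "\n".join([
        f"server {server}",
        f"zone {zone.strip('.')}.",
        f"update delete {name}. TXT",            # drop stale values from earlier runs
        f"update add {name}. {ttl} TXT \"{txt_value}\"",
        "send",
        "",
    ])


def txt_present(answers, expected: str) -> bool:
    """Pre-flight check mirroring the CA's validation: does the authoritative
    answer (e.g. from `dig +short TXT _acme-challenge.<domain>`) carry the value?"""
    return any(a.strip('"') == expected for a in answers)


if __name__ == "__main__":
    domain = "nollivoipserver.nollicomm.net"
    value = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    print(nsupdate_batch("nollicomm.net", domain, value, "ns1.nollicomm.net"))
    print(delegation_cname(domain, "nollivoipserver.acme.example.org"))
    # constructed DNS answer, as the CA would see it once the update has propagated
    print(txt_present([f'"{value}"'], value))
```

Before pointing an ACME client at a name server this way, run the printed batch through `nsupdate -k` by hand with the same TSIG key and zone: if the server rejects it there, the ACME client will fail in exactly the same way, and the nsupdate output is easier to read than the package log.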

I run my own FreePBX server, and I have Let's Encrypt certs working on it using DNS validation. Here's the topic on their forum where I'm working out the details:

7 Likes

Ah!

:smiley:

Perfect.

:star2:

5 Likes

Hey Danb35, I had mentioned your thread above, as I saw on FreePBX that Dicko had been very helpful... Of course, seeing all the CLI gave me a headache, because it seems to consume more time. So, I decided to use the new ACME release on pfSense, since I had planned to use HAProxy, thus eliminating the need for a certificate on FreePBX... I ran into a brick wall, consuming more time. It seems that the issue could be a pfSense one, since I found a similar thread with the same exact issue that turned out to be pfSense.

I am actually thinking of buying a certificate to be done with this, as it's consuming more time than it's worth.

1 Like

How will that help exactly?

3 Likes

I know it sounds like ranting, and it is; however, if one is not an expert at the CLI and what should have been an easy method didn't work out, one becomes highly frustrated, having traded time from other projects. At least buying the certificate now would be buying more time to get familiar with Let's Encrypt, to see if that is something one wants to pursue. I would not put myself in a rush to get my home office phone working. I have to be honest with myself first to be honest with others.

1 Like

You can use a manual client. There are some web-based ones. You'll get your certificate and 90 days (at a time) to do your research.

3 Likes

To be perfectly clear...
My question is:
How would having a paid cert be any different than having a free one?
[I guess I have completely missed the "real problem"]

3 Likes

Time is the difference... the convenience... Look, I really want to work with Let's Encrypt, as I think the intent is good. I am waiting to hear what's up with ACME on the pfSense forum before having to make the purchase, since the new package was released yesterday and a similar thread with the same exact problem I am having turned out to be a pfSense issue.

2 Likes

I just downloaded an app from Apple's App Store called Certkey manager. Any link to a web-based one? I searched after sending this. Then, this problem arose: Web browser based ACME clients

1 Like

I've never used one. This sounds like it works: https://www.sslforfree.com/

2 Likes

But then, this problem arises: Web browser based ACME clients

1 Like