We are using RHEL 6.9 with an Apache server and have installed a certificate with the following commands.
$ chmod a+x certbot-auto
$ sudo ./path/to/certbot-auto --apache
Right now we are on a UAT environment and have no domain available; only a public IP is available.
After running the above command, we are able to open the public IP over HTTPS; however, it shows an SSL certificate warning in all browsers.
How can we avoid this warning? Can it work without a domain name? Am I missing any manual configuration that needs to be done?
Let’s Encrypt does not issue certificates for IP addresses. There’s a lot more to consider here, especially since they can change so often (an IP address you control now might not be under your control only an hour later!).
Thanks for your response. So once we have a domain name available, can we just run the same commands on the production web server, or do we have to specify the domain name with the -d option?
$ sudo certbot --apache -d mydomainname.com -d www.mydomainname.com
We are going to have a single website hosted on this server. So let me know if any manual configuration is required.
We have a network load balancer configured on two web servers. So do we have to run these commands separately on both servers?
Configurations with load balancers can be complicated and depend a lot on the details of your setup and what layer things work at. In this case, it’s important to understand exactly what the components of the system are doing.
When a certificate is issued by Let’s Encrypt, there are three ways to prove your control over the domain name. It might be helpful to read
Notice that two of the methods (TLS-SNI-01 and HTTP-01) make an inbound connection to your server to prove control over the domain name. This connection must ultimately reach the machine that is running Certbot. This can be tricky in the load balancer case. One popular approach which is described in a number of threads on this forum involves setting up HTTP 301 redirects for particular URLs. That is only applicable to the HTTP-01 method, not to the TLS-SNI-01 method.
Then another question is about deploying your certificates after they are issued. It is possible to copy certificates, chains, and private keys from one machine to another. You need a certificate configured on each machine that can terminate inbound TLS connections, but they don’t have to be different certificates. You may also want a strategy for how to automate renewals, and, if you’re somehow copying certificates around, for how to deploy the certificates after each renewal happens.
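An added example of the two mechanics this reply describes (redirecting the HTTP-01 challenge to the node that runs Certbot, and deploying the renewed files to the other node), written for this page and not taken from the thread or from Certbot itself. It assumes two Apache nodes, web1 (runs Certbot and owns /etc/letsencrypt) and web2, behind a layer-4 load balancer; the hostnames, paths and domain name are placeholders, and the rsync/ssh transport is one choice among several:

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot. Assumed setup: two Apache
# nodes, web1 (runs certbot, owns /etc/letsencrypt) and web2, behind a layer-4
# load balancer. Hostnames, paths and the domain name are placeholders.
set -u

PEER="${PEER:-web2}"            # assumed hostname of the node without certbot
LE_LIVE="/etc/letsencrypt/live"

# Apache snippet for the node that does NOT run certbot: only the HTTP-01
# challenge path is redirected to the certbot node, the rest of the site is
# untouched. Put the output in that node's port-80 vhost. (HTTP-01 only; the
# TLS-SNI-01 method cannot be redirected this way.)
acme_redirect_snippet() {
    printf 'Redirect 301 "/.well-known/acme-challenge/" "http://%s/.well-known/acme-challenge/"\n' "$1"
}

# Check a lineage directory before anything reloads Apache with it: all three
# files are present, cert.pem belongs to privkey.pem, fullchain.pem starts
# with that same leaf, and the leaf is valid for at least 7 more days.
lineage_is_consistent() {
    dir="$1"
    for f in privkey.pem cert.pem fullchain.pem; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "cert.pem does not match privkey.pem" >&2; return 1; }
    chain_pub=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey 2>/dev/null) || return 1
    [ "$chain_pub" = "$cert_pub" ] \
        || { echo "fullchain.pem leaf differs from cert.pem" >&2; return 1; }
    openssl x509 -in "$dir/cert.pem" -noout -checkend $((7 * 24 * 3600)) >/dev/null \
        || { echo "cert.pem expires within 7 days" >&2; return 1; }
    return 0
}

# Deploy hook: certbot runs it after each successful renewal with
# RENEWED_LINEAGE=/etc/letsencrypt/live/<domain>. The live/ entries are
# symlinks into archive/, so rsync -L copies the real files to the peer and
# --chmod=F600 keeps the copied key from being world-readable there.
# Register it with:  certbot renew --deploy-hook /usr/local/sbin/le-sync-peer.sh
# (the path is an assumption) or place it in /etc/letsencrypt/renewal-hooks/deploy/.
deploy_to_peer() {
    lineage="$1"
    name=$(basename "$lineage")
    lineage_is_consistent "$lineage" || return 1
    rsync -aL --chmod=F600 "$LE_LIVE/$name/" "root@$PEER:$LE_LIVE/$name/" || return 1
    ssh "root@$PEER" "apachectl configtest && apachectl graceful" || return 1
    apachectl configtest && apachectl graceful
}

# certbot sets RENEWED_LINEAGE when it invokes the hook; otherwise do nothing,
# so the file can also be sourced just for its functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_to_peer "$RENEWED_LINEAGE"
fi
```

The redirect snippet goes into web2's port-80 vhost so that whichever node the load balancer hands the validator's request to, the request ends up at the Certbot node; as the reply notes, this helps only with HTTP-01. The lineage check runs before anything reloads Apache so that a partial copy, a key that does not match the certificate, or a stale certificate does not take TLS down on the peer.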