I am trying to add certificates to a work server we use for showcases. The certificates will be used in an Oracle product so I will have to do a standalone certification (there is no web server on the server anyway).
The IP that I use is a router. What I was hoping to do was to install certificates on a machine on the IP. Currently there are several machines under this IP. I have freed the IP:443.
So my questions are:
Is the Failed to find apache2ctl important?
Should I redirect the IP:443 to the machine where I try to install the certificate or what would be the correct thing to do here?
I ran this command:
./certbot-auto certonly --standalone-supported-challenges tls-sni-01 --email a@email.com -d A.webpage.com
It produced this output:
urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge
and
Failed to find apache2ctl in PATH: ..
My operating system is (include version):
Linux 3.10
Without your domain name and testing a little it's difficult to determine exactly what's wrong. The TLS-SNI-01 challenge creates a temporary SSL certificate which it displays on your server on port 443. Let's Encrypt then tests to verify it can see this certificate. For some reason it isn't able to do that (possibly because something else is listening on port 443, or the port forwarding isn't correct through your router ...)
The DNS challenge is relatively straightforward if you have an API on your DNS provider (so you can automatically add a TXT record). It can be done manually, but would need to be renewed every couple of months, so a DNS provider with a good API makes life easier. The client you are running (certbot or other) will provide you with the TXT record.
Do you use a public DNS provider for your domain name? If so, which? Or do you manage your DNS yourself?
Bluehost is the DNS provider and they provide the domain name myDomainName.com to us. I asked the person responsible for the router to open port 443 and forward it to the server where I run the certbot. When I do some checks it looks like the port is closed, but that can be because nothing is listening on that port if I am not mistaken.
I thought since I am running the certbot on my server and I want to validate my server I do not need to use some API from my DNS provider. I thought the certbot was sufficient, but please let me know if it is wrong.
You are correct. The only reason I suggested using the DNS challenge was because your site didn't appear to be connected directly to the internet (from what you said, it's behind a router, and there are several other servers behind the same router), hence it was a suggestion as an alternative approach.
Correct, there should be nothing running until you run certbot.
Now that the router has been opened and port 443 forwarded to your server, are you still getting the same error from certbot?
Personally I'd run something on there to listen on port 443 and test the connection. You don't need a full web server, just something to show you have access.
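A quick way to do the "listen and test" step suggested above, as an added example (not from the thread or from certbot itself): a throwaway listener that stands in for certbot's standalone server, plus a probe that tells "refused" (the port reaches the machine but nothing is listening, the case raised earlier in the thread) apart from "filtered" (router forwarding or a firewall never delivers the packet). The loopback address, port 0 and the banner are constructed stand-ins; in real use bind on 0.0.0.0:443 on the server and run the probe from outside the router against the public IP.

```python
import socket
import threading

# Constructed placeholder banner; real use: bind 0.0.0.0:443, probe from OUTSIDE the router.
BANNER = b"port-check: placeholder listener reachable\n"

def classify_port(host, port, timeout=3.0):
    """TCP-connect once: 'open' = a listener accepted; 'refused' = RST, so forwarding
    works but nothing listens; 'filtered' = silence (firewall or forwarding drops it)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"

def start_placeholder_listener(host="127.0.0.1", port=0):
    """Throwaway stand-in for certbot's standalone server; returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))  # port=0 lets the OS pick a free port
    srv.listen(5)

    def serve():  # answer every connection with BANNER until the process exits
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.sendall(BANNER)
                except OSError:  # prober hung up first; harmless here
                    pass
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def read_banner(host, port, timeout=3.0):
    """Connect and return what the listener sent: proves end-to-end reachability."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(128)

def closed_port(host="127.0.0.1"):
    """Pick a port nothing is listening on, to demonstrate the 'refused' case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    print(classify_port("127.0.0.1", closed_port()))  # refused: nothing listening
    p = start_placeholder_listener()
    print(classify_port("127.0.0.1", p), read_banner("127.0.0.1", p))  # open + banner
```

The same check is worth running before any standalone challenge: the TLS-SNI-01 type used in this thread has since been retired by Let's Encrypt, and HTTP-01 on port 80 depends on the same forwarding being correct.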