I have http://my.domain.com and https://my.domain.com pointing to a dummy index.html, which is accessible via the internet. So both ports 80/443 should be properly forwarded.
Trying to run:
sudo certbot certonly -w /var/www/html -d my.domain.com
And then I select
2: Place files in webroot directory (webroot)
(unrelated, how do I get this prompt to go away and automatically default it to option 2 from the first command I use?)
I thought at first that for some reason Apache wouldn't serve contents within .well-known, so I tried to manually add a file b with contents 'Hi' and perform a
curl -O "http://my.domain.com/.well-known/acme-challenge/b"
cat b gives me 'Hi'
(from another machine, on the same network though)
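As an added example (not part of the original posts), here is a script that does the checks from this thread in one place: it drops a test token into the webroot, checks whether anything answers on port 80 at all, fetches the token the way the CA would, and only then calls certbot with the webroot plugin selected up front so the "how would you like to authenticate" menu never appears. The webroot, domain and contact address are assumed placeholders; run the probe from a machine outside your LAN, since a test from inside the network says nothing about what the ISP does to port 80.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumed values: WEBROOT=/var/www/html and
# DOMAIN=my.domain.com as in the post; the contact e-mail is a placeholder.
set -u

WEBROOT="${WEBROOT:-/var/www/html}"
DOMAIN="${DOMAIN:-my.domain.com}"

# URL the CA fetches for a given token: always plain HTTP on port 80.
challenge_url() {            # $1 = domain, $2 = token
  printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Drop a test token into the webroot, mirroring what certbot's webroot plugin
# does during the challenge. Prints the path of the file it created.
place_challenge() {          # $1 = webroot, $2 = token, $3 = content
  local dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir" && printf '%s' "$3" > "$dir/$2" && printf '%s\n' "$dir/$2"
}

# Exit 0 if something answers HTTP on port 80 (a 404 still counts: without -f,
# curl only fails on the connection). Exit 7 = connection refused,
# 28 = timed out, which is what an ISP silently dropping port 80 looks like.
port80_reachable() {         # $1 = domain
  curl -sS -o /dev/null --connect-timeout 5 "http://$1/"
}

# Fetch the token over the public URL and compare it with what we placed.
probe_http01() {             # $1 = domain, $2 = token, $3 = expected content
  local got
  got="$(curl -sS --max-time 10 "$(challenge_url "$1" "$2")")" || return 1
  [ "$got" = "$3" ]
}

if [ "${1:-}" = "--run" ]; then
  token="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
  file="$(place_challenge "$WEBROOT" "$token" "probe-$token")"

  port80_reachable "$DOMAIN"; rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "port 80 on $DOMAIN is not reachable (curl exit $rc); http-01 cannot work" >&2
    rm -f "$file"; exit 1
  fi

  if probe_http01 "$DOMAIN" "$token" "probe-$token"; then
    echo "challenge path is served; running certbot against the staging CA"
    rm -f "$file"
    # --webroot picks the plugin on the command line, so the menu never shows.
    # --dry-run talks to the staging CA; drop it once the probe succeeds.
    sudo certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN" \
      --preferred-challenges http --non-interactive --agree-tos \
      -m "admin@$DOMAIN" --dry-run
  else
    echo "token not served at $(challenge_url "$DOMAIN" "$token")" >&2
    rm -f "$file"; exit 1
  fi
fi
```

If `port80_reachable` exits 28 from outside the LAN while `https://` works, you are in the situation the thread ends up in: the connection is being dropped before it reaches the router, and no webroot or Apache setting will change that.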
It would be easier to help if you provided your domain name. If you really don't want to do that, maybe try checking it yourself with https://letsdebug.net/ and see if that comes up with anything useful.
It seems the simplest answer is the correct one in this case. Port 80 is blocked by the ISP. So I guess that means http-01 is out of the question. I probably should have tried this simple test first before asking...
I can't add a TXT record, so there goes dns-01.
And if I understood correctly, tls-sni-01 is disabled, which explains the following when I add '--preferred-challenges tls-sni':
"certbot.errors.AuthorizationError: None of the preferred challenges are supported by the selected plugin"
The ISP blocks port 80 and allows 443?
Well that's a first! An ISP that forces HTTPS...
While (for security reasons) this CA is now forced to only issue certs via port 80 (not 443).
Catch-22 at its finest.
Are you using dynamic DNS? If so would you be willing to switch to a different dynamic DNS service? (Of course that would mean using a different domain name). There are a few such as dynu and duckdns that are supported by acme.sh for example.
Btw, this is for a server that I have at home and I wanted to switch the self signed cert to a real one.
@rg305
It's a residential service; they explicitly and historically block port 80 so that people can't host their own stuff.
@jmorahan
I was using *.mynetgear.com since it was configurable at the router level. I will try dynu with their little client on the server and see how it goes.
I'm not attached to the domain name, so no loss there.
Thanks for this suggestion!
I think we've seen quite a few people with this problem here (they generally then had to switch to DNS-01 validation). I'm not sure if anyone's drawn up a list of affected ISPs.