I've been trying to issue a certificate for a domain
calamari-collator.polkadotters.com. Domain is hosted on the NameCheap, server is Ubuntu 20 LTS and I have full access to the machine. There's currently no web server as this is meant for an Prometheus metrics endpoint. So these are the steps I did
- Add A record to the NameCheap DNS configuration for the calamari-collator.polkadotters.com (this is working)
- Generated API token on the NameCheap
- Installed certbot and successfully added certbot_dns_namecheap plugin GitHub - schubc/certbot_dns_namecheap: Certbot plugin to provide dns-01 challenge support for namecheap.com
- The command I am trying to issue is
certbot certonly \
--work-dir certbot/workdir \
--logs-dir certbot/log \
--config-dir certbot/config \
-a certbot-dns-namecheap:dns-namecheap \
--certbot-dns-namecheap:dns-namecheap-credentials namecheap.ini \
--email "firstname.lastname@example.org" \
-d calamari-collator.polkadotters.com \
However, I am getting
Unable to determine zone identifier for calamari-collator.polkadotters.com using zone names: ['calamari-collator.polkadotters.com', 'polkadotters.com', 'com'].
Certbot version is 0.40. I kinda got stucked here and I wonder whether the problem lies in the plugin or I need to define the zone on the side of NameCheap. Thanks a lot for any hints!
Did you see the discussion on this issue? There are a couple of suggestions there.
If you're not opposed to keeping port 80 open on your server's firewall, you could also use Certbot's
--standalone mode and avoid having to interact with the Namecheap API.
Certbot version is really old. (About as old as Ubuntu 20.04)
I'd double check the rights for your API key.
(Also: you probably don't need to use dns-01 validation)
Thanks for the reply - yeah, I have whitelisted the IP as well, forgot to mention that. Otherwise it seems that solution was to wait for the API to kick in or either give up and try something else
Hmm, I don't usually like opening ports I don't need but I suppose this the simplest workaround so I'll see, thanks for a suggestion.
Hmm, ok, is it worth updating it? Yep, the key is correct and I have whitelisted the IP. What do you mean by the dns-01 validation? Sorry for such questions, I am kinda new to this
I don't know. But each key has different privileges.
As for opening ports, having your DNS credentials on your server is less secure than opening port 80, imho.
Ok, I'll try the standalone mode tomorrow, thanks
ACME challenges can by completed by HTTP-01 and DNS-01 validation.
In your situation, I strongly recommend HTTP-01:
Namecheap had - and possibly still has - a 5 minute read-through cache on their DNS systems. The only way I've been able to deal with acme records on their systems is to "sleep" for 301 seconds after updating a DNS record. If you use HTTP-01 validation, you don't have to deal with this.
Namecheap's API access has too many permissions by default and can be a security risk when used with Certbot, as the credentials can be used to transfer registration of your domain(s). You can eliminate this risk by creating a second namecheap account and granting that account only DNS permissions for your domains.
Perfect answer, thank you! Yeah, I've read about the permissions and was kinda worried about that. So the HTTP-01 seems to be the way
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.