Unable to get https certificate for openhab2


#1

My domain is: veplopenhab.ga and www.veplopenhab.ga

I am working on an openHAB project. I am trying to get a certificate for “https://”.

I ran this command:

In “freenom.com”, I have created a domain “veplopenhab.ga” and linked my system IP with the new domain.

I have followed the steps below to get a certificate from certbot.

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache

$ sudo certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): veplopenhab.ga
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for veplopenhab.ga
Enabled Apache rewrite module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. veplopenhab.ga (http-01): urn:ietf:params:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for veplopenhab.ga

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: veplopenhab.ga
    Type: unknownHost
    Detail: No valid IP addresses found for veplopenhab.ga

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

My web server is (include version):

Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-06-07T19:43:03

The operating system my web server runs on is (include version):

Ubuntu 16.04

I am debugging this issue.

Can you please help me solve this issue and get the certificate?

Thanks,
Dhanasekar


#2

You haven’t succeeded at this step.

Your domain does not resolve to any address.


#3

Thanks for replying. I have shared a screenshot of Freenom.


#4

Yes, your domain is registered, but there’s no A or AAAA records present in the DNS.

Manage Freenom DNS -> Add Record


#5

Is it correct?


#6

No, I don’t think you want glue records.

You need to add that record via “Manage Freenom DNS -> Add Record” instead.

Additionally, you need to add records for all domains you want certificates for. So if you want a certificate for veplopenhab.ga as in your first post, you must add an entry for that, not just for iot.


#7

Additionally, you have to use a public IP address, not a 10.x.x.x or other private IP address. To use HTTP validation, Let’s Encrypt has to be able to access your server from the Internet.


#8

Please check the image below and correct me.


#9

Yes, it’s the correct place to do that. It’s now deployed:

$ dig +noall +answer @ns02.freenom.com veplopenhab.ga
veplopenhab.ga.         3600    IN      A       10.1.68.206

But please see @mnordhoff’s comment regarding private IP addresses.

If you want to use Certbot, you need to put an external (public) IP address that can reach your website over the internet.


#10

You want me to not disclose my system IP in this community. I have to use 10.xx.xx.xx for communication.

Am I correct?


#11

That’s an understandable requirement.

But the basis of Let’s Encrypt is “domain validation”. If Let’s Encrypt cannot connect to your server to verify that you control the domain, then it cannot issue you with a certificate.

Otherwise, anybody could pretend to be “google.com” and get an SSL certificate for them.

Your other option is to use “DNS validation”, where you deploy a TXT record in your DNS to prove your control of the domain. However, Freenom does not support programmatic deployment of these TXT records, so you cannot really use this without switching to a different DNS host (like Cloudflare).

You can get a certificate via manual DNS validation, but it will not automatically renew your certificate, so you would have to repeat every 60-90 days. It’s not the proper way to use Let’s Encrypt:

certbot -i apache -a manual --preferred-challenges dns -d veplopenhab.ga

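As an added example (not code from this thread or from Certbot), a small Python pre-flight check for the two failure modes discussed in #9 and #11: it parses `dig +noall +answer` output and reports whether an A/AAAA record points at a globally routable address (needed for HTTP-01) and whether the `_acme-challenge` TXT record carries the expected token (needed for DNS-01). The sample dig lines are constructed from the records quoted in this thread; the `1.2.3.4` address in the usage is a constructed public example.

```python
import ipaddress

# Constructed sample answers, modelled on the dig output (#9) and TXT value (#19) quoted in this thread.
SAMPLE_A = "veplopenhab.ga.         3600    IN      A       10.1.68.206\n"
SAMPLE_TXT = ('_acme-challenge.veplopenhab.ga. 3600 IN TXT '
              '"H6DU9QpFqclsj5zY4eTgw8ttC2qGx58ehK6fpcUw6nM"\n')

def parse_dig_answer(text):
    """Turn `dig +noall +answer` lines into (owner, rtype, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)  # owner ttl class type rdata
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        records.append((owner.rstrip(".").lower(), rtype, rdata.strip()))
    return records

def http01_ready(domain, dig_output):
    """HTTP-01 needs an A/AAAA record holding a globally routable address; returns (ok, reason)."""
    addrs = [r for o, t, r in parse_dig_answer(dig_output)
             if o == domain.lower() and t in ("A", "AAAA")]
    if not addrs:
        return False, "no A/AAAA record (unknownHost)"
    for addr in addrs:
        try:
            # 10.x.x.x parses fine but is_global is False: the failure mode from #9
            if ipaddress.ip_address(addr).is_global:
                return True, "public address " + addr
        except ValueError:
            continue  # malformed rdata, ignore
    return False, "only non-public addresses: " + ", ".join(addrs)

def dns01_ready(domain, token, dig_output):
    """DNS-01 needs a TXT record at _acme-challenge.<domain> holding the token; returns (ok, reason)."""
    name = "_acme-challenge." + domain.lower()
    txts = [r.strip('"') for o, t, r in parse_dig_answer(dig_output)
            if o == name and t == "TXT"]
    if not txts:
        return False, "no TXT record (NXDOMAIN, as in #19)"
    if token in txts:
        return True, "token found"
    return False, "TXT record present but value does not match"

if __name__ == "__main__":
    print(http01_ready("veplopenhab.ga", SAMPLE_A))
    print(http01_ready("veplopenhab.ga", "veplopenhab.ga. 3600 IN A 1.2.3.4\n"))
    print(dns01_ready("veplopenhab.ga", "H6DU9QpFqclsj5zY4eTgw8ttC2qGx58ehK6fpcUw6nM", SAMPLE_TXT))
```

Feed it the output of `dig +noall +answer @ns02.freenom.com veplopenhab.ga` (or the `_acme-challenge` TXT lookup) before pressing Enter in certbot, so the validation request is only sent once the record is actually visible.
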
#12

I am new to this. I don’t know what should be followed next. As of now, I have to get a certificate for my domain and need to make sure all features are working in my openHAB. This is required for a short period.

Please suggest next steps for my activity.


#13

If it’s just for a short period, you can try the command I wrote above.

You will need to follow the instructions, enter the TXT record into Freenom as instructed, wait 5 minutes for the record to update, and then continue.


#14

Why not create an A record with your server’s public IP address?


#15

So Let’s Encrypt is not providing a certificate to my domain because it is unable to access my system. Am I correct?


#16

I provided you an option that avoids Let’s Encrypt accessing your system. It’s up to you to use it.


#17

I am new to this field. I am following steps available on the net. I am learning on the fly.

Please provide me the steps to create an A record with my server’s public IP address.


#18

Ok… I will follow your suggestion. Please provide me the steps to do.

I want to solve this error.


#19

Hi,

After running this command “certbot -i apache -a manual --preferred-challenges dns -d veplopenhab.ga”, I am getting the error below:

OUTPUT:

Performing the following challenges:
dns-01 challenge for veplopenhab.ga


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?


(Y)es/(N)o: Y


Please deploy a DNS TXT record under the name
_acme-challenge.veplopenhab.ga with the following value:

H6DU9QpFqclsj5zY4eTgw8ttC2qGx58ehK6fpcUw6nM

Before continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. veplopenhab.ga (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.veplopenhab.ga

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: veplopenhab.ga
    Type: None
    Detail: DNS problem: NXDOMAIN looking up TXT for
    _acme-challenge.veplopenhab.ga


#20

Did you follow the instructions and create the TXT record within the Freenom user interface, before continuing?

If you did, could you take a screenshot of it?