Unable to install certbot

No, httpd is the name of the executable for Apache on some distributions. Certbot uses --apache for all of them to make it easier.

I think you just have to also install certbot-apache but I am not sure of the exact name with EPEL7 on your RHEL (might be python2-certbot-apache or similar).

If you cannot figure out how to install the plugin, you could try the Certbot --webroot method.

I installed the package that you had suggested. Now I am getting a name resolution error. This system does not have direct internet access. NAT is done at the firewall end for its public internet access.
I have a proxy server but don't know how to configure it further for certificate generation.

# rpm -qa python2-certbot-apache

python2-certbot-apache-1.11.0-1.el7.noarch

# certbot --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): [redacted]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
ConnectionError: ('Connection aborted.', gaierror(-3, 'Temporary failure in name resolution'))
Please see the logfiles in /var/log/letsencrypt for more details.

Yes, I warned you about this earlier. You should talk with your network experts on how to support outbound connections. You need this to access the Let's Encrypt API to request a cert. You will need to have DNS queries working and HTTPS outbound requests.

Correct. Let me check with the network team on this. There are many security restrictions but let me ask them what can be done in this situation.

I'll keep you posted on the progress, if any.

You may want to set the https_proxy shell environment variable before calling certbot. Even if you manage to reach the ACME server of Let's Encrypt, it will try to connect back via the HTTP protocol to your server to validate the challenge.

You have not specified the domain in the question; it must be a public domain.

Only for HTTP Challenges of course. They could use a DNS Challenge to avoid the requirement to support inbound HTTP requests on port 80. Or, use a different ACME Client that supports TLS-ALPN (port 443).

Yes it is a public domain.

https://mumbai.myspeed.vodafoneidea.com

Good. That might allow you to use the HTTP Challenge, which is often easier to set up than a DNS Challenge.

You still have to fix the outbound requests.

I checked with the network team and now I am able to ping and telnet to the global DNS. But after I initiate the certbot command, it is now giving me a "network unreachable" error.

[root@mummyspdsrv01 ~]# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): mansi.anand1@wipro.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
ConnectionError: ('Connection aborted.', error(101, 'Network is unreachable'))
Please see the logfiles in /var/log/letsencrypt for more details.
[root@mummyspdsrv01 ~]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=118 time=2.65 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=118 time=2.31 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=118 time=3.88 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 2.319/2.953/3.885/0.674 ms
[root@mummyspdsrv01 ~]#

You need to be able to reach https://acme-v02.api.letsencrypt.org/directory

You can also (probably) find it easier to run certbot on a machine with an unrestricted internet connection and then scp/rsync the certificate. (Yes, you can use CSRs if you don't want to move the private key. That adds complexity, though.)

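The CSR variant of the "run certbot elsewhere" suggestion above, as an added example that is not part of the original thread: the private key is generated and stays on the restricted server, only the CSR travels to a host with outbound HTTPS, and the signed chain comes back and is checked against the local key before anything is installed. OUTDIR and HELPER are placeholders, and the openssl/certbot/scp commands are the standard ones; nothing here is specific to the poster's environment beyond the domain name.

```shell
#!/bin/sh
# Added example, not from the thread: key and CSR on the restricted server,
# certbot --csr on an internet-connected helper, signed chain copied back.
# OUTDIR and HELPER are assumptions for illustration.

OUTDIR="${OUTDIR:-/etc/pki/tls/private/acme}"   # assumed key/CSR directory on the restricted server
HELPER="${HELPER:-ops@helper.example.net}"       # assumed host with outbound HTTPS to the ACME API

# Key + CSR carrying a subjectAltName. A config file is used instead of -addext
# so this also works with the OpenSSL 1.0.2 shipped on RHEL 7. Prints the CSR path.
make_csr() {
    domain="$1"; dir="$2"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    cat > "$dir/$domain.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $domain
[ext]
subjectAltName = DNS:$domain
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$domain.key" -out "$dir/$domain.csr" \
        -config "$dir/$domain.cnf" 2>/dev/null || return 1
    chmod 600 "$dir/$domain.key"
    printf '%s\n' "$dir/$domain.csr"
}

# The CSR must name exactly what certbot is going to validate; check before shipping it.
csr_has_san() {
    openssl req -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# After the chain comes back: refuse a certificate whose public key does not
# match the key that never left this server (openssl x509 reads the first
# certificate in a fullchain file, i.e. the leaf).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# The round trip; not run automatically. Only the CSR goes out, only the
# certificate chain comes back. certbot on the helper validates the name
# (dns-01 here, since the helper is not the host the public DNS points at)
# and writes the files named by --cert-path/--chain-path/--fullchain-path.
obtain_via_helper() {
    domain="$1"; dir="$2"
    scp "$dir/$domain.csr" "$HELPER:/tmp/$domain.csr" || return 1
    ssh -t "$HELPER" "cd /tmp && certbot certonly --manual --preferred-challenges dns \
        --csr $domain.csr --cert-path $domain.crt --chain-path $domain.chain \
        --fullchain-path $domain.fullchain" || return 1
    scp "$HELPER:/tmp/$domain.fullchain" "$dir/$domain.fullchain" || return 1
    cert_matches_key "$dir/$domain.fullchain" "$dir/$domain.key"
}

# Typical sequence on the restricted server:
#   CSR=$(make_csr mumbai.myspeed.vodafoneidea.com "$OUTDIR") && \
#   csr_has_san "$CSR" mumbai.myspeed.vodafoneidea.com && \
#   obtain_via_helper mumbai.myspeed.vodafoneidea.com "$OUTDIR"
```

Caveat that makes this the more complex route: a certificate obtained with `--csr` is not recorded under /etc/letsencrypt/renewal, so `certbot renew` will not touch it; the round trip has to be repeated before the 90-day expiry, and the Apache config has to be pointed at the copied files by hand.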
I just got through it by adding a static route on the server.
Now stuck at below error:

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for mumbai.myspeed.vodafoneidea.com
Performing the following challenges:
http-01 challenge for mumbai.myspeed.vodafoneidea.com
Cleaning up challenges
"Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80."

Port 80 is enabled by the firewall team and we are still getting the same error.

You need to use the dns-01 challenge.

Can you add a txt record on _acme-challenge.mumbai.myspeed.vodafoneidea.com? Can you do that programmatically?

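Answering the "can you do that programmatically?" question above, and the earlier point that a DNS challenge removes the inbound port-80 requirement altogether: the following is an added example, not code from the thread or from certbot, of a `--manual-auth-hook` that publishes the `_acme-challenge` TXT record over RFC 2136 dynamic update (nsupdate with a TSIG key) and waits until the authoritative server actually serves it before handing control back to certbot. The name server, zone and key path are placeholders; certbot's hook interface (the CERTBOT_DOMAIN and CERTBOT_VALIDATION variables) is real.

```shell
#!/bin/sh
# Added example, not from the thread: certbot --manual-auth-hook for dns-01 using
# nsupdate + TSIG. DNS_SERVER, DNS_ZONE and TSIG_KEY are assumed placeholders.
#
# Install with the apache installer so the cert still lands in httpd:
#   certbot -a manual -i apache --preferred-challenges dns \
#       --manual-auth-hook    '/usr/local/sbin/acme-dns-hook.sh add' \
#       --manual-cleanup-hook '/usr/local/sbin/acme-dns-hook.sh delete' \
#       -d mumbai.myspeed.vodafoneidea.com

DNS_SERVER="${DNS_SERVER:-ns1.vodafoneidea.com}"        # assumed authoritative server
DNS_ZONE="${DNS_ZONE:-vodafoneidea.com}"                # assumed zone holding the record
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/acme-tsig.key}"  # assumed TSIG key file (mode 0600)

# Build the nsupdate script. action is "add" or "delete"; the 60 s TTL keeps a
# stale validation value from lingering in resolver caches between attempts.
build_nsupdate_script() {
    name="$1"; value="$2"; server="$3"; zone="$4"; action="$5"
    printf 'server %s\nzone %s\n' "$server" "$zone"
    if [ "$action" = add ]; then
        printf 'update add %s 60 IN TXT "%s"\n' "$name" "$value"
    else
        printf 'update delete %s IN TXT "%s"\n' "$name" "$value"
    fi
    printf 'send\n'
}

# Ask the authoritative server directly rather than a caching resolver.
# Kept separate so it can be replaced in tests.
txt_lookup() {
    dig +short TXT "$1" @"$2" 2>/dev/null | tr -d '"'
}

# Poll until the record is visible or give up with 1, so certbot aborts before
# the CA looks and a failed validation counts against the rate limits.
wait_for_txt() {
    name="$1"; value="$2"; server="$3"; attempts="${4:-30}"; interval="${5:-2}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if txt_lookup "$name" "$server" | grep -qx "$value"; then
            return 0
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    return 1
}

# Hook entry point. certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION; the
# add/delete action comes from the hook's own command line (certbot runs hooks
# through a shell, so 'hook.sh add' is a valid hook value).
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
    action="${1:-add}"
    record="_acme-challenge.${CERTBOT_DOMAIN}."
    build_nsupdate_script "$record" "$CERTBOT_VALIDATION" "$DNS_SERVER" "$DNS_ZONE" "$action" \
        | nsupdate -k "$TSIG_KEY" || exit 1
    if [ "$action" = add ]; then
        wait_for_txt "$record" "$CERTBOT_VALIDATION" "$DNS_SERVER" || exit 1
    fi
fi
```

Least privilege on the DNS side matters here: the TSIG key sitting on the web server should be granted (in BIND terms, an `update-policy` rule) only the right to change TXT records under `_acme-challenge.<host>`, not the whole zone, since anyone who compromises the server otherwise gets to rewrite the zone. The outbound path also needs UDP/TCP 53 to the authoritative server for nsupdate and dig, in addition to the HTTPS path to the ACME API.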
Our firewall team just enabled port 80 to test it, but we are still getting the same error.

I saw an article for this: I think it might not work in my case?

Cons:

  • It’s not supported by Apache, Nginx, or Certbot, and probably won’t be soon.

It's either port 80 on mumbai.myspeed.vodafoneidea.com

or dns on _acme-challenge.mumbai.myspeed.vodafoneidea.com

Port 80 requires certbot to cooperate with your webserver, though (or you can use --standalone)

This is by design, and certbot supports it just fine. dns-01 means you authenticate using your authoritative dns and then install the certificate. It cannot validate using a webserver because it does not use http to validate. It's harder to configure, but if it works, it works.

I was successfully able to generate the certificate after adding proxy server configurations to the server in bashrc.

Thank you so much for all your guidance and support.
Truly appreciate your help!

Make sure cron and/or the systemd timer have access to those for the automated renewal to work.

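The earlier https_proxy suggestion and the closing reminder about cron and the systemd timer describe one problem from two sides: a setting that lives in .bashrc is only seen by interactive shells, while the renewal job starts with an empty environment. The following is an added example, not from the thread or from the certbot project, that validates the proxy URL, writes it where both an interactive run and the renewal job will see it, and rehearses a renewal with the same empty environment the timer uses. The proxy address is a placeholder; the `certbot-renew.service` unit name is what the EPEL package installs but is treated as an assumption here.

```shell
#!/bin/sh
# Added example, not from the thread: proxy configuration for certbot that
# survives the non-interactive renewal run. PROXY and the unit/cron paths
# in the comments are assumptions.

PROXY="${PROXY:-http://proxy.corp.example:3128}"   # assumed corporate proxy
ACME_DIR_URL="https://acme-v02.api.letsencrypt.org/directory"

# Accept only scheme://host[:port]. Credentials embedded in the URL would be
# copied into unit files and show up in process listings, so reject them.
valid_proxy_url() {
    printf '%s' "$1" | grep -Eq '^https?://[A-Za-z0-9.-]+(:[0-9]{1,5})?/?$'
}

# Variables certbot (python-requests underneath) honours. http_proxy is set
# too: certbot's OCSP check during renewal talks plain HTTP to the responder.
proxy_env_lines() {
    printf 'https_proxy=%s\nHTTPS_PROXY=%s\nhttp_proxy=%s\nHTTP_PROXY=%s\nno_proxy=localhost,127.0.0.1\n' \
        "$1" "$1" "$1" "$1"
}

# Interactive check: the ACME directory must answer 200 through the proxy.
acme_reachable() {
    code=$(curl -sS --proxy "$1" -o /dev/null -w '%{http_code}' "$ACME_DIR_URL") || return 1
    [ "$code" = 200 ]
}

# systemd drop-in for the timer-driven service, which never reads .bashrc.
# Writes $dir/proxy.conf (e.g. dir=/etc/systemd/system/certbot-renew.service.d,
# then 'systemctl daemon-reload'). Returns 1 and writes nothing on a bad URL.
write_systemd_dropin() {
    dir="$1"; proxy="$2"
    valid_proxy_url "$proxy" || return 1
    mkdir -p "$dir" || return 1
    {
        printf '[Service]\n'
        proxy_env_lines "$proxy" | while IFS= read -r kv; do
            printf 'Environment="%s"\n' "$kv"
        done
    } > "$dir/proxy.conf"
    chmod 644 "$dir/proxy.conf"
}

# cron variant (e.g. file=/etc/cron.d/certbot): crontab files accept
# VAR=value lines ahead of the schedule line, which is all cron needs.
write_cron_file() {
    file="$1"; proxy="$2"
    valid_proxy_url "$proxy" || return 1
    {
        proxy_env_lines "$proxy"
        printf '0 */12 * * * root certbot -q renew\n'
    } > "$file"
    chmod 644 "$file"
}

# Rehearse renewal with an empty environment plus only the proxy variables,
# so a missing setting fails now rather than when the certificate is about
# to expire. Values contain no whitespace, so the unquoted expansion is safe.
renewal_dry_run() {
    valid_proxy_url "$1" || return 1
    env -i PATH=/usr/sbin:/usr/bin:/sbin:/bin $(proxy_env_lines "$1" | tr '\n' ' ') \
        certbot renew --dry-run
}

# Typical sequence:
#   acme_reachable "$PROXY" && \
#   write_systemd_dropin /etc/systemd/system/certbot-renew.service.d "$PROXY" && \
#   systemctl daemon-reload && renewal_dry_run "$PROXY"
```

Two things the proxy does not solve: the validation traffic for http-01 still arrives inbound on port 80 from Let's Encrypt's validators and never touches the proxy, and the proxy itself must permit CONNECT to acme-v02.api.letsencrypt.org:443 (plus the OCSP responder over HTTP) for the renewal to complete.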