WordPress Has my Certifier Locked Down

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: Automic.Solutions

I ran this command: sudo certbot certonly --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): automic.solutions
Requesting a certificate for automic.solutions

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: automic.solutions
Type: unauthorized
Detail: The key authorization file from the server did not match this challenge. Expected "IH5T6yh_Euw5TfZ-uADoB9C0llbIOnm8g8CpnRva-EA.9XIv5qVK1G_5ba5pvdZXwa29oRD6fJ8wnvmme-pCkok" (got "WP.com")

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: WordPress - They have a certifier for my domain, however, they won't give me a copy to use. So I want to create one for my own use. Is this even possible?

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 5.1.0

Um, why? What are you planning to do with your own cert, whether it's a copy of the one on your server or another one?

Not in the way you're trying to. It sounds like you've spun up your own Ubuntu server with Apache on it, but if it isn't what's responding to requests from the public Internet for your domain name (and it isn't; that's wp.com doing that), you won't be able to get your own cert using the --apache plugin.

You could still get a cert using DNS validation, assuming you have control over your DNS records, but that goes back to the question of "why?"


I want to lock down my server using SSL-encrypted connections only. This requires having a certifier.

I had hoped to simply use the one WordPress created, but they won't give me access, so I need to create my own.

But your server isn't serving automic.solutions, so what would it do for a cert for that domain?

What exactly do you mean by "lock down my server using SSL-encrypted connections"? Be specific. Because leaving aside that SSL is long since obsolete (having been replaced by TLS), this just isn't making much sense.


I want to serve applications with a valid certificate that I don't have to create myself. Forcing all connections to be encrypted is the main reason for needing a certifier; SSL vs TLS is just semantics in this case.

Ideally my server would be in the same domain as the web site. It is possible to have more than one server in the same domain. That's what I want.

The IP addresses (DNS A and AAAA records) associated with a fully qualified domain name should all point to servers that perform identical functions (like serving identical content). If you were to point the public address record(s) associated with your domain name to your own server, you would either be adding an additional server alongside WordPress or replacing the WordPress server. As @danb35 indicated, we're not exactly sure what you're trying to accomplish. In order to be issued a publicly-trusted certificate from Let's Encrypt using an HTTP-01 challenge, the challenge file(s) generated by your ACME client (certbot) need to be placed where they can be reached via your public DNS address records. Having multiple public address records simply creates a "poor man's load balancer" in which the IP address used is arbitrary; that arrangement is meant for backup purposes.


Thanks for your input. I have found a solution to my requirement in an unexpected way. I chatted with the WordPress Support bot.

I explained to it what I wanted to do, and it recommended creating a sub-domain by creating an A record in my WordPress DNS using my server IP, and then creating a certifier for the sub-domain using Certbot.

So, instead of being able to manage the entire domain, I can work with sub-domains via WordPress DNS. Not what I had in mind, but it will work fine.
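The two points this thread turns on are the HTTP-01 check the CA performed (the "Expected ... (got "WP.com")" line in the Certbot output) and the reason the sub-domain A record fixes it: the CA fetches the challenge file from whatever host the domain's public address records point at, and compares the body against a key authorization derived from the challenge token and the ACME account key. The script below is an added illustration, not Certbot's or Let's Encrypt's code. It computes the key authorization the way RFC 8555 defines it (token, a dot, and the RFC 7638 thumbprint of the account key), reproduces the CA-side comparison that produced the error above, and runs a DNS pre-flight over a constructed zone: the `ACCOUNT_JWK` values, the `apps.automic.solutions` sub-domain name, and every IP address are placeholders made up for the example; only the token string is taken from the thread.

```python
import base64
import hashlib
import json

# Constructed ACME account key in JWK form. "n" and "e" are placeholder
# strings, not a real RSA key: the RFC 7638 thumbprint only hashes the
# JSON members, so any base64url-shaped strings illustrate the algorithm.
ACCOUNT_JWK = {"kty": "RSA", "n": "constructed-modulus-placeholder", "e": "AQAB"}

# Challenge token as it appears in the Certbot output quoted in the thread.
TOKEN = "IH5T6yh_Euw5TfZ-uADoB9C0llbIOnm8g8CpnRva-EA"

# Constructed DNS zone: the apex points at the hosting provider (placeholder
# documentation IP), the hypothetical sub-domain points at the poster's server.
ZONE = {
    "automic.solutions": ["198.51.100.10"],
    "apps.automic.solutions": ["203.0.113.5"],
}
SERVER_IPS = {"203.0.113.5"}  # constructed public IP of the poster's Apache box

# Members RFC 7638 requires in the thumbprint input, per key type.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, lexicographically ordered,
    serialised with no whitespace, then base64url-encoded."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def validate_http01_response(expected: str, body: str) -> dict:
    """Mirror the CA-side comparison: the fetched body, trailing whitespace
    stripped, must equal the key authorization exactly. Returns a problem
    document shaped like the one Certbot printed in the thread."""
    got = body.strip()
    if got == expected:
        return {"type": "valid", "detail": "key authorization matched"}
    return {
        "type": "unauthorized",
        "detail": (
            "The key authorization file from the server did not match this "
            f'challenge. Expected "{expected}" (got "{got[:100]}")'
        ),
    }


def http01_preflight(domain: str, zone: dict, server_ips: set) -> bool:
    """HTTP-01 can only succeed if every public A record for the name resolves
    to a host that will serve the challenge file, i.e. this server."""
    records = zone.get(domain, [])
    return bool(records) and all(ip in server_ips for ip in records)


if __name__ == "__main__":
    expected = key_authorization(TOKEN, ACCOUNT_JWK)
    # What the CA saw: the apex resolves to the hosting provider, whose edge
    # answered the challenge URL with its own placeholder page body.
    print(validate_http01_response(expected, "WP.com")["detail"])
    for name in ZONE:
        print(name, "HTTP-01 reachable from this server:",
              http01_preflight(name, ZONE, SERVER_IPS))
```

Run against the constructed zone, the pre-flight reports the apex as not issuable from the poster's server and the sub-domain as issuable, which is exactly the outcome the WordPress support bot's A-record suggestion produces; the same check works as a pre-flight before re-running Certbot if the constructed zone is replaced with a real lookup of the name's A and AAAA records.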