Let's Encrypt certificate for subdomain

NethServer Version: 7.7.1908 (final)
Module: server-certificate

First of all: certificates are a horror for me; every time there is trouble… for 30 years, I can't understand it.
A small company has the provider allinkl.com with website and mail hosting for the domain firma-xy.de.
Since 2016 we have used NethServer with pop3-connector + SOGo + Nextcloud.
Therefore we created a DNS A record in our allinkl.com account for our NethServer neth.firma-xy.de.
But this NethServer has only self-created certificates, and this is complicated for our partners…
Is there a chance to get a Let's Encrypt certificate for this subdomain?
I tried ~12 ways of doing it… nothing works…
Where is a howto for an old man like me?
Thanks for every good tip!

Of course.

Start with the manual. If you have problems, post the details. Assuming that the public Internet sees neth.firma-xy.de as your Neth server, and it’s accessible on port 80, this should be very straightforward.

Hello Dan,

thank you for this tip; first trouble!
NethServer is not reachable on port 80, only on these ports:

  • 980: good old admin site
  • 9090: perhaps good new admin site
  • 443: standard website of neth.firmaxy.de over https ("This site is under construction …")

Sorry, I can't find/remember where to configure opening port 80 for this site.
Between the internet and the local LAN there is an IPFire, which redirects port 80 to NethServer.
I think port 80 on NethServer is closed?

It responds for me, both at neth.firmaxy.de and at neth.firma-xy.de. It gives a 404 page:
However, an attempt to reach something in the /.well-known path (which is what the baked-in Let’s Encrypt support needs) fails with a strange error:
…which makes me wonder if it’s actually the Neth server that’s responding at all.

You might be better off following one of my guides for using DNS validation:


sorry, these are not real names, only examples…
But I've found the reason why there is no answer on port 80.
From firma.lan the website http://neth.firma-xy.de was reachable, but not from WAN.
Only the firewall could block this. I corrected the rule (forgot NAT) and now it's possible to see
http://neth.firma-xy.de from WAN.
So I tried again to create the Let's Encrypt certificate, but it said:
Challenge failed for domain neth.firma-xy.de Some challenges have failed.
neth.firma-xy.de is only an example; the real name is replaced.
Where is the mistake?

No idea. The latest Let’s Encrypt log file should have more information. Or (again) you can use DNS validation, in which case the system doesn’t need to be reachable on port 80 at all.

For a request for LE certs to work, you need an A or CNAME record for the (sub)domain you request it for. Did you create those in DNS (external DNS at your domain registrar)?

Hello robb,

yes, I have done that. Tested it:
nslookup msrv.eds-systeme.de

Non-authoritative answer:
Name: msrv.eds-systeme.de

and reverse:
nslookup name = p5099e46a.dip0.t-ipconnect.de.

Authoritative answers can be found from:

In /var/log/letsencrypt/letsencrypt.log I found this:
Domain: msrv.eds-systeme.de
Type: connection
Detail: Fetching http://msrv.eds-systeme.de/.well-known/acme-challenge/VqEW65BtN1x8OZr-dapz0eMhTizdl2G3DIW71rtG_j4: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2020-03-15 16:53:24,257:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

In the firewall (IPFire) only ports 80 and 443 are opened to NethServer msrv…
Is it possible that Let's Encrypt needs more than 80 and 443 TCP?

You could try UDP as well, just in case, but I wouldn’t think that would change anything. Or, for the third time, look into using DNS validation instead–your situation was exactly why I wrote the first of the links I gave you up-topic.

Hello Dan,
thanks for your patience. Is there a misunderstanding on my side?
I tried this via SSH:

  • created a file on NethServer /var/www/html/.well-known/acme-challenge/hallo01
  • inside this file only the text "THIS IS ONLY A TEST !"
  • now I started Firefox on my home notebook and browsed
  • and I see [THIS IS ONLY A TEST !] in the browser.

That's why I'm sure …acme-challenge is reachable on port 80, or is this not correct?
I reread your link userguide:let_s_encrypt_for_internal_servers, but in our case the NethServer is reachable on port 80…
What could be the reason for the timeout (looking at the letsencrypt.log)?

And now I have an idea… On the firewall there is a GeoIP block, because of…
Which country must be unblocked by the GeoIP block for Let's Encrypt?
Where are the Let's Encrypt servers located?
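A small script, added here as an example (not part of the thread and not NethServer's or certbot's own tooling), that reads the Domain/Type/Detail blocks certbot writes to letsencrypt.log, as in the excerpt quoted above, and maps each failure to where to look first. The sample log text is constructed after that excerpt, with example domains and a placeholder token; the hint rules are this example's own heuristics.

```python
"""Pull the challenge failures out of certbot's letsencrypt.log and say where to look.

Example code added for illustration; the log text below is constructed after the
excerpt quoted in the thread, with example domains and a placeholder token.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout certbot uses for its failure report.
SAMPLE_LOG = """\
Domain: msrv.example.test
Type: connection
Detail: Fetching http://msrv.example.test/.well-known/acme-challenge/TOKEN-PLACEHOLDER: Timeout during connect (likely firewall problem)

Domain: www.example.test
Type: unauthorized
Detail: Invalid response from http://www.example.test/.well-known/acme-challenge/TOKEN-PLACEHOLDER [203.0.113.10]: 404

To fix these errors, please make sure that your domain name was entered correctly ...
2020-03-15 16:53:24,257:DEBUG:certbot._internal.error_handler:Encountered exception:
"""

# Ordered rules: the first matching pattern wins.
HINTS = [
    (re.compile(r"timeout during connect", re.I),
     "Nothing answered on TCP/80: check the perimeter firewall, the NAT/port-forward "
     "rule and any GeoIP block in front of the server. Let's Encrypt validates from "
     "several unpublished IPs, so allow-listing by country is fragile."),
    (re.compile(r"\b404\b"),
     "A web server answered, but not with the token: verify the webroot and that "
     "/.well-known/acme-challenge/ is served by the vhost for this name."),
    (re.compile(r"NXDOMAIN|no valid A records|DNS problem", re.I),
     "Public DNS does not resolve the name: fix the A/AAAA record at the registrar."),
]


@dataclass
class ChallengeFailure:
    domain: str
    type: str
    detail: str
    hint: str


def classify(detail: str) -> str:
    """Map the free-text Detail line to the most likely place to look."""
    for pattern, hint in HINTS:
        if pattern.search(detail):
            return hint
    return "Unclassified; read the full entry in letsencrypt.log."


def parse_failures(log_text: str) -> List[ChallengeFailure]:
    """Collect each Domain/Type/Detail triple; a 'Detail:' line closes a record."""
    failures, current = [], {}
    for raw in log_text.splitlines():
        m = re.match(r"^\s*(Domain|Type|Detail):\s*(.*)$", raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        current[key] = value
        if key == "detail":
            failures.append(ChallengeFailure(current.get("domain", ""),
                                             current.get("type", ""),
                                             value, classify(value)))
            current = {}
    return failures


def blocked_by_firewall(failures: List[ChallengeFailure]) -> List[str]:
    """Domains whose failure is a connect timeout rather than a webroot problem."""
    return [f.domain for f in failures if f.type == "connection"]


if __name__ == "__main__":
    for f in parse_failures(SAMPLE_LOG):
        print(f"{f.domain} [{f.type}]\n  {f.detail}\n  -> {f.hint}\n")
```

A "connection" failure with "Timeout during connect" is the case in this thread: the validator never completed the TCP handshake, which a reachability test from one's own home connection cannot reproduce when the block is geographic. Run it against a real log with `parse_failures(open("/var/log/letsencrypt/letsencrypt.log").read())`.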

We don’t know and the IPs change. From the letsencrypt faq:

We don’t publish a list of IP addresses we use to validate, and these IP addresses may change at any time. Note that we now validate from multiple IP addresses.

Hello Markus,

I found this advice too, and tried to unblock the country US… and now I have the Let's Encrypt certificate…

Not especially happy about the fact that I have to open the firewall for the US… but we will watch the logs…

Thanks to all who gave me advice!

If you don’t like to open the firewall, you may have a look at the links @danb35 provided and go for DNS validation.

Hello Markus,

I'm not a professional; an autodidact, learning by doing since 1989. Years ago the same, but in other fields.
And now I see this sentence:
If you do not have your DNS hosted with Cloudflare, you cannot follow these instructions as written–you’ll need to adapt them for your DNS hosting solution.

That looks complicated; the DNS record is an A record on all-inkl.com.
What I have to do there:
export CF_Key="YourCloudflareGlobalAPIKey"
What does GlobalAPIKey mean, and where do I find this key string for all-inkl.com?

That is exactly what it says: the Cloudflare global API key. If you aren’t using Cloudflare, you won’t have one. You’d instead consult the acme.sh documentation (the link to which is in the wiki article) to see if your DNS host has an API that’s supported by acme.sh. If it does, the same documentation will tell you what credentials you need to give. If your DNS host doesn’t have a supported API, you could consider moving your DNS hosting to Cloudflare (it’s free), or consider using acme-dns instead. Or completely remove the GeoIP block.
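As an added illustration (not code from the thread, the wiki or acme.sh), the following computes what an ACME client actually publishes for the two validation methods discussed here, following RFC 8555: the file body served under /.well-known/acme-challenge/ for HTTP-01, and the TXT record at _acme-challenge.<domain> for DNS-01. It shows why DNS validation needs neither port 80 nor any firewall opening: the CA's validator only queries public DNS, which is why a DNS host with an API (or acme-dns) is what acme.sh needs for that route. The account key and token are constructed placeholders, not a real key; the function names are this example's own.

```python
"""ACME (RFC 8555) challenge values for HTTP-01 and DNS-01 validation.

Example code added for illustration; the account key below is a constructed
placeholder, not a real key.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, sorted, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """HTTP-01: the exact body served at http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{thumbprint}"


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """DNS-01: base64url(SHA-256(key authorization)), published as a TXT record."""
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode("ascii")).digest()
    return b64url(digest)


def challenge_records(domain: str, token: str, jwk: dict) -> dict:
    """Everything the CA's validator will look for, for both challenge types."""
    thumbprint = jwk_thumbprint(jwk)
    return {
        "http01_url": f"http://{domain}/.well-known/acme-challenge/{token}",
        "http01_body": key_authorization(token, thumbprint),
        "dns01_name": f"_acme-challenge.{domain}",
        "dns01_txt": dns01_txt_value(token, thumbprint),
    }


# Constructed placeholder account key in RFC 7517 shape; "n" is not a real modulus.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "cG9zaXRpdmVseS1ub3QtYS1yZWFsLW1vZHVsdXM"}
# Constructed token in the shape the CA issues (base64url characters only).
SAMPLE_TOKEN = "examp1e-t0ken-n0t-fr0m-a-rea1-CA_00000000000"


if __name__ == "__main__":
    for key, value in challenge_records("msrv.example.test", SAMPLE_TOKEN, SAMPLE_JWK).items():
        print(f"{key:12} {value}")
```

With DNS-01 the only thing that must be reachable is the authoritative nameserver for the domain, so a GeoIP block on the office firewall is irrelevant; the trade-off is that the client needs API credentials for the DNS host (or a delegated zone via acme-dns), which is what the wiki's CF_Key line is for in the Cloudflare case.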

… misunderstanding.
I don't know if all-inkl.com supports this. I hope so.

“However, acme.sh supports the APIs of a number of DNS hosts; the list, along with instructions for use, can be found in the acme.sh documentation”

There I can't see any list of DNS hosts acme.sh supports.

It’s a little bit confusing …

all-inkl.com is not supported as it’s not mentioned in the list.

If your DNS provider doesn’t have a supported API, you may want to look into using acme-dns instead.

You can’t? Because when I click that link, I see this:

…and all the way down to

Hello Dan,

this should be a LIST? No problem, I think this acme.sh is a job for a rainy day…

Thanks, and I think we should close this now…