Hello,
first of all: certificates are a horror for me - every time there is trouble… for 30 years, I can't understand it.
A small company has the provider allinkl.com for website and mail hosting, domain: firma-xy.de
Since 2016 we have used NethServer with POP3 connector + SOGo + Nextcloud.
Therefore we created a DNS A record in our allinkl.com account for our NethServer neth.firma-xy.de
But this NethServer has only self-created certificates, and this is complicated for our partners …
Is there a chance to get a Let's Encrypt certificate for this subdomain?
I tried ~12 ways of doing it… nothing works…
Where is a how-to for an old man like me?
Thanks for every good tip!
Start with the manual. If you have problems, post the details. Assuming that the public Internet sees neth.firma-xy.de as your Neth server, and it’s accessible on port 80, this should be very straightforward.
Thank you for this tip - first trouble!
NethServer is not reachable on port 80 - only on ports:
980: the good old admin site
9090: perhaps the good new admin site
443: the standard website of neth.firma-xy.de over https ("This site is under construction …")
Sorry, I can't find/remember where to configure opening port 80 for this site.
Between the Internet and the local LAN there is an IPFire - it redirects port 80 to the NethServer.
I think port 80 on the NethServer is closed?
Sorry, these are not real names, only examples …
But I've found the reason why there was no answer on port 80.
From firma.lan the website http://neth.firma-xy.de was reachable, but not from the WAN.
Only the firewall could block this. I corrected the rule (forgot NAT) and now it's possible to see http://neth.firma-xy.de from the WAN.
So I tried again to create a Let's Encrypt certificate, but it said: domain: Challenge failed for domain neth.firma-xy.de Some challenges have failed. (neth.firma-xy.de is only an example, the real name is replaced.)
Where is the mistake?
No idea. The latest Let’s Encrypt log file should have more information. Or (again) you can use DNS validation, in which case the system doesn’t need to be reachable on port 80 at all.
For a request for LE certs to work, you need an A or CNAME record for the (sub)domain you request it for. Did you create those in DNS (external DNS at your domain registrar)?
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2020-03-15 16:53:24,257:DEBUG:certbot._internal.error_handler:Encountered exception: Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
You could try UDP as well, just in case, but I wouldn’t think that would change anything. Or, for the third time, look into using DNS validation instead–your situation was exactly why I wrote the first of the links I gave you up-topic.
and I see [THIS IS ONLY A TEST !] in the browser.
That's why I'm sure …acme-challenge is reachable on port 80, or is this not correct?
I reread your link userguide:let_s_encrypt_for_internal_servers, but in our case the NethServer is reachable on port 80 …
What could be the reason for the timeout (looking at the letsencrypt.log)?
And now I have an idea … On the firewall there is a GeoIP block - because of …
Which country must be unblocked in the GeoIP block for Let's Encrypt?
Where are the Let's Encrypt servers running?
We don't know, and the IPs change. From the Let's Encrypt FAQ:
We don’t publish a list of IP addresses we use to validate, and these IP addresses may change at any time. Note that we now validate from multiple IP addresses.
I'm not a pro - autodidact - learning by doing since 1989. Years ago it was the same, but in other fields.
And now I see this sentence: If you do not have your DNS hosted with Cloudflare, you cannot follow these instructions as written–you'll need to adapt them for your DNS hosting solution.
That looks complicated - the DNS record is an A record at all-inkl.com
What do I have to do there: export CF_Key="YourCloudflareGlobalAPIKey"
What does GlobalAPIKey mean, and where do I find this key string for all-inkl.com?
That is exactly what it says: the Cloudflare global API key. If you aren’t using Cloudflare, you won’t have one. You’d instead consult the acme.sh documentation (the link to which is in the wiki article) to see if your DNS host has an API that’s supported by acme.sh. If it does, the same documentation will tell you what credentials you need to give. If your DNS host doesn’t have a supported API, you could consider moving your DNS hosting to Cloudflare (it’s free), or consider using acme-dns instead. Or completely remove the GeoIP block.
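The thread keeps circling between two validation methods: HTTP-01 (the CA resolves the A record and fetches a token file on port 80, which a forgotten NAT rule or a GeoIP block silently breaks) and DNS-01 (the CA only reads a TXT record, so the server need not be reachable at all). The script below is an added example, not code from the thread, NethServer, certbot or acme.sh; it replays both checks the way the CA performs them so a broken step shows up before the next failed request. The domain, IP, key authorization and TXT values are constructed; the default resolvers assume a working local resolver and the `dig` CLI, and are injectable so the checks also run offline.

```python
"""Pre-flight checks for the two Let's Encrypt validation methods discussed above.

HTTP-01: the CA resolves the A record, then fetches
  http://<domain>/.well-known/acme-challenge/<token>   on port 80
and expects the body to be the key authorization "<token>.<account thumbprint>".
DNS-01: the CA reads a TXT record at _acme-challenge.<domain> and expects
  base64url(sha256(key_authorization)) without '=' padding.
"""
import base64
import hashlib
import socket
import subprocess
import urllib.request
from dataclasses import dataclass, field

ACME_PATH = "/.well-known/acme-challenge/"


@dataclass
class Report:
    ok: bool
    problems: list = field(default_factory=list)


def default_resolve_a(name):
    """IPv4 addresses the local resolver returns for name (what the CA would follow)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)})


def default_fetch(url, timeout=10):
    """Plain-HTTP GET on port 80; connection errors and timeouts surface as exceptions."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


def default_resolve_txt(name):
    """TXT values via `dig +short` (assumed installed); strips the surrounding quotes."""
    out = subprocess.run(["dig", "+short", "TXT", name],
                         capture_output=True, text=True, check=True).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def check_http01(domain, expected_ip, key_authorization,
                 resolve_a=default_resolve_a, fetch=default_fetch):
    """Replay the HTTP-01 steps: A record -> port 80 fetch -> body must match."""
    report = Report(ok=True)
    try:
        addrs = resolve_a(domain)
    except OSError as exc:
        return Report(False, [f"DNS lookup for {domain} failed: {exc}"])
    if expected_ip not in addrs:
        report.ok = False
        report.problems.append(f"A record gives {addrs}, expected {expected_ip}")
    token = key_authorization.split(".")[0]
    url = f"http://{domain}{ACME_PATH}{token}"
    try:
        status, body = fetch(url)
    except Exception as exc:
        # A timeout here when run from OUTSIDE the LAN is what a NAT or GeoIP
        # block looks like; success from inside the LAN proves nothing about
        # the CA's validators, whose addresses are unpublished and change.
        report.ok = False
        report.problems.append(f"GET {url} failed: {exc}")
        return report
    if status != 200:
        report.ok = False
        report.problems.append(f"GET {url} returned HTTP {status}")
    elif body.strip() != key_authorization:
        report.ok = False
        report.problems.append(f"{url} served {body.strip()!r}, not the key authorization")
    return report


def dns01_txt_value(key_authorization):
    """The TXT value the CA expects: unpadded base64url of SHA-256(key authorization)."""
    digest = hashlib.sha256(key_authorization.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def check_dns01(domain, key_authorization, resolve_txt=default_resolve_txt):
    """Replay the DNS-01 step: the _acme-challenge TXT record must carry the digest."""
    name = f"_acme-challenge.{domain}"
    want = dns01_txt_value(key_authorization)
    try:
        records = resolve_txt(name)
    except Exception as exc:
        return Report(False, [f"TXT lookup for {name} failed: {exc}"])
    if want in records:
        return Report(True)
    return Report(False, [f"no TXT at {name} equals {want}; saw {records}"])


# Constructed stand-ins so the checks run offline (no real domain or CA involved).
def canned(status, body):
    return lambda url: (status, body)


def failing(exc):
    def _fetch(url):
        raise exc
    return _fetch


if __name__ == "__main__":
    ka = "token-from-the-ca.account-thumbprint"   # constructed key authorization
    healthy = check_http01("neth.example.test", "203.0.113.10", ka,
                           resolve_a=lambda d: ["203.0.113.10"], fetch=canned(200, ka))
    blocked = check_http01("neth.example.test", "203.0.113.10", ka,
                           resolve_a=lambda d: ["203.0.113.10"],
                           fetch=failing(TimeoutError("timed out")))
    dns = check_dns01("neth.example.test", ka, resolve_txt=lambda n: [dns01_txt_value(ka)])
    print("http-01 healthy:", healthy)
    print("http-01 blocked:", blocked)
    print("dns-01         :", dns)
```

To use it against a real host, run it from a machine outside your own network with the real key authorization certbot or acme.sh prints, and leave the default resolver and fetch functions in place; the `blocked` case in the demo is the same "timed out" failure that appears in letsencrypt.log when a firewall or GeoIP rule drops the validator's connection, and the DNS-01 check is the one that still passes in that situation.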