
I am trying to generate an SSL certificate for a subdomain that was purchased using WordPress. Both the domain and subdomain were purchased from WordPress. For the subdomain created using WordPress, I have created an A record with an IP pointing to some external server. Now I want to generate an SSL certificate for this subdomain. How can I do this?

Here is what I tried using the sudo certbot certonly --webroot command, but it gives the following errors.


What is it that I am missing?

Amanda
  • From where are you calling the command to generate the SSL certificate? It has to be from the server which you specified in the A record, since LetsEncrypt fires up a temporary web server with the command to "challenge" if you actually own it. At least that's how I understand it. – JoCoaker Sep 29 '20 at 10:56
  • @JoCoaker I am calling it from a different server. Can that server be behind a load balancer that has the actual public IP? – Amanda Sep 29 '20 at 11:05
  • I wrote an answer. Please try it out and get back to me if it worked. Thank you. – JoCoaker Sep 29 '20 at 11:42

1 Answer


You will need to perform the certificate generation action on the server with the IP you specified in your DNS A Record.

or

If that is not possible, you can also execute the certbot command with the --manual flag. (Official Docs)

$ sudo certbot certonly --manual

# ...
# ... Asked for domain name and IP logging
# ...
 
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.<your-domain> with the following value:
 
5TyIfZh7Q38VnQuUvsIWJt0QffSJvCnHNOnlEuRim66
 
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue

Now here you will need to create a new DNS TXT record with the value displayed. (In this case it's 2DYIfZh7Q38VnQuUvsIWJt0QffSJvCnHNOnlEuRim66.) Wait a few minutes before pressing Enter, since the deployment will take some time. Don't delete the record afterwards, otherwise renewing will not work!

Now press Enter and you should see something like this:

Waiting for verification...
Cleaning up challenges
 
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/<your-domain>/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/<your-domain>/privkey.pem
   Your cert will expire on xxxx-xx-xx. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
 
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

And now your certificates will be lying in the folder /etc/letsencrypt/live/<your-domain>/.


Explanation on how the "HTTP challenge" works

JoCoaker
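The answer tells you to verify the TXT record is deployed before pressing Enter. Below is an added example (not part of the original answer) of a small POSIX shell check that asks the domain's authoritative name servers, via dig, whether _acme-challenge.<your-domain> already carries the value certbot displayed; it assumes dig is installed, that the domain you pass is the zone apex, and the script name check-acme-txt.sh is hypothetical.

```shell
#!/bin/sh
# Added example: confirm the _acme-challenge TXT record is visible on every
# authoritative name server before telling certbot to continue.
# Assumes dig (bind-utils / dnsutils) is installed.

# Normalise `dig +short TXT` output: each record is printed as one or more
# quoted strings on a line ("abc" "def"). Join the pieces, strip the quotes,
# and print one value per line.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Exit 0 if the expected value appears, as a whole TXT value, on stdin.
txt_has_value() {
    normalize_txt | grep -qxF -- "$1"
}

# Authoritative name servers of the zone (trailing dots removed).
authoritative_ns() {
    dig +short NS "$1" | sed 's/\.$//'
}

# Poll until all authoritative servers serve the record.
# Returns 0 on success, 1 when attempts are exhausted or no NS was found.
wait_for_acme_txt() {
    domain="$1"; expected="$2"; attempts="${3:-20}"; delay="${4:-15}"
    name="_acme-challenge.$domain"
    servers=$(authoritative_ns "$domain")
    if [ -z "$servers" ]; then
        echo "no authoritative name servers found for $domain"; return 1
    fi
    i=0
    while [ "$i" -lt "$attempts" ]; do
        missing=0
        for ns in $servers; do
            if dig +short TXT "$name" "@$ns" | txt_has_value "$expected"; then
                echo "ok       $ns serves $name"
            else
                echo "waiting  $ns does not yet serve the expected value"; missing=1
            fi
        done
        [ "$missing" -eq 0 ] && return 0
        i=$((i + 1)); sleep "$delay"
    done
    return 1
}

# Usage: ./check-acme-txt.sh <your-domain> <value-shown-by-certbot>
if [ "$#" -ge 2 ]; then
    wait_for_acme_txt "$1" "$2" && echo "Record deployed; press Enter in certbot."
fi
```

Run it in a second terminal while certbot is waiting; it polls the authoritative servers rather than your resolver, so a cached negative answer on your machine does not mislead you.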