1

Using Certbot, I installed a Let's Encrypt SSL certificate for my domain, which points to a Hostinger Apache server running Ubuntu 20.04. I am having trouble installing a certificate for my subdomain. I created an A record (Name: www) that points to my server's IP address. This was after deleting the CNAME record (Name: www, Target: mydomain.com). I have looked at the related posts and tried "certbot certonly --standalone --expand -d mydomain.com -d www.mydomain.com". I used my domain name in place of "mydomain.com". This did not work. Any help would be appreciated.

First of all, thanks for looking into this issue. As far as being accessible, I'm assuming that you mean that the site appears when I type the domain name or the subdomain name in the address bar: in my case, the site appears for both cases.

As far as port 80 is concerned, after running netstat, I cannot see where port 80 is being used, if it's actually being used. However, the "certbot certonly --standalone ..." command does report "Could not bind TCP port 80 because it is already in use by another process on this system". I'm not sure how to stop port 80 and if stopping port 80 will allow "certbot certonly --standalone ..." to install the certificate.

Len
  • 11
  • OK, now the issue becomes clear. certbot --standalone starts a webserver on port 80, but if your website is displayed, then the webserver is running. Try running this command: netstat -atunpl | grep 80 to find the process. But if you know what webserver you are using, I'd really recommend using the certbot plugin like I described; then your website can stay online during the renewal process. – Anuril Jan 11 '23 at 14:33

1 Answer

0

If you're trying to expand a certificate, you need to make sure that the original as well as the new domain are accessible, as certbot will also re-verify the "existing" domain.

Also make sure that your DNS changes have been globally propagated by using a site like this, as while it might work for you, the Let's Encrypt servers are located in a different part of the world and might need more time to see the changes, depending on the TTL and refresh times you set for your DNS zone.

If that is correct for both the existing and new domain, make sure that there is no other process listening on port 80 when you start certbot in standalone mode (e.g. a webserver).

You say that you're having trouble "installing a certificate" - with the options you provided, you will only request the certificate, but not install it in your webserver. If the certificate is correctly created, but not installed, you need to make sure that the service you are using is aware of the certificate, either by pointing it to the correct files or by copying the files to the correct place. If you are using Apache or nginx to serve the content you want to protect with SSL, it might be better to use the plugins that automate this with certbot for you.

You can install them like this: (remove the leading # for the line most applicable for you.)

#sudo apt-get install python3-certbot-apache # For apache on debian / ubuntu 
#sudo apt-get install python3-certbot-nginx # For nginx on debian / ubuntu 
#sudo yum install python3-certbot-apache # For apache on centos / fedora
#sudo yum install python3-certbot-nginx # For nginx on centos / fedora

Then you can simply run certbot manually and it will detect Apache or nginx configurations and ask you which domains you want to use SSL with. If everything works, you can then enable a systemd timer to renew the certificates automatically. For more information on that, see here.

Anuril
  • 713
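
The port 80 check discussed in this thread, as an added example that is not part of the original posts: it parses `ss -H -ltnp` output for sockets bound to port 80 exactly (a plain `grep 80` also matches 8080 or a PID containing 80) and maps the owning process to the certbot authenticator that fits. The function names and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: find what holds TCP port 80 before running
# `certbot certonly --standalone`, and pick a matching authenticator.

# Read `ss -H -ltnp` output on stdin; print "name pid local-address" for
# every socket listening on port 80 exactly (not 8080, not pid=1380).
port80_listeners() {
  awk '{
    n = split($4, part, ":")            # $4 is Local Address:Port
    if (part[n] != "80") next
    name = "unknown"; pid = "-"         # ss omits process info without root
    if (match($0, /\(\("[^"]+"/)) name = substr($0, RSTART + 3, RLENGTH - 4)
    if (match($0, /pid=[0-9]+/))  pid  = substr($0, RSTART + 4, RLENGTH - 4)
    print name, pid, $4
  }'
}

# Read port80_listeners output on stdin; print the certbot option to use:
# a web server plugin if that server owns port 80, --standalone if it is free.
suggest_authenticator() {
  names=$(awk '{print $1}' | sort -u)
  case "$names" in
    "")            echo "--standalone" ;;
    apache2|httpd) echo "--apache" ;;
    nginx)         echo "--nginx" ;;
    *)             echo "unknown-listener" ;;  # identify it before going on
  esac
}

# Constructed sample of `ss -H -ltnp` output for an Apache host.
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=812,fd=4),("apache2",pid=811,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
LISTEN 0 511 [::]:8080 [::]:* users:(("node",pid=1380,fd=20))
LISTEN 0 511 *:443 *:* users:(("apache2",pid=812,fd=6))'

printf '%s\n' "$SAMPLE_SS" | port80_listeners
printf '%s\n' "$SAMPLE_SS" | port80_listeners | suggest_authenticator
```

On a live host, pipe `sudo ss -H -ltnp` into `port80_listeners` instead of the sample; without root, `ss` leaves the process column empty and the listener is reported as `unknown`.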