On the host that renews poly.tique.info there is only one lego process at once. And lego only keeps the nonce in memory so no shared cache here.| Let's Encrypt Community Support - Latest posts
Thanks for your testing and comment. This seems beyond my tech level of understanding. It is quite frustrating that the letsencrypt verifier cannot reach my server when I can externally access the challenge file through port 80. I will contact my DNS managing team, but specifically, what should I ask them to test or check?
FileMaker Server 22 now has Let's Encrypt baked in, but I'm having problems with it that Claris hasn't been able to solve. Across my domain with a particular hosting provider, I cannot get a single SSL issued. The test validation passes, but the actual SSL fails to issue, giving "Certificate Request Failed. Failure / timeout verifying challenge passed". Port 80/443 are both open in Windows Firewall, and I can run curl -i http://EXAMPLE.DOMAIN/.well-known/acme-challenge/test.txt from any machi...
Is this still a problem for you? Is it still every request that fails? The only suggestion I have is to try a different ACME Client. Given how early in the ACME API sequence it fails it doesn't matter which Challenge you use. If the challenge fails you know the new-order request succeeded. Just be sure to use something with a nice enough logging option. Maybe use the APT install of Certbot. Its logging is very good. Normally the Snap install is recommended but for this kind of test the APT i...
My domain is: HPradio.country-radio.eu NGINX: 1.26.3 Debian: trixie What happens if I run Certbot --nginx? What modification is Certbot doing, because I can't find any. In my Nginx configuration there is a big part for TYPO3. The root for TYPO3 is /var/www/html/typo3/public and I have some other Nginx blocks for /phpmyadmin/ , /test/ and /public/ with a root of /usr/www/html/. I also can't find any .well-known directory. I guess the directory should be created by Certbot, but where? And how Certbo...
Hi, I have a website — Foxnett. I’ve enabled the Cloudflare proxy for it, but I’d like to continue using the SSL certificate issued by Let’s Encrypt. How can I set this up so that I can use Cloudflare’s proxy service while keeping my Let’s Encrypt SSL?
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help. My domain is: deborahsweetin.com I ran this command: sudo /opt/bitnami/bncert-tool It produced this output: bitnami@ip-172-26-4-228:~$ ls -l /opt/bitnami...
For the "backdoor requests" scenario, one may enable Authenticated Origin Pulls feature, which will allow authenticating that request truly comes from Cloudflare Edge. It's also possible to further lock down to ensure the traffic comes from specific zone or even hostname defined in Cloudflare dashboard. This is a form of mTLS (effectively a client certificate).
Our system uses anycast for DNS (DOH and DOT) services. We'd like to use IP authentication, since our IP addresses are used by clients to bootstrap or directly communicate with our systems. I see a few problems with the current model that has been documented for IP address certificates, and I'm wondering if there can be a discussion on the topic. Cert time is too short. We own our own /24's and /48's for use, and we are listed as the "owners" of the address space in the RIR. It seems tha...
Hi all, I am using IBM Cloud Secrets Manager to request public TLS certificates from Let’s Encrypt. My certificates are being issued successfully. The certificate chain I currently get looks like this: End-entity certificate: RSA 2048 Intermediate certificate: RSA 2048 Root certificate: RSA 4096 When I try to use this certificate chain with AWS (Keycloak exposed on the internet), AWS rejects the chain. Their support explained that: “On further analysis, we understand that you have three c...
No. Don't put your vhost in ssl.conf.
In my situation, the problem isn't Manual DNS domain validation in terms of getting the acme challenge token into the zone files. Automation is not an option in my situation.
After learning about and remediating a bug in our CAA checking code [1] on 2020-02-29 UTC (the evening of Friday February 28, U.S. Eastern time), we announced that we would be revoking approximately 2.6% of our active certificates that were potentially affected by the bug, totalling approximately 3 million certificates [2]. We announced the plan to revoke because even though the vast majority of the certificates in question do not pose a security risk, industry rules require that we revoke ce...
On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA software, Boulder, checks for CAA records at the same time it validates a subscriber’s control of a domain name. Most subscribers issue a certificate immediately after domain control validation, but we consider a validation good for 30 days. That means in some cases we need to check CAA records a second time, just before issuance. Specifically, we have to check CAA within 8 hours prior to issuance (per BRs §3.2.2.8), so...
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help. My domain is: youthministry.rccghopmn.org I ran this command: sudo certbot --nginx It produced this output: ubuntu@ip-172-31-85-195:~$ sudo certbot --n...
My domain is: bitcastle.lol I ran these commands: sudo certbot renew --nginx --cert-name bitcastle.lol --dry-run sudo certbot certonly --nginx --cert-name bitcastle.lol --dry-run They all failed with the same result: authenticator: nginx, Type: unauthorized, Detail: ... Invalid response from https://bitcastle.lol/.well-known ... 404 And I see 404 status codes in nginx access.logs and perhaps more notably I see in the error.logs No such file or directory looking for the acme-challenge/
The word "only" is doing a lot of heavy lifting in your sentence, but yes I think that's what this thread is requesting. Maybe subsumed in your "extend ACME and CA/B" is that it'd take a lot of effort to get CAs on board. And I don't see commercial CAs getting excited about something unless they could charge a lot for it. And non-profit CAs like Let's Encrypt have enough on their plates just trying to keep HTTPS going. All of which is why I was suggesting someone would need to put together so...
It would be useful to include instructions on upgrading CertSage.php as new versions are released. Maybe upgrading isn't necessary since it seems most improvements are to make it easier for getting the first certificate and not renewals? But, since I don't know, I have upgraded. Just finally figured out how to do that with less work than starting from scratch. With my multiple subdomains and renamed main directory, it just means editing the certsage.php directory line again within the new cop...
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help. My domain is: wgvc.com I ran this command: sudo certbot certonly --apache It produced this output: Saving debug log to /var/log/letsencrypt/letsencryp...
So I went to the router, to the WAN section, then went to the "Virtual Server/Port Forwarding" section, and then in the "Port Forwarding List" section, I made the settings that I showed in the screenshot.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help. My domain is: https://mobilise.alzheimersresearchuk.org/ I ran this command: certbot renew -v It produced this output: Saving debug log to /var/log/let...
Hello, I have 2 ubuntu 24.04 LTS servers with Let's Encrypt on them - each with a web app, based on apache server, one with MariaDB the other with PostgreSQL databases. Everything is fine ... except the day the certificate is renewed, I saw a strange and not understandable behaviour - for me - let me give a bit of context. Each day, the following tasks are executed: 00:01 CET: backup of the database 00:11 CET: stop of the server (apache server, and database) 00:12 CET: renew certificate,...
We're almost ready to issue certificates for IP address SANs from Let's Encrypt's production environment. They'll only be available under the shortlived profile (which has a 6-day validity period), and that profile will remain allowlist-only for a while. Please note: We have more work to do before we're ready to launch this feature for the public. We don't yet have a timeline, and aren't ready to accept allowlist requests. Here's a sample staging certificate, and a site using it: abadcafe.tx...
[Update 2020-03-05: The most up-to-date summary is at 2020.02.29 CAA Rechecking Bug] Due to the 2020.02.29 CAA Rechecking Bug, we unfortunately need to revoke many Let’s Encrypt TLS/SSL certificates. We’re e-mailing affected subscribers for whom we have contact information. This post and thread will collect answers to frequently asked questions about this revocation, and how to avoid problems by renewing affected certificates early. If you’re affected, please: thoroughly read this threa...
Developer of https://certifytheweb.com, a popular Let's Encrypt/ACME UI for Windows.
Retired. 🙂 https://en.wikipedia.org/wiki/Tardigrade https://wildkratts.fandom.com/wiki/Tardigrade_Xtreme "Stand-up philosopher. I coalesce the vapors of human experience into a viable and logical comprehension."