Does Certbot offer self-signed SSL certificates only?

October 15, 2017
Security Ubuntu 16.04

Just wondering if they offer anything other than self signed SSL certificates.

2 Answers

Certbot offers certificates signed by Let's Encrypt, a widely trusted CA, or by the Let's Encrypt staging environment's non-trusted test CA.

(Let's Encrypt certificates chain ultimately to IdenTrust's DST Root CA X3, or to Let's Encrypt's newer ISRG Root X1.)

Certbot can also be used with any other CA implementing ACME, but there aren't really any yet.

I don't know of any convenient way for Certbot to produce self-signed certificates.

Why do you ask?
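An added example, not code from the answer above or from Certbot: a small POSIX shell helper that tells you which of the cases the answer describes a given certificate falls into (signed by Let's Encrypt's trusted CA, signed by the staging test CA, or self-signed) by comparing the issuer and subject names. The distinguished-name patterns it matches are assumptions about Let's Encrypt's naming (production intermediates carry O=Let's Encrypt; staging intermediates have used "Fake LE ..." and "(STAGING) ..." names); the file path and host names are placeholders.

```shell
# Added example (not code from the answer above): classify a certificate by its
# signer. cert_class works on issuer/subject strings so it can be exercised on
# constructed input; classify_file and classify_host feed it real DNs via openssl.
# Assumed DN patterns: Let's Encrypt production intermediates carry O=Let's Encrypt;
# staging intermediates have used "Fake LE ..." and "(STAGING) ..." names.
# Anything else lands in "other-ca".

# cert_class ISSUER_DN SUBJECT_DN -> prints one of:
#   self-signed | letsencrypt-staging | letsencrypt | other-ca
cert_class() {
    if [ "$1" = "$2" ]; then          # issuer == subject: nobody else vouched for it
        echo self-signed
        return 0
    fi
    case $1 in
        *STAGING*|*"Fake LE"*) echo letsencrypt-staging ;;   # must precede the production match
        *"Let's Encrypt"*)     echo letsencrypt ;;
        *)                     echo other-ca ;;
    esac
}

# dn_field PEMFILE issuer|subject -> that DN with the "issuer=" / "subject=" prefix stripped
dn_field() {
    openssl x509 -in "$1" -noout "-$2" | sed "s/^$2= *//"
}

# classify_file PEMFILE, e.g. /etc/letsencrypt/live/example.com/cert.pem (placeholder name)
classify_file() {
    cert_class "$(dn_field "$1" issuer)" "$(dn_field "$1" subject)"
}

# classify_host HOST [PORT]: classify the leaf certificate a live server presents for HOST.
# SNI is sent so a name-based virtual host answers with the right certificate.
classify_host() {
    tmp=$(mktemp) || return 1
    if printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" 2>/dev/null \
            | openssl x509 -out "$tmp" 2>/dev/null; then
        classify_file "$tmp"
    else
        echo "no certificate received from $1" >&2
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
}
```

`sudo certbot --apache --staging` (Certbot's flag for the staging environment, also spelled `--test-cert`) deliberately requests from the test CA, and `classify_file` on the resulting `/etc/letsencrypt/live/<name>/cert.pem` then reports `letsencrypt-staging`. One caveat: the leaf's issuer is the intermediate, so the root names mentioned in the answer (DST Root CA X3, ISRG Root X1) never show up here; run `openssl x509 -in chain.pem -noout -issuer` on the intermediate in the same directory to see which root it chains to.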

  • Thank you very kindly. I had some more questions about that. I followed through this guide for generating an SSL certificate with Certbot on my droplet server:

    https://certbot.eff.org/#ubuntutyakkety-apache

    However, when I enter my droplet server's IP address or the domain name I've associated with it, it connects with HTTP, not HTTPS. How can I set up the SSL certificate such that it connects via HTTPS?

    Also, can you tell me how to generate and set up an SSL certificate with Certbot on a CentOS VPS?

    Thanks very kindly.

    • There are 3 matters:

      1. Did Certbot issue a certificate?

      2. Is the web server configured to use the certificate?

      3. Is the web server configured to redirect HTTP requests to HTTPS?

      If you explicitly try to access your site over HTTPS, does it work? What happens?

      1. What's your domain?

      2. What command did you run?

      3. What did it output?

      4. What web server are you using? Apache? What version?

      5. What OS are you using? What version? Ubuntu Yakkety? It's end of life.

      Using Certbot on CentOS should be about the same as Ubuntu, but I don't personally have experience with it. https://certbot.eff.org/ has information about it.

      You may want to post on the Let's Encrypt forum, https://community.letsencrypt.org/.

      • Hey there, I have Apache2 as my web server, the droplet is running on Ubuntu 16.04.

        To be totally honest I just followed through the commands listed in that guide, how do I go back and check to see if a certificate was issued?

        I just figured by running the command "sudo certbot --apache" it'd issue automatically, it says in the guide: "Running this command will get a certificate for you and have Certbot edit your Apache configuration automatically to serve it."

        I don't remember what the output was when I entered the command, would it be safe to try entering the command again and pasting its output here?

        When I try connecting to my droplet via HTTPS (https://46.101.196.186) it says the site cannot be reached; when I try connecting via HTTP, however, it outputs the default Apache2 blank page.

        Thanks again for all the help, it is deeply appreciated.

        • Well... "sudo certbot --apache" won't automatically, definitely, immediately issue a certificate. It will ask you what to do, and it's possible for it to fail.

          "sudo certbot certificates" will list what certificates Certbot is currently managing.

          It sounds like Apache isn't configured to do HTTPS at the moment. If Certbot had succeeded, it should have set everything up.

          However, there could be a firewall on your droplet, or maybe a DigitalOcean Cloud Firewall, blocking access, even if the Apache configuration is perfect.

          (Let's Encrypt certificates are for FQDNs, not IP addresses. Once everything is working perfectly, visiting https://46.101.196.186/ will return an error like "Connection to https://46.101.196.186/ is not secure, certificate is for www.example.com," or something like that.)

          • Thanks a ton for your help. I have bought a domain name as well that redirects to the droplet's IP address. When I enter my domain (https://domain.com) it also fails to connect. How can I configure Apache for HTTPS connection?

          • What's the error message?

            "certbot --apache" should usually be able to configure everything necessary in Apache. As long as there isn't a firewall blocking it, the DNS records are correct, it ought to work.

When I try to connect via HTTPS I get this error in Chrome:

"This site can’t be reached

cultureontrial.com refused to connect.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED"

When I run the command "sudo certbot certificates" it looks like there is already a 90-day certificate that was generated four days ago:

https://imgur.com/a/3giSh

  • Hm.

    HTTP IPv4 -> Apache default page
    HTTP IPv6 -> No route to host
    HTTPS IPv4 -> Connection refused
    HTTPS IPv6 -> Timeout

    Exactly what Certbot command was used to create the certificate? What did it output? "certbot --apache" should automatically configure Apache; something like "certbot certonly --webroot" would leave that part to you.

    The IPv6 issues are also a problem, but they're a different problem.

    Firewall?

    What's the Apache configuration?

    • Never mind, I tried re-entering the command "sudo certbot --apache" and now it seems to work!! I can access my site via HTTPS. Thanks!
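An added example, not code from anyone in this thread: a shell checklist for the questions raised in the comments above (did Certbot issue a certificate, is Apache configured to serve it on 443, is HTTP redirected to HTTPS, is a host firewall blocking 443) and for the `certbot certonly --webroot` case mentioned later, where wiring the certificate into Apache is left to you. Each check parses the output of one command, passed in as text, so the logic can be exercised offline on the constructed samples embedded below; with `RUN_LIVE=1` it collects the real output on the server. The tool names (certbot, ss, apachectl, curl, ufw) and the remediation hints it prints are assumptions about a stock Ubuntu/Apache install; the sample outputs are constructed, not captures from the asker's droplet.

```shell
# Added example, not from the thread: a checklist for the "three matters" above
# plus the firewall. Each check parses the text of one command's output, so it
# can be run on constructed samples; run_checks DOMAIN gathers real output.
# Assumed tools: certbot, ss, apachectl, curl, ufw (stock Ubuntu + Apache).

# has_live_cert DOMAIN TEXT -> true if the output of `certbot certificates` lists DOMAIN
has_live_cert() {
    printf '%s\n' "$2" | grep -q "Certificate Name: $1\$"
}

# port_listening PORT TEXT -> true if `ss -ltn` output shows a TCP listener on PORT
port_listening() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 == "LISTEN" && $4 ~ (":" p "$") { f = 1 } END { exit !f }'
}

# apache_ssl_vhost DOMAIN TEXT -> true if `apachectl -S` output shows a *:443 vhost for DOMAIN
apache_ssl_vhost() {
    printf '%s\n' "$2" | awk -v d="$1" '
        ($1 ~ /:443$/ && $2 == d) ||
        ($1 == "port" && $2 == "443" && $3 == "namevhost" && $4 == d) { f = 1 }
        END { exit !f }'
}

# redirects_to_https DOMAIN TEXT -> true if `curl -sI http://DOMAIN/` output is a
# 3xx whose Location header points at https://DOMAIN
redirects_to_https() {
    printf '%s\n' "$2" | tr -d '\r' | awk -v d="$1" '
        NR == 1 && $2 ~ /^30[1278]$/ { code = 1 }
        tolower($1) == "location:" && index($2, "https://" d) == 1 { loc = 1 }
        END { exit !(code && loc) }'
}

# ufw_allows_https TEXT -> true if `ufw status` output shows ufw inactive, or an
# ALLOW rule for 443 or for the "Apache Full" / "Apache Secure" application profiles
ufw_allows_https() {
    printf '%s\n' "$1" | awk '
        /^Status: inactive/ { off = 1 }
        /ALLOW/ && (/443/ || /Apache Full/ || /Apache Secure/) { rule = 1 }
        END { exit !(off || rule) }'
}

# report LABEL HINT CHECK ARGS...: run one check and print a one-line verdict
report() {
    label=$1; hint=$2; shift 2
    if "$@"; then echo "ok    $label"; else echo "FAIL  $label ($hint)"; fi
}

# run_checks DOMAIN: gather the real command outputs and run every check
run_checks() {
    d=$1
    report "certbot manages a certificate for $d" "run: sudo certbot --apache -d $d" \
        has_live_cert "$d" "$(certbot certificates 2>&1)"
    report "something listens on TCP 443" "no SSL vhost enabled, or Apache not running" \
        port_listening 443 "$(ss -ltn)"
    report "Apache has a *:443 vhost for $d" "enable the -le-ssl site and restart Apache" \
        apache_ssl_vhost "$d" "$(apachectl -S 2>&1)"
    report "http://$d/ redirects to https" "sudo certbot --apache --redirect, or a Redirect in the :80 vhost" \
        redirects_to_https "$d" "$(curl -sI "http://$d/")"
    report "ufw permits HTTPS" "sudo ufw allow 'Apache Full'" \
        ufw_allows_https "$(ufw status 2>&1)"
}

# Constructed sample outputs (not captured from a real host): a healthy setup...
SAMPLE_CERTBOT='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2018-01-13 09:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    *:80               *:*
LISTEN 0      128    *:443              *:*'
SAMPLE_APACHECTL='VirtualHost configuration:
*:80                   example.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  example.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)'
SAMPLE_CURL='HTTP/1.1 301 Moved Permanently
Location: https://example.com/
Content-Type: text/html; charset=iso-8859-1'
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
Apache Full                ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere'
# ...and the "connection refused on 443, HTTP fine" state from the thread: no 443 listener.
SAMPLE_SS_NO_TLS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:80               *:*'

if [ "${RUN_LIVE:-0}" = 1 ]; then
    run_checks "${1:?usage: RUN_LIVE=1 sh check-https.sh DOMAIN}"
fi
```

On the server, `RUN_LIVE=1 sh check-https.sh example.com` prints one verdict per check. The refused connection on 443 with HTTP working, as reported in this thread, shows up as the port-443 and `*:443` vhost checks failing together while the certificate check passes, which is exactly the `certonly` situation (certificate issued, Apache never told about it). The ufw check covers only the host firewall; a DigitalOcean Cloud Firewall sits outside the droplet and has to be inspected in the control panel.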
