But my domain provider (freedns) doesn’t let me use a subdomain starting with a _
I tried using http instead of dns in this command: sudo certbot -d yourNCP.domain.tld --manual --preferred-challenges dns certonly
and I got to this step in certbot
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:
redacted
And make it available on your web server at this URL:
http://subdomain.ignorelist.com/.well-known/acme-challenge/redacted
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
So now I need to find my webroot on the odroid, and put the file in the specified location? How exactly would I do that?
And copy/paste the code generated by certbot into the content of the file, save and exit.
In terminal you can use Ctrl+Shift+C or V to copy/paste the long strings used by certbot for the challenge. Both file name and content are randomly generated strings.
I usually visit the link, to check it works, before hitting enter in terminal.
Running deploy-hook command: /etc/letsencrypt/renewal-hooks/deploy/ncp
Output from ncp:
Unknown user
Hook command "/etc/letsencrypt/renewal-hooks/deploy/ncp" returned error code 1
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/redacted.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/redacted.com-0001/privkey.pem
Your cert will expire on 2019-06-30. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
Is it fine to proceed anyway? And when checking the link I had to use my domain.com:8443 <-- reflecting my port forwarding. Does this port have to be used in the certbot command? Or is it fine without it?
There is no way to tell certbot to use another port; it uses only the default 80 (http) and 443 (https), but once your certificate and key are generated, the certificate will work regardless of port.
correct?
In /etc/letsencrypt/live/ there are two entries now, redacted.com, and redacted.com-0001. Must have happened because I tried multiple times I guess. Is it fine to leave the two of them, and just use redacted.com-0001?
And second, in /etc/letsencrypt/keys/ there are six files 000X_key-certbot.perm (X = 1-6). Which one should I use for SSLCertificateKeyFile?
Normally the files in the live/ folder are symbolic links to the actual files.
You can list files with -l (long) to view where symlinks point to with
sudo ls -l /etc/letsencrypt/live/
On second thought… It might be better to first back up your letsencrypt folder, and then move all the redacted.com files and folders from redacted.com-0001 to the original location. In which case you do not need to edit nextcloud.conf, just reload the webserver. Hope @nachoparker finds a moment which best practice fits ncp.
Don't know why, but the links seem to be broken; try using
SSLCertificateFile /etc/letsencrypt/archive/redacted.com-0001/fullchain2.pem
and
SSLCertificateKeyFile /etc/letsencrypt/archive/redacted.com-0001/privkey2.pem
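Added example, not part of any post in this thread: a small shell check for the two questions raised above, namely whether the symlinks in a live/ directory still resolve and whether a given certificate and key file actually belong together before they are put into SSLCertificateFile and SSLCertificateKeyFile. It assumes the openssl command-line tool is installed; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Paths passed in are the caller's;
# /etc/letsencrypt/live/<name> is certbot's standard layout.

# check_lineage DIR
# Report whether each of the four live/ entries is a symlink that resolves.
# Returns 0 only if all four are intact.
check_lineage() {
    dir=$1
    rc=0
    for name in cert chain fullchain privkey; do
        link="$dir/$name.pem"
        if [ ! -L "$link" ]; then
            echo "NOT-A-LINK $link"; rc=1
        elif [ ! -e "$link" ]; then          # -e follows the link
            echo "DANGLING   $link -> $(readlink "$link")"; rc=1
        else
            echo "OK         $link -> $(readlink "$link")"
        fi
    done
    return "$rc"
}

# cert_key_match CERT KEY
# True when the first (leaf) certificate in CERT and the private key in KEY
# carry the same public key. Fails closed if either file cannot be parsed.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Stand-alone use: sudo sh check.sh /etc/letsencrypt/live/<name>
if [ "$#" -eq 1 ]; then
    check_lineage "$1" || exit 1
    if cert_key_match "$1/fullchain.pem" "$1/privkey.pem"; then
        echo "certificate and key match"
    else
        echo "certificate and key DO NOT match"; exit 1
    fi
fi
```

The same cert_key_match call works on files under archive/ or keys/, so it can be used to find which numbered key goes with which certificate.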