Hi! I am able to create the certificate and all as shown in your tutorial. I am also able to view my website in https, however my subdomain is still not secured. I am using VestaCP, and i use the Let's Encrypt in there and it works fine. I just need to secure my subdomains. Any idea?
You would need to use cert-manager and configure the issuer to talk to letsencrypt server. I have a video but not wildcard just yet - ua-cam.com/video/_jEgzqyUWKE/v-deo.html
Very well explained. I have query for my 2 subdomain i have taken separate certificate. how to get wild card certificate for my domain. if already sud domain is encrypted.
You can't renew dns challenge certs that simple as you say there. Either you should use --manual-auth-hook and some scripts either you should update/add new txt records manually. Or use something like terraform to automate this if you use cloudflare's dns. Certbot renew is non-interactive.
How long should a TXT record take to get detected while doing it this way? Mine haven't propagated yet and it's been like 40 minutes. Do I just leave my terminal up, check on a DNS record checker and wait for it to show?
The general rule is 24 to 48 hours, but based on my experience, it never takes longer than few minutes. You can close the terminal, or I would suggest that you applied your changes to DNS.
Do you have "listen 443" directive in server block? You also need to restart or reload nginx "systemctl restart nginx". Try to check if the port open from. the host as well with "nc -vz localhost 443"
@@AntonPutra thanks for your prompt response, Anton. Actually I was forgetting to syslink configuration from available-sites to enabled-sites. Nice content, btw. Thanks for your tutorials.
@@AntonPutra I'm trying now to renew automatically via cron job, but without success Running: certbot renew --break-my-certs --force-renewal --preferred-challenges dns Break my certs and force renewal only to test, I will remove those flags, but the command keeps returning me this: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping I will search about this error now. I appreciate If you know how to solve :)
@@AntonPutra I think I did it I'm using cloudflare, so was needed to install dns-cloudflare plugin. This tutorial can help (it is in portuguese, but I'm brazilian, so It's ok for me :D ) -> mindnotes.sh/integrando-certbot-com-dns-da-cloudflare/ In my case was different because I'm using certbot on docker, So I pulled this image -> hub.docker.com/r/certbot/dns-cloudflare to replace the standard image I was usgin And then followed this tutorial to pass the right flags to command and create the cloudflare api key and cloudflare.ini -> certbot-dns-cloudflare.readthedocs.io/en/stable/ chmod 600 to ini file... So after creating the certificate following your tutorial, I was able to run renew command: certbot renew --preferred-challenges dns --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini And you can remove the _acme_challenge TXT that you created before, because the renew command uses your api key to enter on cloudflare dns zone, create temporary TXT entry and delete it automatically
Hi @Anton After obtaining the certificate , I still have one issue , for each client visiting any subdomain, a warning message says (this connection is not private) any idea how to avoid this? I'm using Apache service
Can you make a tutorial that explains how to get an SSL when your ISP is intentionally blocking port 80 and refuses to release it for you unless you spend a ton of money on a much slower "business" plan? I followed a tutorial on a Kemp Load Balancer and it has an SSL on it now, the validation method was "TXT", I have no idea how or why it worked because following tutorials like this for those of us that have no understanding of the fundamentals just know if we copy what we see on the screen everything should work, so if something doesn't work we have no idea what the hell is going on because our understanding from the get go was copying instructions, as opposed to knowing at all what those instructions actually mean.
There are two main methods to get a TLS certificate from letsencrypt. HTTP-01 challenge - cert-bot will create a URL endpoint on your web server with a special token provided by lets-encrypt. DNS-01 challenge, there you need to prove that you own your domain by setting a TXT record. It is a little bit harder to automate than HTTP-01. If your ISP blocks port 80, I would suggest you go with the DNS-01 challenge. You can take a look at this one - ua-cam.com/video/7jEzioFsyNo/v-deo.html
yes, please check 2021/07/18 12:38:32 [crit] 799125#799125: *135 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 35.203.245.145, server: 0.0.0.0:443 This error is happening when I ma opening website through Android
@@MrRahul15937 I found only this one, client outdated, maybe your client does not support new ciphers on the server... stackoverflow.com/questions/65854933/nginx-ssl-error141cf06cssl-routinestls-parse-ctos-key-sharebad-key-share
Sure here is the official tutorial - certbot.eff.org/lets-encrypt/ubuntufocal-haproxy. The video is processing by UA-cam it will be available on Monday.
@@AntonPutra thankss broo I'm tired using shared hosting, 100% ram using, server crashing multiple times and don't have money for vps and wildcard ssl, so i decided self Hosting. Hope it's good idea.
@@salexkorsan8790 It's a pretty hot topic, I will definitely explore and create tutorial for apache wildcard cert, but it's going to be in couple weeks only..
@@AntonPutra broo tell me one thing , I'm installed this certificate in cpanel, subdomain ssl not works with www , it's working only without www on subdomain what do i do ?? Any solution ?
@@salexkorsan8790 well, probably you don't need a wildcard cert at all. When you request your certificate you need to make sure that you specify both domains including www subdomain. You should use "Subject Alternative Name" field.
🔴 - To support my channel, I’d like to offer Mentorship/On-the-Job Support/Consulting - me@antonputra.com
Get & Auto-renew Letsencrypt Wildcard Certificate - ua-cam.com/video/81TKQIl1rCU/v-deo.html
👉 How to Manage Secrets in Terraform - ua-cam.com/video/3N0tGKwvBdA/v-deo.html
👉 Terraform Tips & Tricks - ua-cam.com/video/7S94oUTy2z4/v-deo.html
👉 ArgoCD Tutorial - ua-cam.com/video/zGndgdGa1Tc/v-deo.html
Great video, literally straight forward, Thanks.
Glad you liked it!
BIG THANX!
Very helpful!
Thanks!
Great video, but I'm lost on the automatic renewals, would be great if you create a follow up video.
Coming soon!
Hi! I am able to create the certificate and all as shown in your tutorial. I am also able to view my website in https, however my subdomain is still not secured. I am using VestaCP, and i use the Let's Encrypt in there and it works fine. I just need to secure my subdomains. Any idea?
If you are using wildcard certificate, it should cover all your subdomains.
🔴NEW/UPDATED🔴 How to Get Letsencrypt Wildcard Certificate (Using Letsencrypt Nginx DNS Challenge) - ua-cam.com/video/VJPfdXN-dSc/v-deo.html
The link says - video is unavailable - This video is private. Could you make this video public - Thanks
@@Fayaz-Rehman It will be availabe on Monday, here is a first part - ua-cam.com/video/R5d-hN9UtpU/v-deo.html
@@AntonPutra Thanks
Thanks, How can we obtain a Wildcard certificate in Kubernetes cluster?
You would need to use cert-manager and configure the issuer to talk to letsencrypt server. I have a video but not wildcard just yet - ua-cam.com/video/_jEgzqyUWKE/v-deo.html
Вялікі Вам дзякуй! Усё вельмі проста і зразумела!
Thank you man you saved my life - really helpful video
Welcome
Very well explained. I have query for my 2 subdomain i have taken separate certificate. how to get wild card certificate for my domain. if already sud domain is encrypted.
Thanks! It was very helpful for me
my pleasure!
Thank you very thorough explanation. Really good!
You're very welcome!
Thank you. Useful video
Thanks!
You can't renew dns challenge certs that simple as you say there. Either you should use --manual-auth-hook and some scripts either you should update/add new txt records manually. Or use something like terraform to automate this if you use cloudflare's dns. Certbot renew is non-interactive.
Thank you for pointing this out.
Great video, thanks!
Thanks Sean!
Thank you so much, this is really helpful.
Thankyou...
BTW your name like Indonesian name :-)
Thank you, keep getting this a lot :)
Thanks! It was very helpful for me
Glad to hear that!
Thanks man !
You're welcome Jørgen :)
Very Cool tutorial !
Thanks! :)
Worked like a charm, thank you so much!
You're welcome Hưng!
How long should a TXT record take to get detected while doing it this way? Mine haven't propagated yet and it's been like 40 minutes. Do I just leave my terminal up, check on a DNS record checker and wait for it to show?
The general rule is 24 to 48 hours, but based on my experience, it never takes longer than few minutes. You can close the terminal, or I would suggest that you applied your changes to DNS.
Thanks
it is an awesome tutorial
thanks :)
I've copied nginx config ipsis litteris but nginx isn't listening on port 443. All firewalls are ok. Any insight?
Do you have "listen 443" directive in server block? You also need to restart or reload nginx "systemctl restart nginx". Try to check if the port open from. the host as well with "nc -vz localhost 443"
@@AntonPutra thanks for your prompt response, Anton. Actually I was forgetting to syslink configuration from available-sites to enabled-sites. Nice content, btw. Thanks for your tutorials.
@@dinaiswatching Thanks :)
You saved me! Thanks!
+1 Subscription :)
Thank you Rafael!
@@AntonPutra I'm trying now to renew automatically via cron job, but without success
Running: certbot renew --break-my-certs --force-renewal --preferred-challenges dns
Break my certs and force renewal only to test, I will remove those flags, but the command keeps returning me this:
PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping
I will search about this error now.
I appreciate If you know how to solve :)
@@RafaelAmbrosio I can try to help, but only later tonight. Meanwhile, if you find the solution pls let me know.
@@AntonPutra I think I did it
I'm using cloudflare, so was needed to install dns-cloudflare plugin. This tutorial can help (it is in portuguese, but I'm brazilian, so It's ok for me :D ) -> mindnotes.sh/integrando-certbot-com-dns-da-cloudflare/
In my case was different because I'm using certbot on docker, So I pulled this image -> hub.docker.com/r/certbot/dns-cloudflare to replace the standard image I was usgin
And then followed this tutorial to pass the right flags to command and create the cloudflare api key and cloudflare.ini -> certbot-dns-cloudflare.readthedocs.io/en/stable/
chmod 600 to ini file...
So after creating the certificate following your tutorial, I was able to run renew command:
certbot renew --preferred-challenges dns --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini
And you can remove the _acme_challenge TXT that you created before, because the renew command uses your api key to enter on cloudflare dns zone, create temporary TXT entry and delete it automatically
Hi @Anton
After obtaining the certificate , I still have one issue , for each client visiting any subdomain, a warning message says (this connection is not private)
any idea how to avoid this? I'm using Apache service
Can you verify in the browser that your certificate is valid and up to date?
Перфекто! Грасиас!
awesome !!! like
Thank you! Cheers!
Thank you
Welcome!
terima kasih
Hi my dig -t txt _acme-challenge.exemple.net show server as 8.8.8.8#53(8.8.8.8) and not as your 192.168.1.1
what should I do?
Not sure if i follow, 8.8.8.8 is a Google dns server and 192.168.1.1 is a router ip
Thank you a lot! U Saved my day!
You're welcome😊
I have already install the ssl certificate and want to take wild card certificate, tell the steps wtihout unistall overwrite the same.
you can manually remove it from ngnix spec
Can you make a tutorial that explains how to get an SSL when your ISP is intentionally blocking port 80 and refuses to release it for you unless you spend a ton of money on a much slower "business" plan? I followed a tutorial on a Kemp Load Balancer and it has an SSL on it now, the validation method was "TXT", I have no idea how or why it worked because following tutorials like this for those of us that have no understanding of the fundamentals just know if we copy what we see on the screen everything should work, so if something doesn't work we have no idea what the hell is going on because our understanding from the get go was copying instructions, as opposed to knowing at all what those instructions actually mean.
There are two main methods to get a TLS certificate from letsencrypt. HTTP-01 challenge - cert-bot will create a URL endpoint on your web server with a special token provided by lets-encrypt.
DNS-01 challenge, there you need to prove that you own your domain by setting a TXT record. It is a little bit harder to automate than HTTP-01. If your ISP blocks port 80, I would suggest you go with the DNS-01 challenge. You can take a look at this one - ua-cam.com/video/7jEzioFsyNo/v-deo.html
Nice video!
Thank you Andrés!
These wildcard SSLs do not work on mobile devices.
Checked on android devices
Please suggest solution.
Can you share the error?
yes, please check
2021/07/18 12:38:32 [crit] 799125#799125: *135 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 35.203.245.145, server: 0.0.0.0:443
This error is happening when I ma opening website through Android
A searched but could not find any solution to this
really-simple-ssl.com/knowledge-base/ssl-working-desktop-not-mobile-android-devices/
@@MrRahul15937 I found only this one, client outdated, maybe your client does not support new ciphers on the server...
stackoverflow.com/questions/65854933/nginx-ssl-error141cf06cssl-routinestls-parse-ctos-key-sharebad-key-share
Did you test any of your website on android phones?
My device is less than a year old .
THaNKS ALOT ... THIS ALONE VIDEO IS A LIFE SAVIOUR. THANKS ANTON
Thank you!
This was perfect!
Thank you:)
@@AntonPutra Do you have discord channel?
@@wduandy I don't have it. Do you think I should sign up?
@@AntonPutra Of course!! Your channel has a HUGE potential! You should invest on the audience 🤗
@@wduandy will do))
How to generate let’s encrypt cert and store it in key vault?
Thank you for the question, tutorials for vault is in my pipeline
Great - Is it possible to install certbot on HAproxy ???
Sure here is the official tutorial - certbot.eff.org/lets-encrypt/ubuntufocal-haproxy.
The video is processing by UA-cam it will be available on Monday.
@@AntonPutra Thank you again - much appreciated.
Hi how do i install this cert on apache?
You can follow this - certbot.eff.org/lets-encrypt/ubuntufocal-apache
it will be works on apace2 or not ??
There is a certbot apache plugin, but I have not tried it myself
certbot.eff.org/all-instructions
@@AntonPutra thankss broo
I'm tired using shared hosting, 100% ram using, server crashing multiple times and don't have money for vps and wildcard ssl,
so i decided self Hosting. Hope it's good idea.
@@salexkorsan8790 It's a pretty hot topic, I will definitely explore and create tutorial for apache wildcard cert, but it's going to be in couple weeks only..
@@AntonPutra broo tell me one thing , I'm installed this certificate in cpanel, subdomain ssl not works with www , it's working only without www on subdomain what do i do ?? Any solution ?
@@salexkorsan8790 well, probably you don't need a wildcard cert at all. When you request your certificate you need to make sure that you specify both domains including www subdomain. You should use "Subject Alternative Name" field.
Can we create certificate for IIS?
What is IIS?
@@AntonPutra its windows based web server
What does Dzintars remark mean for this solution?
Let me try to create a renewal script, and perhaps update it here or create a new video.
@@AntonPutra Hi Anton, Any news on the update script. My certs are expired and I cannot update them via the renew procedure. Thx, PPee
@@ppeeppee5800 there is a slightly different approach but may work for you - ua-cam.com/video/81TKQIl1rCU/v-deo.html