Get & Auto-renew Letsencrypt Wildcard Certificate - th-cam.com/video/81TKQIl1rCU/w-d-xo.html
Perfect! Thanks!
Hi! I am able to create the certificate and all as shown in your tutorial. I am also able to view my website over HTTPS; however, my subdomain is still not secured. I am using VestaCP, and I use the Let's Encrypt integration in there and it works fine. I just need to secure my subdomains. Any idea?
If you are using wildcard certificate, it should cover all your subdomains.
Thank you...
BTW, your name is like an Indonesian name :-)
Thank you, I keep getting this a lot :)
🔴NEW/UPDATED🔴 How to Get Letsencrypt Wildcard Certificate (Using Letsencrypt Nginx DNS Challenge) - th-cam.com/video/VJPfdXN-dSc/w-d-xo.html
The link says "Video is unavailable - This video is private". Could you make this video public? Thanks.
@@Fayaz-Rehman It will be available on Monday; here is the first part - th-cam.com/video/R5d-hN9UtpU/w-d-xo.html
@@AntonPutra Thanks
Thanks! How can we obtain a wildcard certificate in a Kubernetes cluster?
You would need to use cert-manager and configure the issuer to talk to the Let's Encrypt server. I have a video, but not on wildcard certs just yet - th-cam.com/video/_jEgzqyUWKE/w-d-xo.html
Thanks! It was very helpful for me
My pleasure!
BIG THANX!
Very helpful!
Thanks!
Very well explained. I have a query: for my 2 subdomains I have taken separate certificates. How do I get a wildcard certificate for my domain if the subdomains are already encrypted?
Thank you man you saved my life - really helpful video
Welcome
Thank you. Useful video
Thanks!
Thank you very thorough explanation. Really good!
You're very welcome!
Great video, but I'm lost on the automatic renewals, would be great if you create a follow up video.
Coming soon!
Great video, thanks!
Thanks Sean!
Thank you very much! Everything is very simple and clear!
Thank you so much, this is really helpful.
You can't renew DNS challenge certs as simply as you say there. Either you should use --manual-auth-hook and some scripts, or you should update/add new TXT records manually. Or use something like Terraform to automate this if you use Cloudflare's DNS. Certbot renew is non-interactive.
Thank you for pointing this out.
Thanks man !
You're welcome Jørgen :)
Thanks! It was very helpful for me
Glad to hear that!
Very Cool tutorial !
Thanks! :)
I have already installed the SSL certificate and want to get a wildcard certificate. Tell me the steps to overwrite it without uninstalling.
You can manually remove it from the nginx spec.
Worked like a charm, thank you so much!
You're welcome Hưng!
Thanks
it is an awesome tutorial
thanks :)
Thank you
Great video, literally straight forward, Thanks.
Glad you liked it!
You saved me! Thanks!
+1 Subscription :)
Thank you Rafael!
@@AntonPutra I'm trying now to renew automatically via a cron job, but without success.
Running: certbot renew --break-my-certs --force-renewal --preferred-challenges dns
Break my certs and force renewal are only for testing; I will remove those flags, but the command keeps returning me this:
PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.'). Skipping
I will search about this error now.
I'd appreciate it if you know how to solve it :)
@@RafaelAmbrosio I can try to help, but only later tonight. Meanwhile, if you find the solution, please let me know.
@@AntonPutra I think I did it.
I'm using Cloudflare, so I needed to install the dns-cloudflare plugin. This tutorial can help (it is in Portuguese, but I'm Brazilian, so it's OK for me :D ) -> mindnotes.sh/integrando-certbot-com-dns-da-cloudflare/
In my case it was different because I'm using certbot on Docker, so I pulled this image -> hub.docker.com/r/certbot/dns-cloudflare to replace the standard image I was using.
And then I followed this tutorial to pass the right flags to the command and create the Cloudflare API key and cloudflare.ini -> certbot-dns-cloudflare.readthedocs.io/en/stable/
chmod 600 the ini file...
So after creating the certificate following your tutorial, I was able to run the renew command:
certbot renew --preferred-challenges dns --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini
And you can remove the _acme-challenge TXT record that you created before, because the renew command uses your API key to enter your Cloudflare DNS zone, create a temporary TXT entry and delete it automatically.
Thank you a lot! You saved my day!
You're welcome 😊
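The thread above contrasts the dns-cloudflare plugin with the alternative certbot offers for any DNS provider: a script passed as --manual-auth-hook (and --manual-cleanup-hook). The following is an added example, not code from the video or from Rafael's post, showing the contract such a hook has to satisfy; the DNS provider is a constructed in-memory stand-in, and it is an assumption that certbot passes CERTBOT_DOMAIN without the leading "*." for a wildcard name (the code strips it either way).

```python
import os
import sys


def challenge_record(domain: str) -> str:
    """TXT record name certbot's manual plugin expects the hook to publish.
    Assumption: for a wildcard request certbot already hands over the bare
    domain; a leading '*.' is stripped defensively in case it is present."""
    if domain.startswith("*."):
        domain = domain[2:]
    return f"_acme-challenge.{domain}"


class MemoryDns:
    """Constructed stand-in for a DNS provider API (e.g. Cloudflare's).
    A real hook replaces these two methods with API calls."""

    def __init__(self):
        self.records: dict[str, set[str]] = {}

    def add_txt(self, name: str, value: str) -> None:
        # Add, never replace: "example.com" and "*.example.com" are validated
        # through the SAME name, _acme-challenge.example.com, so two TXT
        # values must coexist under it during one renewal run.
        self.records.setdefault(name, set()).add(value)

    def delete_txt(self, name: str, value: str) -> None:
        self.records.get(name, set()).discard(value)
        if not self.records.get(name):
            self.records.pop(name, None)


def auth_hook(env: dict, dns) -> str:
    """--manual-auth-hook: publish the validation token as a TXT record."""
    name = challenge_record(env["CERTBOT_DOMAIN"])
    dns.add_txt(name, env["CERTBOT_VALIDATION"])
    return name


def cleanup_hook(env: dict, dns) -> str:
    """--manual-cleanup-hook: remove only this challenge's own value."""
    name = challenge_record(env["CERTBOT_DOMAIN"])
    dns.delete_txt(name, env["CERTBOT_VALIDATION"])
    return name


if __name__ == "__main__":
    # certbot invokes the script with CERTBOT_DOMAIN / CERTBOT_VALIDATION in
    # the environment; "cleanup" as argv[1] selects the cleanup behaviour.
    hook = cleanup_hook if sys.argv[1:] == ["cleanup"] else auth_hook
    print(hook(dict(os.environ), MemoryDns()))  # swap in a real DNS client
```

A real hook must also wait for the authoritative name servers to serve the new record before returning, since certbot validates immediately after the hook exits; the dns-cloudflare plugin does this for you with --dns-cloudflare-propagation-seconds.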
How long should a TXT record take to get detected while doing it this way? Mine hasn't propagated yet and it's been like 40 minutes. Do I just leave my terminal up, check on a DNS record checker and wait for it to show?
The general rule is 24 to 48 hours, but based on my experience it never takes longer than a few minutes. You can close the terminal, or I would suggest that you apply your changes to DNS.
Will it work on Apache2 or not?
There is a certbot Apache plugin, but I have not tried it myself:
certbot.eff.org/all-instructions
@@AntonPutra Thanks bro.
I'm tired of using shared hosting: 100% RAM usage, the server crashing multiple times, and I don't have money for a VPS and a wildcard SSL,
so I decided on self-hosting. Hope it's a good idea.
@@salexkorsan8790 It's a pretty hot topic. I will definitely explore and create a tutorial for an Apache wildcard cert, but it's going to be in a couple of weeks only.
@@AntonPutra Bro, tell me one thing: I installed this certificate in cPanel, and the subdomain SSL doesn't work with www; it's working only without www on the subdomain. What do I do? Any solution?
@@salexkorsan8790 Well, probably you don't need a wildcard cert at all. When you request your certificate you need to make sure that you specify both domains, including the www subdomain. You should use the "Subject Alternative Name" field.
Hi, how do I install this cert on Apache?
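The www-on-a-subdomain problem above comes down to which names a certificate's Subject Alternative Name entries actually match: a wildcard label stands in for exactly one DNS label, so "*.example.com" covers "blog.example.com" but not "www.blog.example.com". As an added example (not code from the video), this checker applies that general rule to a constructed SAN list; with a real certificate you would feed it the dNSName entries printed by "openssl x509 -in cert.pem -noout -ext subjectAltName".

```python
def _label_matches(pattern: str, label: str) -> bool:
    # A wildcard is honoured only as a whole label; partial forms such as
    # "w*" are treated as literal text and therefore never match.
    return pattern == "*" or pattern == label


def name_covers(san_name: str, host: str) -> bool:
    """True if one dNSName SAN entry matches host (case-insensitive)."""
    pattern = san_name.lower().rstrip(".").split(".")
    labels = host.lower().rstrip(".").split(".")
    if len(pattern) != len(labels):
        return False            # "*" never spans more than one label
    if "*" in pattern[1:]:
        return False            # wildcard allowed in the leftmost label only
    if pattern[0] == "*" and len(pattern) < 3:
        return False            # refuse "*.com"-style wildcards
    return all(_label_matches(p, l) for p, l in zip(pattern, labels))


def cert_covers(san_names, host: str) -> bool:
    """True if any SAN entry of the certificate is valid for host."""
    return any(name_covers(n, host) for n in san_names)


def uncovered(san_names, hosts):
    """Hosts for which a browser would show a certificate warning."""
    return [h for h in hosts if not cert_covers(san_names, h)]


if __name__ == "__main__":
    # Constructed SAN list, as produced by a request such as
    #   certbot ... -d example.com -d '*.example.com'
    sans = ["example.com", "*.example.com"]
    hosts = ["example.com", "blog.example.com", "www.example.com",
             "www.blog.example.com", "example.net"]
    for h in hosts:
        print(f"{h:25} {'ok' if cert_covers(sans, h) else 'NOT COVERED'}")
```

To cover "www.blog.example.com" as well, add it explicitly with another -d, or request "*.blog.example.com" alongside the first wildcard.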
You can follow this - certbot.eff.org/lets-encrypt/ubuntufocal-apache
I've copied the nginx config ipsis litteris but nginx isn't listening on port 443. All firewalls are OK. Any insight?
Do you have a "listen 443" directive in the server block? You also need to restart or reload nginx with "systemctl restart nginx". Try to check if the port is open from the host as well with "nc -vz localhost 443".
@@AntonPutra Thanks for your prompt response, Anton. Actually I was forgetting to symlink the configuration from available-sites to enabled-sites. Nice content, btw. Thanks for your tutorials.
@@dinaiswatching Thanks :)
Can you make a tutorial that explains how to get an SSL certificate when your ISP is intentionally blocking port 80 and refuses to release it for you unless you spend a ton of money on a much slower "business" plan? I followed a tutorial on a Kemp Load Balancer and it has an SSL certificate on it now; the validation method was "TXT". I have no idea how or why it worked, because for those of us who have no understanding of the fundamentals, following tutorials like this just means that if we copy what we see on the screen everything should work, so if something doesn't work we have no idea what the hell is going on, because our understanding from the get-go was copying instructions, as opposed to knowing at all what those instructions actually mean.
There are two main methods to get a TLS certificate from Let's Encrypt. HTTP-01 challenge: certbot will create a URL endpoint on your web server with a special token provided by Let's Encrypt.
DNS-01 challenge: there you need to prove that you own your domain by setting a TXT record. It is a little bit harder to automate than HTTP-01. If your ISP blocks port 80, I would suggest you go with the DNS-01 challenge. You can take a look at this one - th-cam.com/video/7jEzioFsyNo/w-d-xo.html
Hi @Anton,
After obtaining the certificate, I still have one issue: for each client visiting any subdomain, a warning message says "this connection is not private".
Any idea how to avoid this? I'm using the Apache service.
Can you verify in the browser that your certificate is valid and up to date?
Great - is it possible to install certbot on HAProxy?
Sure, here is the official tutorial - certbot.eff.org/lets-encrypt/ubuntufocal-haproxy.
The video is being processed by TH-cam; it will be available on Monday.
@@AntonPutra Thank you again - much appreciated.
Awesome!!! Like.
Thank you! Cheers!
Hi, my dig -t txt _acme-challenge.exemple.net shows the server as 8.8.8.8#53(8.8.8.8) and not as your 192.168.1.1.
What should I do?
Not sure if I follow; 8.8.8.8 is a Google DNS server and 192.168.1.1 is a router IP.
Nice video!
Thank you Andrés!
Thanks a lot... this video alone is a life saver. Thanks Anton.
Thank you!
How do I generate a Let's Encrypt cert and store it in Key Vault?
Thank you for the question; tutorials for Vault are in my pipeline.
Can we create a certificate for IIS?
What is IIS?
@@AntonPutra It's a Windows-based web server.
Thank you
Welcome!
This was perfect!
Thank you:)
@@AntonPutra Do you have a Discord channel?
@@wduandy I don't have one. Do you think I should sign up?
@@AntonPutra Of course!! Your channel has HUGE potential! You should invest in the audience 🤗
@@wduandy Will do))
These wildcard SSL certificates do not work on mobile devices.
Checked on Android devices.
Please suggest a solution.
Can you share the error?
Yes, please check:
2021/07/18 12:38:32 [crit] 799125#799125: *135 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 35.203.245.145, server: 0.0.0.0:443
This error is happening when I am opening the website through Android.
I searched but could not find any solution to this:
really-simple-ssl.com/knowledge-base/ssl-working-desktop-not-mobile-android-devices/
@@MrRahul15937 I found only this one: client outdated; maybe your client does not support the new ciphers on the server...
stackoverflow.com/questions/65854933/nginx-ssl-error141cf06cssl-routinestls-parse-ctos-key-sharebad-key-share
Did you test any of your websites on Android phones?
My device is less than a year old.
What does Dzintars' remark mean for this solution?
Let me try to create a renewal script, and perhaps update it here or create a new video.
@@AntonPutra Hi Anton, any news on the update script? My certs have expired and I cannot update them via the renew procedure. Thx, PPee
@@ppeeppee5800 There is a slightly different approach, but it may work for you - th-cam.com/video/81TKQIl1rCU/w-d-xo.html