Question

Chris Kiser

Problems validating domain name for SSL certificate via Acme

Has anyone else had any issues getting an Acme SSL certificate created successfully? I'm not sure if it's my DNS settings for my domain (hosted via GoDaddy) or something else, but would love some guidance. Even if someone has A or CNAME records for an Azure-hosted Rock instance, guidance would be really helpful. I've read all the standard documents that Microsoft puts out but can't seem to get the right configuration. Thanks!

  • Chris Kiser

    Big thanks to Jim Michael and Daniel Hazelbaker as I was able to figure it out. We're hosting on Azure and have our domain through GoDaddy so here were the settings that finally did it.

    Type    Name    Value
    A       @       <public IP from Azure VM>
    A       rock    <public IP from Azure VM>
    CNAME   *       <app name>.<location>.cloudapp.azure.com
    CNAME   www     <app name>.<location>.cloudapp.azure.com
    TXT     @       <app name>.<location>.cloudapp.azure.com

    Hope this helps others :) Took roughly an hour after the settings were right for the changes to take effect.

  • Jim Michael

    What exact error are you getting? Two things must be in place in order for LetsEncrypt to validate your site... 1. The domain name for the cert must (duh) resolve to your Rock site, and 2. It *must* be accessible on port 80. This second point tripped me up because I only had our Rock site "listening" on port 443, and had a different IIS site listening on port 80 that redirected to the Rock site. That won't work with Acme/LE because it needs to contact your site (which it thinks does NOT have a cert) on port 80.

    You really shouldn't have to mess with DNS for LetsEncrypt to work, specifically. So, from the beginning... is your Rock server even functioning? If so, at what DNS name? And if you have a functioning Rock server, are you simply trying to add SSL via the Acme plugin?
  • Luke Johnston

    I am having issues related to renewal, so I would be interested in some help as well. I don't have my server listening on port 80, but I would think I wouldn't need that anymore, right?

    • Daniel Hazelbaker

      Just to verify, yes, you still need port 80 active. You can set up Rock to require SSL and it will force-redirect everybody to HTTPS, but Let's Encrypt still needs to perform the validation on port 80.

      The reason for this is primarily due to the initial validation. They can't connect over SSL if you don't have a cert yet, so they check on port 80. For simplicity, they probably chose to just always check on port 80 rather than offer a 443 option and have people try using 443 thinking that's better (but don't yet have a cert).
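The two conditions Jim lists (the name resolves to the Rock VM, and plain HTTP on port 80 answers) and the port-80 point Daniel confirms can be checked before asking the Acme plugin to issue or renew. The script below is an added example, not code from this thread, from Rock or from the Acme plugin; the hostnames, the IP and the Azure app name are constructed placeholders, and the `resolver` and `fetch` parameters are injection points of this script so it can be exercised offline against a fake zone and fake port-80 responses that mirror the thread's cases.

```python
"""Pre-flight checks for Let's Encrypt HTTP-01 validation (added example, not Rock's code).

Checks the two conditions from the thread for every hostname the certificate will cover:
  1. the hostname resolves (directly, or through a CNAME) to the VM's public IP;
  2. plain HTTP on port 80 answers the ACME challenge path itself, without redirecting.
"""
import socket
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so a redirect on port 80 is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=5):
    """GET url; return (status, Location header or None). Raise ConnectionError if port 80 is closed."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as exc:   # 3xx/4xx/5xx still prove that port 80 answers
        return exc.code, exc.headers.get("Location")
    except urllib.error.URLError as exc:    # connection refused, timeout, no route
        raise ConnectionError(exc.reason) from exc


def check_dns(hostname, expected_ip, resolver=socket.gethostbyname_ex):
    """(ok, detail): ok when hostname resolves to expected_ip (CNAME chains are followed by the resolver)."""
    try:
        _canonical, _aliases, ips = resolver(hostname)
    except OSError as exc:
        return False, f"{hostname} does not resolve ({exc})"
    if expected_ip in ips:
        return True, f"{hostname} -> {', '.join(ips)}"
    return False, f"{hostname} -> {', '.join(ips)}, expected {expected_ip}"


def check_port80(hostname, fetch=http_fetch, token="preflight-probe"):
    """(ok, detail): ok when port 80 answers the challenge path (a 404 for a made-up token is fine).

    A redirect counts as a failure: as the thread describes, the validator must reach the
    Rock site itself on port 80, not a separate site that redirects to it.
    """
    url = f"http://{hostname}{ACME_PATH}{token}"
    try:
        status, location = fetch(url)
    except ConnectionError as exc:
        return False, f"port 80 on {hostname} unreachable ({exc})"
    if 300 <= status < 400:
        return False, f"port 80 on {hostname} redirects to {location}"
    return True, f"port 80 on {hostname} answered HTTP {status}"


def preflight(hostnames, expected_ip, resolver=socket.gethostbyname_ex, fetch=http_fetch):
    """Run both checks for each hostname; returns {hostname: {"dns": (ok, detail), "port80": (ok, detail)}}."""
    return {h: {"dns": check_dns(h, expected_ip, resolver),
                "port80": check_port80(h, fetch)} for h in hostnames}


# --- constructed sample environment (placeholders, not real records or addresses) ---------
VM_IP = "203.0.113.10"                            # stands in for <public IP from Azure VM>
AZURE_HOST = "myapp.eastus.cloudapp.azure.com"    # stands in for <app name>.<location>.cloudapp.azure.com
FAKE_ZONE = {
    "rock.example.org": ("rock.example.org", [], [VM_IP]),          # A record, like "A rock" above
    "www.example.org": (AZURE_HOST, ["www.example.org"], [VM_IP]),  # CNAME to the Azure name
}
FAKE_PORT80 = {
    "rock.example.org": (404, None),                         # Rock answers on 80; unknown token -> 404
    "www.example.org": (301, "https://rock.example.org/"),   # a separate site on 80 that only redirects
}


def fake_resolver(hostname):
    """Stand-in for socket.gethostbyname_ex over the constructed zone."""
    if hostname not in FAKE_ZONE:
        raise socket.gaierror("Name or service not known")
    return FAKE_ZONE[hostname]


def fake_fetch(url):
    """Stand-in for http_fetch: hosts absent from FAKE_PORT80 have nothing listening on 80."""
    hostname = url.split("/")[2]
    if hostname not in FAKE_PORT80:
        raise ConnectionError("connection refused")
    return FAKE_PORT80[hostname]


if __name__ == "__main__":
    report = preflight(["rock.example.org", "www.example.org", "old.example.org"],
                       VM_IP, resolver=fake_resolver, fetch=fake_fetch)
    for host, checks in report.items():
        for name, (ok, detail) in checks.items():
            print(f"{'PASS' if ok else 'FAIL'} {name:6} {detail}")
```

Against a real server, call `preflight([...], "<public IP from Azure VM>")` with the defaults so the system resolver and a real HTTP request are used. A 404 passing is deliberate: the check proves that the Rock site answers on port 80 at the challenge path, which is the condition the thread identifies; the plugin places the actual token there during issuance.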