upstream/certbot
1
0
Fork 0
mirror of https://github.com/certbot/certbot.git synced 2026-06-17 04:29:02 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2
certbot/docs/challenges.rst
Peter Conrad 6cf468bcd0 Went through log and fixed as much as I could
2018-06-08 09:31:36 -07:00

90 lines
4.8 KiB
ReStructuredText
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

.. _challenges:
Challenges
==========
To receive a certificate from Let's Encrypt certificate authority (CA), you must pass a *challenge_* to
prove you control each of the domain names that will be listed in the certificate. A challenge is one of
three tasks that only someone who controls the domain should be able to accomplish:
* Posting a specified file in a specified location on a web site (See the IETF draft of the `HTTP-01`_ challenge)
* Offering a specified temporary certificate on a web site (See the IETF draft of the `TLS-SNI-01`_ challenge)
* Posting a specified DNS record in the domain name system (See the IETF draft of the `DNS-01`_ challenge)
The DNS-01 challenge, in particular, requires configuration of a DNS server on
port 53, though that's often not the same machine as your webserver.
Its possible to complete each type of challenge *automatically* (Certbot directly makes the necessary
changes itself, or runs another program that does so), or *manually* (Certbot tells you to make a
certain change, and you edit a configuration file of some kind in order to accomplish it). Certbot's
design favors performing challenges automatically, and this is the normal case for most users of Certbot.
.. _TLS-SNI-01: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.3
.. _HTTP-01: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.2
.. _DNS-01: https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-7.4
Tips for Challenges
-------------------
General tips:
* Run Certbot on your web server, not on your laptop or another server. Its usually the easiest way to get a certificate.
* Use a tool like the DNSchecker at dnsstuff.com to check your DNS records to make sure
there are no serious errors. A DNS error can prevent a certificate authority from
issuing a certificate, even if it does not prevent your site from loading in a browser.
* If you are using Apache or NGINX plugins, make sure the configuration of your Apache or NGINX server is correct.
.. _http_01_challenge:
HTTP-01 Challenge
^^^^^^^^^^^^^^^^^
* Make sure the domain name exists and is already pointed to the public IP address of the server where
youre requesting the certificate.
* Make sure port 80 is open, publicly reachable from the Internet, and not blocked by a router or firewall.
* When using the Webroot plugin or the manual plugin, make sure the the webroot directory exists and that you
specify it properly. If you set the webroot directory for example.com to `/var/www/example.com`
then a file placed in `/var/www/example.com/.well-known/acme-challenge/testfile` should appear on
your web site at `http://example.com/.well-known/acme-challenge/testfile` (A redirection to HTTPS
is OK here and should not stop the challenge from working.)
* In some web server configurations, all pages are dynamically generated by some kind of framework,
usually using a database backend. In this case, there might not be a particular directory
from which the web server can serve filesdirectly. Using the Webroot plugin in this case
requires making a change to your web server configuration first.
* Make sure your web server serves files properly from the directory where the challenge
file is placed (e. g. `/.well-known/acme-challenge`) to the expected location on the
website without adding a header or footer.
* When using the Standalone plugin, make sure another program is not already listening to port 80 on the server.
* When using the Webroot plugin, make sure there is a web server listening on port 80.
.. _tls_sni_01_challenge:
TLS-SNI-01 Challenge
^^^^^^^^^^^^^^^^^^^^
* The TLS-SNI-01 challenge doesnt work with content delivery networks (CDNs)
like CloudFlare and Akamai because the domain name is pointed at the CDN, not directly at your server.
* Make sure port 443 is open, publicly reachable from the Internet, and not blocked by a router or firewall.
* When using the Apache plugin, make sure you are running Apache and no other web server on port 443.
* When using the NGINX plugin, make sure you are running NGINX and no other web server on port 443.
* With either the Apache or NGINX plugin, certbot modifies your web server configuration. If you get
an error after successfully completing the challenge, then you have received a certificate but the
plugin was unable to modify your web server configuration, meaning that you'll have to install the certificate manually.
In that case, please file a bug to help us improve certbot!
* When using the Standalone plugin, make sure another program is not already listening to port 443 on the server.
.. _dns_01_challenge:
DNS-01 Challenge
^^^^^^^^^^^^^^^^
* When using the manual plugin, make sure your DNS records are correctly updated;
you must be able to make appropriate changes to your DNS zone in order to pass the challenge.
Reference in a new issue View git blame Copy permalink