Solution: SSL Support for .DEV/.BLOG TLDs - DNS01 Challenge over Cloudflare

Hi there,

I looked around the forum and GitHub issues, but I didn't find any solution for my “problem”, which I had with the “Google Domains” like *.DEV and/or *.BLOG, which enforce SSL.

So, because no SSL was available for the domain, the Let's Encrypt HTTP ACME challenge over HestiaCP was not possible for me.

Issue:

Error: Let’s Encrypt finalize bad status 400

That's the reason why I finally built my own solution with a Python script using certbot and Cloudflare, which also uses some add/update scripts of HestiaCP.

It's finally working for me, so I created a gist with the code and a manual on my GitHub:

https://gist.github.com/torsten-online/926b5baab451b805458e76f9a772a6ca

The good news: now I'm ready to start my https://open.source.blog 🙂 ❤️

Maybe this alternative solution is also helpful for someone else.

I suggest: final integration of DNS-01 Let's Encrypt challenge support into HestiaCP would be awesome!

My solution is just a “hackaround”.

Have a lot of fun
Torsten

Hi @torsten,

I don't know what the problem was; maybe you were using Cloudflare as a proxy for your domain, but Let's Encrypt can issue certificates using the HTTP-01 challenge on .dev and .blog top-level domains.

I issued a certificate for a dev domain 1 minute ago using Hestia and HTTP-01 challenge.

2 Likes

Great to know that the HTTP-01 ACME challenge is working for “Google Domains” which enforce SSL.

So it was maybe a problem at the DNS provider before.

I will check that out, maybe with the DNS of my HestiaCP.

Kind regards
Torsten

1 Like

Keep in mind that the way to enforce HTTPS is to include the top-level domain (.dev, .blog, .app, etc.) in the HSTS preload list. This list is used by major browsers, but not all tools that can speak HTTP will use it… and Let's Encrypt doesn't use it, because the main goal is to issue a certificate for your domain, but if you don't have one… you can't issue a certificate? 😉

2 Likes
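
As an added example (not code from the gist linked in the first post, nor from HestiaCP or certbot), the following Python shows what each ACME challenge type asks the domain owner to publish, per RFC 8555: HTTP-01 has the CA fetch the key authorization over plain http:// on port 80, while DNS-01, the workaround from the first post, publishes the SHA-256 digest of that same key authorization in a TXT record at `_acme-challenge.<domain>`, which is the record certbot's `--dns-cloudflare` plugin creates through the Cloudflare API. The domain, token and account key are constructed placeholders.

```python
"""Added example: the values an ACME (RFC 8555) client must publish for the
HTTP-01 and DNS-01 challenges, computed from a constructed token and account key.
Not code from the linked gist, HestiaCP or certbot; domain, token and key are
placeholders."""
import base64
import hashlib
import json
from dataclasses import dataclass


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME and JOSE require (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON (required members only,
    lexically sorted, no whitespace) of the account's public key."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


@dataclass(frozen=True)
class ChallengeRecords:
    http01_url: str     # fetched by the CA over plain HTTP on port 80
    http01_body: str    # the key authorization string
    dns01_name: str     # TXT record owner name
    dns01_txt: str      # base64url(SHA-256(key authorization))


def challenge_records(domain: str, token: str, account_jwk: dict) -> ChallengeRecords:
    """Return what the client must publish for both challenge types."""
    ka = key_authorization(token, account_jwk)
    return ChallengeRecords(
        # RFC 8555 section 8.3: the CA requests
        # http://<domain>/.well-known/acme-challenge/<token> and expects the
        # key authorization as the response body. No certificate is involved.
        http01_url=f"http://{domain}/.well-known/acme-challenge/{token}",
        http01_body=ka,
        # RFC 8555 section 8.4: the CA queries TXT _acme-challenge.<domain> and
        # expects the base64url SHA-256 digest of the key authorization. Nothing
        # is served over HTTP, so this works even when port 80 is unreachable.
        dns01_name=f"_acme-challenge.{domain}",
        dns01_txt=b64url(hashlib.sha256(ka.encode("ascii")).digest()),
    )


# Constructed placeholder account key: a P-256 JWK with dummy coordinates.
# A real ACME client generates this key when it registers the account.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(b"\x01" * 32),
    "y": b64url(b"\x02" * 32),
}
# Constructed token in the base64url shape the CA hands out (RFC 8555 section 8.3).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_DOMAIN = "example.dev"  # placeholder domain


if __name__ == "__main__":
    rec = challenge_records(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("HTTP-01: GET", rec.http01_url, "->", rec.http01_body)
    print("DNS-01 : TXT", rec.dns01_name, f'"{rec.dns01_txt}"')
```

Running the block prints the URL and body a web server would have to answer for HTTP-01, and the TXT record name and value a DNS API would have to create for DNS-01. With certbot, `certbot certonly --dns-cloudflare --dns-cloudflare-credentials <ini file> -d <domain>` publishes that TXT record and removes it after validation; the resulting certificate still has to be installed into the panel by whatever add/update scripts the panel provides.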

I can confirm this.

As I understand it, you cannot do the ACME HTTP-01 challenge if you don't already have an SSL cert in place.

I just successfully enabled SSL support over HestiaCP,
so it's not required to run my script as a cronjob anymore.

But I think it's a great and easy solution for getting the “first cert” with certbot and having everything automatically in place.

Thanks