
I'm trying to add a subdomain to my Let's Encrypt certificate but it's giving Connection refused.

The command I ran was sudo certbot --expand -d sub.domain.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: sub.domain.com
  Type:   connection
  Detail: xxx.xxx.xxx.xxx: Fetching http://sub.domain.com/.well-known/acme-challenge/jMDxrjAKBYguSgr5_EFp-0R_V9F99Qr-8NVOSPXJQPD: Connection refused

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My subdomain is a CNAME (hosted on Cloudflare) that points to Backblaze B2 as a URL mask. Is what I'm trying to achieve even possible? If so, what's the right way to add a URL mask?

metadaddy
kryz

1 Answer


You can't use this method of obtaining a Let’s Encrypt certificate, since you don't control the servers that sub.domain.com is currently pointing to.

Typically, to create a certificate, you run certbot on a machine in the desired domain - that is, a machine with a publicly addressable IP address to which your domain resolves. That machine is usually already running a supported web server, e.g. Apache, into which you wish to install the new certificate. If it's not running a web server, certbot can run a mini web server of its own. Either way, the Let’s Encrypt server attempts to connect to sub.domain.com and verify that it responds correctly to a challenge. The protocol is documented here.

As far as I can see, you have two options:

  1. Bring up a server with Apache, temporarily point sub.domain.com at it, run through the typical certbot/Let's Encrypt process, then copy the certificate and its public key. Once you have these, you can shut down your server and point sub.domain.com back at B2.

  2. Use the manual DNS challenge. When you run certbot with --preferred-challenges=dns, it will ask you to place a TXT DNS record with specific contents under the domain name consisting of the hostname for which you want a certificate issued, prepended by _acme-challenge.

    In your case, for sub.domain.com, the zone file entry would look something like:

    _acme-challenge.sub.domain.com. 300 IN TXT "gfj9Xq...Rg85nM"
    

    You'll likely need to wait a few minutes after creating the TXT record for it to propagate through the DNS system before proceeding with the certbot process.

In either case, you'll be on the hook to periodically renew your certificates.

metadaddy
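The answer says the TXT value certbot hands you has "specific contents" and must live under the _acme-challenge. name. As an added example (not code from the answer or from certbot), the script below shows where that value comes from: RFC 8555 section 8.4 defines it as base64url(SHA-256(token "." thumbprint(account key))), with the thumbprint computed over the account key's JWK as in RFC 7638. The token is the one visible in the question's error message and the account JWK is a constructed sample, so the resulting TXT value is illustrative only; a real certbot run uses a fresh token and your own account key.

```python
"""Derive the DNS-01 TXT record that an ACME client asks you to publish.

Added example, not part of the original answer. Follows RFC 8555 (ACME)
section 8.1 (key authorization) and 8.4 (dns-01) and RFC 7638 (JWK thumbprint).
"""
import base64
import hashlib
import json

# Constructed sample inputs. The token is copied from the question's error
# message; the account key is a placeholder JWK, not a real Let's Encrypt account.
SAMPLE_TOKEN = "jMDxrjAKBYguSgr5_EFp-0R_V9F99Qr-8NVOSPXJQPD"
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "sample-modulus-not-a-real-key",
    "e": "AQAB",
    "kid": "ignored-by-thumbprint",   # extra members are excluded by RFC 7638
}

# RFC 7638 section 3.2: only the required public members, in lexicographic order,
# go into the thumbprint input. (Extend for other key types as needed.)
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON (no whitespace, sorted keys)
    of the required members only, base64url-encoded."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key).
    This binds the challenge to one account key, so a stolen token alone is useless."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(hostname: str) -> str:
    """Owner name of the TXT record: '_acme-challenge.' prepended to the hostname,
    returned in fully-qualified form (trailing dot) for zone files."""
    return "_acme-challenge." + hostname.rstrip(".") + "."


def zone_file_line(hostname: str, token: str, account_jwk: dict, ttl: int = 300) -> str:
    """The complete zone-file entry, in the shape shown in the answer."""
    return (f'{dns01_record_name(hostname)} {ttl} IN TXT '
            f'"{dns01_txt_value(token, account_jwk)}"')


if __name__ == "__main__":
    print(zone_file_line("sub.domain.com", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

Because the value is a hash of the token and of your account key's thumbprint, it only verifies for the account that requested the order; certbot prints the finished value, so you never compute it by hand, but knowing the construction makes it clear why each renewal needs a new record and why a low TTL (300 here, as in the answer) shortens the wait for propagation.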