Thanks, I'm gonna keep iterating hopefully twice a week :)

thank you!

Thanks, well you can allocate/create a server where you would setup a acme-dns server. It doesn't have to be located on the same host where you have you webserver (e.g nginx). In case you have multiple webservers (e.g. you need to scale horizontally) just obtain a certificate and then copy it with "scp" to all targets, just distribute that certificate amount all the webservers.

@@AntonPutra i thought automation is the only viable option

Spasibo Alexander!

Can you resolve CNAME outside of that instance? Where do you get timeout?

try to resolve. those records by using "dig "

Sorry, it's been a while. Check firewalls and make sure the service is running

@@AntonPutra thanks that worked, I had to install firewalld and open up the ports. only the network security groups configuration wasn't sufficient

@@sheryfsays glad to hear that

Yes, you need to update nginx conf, provide paths to cert, key and ca

Thanks for the feedback. The problem with wildcard certificates is that only the DNS-01 challenge is supported. This is a very generic tutorial, so in your case, I would suggest using the cert-bot GoDaddy plugin to automate certificate issuance. Here is a link: github.com/miigotu/certbot-dns-godaddy.

@@AntonPutra Thanks for your response. I think that script needs GoDaddy api key, which GoDaddy stop recently.

@@StartNight-df3sv I see. Well, the idea is to try to use host provider-specific plugins to validate the DNS challenge. If that's not possible, you can use this approach and set up a DNS resolver.

You can reset with "systemctl reset-failed " But still, need to resolve the underlining issue.

Well, it really depends on your set up. Do you have multiple webserver instances? Do you need to scale your workload horizontally? In some cases you should have acme-dns server setup on different machine and distribute those certificates to webservers. Would it be easier in your case just use certbot dns plugin instead of setting up it manually? I don't think VPN will work.. maybe you can just whitelist cloudflare ip ranges

​@@AntonPutra In the case of the OVH instance where I installed the acme-dns server it's a single one for a demo, but yes I'll have to scale horizontally, but in this case I'll set up an OVH cert in the load balancer like with the ALB or NLB in AWS so Cloudflare to Load balancer traffic will be end-to-end encrypted and then I'll probably add some basic certbot standalone certs in the origin servers cause I read that even if they're timed out they work. Didn't think of this: "In some cases you should have acme-dns server setup on different machine and distribute those certificates to webservers", maybe I should consider it. One more thing, if I set the acme-dns server to listen on localhost(it works), then the port isn't opened to the outside like the 3306 or 33060 of mysql right? Thank you!

​ @David O.O Yes, if you bind to the localhost/127.0.0.1 it will be reachable from that machine only. You can test, run "nc -vz localhost 53" from the local host and from outside using the external IP of that machine. If request times out means it is not reachable.

@@AntonPutra Cool, thanks Anton!

Thanks 🤗

Well, it's hard for me to debug your setup. In general when you obtain a wildcard certificate you need to pass DNS-01 challenge, means every time you need to renew you need to create/update TXT record with a new value provided by letsencrypt. You should be able to use "dig" to query your DNS provider and get TXT.

someday

no more music lol