Closed viktordw closed 1 year ago
Apologies, I need to update the website and screenshots. On the left-hand navigation bar you need to go to “Providers” and configure your preferred challenge method(s) there. Once that’s done you should be good. Certificates no longer require manual selection of the challenge method.
No problem, thank you for your response. There are five options I can see on the "Providers" page, and it seems that most of them are intended for the automatic creation of DNS records. What option is suitable for the manual creation of verification records? Is it "HTTP-01 Internal Server," maybe?
There really isn't one. The purpose of LeGo is to automate the certificate process. If you want to manually generate a certificate every time you might want to look at other options.
As for LeGo, the http-01 server is a way to validate ownership of a domain using a response sent over port 80 on an internet-facing address.
Thank you for the clarification. When it comes to http-01 validation, I'm not sure if I understand you well.
The http-01 validation can be used to complete domain validation by using the file in .well-known/acme-challenge, but how can this method be used to verify ownership of a domain that is not on the same server as the application itself?
After taking a look at the HTTP-01 challenge section of the following page: https://letsencrypt.org/docs/challenge-types/, I noticed the line below:
"It allows hosting providers to issue certificates for domains CNAMEd to them."
Does it mean that you can create some kind of CNAME for file-based verification, just like you could create a CNAME for _acme-challenge TXT record, as described in the DNS-01 challenge section of the same page?
The http-01 cname has to be the exact (sub)domain you want the certificate for. As you noticed, this can make the method more challenging as every cname needing a cert will need to resolve to the http-01 server’s IP (or otherwise be routed to it). This is why most people use a dns method.
That said, if you’re at home and behind a NAT, every server will be located at the same public IP and you’d just forward port 80 to your http-01 server. This would make it impossible to host something else on port 80 though as the http-01 spec requires that port.
First, thank you for this really interesting project. I found your post on Reddit and wanted to try this out. I have followed the steps from the official installation guide: https://www.legocerthub.com/install
After I selected the PLACE NEW ORDER option, I got the status Invalid for the order. Also, I have noticed that the option Challenge Method is missing on the Certificate > NEW CERTIFICATE page. The installation was completed via Docker, as described in the installation steps, and all the settings are default.