30 Oct
2025
30 Oct
'25
8:09 a.m.
Hi Folks,
I'm having some trouble trying to get LetsEncrypt SSL certificates
authorised for use on my WWW devices. The issue seems to be that I do not
have control of the TLD and so I can never authorise the issuing of
the certificate.
I've tried *.ni2o.ampr.org (generic catch all), fqdn.ni2o.ampr.org (device
specific) and many other variations but they all fail at the authorizing of
the cert.
What am I doing wrong? I'm using LetEncrypt (free not-for-profit) SSL
certificates successfully in other areas but i do control the domain for
those.
Thanks for your help
Mark / G7LTT
30 Oct
30 Oct
8:50 a.m.
Hello Mark,
I suppose you are using the DNS-01 challenge type since you are trying to get a wildcard
certificate?
The ARDC DNS does not propagate in real time (it typically takes about an hour), so that
exceeds Let's Encrypt's timeout.
What I usually do is to make the _acme-challenge.YOUR_DOMAIN a CNAME record to a domain
under a different nameserver (Cloudflare and HE.net <http://he.net/> offer free DNS
that basically propagates in real time), like
_acme-challenge.ampr-dns01-alias.MY_OTHER_DOMAIN. After this, there should be an option in
your ACME client to choose an
Alternatively, you can also delegate the entire ni2o.ampr.org
<http://ni2o.ampr.org/> to an external nameserver.
Let me know if you have any problems!
Best,
Maiyun Zhang AK6DS
On Oct 30, 2025, at 08:09, Mark Phillips via 44net
<44net(a)mailman.ampr.org> wrote:
Hi Folks,
I'm having some trouble trying to get LetsEncrypt SSL certificates authorised for use
on my WWW devices. The issue seems to be that I do not have control of the TLD and so I
can never authorise the issuing of the certificate.
I've tried *.ni2o.ampr.org <http://ni2o.ampr.org/> (generic catch all),
fqdn.ni2o.ampr.org <http://fqdn.ni2o.ampr.org/> (device specific) and many other
variations but they all fail at the authorizing of the cert.
What am I doing wrong? I'm using LetEncrypt (free not-for-profit) SSL certificates
successfully in other areas but i do control the domain for those.
Thanks for your help
Mark / G7LTT
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
8:53 a.m.
The actual problem depends on which error message you're getting.
ampr.org doesn't seem to be opting out of certificate issuance with DNS CAA
records, so you should be able to get one. However, the HTTP validation
method will be the only one available to you. That means the machine you're
running the ACME client on will need to be able to accept incoming
connections on port 80 from the public Internet, at the IP address behind
your FQDN.
On Thu, Oct 30, 2025, 05:10 Mark Phillips via 44net <44net(a)mailman.ampr.org>
wrote:
Hi Folks,
I'm having some trouble trying to get LetsEncrypt SSL certificates
authorised for use on my WWW devices. The issue seems to be that I do not
have control of the TLD and so I can never authorise the issuing of
the certificate.
I've tried *.ni2o.ampr.org (generic catch all), fqdn.ni2o.ampr.org
(device specific) and many other variations but they all fail at the
authorizing of the cert.
What am I doing wrong? I'm using LetEncrypt (free not-for-profit) SSL
certificates successfully in other areas but i do control the domain for
those.
Thanks for your help
Mark / G7LTT
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
11:20 a.m.
Thanks chaps. I think I have it now. Would someone please try
https://ni2o.ampr.org
Also, with ths manual method do I have to renew the cert every 3 months?
The acme/certbot tool will take care of that for you automatically. Not
sure about the manual method though.
I gave it some more thought and opted for individual certs fo the servers
in the end. other .ni2o.ampr.org services will get SSL over the weekend.
Mark / NI2O
On Thu, Oct 30, 2025 at 8:53 AM Cory (NQ1E) <cory(a)nq1e.hm> wrote:
The actual problem depends on which error message
you're getting.
ampr.org doesn't seem to be opting out of certificate issuance with DNS
CAA records, so you should be able to get one. However, the HTTP validation
method will be the only one available to you. That means the machine you're
running the ACME client on will need to be able to accept incoming
connections on port 80 from the public Internet, at the IP address behind
your FQDN.
On Thu, Oct 30, 2025, 05:10 Mark Phillips via 44net <
44net(a)mailman.ampr.org> wrote:
Hi Folks,
I'm having some trouble trying to get LetsEncrypt SSL certificates
authorised for use on my WWW devices. The issue seems to be that I do not
have control of the TLD and so I can never authorise the issuing of
the certificate.
I've tried *.ni2o.ampr.org (generic catch all), fqdn.ni2o.ampr.org
(device specific) and many other variations but they all fail at the
authorizing of the cert.
What am I doing wrong? I'm using LetEncrypt (free not-for-profit) SSL
certificates successfully in other areas but i do control the domain for
those.
Thanks for your help
Mark / G7LTT
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
11:28 a.m.
To answer my own question ....
Requesting a certificate for wx.ni2o.ampr.org
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/
wx.ni2o.ampr.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/wx.ni2o.ampr.org/privkey.pem
This certificate expires on 2026-01-28.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate
in the background.
Deploying certificate
So "yes" it will auto renew a "standalone".
On Thu, Oct 30, 2025 at 11:20 AM Mark Phillips <enicomms(a)gmail.com> wrote:
Thanks chaps. I think I have it now. Would someone
please try
https://ni2o.ampr.org
Also, with ths manual method do I have to renew the cert every 3 months?
The acme/certbot tool will take care of that for you automatically. Not
sure about the manual method though.
I gave it some more thought and opted for individual certs fo the servers
in the end. other .ni2o.ampr.org services will get SSL over the weekend.
Mark / NI2O
On Thu, Oct 30, 2025 at 8:53 AM Cory (NQ1E) <cory(a)nq1e.hm> wrote:
> The actual problem depends on which error message you're getting.
>
> ampr.org doesn't seem to be opting out of certificate issuance with DNS
> CAA records, so you should be able to get one. However, the HTTP validation
> method will be the only one available to you. That means the machine you're
> running the ACME client on will need to be able to accept incoming
> connections on port 80 from the public Internet, at the IP address behind
> your FQDN.
>
>
>
> On Thu, Oct 30, 2025, 05:10 Mark Phillips via 44net <
> 44net(a)mailman.ampr.org> wrote:
>
>> Hi Folks,
>>
>> I'm having some trouble trying to get LetsEncrypt SSL certificates
>> authorised for use on my WWW devices. The issue seems to be that I do not
>> have control of the TLD and so I can never authorise the issuing of
>> the certificate.
>>
>> I've tried *.ni2o.ampr.org (generic catch all), fqdn.ni2o.ampr.org
>> (device specific) and many other variations but they all fail at the
>> authorizing of the cert.
>>
>> What am I doing wrong? I'm using LetEncrypt (free not-for-profit) SSL
>> certificates successfully in other areas but i do control the domain for
>> those.
>>
>> Thanks for your help
>>
>> Mark / G7LTT
>> _______________________________________________
>> 44net mailing list -- 44net(a)mailman.ampr.org
>> To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
>>
>
12:06 p.m.
OK, so now that I have that going, how about some inter-server SSL
connections? When I was at JPMC we were required to make all servers talk
to each other over SSL. All API's and other data sharing connections had to
be protected by SSL. The bank was its own authority but it also slaved to
an outside party. This ensured that all traffic on the network was 2)
coming from a known/sanctioned JPMC device and b) was less likely to be
sniffed in transit.
I'm not suggesting that we make ALL 44net connected devices SSL compliant
but certainly the ones involved with holding up the network.
Mark / NI2O
On Thu, Oct 30, 2025 at 11:28 AM Mark Phillips <enicomms(a)gmail.com> wrote:
To answer my own question ....
Requesting a certificate for wx.ni2o.ampr.org
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/
wx.ni2o.ampr.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/
wx.ni2o.ampr.org/privkey.pem
This certificate expires on 2026-01-28.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this
certificate in the background.
Deploying certificate
So "yes" it will auto renew a "standalone".
On Thu, Oct 30, 2025 at 11:20 AM Mark Phillips <enicomms(a)gmail.com> wrote:
> Thanks chaps. I think I have it now. Would someone please try
> https://ni2o.ampr.org
>
> Also, with ths manual method do I have to renew the cert every 3 months?
> The acme/certbot tool will take care of that for you automatically. Not
> sure about the manual method though.
>
> I gave it some more thought and opted for individual certs fo the servers
> in the end. other .ni2o.ampr.org services will get SSL over the weekend.
>
> Mark / NI2O
>
> On Thu, Oct 30, 2025 at 8:53 AM Cory (NQ1E) <cory(a)nq1e.hm> wrote:
>
>> The actual problem depends on which error message you're getting.
>>
>> ampr.org doesn't seem to be opting out of certificate issuance with DNS
>> CAA records, so you should be able to get one. However, the HTTP validation
>> method will be the only one available to you. That means the machine you're
>> running the ACME client on will need to be able to accept incoming
>> connections on port 80 from the public Internet, at the IP address behind
>> your FQDN.
>>
>>
>>
>> On Thu, Oct 30, 2025, 05:10 Mark Phillips via 44net <
>> 44net(a)mailman.ampr.org> wrote:
>>
>>> Hi Folks,
>>>
>>> I'm having some trouble trying to get LetsEncrypt SSL certificates
>>> authorised for use on my WWW devices. The issue seems to be that I do not
>>> have control of the TLD and so I can never authorise the issuing of
>>> the certificate.
>>>
>>> I've tried *.ni2o.ampr.org (generic catch all), fqdn.ni2o.ampr.org
>>> (device specific) and many other variations but they all fail at the
>>> authorizing of the cert.
>>>
>>> What am I doing wrong? I'm using LetEncrypt (free not-for-profit) SSL
>>> certificates successfully in other areas but i do control the domain for
>>> those.
>>>
>>> Thanks for your help
>>>
>>> Mark / G7LTT
>>> _______________________________________________
>>> 44net mailing list -- 44net(a)mailman.ampr.org
>>> To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
>>>
>>
12:39 p.m.
Works fine from 44.182.21.x...
On 30/10/2025 17:20, Mark Phillips via 44net wrote:
Thanks chaps. I think I have it now. Would someone
please try
https://ni2o.ampr.org
Also, with ths manual method do I have to renew the cert every 3
months? The acme/certbot tool will take care of that for you
automatically. Not sure about the manual method though.
I gave it some more thought and opted for individual certs fo the
servers in the end. other .ni2o.ampr.org <http://ni2o.ampr.org>
services will get SSL over the weekend.
Mark / NI2O
On Thu, Oct 30, 2025 at 8:53 AM Cory (NQ1E) <cory(a)nq1e.hm> wrote:
The actual problem depends on which error message you're getting.
ampr.org <http://ampr.org> doesn't seem to be opting out of
certificate issuance with DNS CAA records, so you should be able
to get one. However, the HTTP validation method will be the only
one available to you. That means the machine you're running the
ACME client on will need to be able to accept incoming connections
on port 80 from the public Internet, at the IP address behind your
FQDN.
On Thu, Oct 30, 2025, 05:10 Mark Phillips via 44net
<44net(a)mailman.ampr.org> wrote:
Hi Folks,
I'm having some trouble trying to get LetsEncrypt SSL
certificates authorised for use on my WWW devices. The issue
seems to be that I do not have control of the TLD and so I can
never authorise the issuing of the certificate.
I've tried *.ni2o.ampr.org <http://ni2o.ampr.org> (generic
catch all), fqdn.ni2o.ampr.org <http://fqdn.ni2o.ampr.org>
(device specific) and many other variations but they all fail
at the authorizing of the cert.
What am I doing wrong? I'm using LetEncrypt (free
not-for-profit) SSL certificates successfully in other areas
but i do control the domain for those.
Thanks for your help
Mark / G7LTT
_______________________________________________
44net mailing list -- 44net(a)mailman.ampr.org
To unsubscribe send an email to 44net-leave(a)mailman.ampr.org
_______________________________________________
44net mailing list --44net(a)mailman.ampr.org
To unsubscribe send an email to44net-leave(a)mailman.ampr.org
125
days inactive
125
days old
6 comments
4 participants
participants (4)
-
Cory (NQ1E) -
Hostmaster -
Marius Petrescu -
Mark Phillips