Success! I was able to install Let's Encrypt certs after a few workarounds and may have found a root cause: a missing lighttpd openssl module.
I used certbot in manual mode to specify a DNS challenge instead of an ACME challenge to get the certs issued. When instructed by certbot, I added a TXT file with a specific string to the DNS record at the DynamicDNS provider’s website (No-IP) to validate the domain.
See "How to use Let's Encrypt DNS challenge validation?" on Server Fault as a starting point.
Certbot initially gave me an error message about a "CAA record preventing issuance."
I checked the DNS records for that domain at No-IP and discovered a CAA record (flag?) already existed for letsencrypt. I deleted the CAA and then I was able to get the certs.
This made me wonder if letsencrypt was working better than I thought. Why would this flag already be set?
Since certbot doesn’t install the certs in manual mode, I created the necessary lighttpd conf files and edited lighttpd.conf as needed, per guidance here:
self signed certificate
The lighttpd service wasn't restarting after these additions and edits. I checked the syntax of the files and then used "journalctl -xe" to find that mod_openssl.so was missing. So, I used "apt install lighttpd-mod-openssl" to install it.
Then I was able to restart the lighttpd service and the certs worked.
I then tried running dietpi-letsencrypt and it saw the existing valid certs and asked if I wanted to renew/reissue them.
Additional info: Looking at /etc/letsencrypt/keys, I noticed there were already about 12 key files, dating back to February 19, when I first started trying letsencrypt on this fresh dietpi install. Looking at /etc/letsencrypt/csr, there are also the same number of cert request files.
Maybe the ACME validation was working and the keys were being issued, but the process wasn’t completing because of the missing openssl module?
@Joulinar @MichaIng Thank you for your time, patience, and support.
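Two pre-flight checks for the problems described in the post above, as an added example (not the poster's commands or DietPi's code): whether a domain's CAA records allow a given CA to issue, and whether lighttpd's TLS module is installed. The CAA parser assumes dig's `0 issue "ca"` line format, and the module path assumes Debian's /usr/lib/lighttpd.

```shell
#!/bin/sh
# Added example: checks for a CAA record blocking issuance and for a
# missing lighttpd mod_openssl. Paths and sample records are assumptions.

# Decide whether a CAA record set permits a CA to issue a non-wildcard cert.
# $1: CAA records, one per line, as dig +short prints them
#     (e.g. 0 issue "letsencrypt.org");  $2: CA domain (e.g. letsencrypt.org).
# Returns 0 if issuance is allowed, 1 if blocked. Per RFC 8659, no CAA
# records (or only iodef records) means no restriction; once any "issue"
# tag is present, only the CAs it names may issue, and issue ";" blocks all.
caa_allows_issuer() {
    records="$1"; issuer="$2"
    printf '%s\n' "$records" | awk -v ca="$(printf '%s' "$issuer" | tr 'A-Z' 'a-z')" '
        $2 == "issue" {
            seen = 1
            v = $3
            gsub(/"/, "", v)          # strip the quotes around the value
            sub(/;.*/, "", v)         # drop parameters after ";" (or the lone ";")
            if (tolower(v) == ca) ok = 1
        }
        END { if (seen && !ok) exit 1; exit 0 }'
}

# Check that lighttpd's TLS module is installed.
# $1: module directory (assumed Debian default /usr/lib/lighttpd).
# Returns 0 if mod_openssl.so exists, 1 otherwise.
lighttpd_has_tls_module() {
    [ -f "${1:-/usr/lib/lighttpd}/mod_openssl.so" ]
}

# Live check for a real host (needs dig from dnsutils). Usage, hypothetical:
#   sh check.sh example.com letsencrypt.org
check_host() {
    if caa_allows_issuer "$(dig +short CAA "$1")" "$2"; then
        echo "CAA: $2 may issue for $1"
    else
        echo "CAA: $2 is blocked for $1 (fix the CAA set rather than deleting it)"
    fi
    if lighttpd_has_tls_module; then
        echo "lighttpd: mod_openssl.so present"
    else
        echo "lighttpd: mod_openssl.so missing, run: apt install lighttpd-mod-openssl"
    fi
}

if [ "$#" -ge 1 ]; then
    check_host "$1" "${2:-letsencrypt.org}"
fi
```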