Creating a Certificate using DNS challenges and Installing on GoDaddy Shared Hosting

Dear All,

I am trying to create a free SSL for my domain on a local computer, with certbot (manual), but it keeps failing.

I can see others succeed in "tutorials" on the net, but they all have time to upload a file or create a TXT record for verification. For me, this "offline" version is not available.

If I could pause certbot, I could upload a file to http://viktak.com/.well-known/acme-challenge/... or create a TXT record in DNS...

Any pointers on what I am doing wrong?

Thank you in advance!

My domain is: viktak.com

I ran this command: certbot certonly -manual

It produced this output:

sudo certbot certonly -manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): viktak.com,www.viktak.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for viktak.com
http-01 challenge for www.viktak.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.viktak.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.viktak.com/.well-known/acme-challenge/lFUHssaFgBvl10vmY49zZdZxPwxP3u9qaJp4hiuhLjw [107.180.5.6]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", viktak.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://viktak.com/.well-known/acme-challenge/1WQQ8u6keSzLkEA19--meb9iXNr6ZsC-VoVoedupu3M [107.180.5.6]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.viktak.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.viktak.com/.well-known/acme-challenge/lFUHssaFgBvl10vmY49zZdZxPwxP3u9qaJp4hiuhLjw
   [107.180.5.6]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   Domain: viktak.com
   Type:   unauthorized
   Detail: Invalid response from
   http://viktak.com/.well-known/acme-challenge/1WQQ8u6keSzLkEA19--meb9iXNr6ZsC-VoVoedupu3M
   [107.180.5.6]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
   2.0//EN\">\n<html><head>\n<title>404 Not
   Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): I don't know, GoDaddy customer service was not able to tell me

The operating system my web server runs on is (include version):

Linux version 2.6.32-954.3.5.lve1.4.80.el6.x86_64 (mockbuild@buildfarm03.cloudlinux.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC) ) #1 SMP Thu Sep 24 01:42:00 EDT 2020

My hosting provider, if applicable, is: GoDaddy shared hosting

I can login to a root shell on my machine (yes or no, or I don't know): I can login, but I don't think it is as root.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel v86.0.30

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.27.0

3 Likes

Hi @viktak

the option is --manual with two --

3 Likes

Welcome to the Let's Encrypt Community

Your certbot version is quite ancient.

I would highly recommend updating it if at all possible.

Please note that your version may not prevent you from getting a certificate. I'm just making you aware of the situation.

You absolutely have root access on your local machine where you are running certbot. You do NOT have root access on your GoDaddy shared hosting account.

Your webserver is most certainly Apache.

Try using this command:

sudo certbot certonly --cert-name viktak.com --manual --preferred-challenges dns -d "viktak.com,www.viktak.com" --keep

3 Likes

Thank you guys for the quick replies, you are amazing!

@JuergenAuer:
Yepp, I missed that, sorry about that.

@griffin:
As for certbot version: I just installed it using sudo apt-get install certbot, so I have no idea why it is not the latest version...

Correcting the mistakes, I was able to create the certificates successfully. But what now? The files are in pem format (which they are supposed to be), so my next question is how to deal with them? I can't even display the content of them on my machine; in Windows they don't even show up in the folder where they are, only the readme files. (I have copied the pem files from their location to my home directory, which I have shared on my home network so that I can access them from Windows.) Is there a "best practice" for converting/getting them up to GoDaddy (which expects a Certificate (CRT), a Private Key (KEY), and a Certificate Authority Bundle (CABUNDLE) file)?

2 Likes

Copy the contents of /etc/letsencrypt/live/viktak.com/cert.pem into the certificate box. Copy the contents of /etc/letsencrypt/live/viktak.com/privkey.pem into the private key box. Those are the Linux folder names, but they are similar in Windows. Let cPanel fill in the CA Bundle for you. Enter today's date for the note to help you remember when to renew. Once you've saved your certificate, remember to click install next to the certificate in the list to actually install it!

You may have to go into the archive folder instead of live to get the actual PEM files since the files in live are symbolic links (even in Windows).

For your reference, the CA Bundle is usually known as the "CA intermediate certificate". If you look in fullchain.pem, you'll find your certificate first and the "CA intermediate certificate" second. This is the same as what you'll find in chain.pem. You don't need to copy it into the box though as cPanel retrieves it automatically from a repository as soon as you paste your certificate.

3 Likes
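The file layout described in the reply above (leaf certificate first in fullchain.pem, intermediate after it, the same intermediate in chain.pem), as an added example that is not part of the thread and is not certbot or cPanel code. The function names are hypothetical and the PEM bodies are constructed placeholders; the check refuses to hand out a certificate field if key material has ended up in the certificate file.

```python
import re

# One PEM block; group 1 is its label (CERTIFICATE, PRIVATE KEY, ...).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return [(label, block_text), ...] in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def _normalized(text):
    """PEM blocks with whitespace and line-ending differences removed."""
    return [block.split() for _, block in pem_blocks(text)]


def cpanel_fields(fullchain, privkey):
    """Split certbot output into the three boxes of the cPanel SSL form."""
    chain = pem_blocks(fullchain)
    if not chain:
        raise ValueError("no PEM blocks found in fullchain")
    # Key material must never be pasted into a certificate box.
    if any(label != "CERTIFICATE" for label, _ in chain):
        raise ValueError("fullchain must contain only CERTIFICATE blocks")
    keys = pem_blocks(privkey)
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        raise ValueError("privkey must hold exactly one private key")
    return {
        "CRT": chain[0][1],                              # leaf is first
        "CABUNDLE": "\n".join(b for _, b in chain[1:]),  # intermediate(s)
        "KEY": keys[0][1],
    }


def matches_certbot_files(fields, cert_pem, chain_pem):
    """True if the split agrees with certbot's own cert.pem and chain.pem."""
    return (_normalized(fields["CRT"]) == _normalized(cert_pem)
            and _normalized(fields["CABUNDLE"]) == _normalized(chain_pem))


def _pem(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample input: placeholder bodies, not real certificates or keys.
LEAF = _pem("CERTIFICATE", "TEVBRi1QTEFDRUhPTERFUg==")
INTERMEDIATE = _pem("CERTIFICATE", "SU5URVItUExBQ0VIT0xERVI=")
KEY = _pem("PRIVATE KEY", "S0VZLVBMQUNFSE9MREVS")

if __name__ == "__main__":
    fields = cpanel_fields(LEAF + INTERMEDIATE, KEY)
    print(matches_certbot_files(fields, LEAF, INTERMEDIATE))
```

With real files, pass the text of fullchain.pem and privkey.pem read from the archive folder; the comparison ignores line-ending differences, so copies made through a Windows share still match.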

@griffin: Thank you, I was able to install it for viktak.com.

Thank you guys all!!!!!!

3 Likes

One more question:
when I installed the certificate (on GD) I got this warning:

The SSL certificate also supports this domain, but this domain does not refer to the SSL website mentioned above:
www.viktak.com

The site seems to be working with and without www. So can I ignore this message?

2 Likes

That's a curious warning.

Because both https versions work, it's good the certificate has both domain names.

-->> Ignore it or ask GoDaddy.

2 Likes

Thank you, @JuergenAuer!

2 Likes

Critically Important Note

Make certain to go into Domains under the Domains section in cPanel, expand the item for your domain, and turn on the slider for "Force HTTPS Redirect". This ensures that your site cannot be accessed insecurely via http.

3 Likes

Thanks for the tip, I was wondering myself if I should do it. I already have it forced in the .htaccess file. Do you think I need it set here too?

3 Likes

It's much more efficient to do it where I specified because it happens at the vHost level. Only do it in one place though.

PS

Your .htaccess method clearly isn't working. I can access your site via http.

2 Likes

Thank you.

Indeed, I meant one of my other subdomains, diy.viktak.com

3 Likes

It's alright to add other subdomain names to the command I gave you to make a bigger certificate (as long as they're all hosted on the same server).

2 Likes
Complete Certificate History
2 Likes

@griffin: Thank you, I appreciate your help!!!

2 Likes
