GoDaddy shared Hosting and gethttpsforfree.com

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: romuva.us

I ran this command:
openssl req -new -sha256 -key domain.key -subj "/" \
  -reqexts SAN -config <(cat /ssl/openssl.cnf \
  <(printf "\n[SAN]\nsubjectAltName=DNS:romuva.us,DNS:www.romuva.us"))

It produced this output:
cat: /ssl/openssl.cnf: No such file or directory
error on line -1 of /dev/fd/63
47738338784200:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('/dev/fd/63','rb')
47738338784200:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:
47738338784200:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:
cat: /dev/fd/63: No such file or directory

My web server is (include version): Apache version??

The operating system my web server runs on is (include version): Cloud Linux Server 6.10

My hosting provider, if applicable, is: GoDaddy Shared Hosting

I can login to a root shell on my machine (yes or no, or I don't know): Not clear what the question is - I can login via SSH and I can get to webroot, but can't access anything below. SU is not available

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, but also have SSH access via Putty and The CPanel (ver. 94.0.19?) Terminal widget (there seem to be more commands available on the CPanel Widget than using Putty)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Can't install certbot. Trying to use gethttpsforfree.com

So I have a shared server on GoDaddy. I have at least two domains I would like to secure, but right now just trying to get one done.

I tried using the command:

openssl req -new -sha256 -key domain.key -subj "/" \
  -reqexts SAN -config <(cat /ssl/openssl.cnf \
  <(printf "\n[SAN]\nsubjectAltName=DNS:romuva.us,DNS:www.romuva.us"))

as directed on gethttpsforfree
But I get the following error:

cat: /ssl/openssl.cnf: No such file or directory
error on line -1 of /dev/fd/63
47738338784200:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('/dev/fd/63','rb')
47738338784200:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:
47738338784200:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:
cat: /dev/fd/63: No such file or directory

(I'm assuming this is because of user limitations and the openssl.conf file is located below what I have access to.)

So instead I generate a CSR using GoDaddy's tool.

Everything looks good until I try to Sign my API Request.

I copy and paste the stdin output (I've tried both with and without the "(stdin)= ") and I keep getting this error:

Error: Account registration failed. Please start back at Step 1. { "type": "urn:ietf:params:acme:error:malformed", "detail": "JWS verification error", "status": 400 } 

After some digging, discovered that sometimes a line break is inserted when copying and pasting, so I pasted the result into Notepad and discovered an errant linebreak, removed it, then recopied and pasted the text. No luck. Same error.

I'm guessing this has something to do with the auto-request for the CSR - something funky is being added.

I've got a directory called "ssl" at my root. In there are files "ssl.db" and "ssl.db.cache". Subdirectories are "csrs", "certs", and "keys" and with all of those, I see several files. Don't know if this info is helpful. Oh and I did a search for openssl.conf and nothing came up, so I'm sure it's out of my reach. 

Anyone have any suggestions for how to solve this? I've been at it for a few hours now. HALP!
1 Like

Hi @LeslieRez and welcome to the LE community forum

Let me recommend this software to you:

and tag the writer: @griffin

4 Likes

Son of a BeechNut Gum!! It worked!!!

Geez, I wish I would have posted earlier. Just spent about 5 hours trying to troubleshoot. Why isn't CertSage listed on Let's Encrypt's site?? At least any of the searches I did didn't work.

Now to Cert my other sites. Oh, gotta change the file extension first though from php to somethin innocuous.

thank you
Thank You
THANK YOU!

2 Likes

Welcome to the Let's Encrypt Community, Leslie

Glad CertSage served you well. If you run into any trouble or have any questions, just let me know.

4 Likes

Well, CertSage is relatively new, and I think Griffin may still be working on polishing up a few things before trying to advertise it more widely.

Really the main problem is that GoDaddy doesn't have an easy free certificate integration built-in, and intentionally makes integrating with other certificate providers complicated in order to try to push people toward their paid certificate offerings. Many other hosting providers make getting a Let's Encrypt certificate (or a free certificate from some other CA) a simple checkbox in a control panel or just automatically do it.

6 Likes

Tagging @griffin
Question:

So when I first tried installing an additional cert on another domain (this is a shared IP - shared server), I didn't find an additional cert in the CertSage directory.

I ended up finding an ADDITIONAL CertSage directory because of the way the server is configured:

  • Root directory for shared hosting user
    • CertSage (this is where the parent domain cert is stored)
    • public_html (is the webroot for the parent domain
      and what the IP addy is attached to)
      - childdomain1 (webroot for childdomain1)
      - childdomain2 (webroot for childdomain2)
      - childdomain3 (webroot for childdomain3)
      - childdomain4 (webroot for childdomain4)
      - CertSage (this is where the child domain certs are stored)

My question is about security. Both CertSage directories have permissions of 0755. Since the CertSage directory for the child domains is in the webroot of the parent domain, everything in there is visible/downloadable including the private key! The permissions on the files are 0644.

What can I do to secure this directory (I don't know what would affect the usability of the certs - sorry for my ignorance!)?? Or is there a way to force CertSage to store all of the certs in the parent root (one level below webroot of the parent domain and TWO levels below the webroot of the child domains)?

TIA

4 Likes

Your question is quite common and your assessment is absolutely correct. The solution is actually quite simple:

Editing line 18 of the certsage.php files for the child domains to change the $dataDirectory variable from "../CertSage" to "../../CertSage" will cause all of the certsage.php scripts to securely use the same data directory one level below the webroot of the parent domain.

When you install a certificate and its private key, cPanel keeps its own copy of them internally (under ssl in the root folder), so there's no need to keep separate copies (or any copies for that matter) of acquired certificates once they're installed into cPanel. If you still wish to change the names of each acquired certificate and private key to save them separately in the common data directory, which will prevent overwriting of the certificate.crt and certificate.key files by them being named the same, you can edit lines 636 and 640 of certsage.php to name the two files as you please.

Example:

  • a.com could write a.com.crt and a.com.key
  • b.net could write b.net.crt and b.net.key
  • c.org could write c.org.crt and c.org.key
2 Likes
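
Added example (not part of the thread and not CertSage code): a shell audit for the exposure discussed above, which reports private keys sitting under a webroot and tightens a data directory kept outside it. The function names and the temporary sample tree are constructed for illustration, and the 0700/0600 modes assume certsage.php runs as the hosting account's own user.

```bash
#!/usr/bin/env bash
# Added example, not CertSage code. Directory names follow the thread's layout;
# the sample tree and the "key" inside it are constructed placeholders.

# List files under a webroot that contain a PEM private-key header.
find_webroot_keys() {    # $1 = webroot, e.g. ~/public_html
  grep -rlE -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" 2>/dev/null | sort || true
}

# List entries in a data directory that group or other can access at all.
lax_entries() {          # $1 = data directory, e.g. ~/CertSage
  find "$1" -perm /077 | sort    # -perm /MODE is GNU find syntax
}

# Restrict a data directory to its owner: 0700 directories, 0600 files.
# Assumes certsage.php runs as the account user, so it keeps access.
lock_down() {            # $1 = data directory
  find "$1" -type d -exec chmod 700 {} +
  find "$1" -type f -exec chmod 600 {} +
}

# Build a constructed copy of the layout from the thread; prints its root.
make_sample_account() (
  root=$(mktemp -d)
  mkdir -p "$root/public_html/childdomain1"
  for d in "$root/CertSage" "$root/public_html/CertSage"; do
    mkdir -p "$d"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-NOT-A-KEY' \
      '-----END PRIVATE KEY-----' > "$d/certificate.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED' \
      '-----END CERTIFICATE-----' > "$d/certificate.crt"
    chmod 755 "$d"
    chmod 644 "$d/certificate.key" "$d/certificate.crt"
  done
  echo '<h1>child site</h1>' > "$root/public_html/childdomain1/index.html"
  printf '%s\n' "$root"
)

acct=$(make_sample_account)
echo "Private keys reachable under the webroot:"
find_webroot_keys "$acct/public_html"
echo "Data directory entries open to group/other before lock_down:"
lax_entries "$acct/CertSage"
lock_down "$acct/CertSage"
echo "...and after: $(lax_entries "$acct/CertSage" | wc -l) entries"
rm -rf "$acct"
```

Anything `find_webroot_keys` reports needs to be moved out of the webroot (the `$dataDirectory` change described above) rather than re-permissioned, since the web server can serve any file it is able to read there.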

Makes perfect sense! I deleted those directories (but kept the certsage.php file in each webroot - giving it a nonsensical extension so I can easily re-use when the time comes).

I'll edit the child files and change those lines - commenting in big bold letters so I can find it easily for the next domain I secure!

One last question (I think):

Who sends the reminder emails out to the email addy CertSage asks for? Let's Encrypt?

3 Likes

Always LE.
CertSage won't email you (ever).

3 Likes
