How can I get a certificate just with user ssh access?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: new starter cpanel = alnwickchoralsoc.co.uk; original Linux business alnwickchoralsociety.co.uk
I run the website for my local choir. When search engines recently starting flashing up dire warnings I looked into changing my site to an https site. I bought a new hosting package with 123reg as they told me it support the upload of external ssl certificates. I copied the website to the new site and closed down the old one. I intend to rename the current site with the full domain name. alnwickchoralsociety.co.uk I would be very grateful if you could let me know how to proceed with the ssl certificates. I have read about acme client but don't know how to start - if that is the way I should choose. I need to validate the site to show that the site is mine and upload a valid certificate.

The operating system my web server runs on is (include version):Apache and shared web hosting

My hosting provider, if applicable, is:123reg; shared web hosting

I can login to a root shell on my machine: - No, I have switched on ssh access but I am just a user & don't have root access

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):??

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): My account with 123reg does not allow certbot to be installed but does support the upload of external ssl certificates. My problem is that I do not know how to validate that I own the domain so that I can access certificates from letsencrypt. I am happy to manually renew every 3 months or so.
I am sorry if I have missed important information out - I can always add it if you show me where I can find it .... if anyone can help I would be very grateful. Many thanks,
Ian

4 Likes

Hi @IanADCS, welcome to the LE community forum :slight_smile:

I would be happy if you could automate this.
But the hosting package doesn't seem to allow for that... :frowning:
So you may have to obtain the cert manually and then update it manually also.
But there is one possible ray of light that might ease the... manual pain.
Does the server run PHP?
If so, then there might be a PHP client that can help.
If not, then there is one other (half automation) method... But that requires being able to update your DNS zone via an API.
So you will have to ask your DNS Service Provider (DSP) if they support DNS updates via an API.
If they do, then you can automate that part (from any PC/system with Internet access) with an ACME client that supports that DSP.
Otherwise, the only way left to obtain a cert is to manually run an ACME client (at any other system) and use the DNS-01 authentication method. Which would require making changes to your DNS zone manually (and waiting for all the authoritative DNS servers to synchronize that change) before obtaining a cert.
Once you have a (new) cert, then you need to follow their instructions on how to install it (every 60-90 days).

Sorry about the long read - hope it was worth it.

4 Likes

This might be an insightful question to revisit. Usually, shared hosting has some kind of website on which you can login with your user credentials and where you can configure and manage your site. Examples are cPanel, DirectAdmin, ISPConfig, Plesk or Webmin, to name a few.

It would be rather rare you just have non-root SSH access without anything else.

5 Likes

Thank you for your advice. I need to read it through so that it makes sense and check out whether I can use one of the methods you suggest in my case. I don't mind manually updating an ssl certificate it is just the matter of being able to upload one. The cpanel php version my basic package comes with is version 8. I know it has PHP but I don't know what you would want me to do with it. I thought I could use ssh & putty to upload certbot but although 123reg allows me to switch access on it does not give me root access [admin] I am just a user. I know about acme clients but not which one I could use with my package. I will look into your advice. Many thanks again. Ian

5 Likes

Thanks. As I said in my first message. I have a basic cpanel package and I can access and edit key files; e.g. .htaccess and wp config etc but I have no admin rights to the site. 123reg have said I can upload ssl certificates but don't explain how to go about this as they want me to buy their ssl certificate. Thanks for asking for further information. It would be great if it clarified the situation. Ian

5 Likes

Welcome to the Let's Encrypt Community, Ian :slightly_smiling_face:

Honestly, you sound like the ideal candidate for my CertSage ACME client.

2 Likes

Ah, missed that entirely, especially as the control panel question was answered with question marks.

I too think CertSage might be interesting for you. We could ask @griffin if he already integrated cPanel automation yet :wink:

5 Likes

Two possible aids in your quest.

4 Likes

Hi @IanADCS, here's 2 links to 123reg's support pages regarding installing a SSL cert to your website.

https://www.123-reg.co.uk/support/hosting/manually-install-an-ssl-certificate-on-my-cpanel-hosting/

4 Likes

Thanks for suggesting this. It looks like a real possibility. I will try to do this once I get control back of my site... a little knowledge can be dangerous ..... Within WordPress Admin I tried to change the url to the old domain name alnwickchoralsociety [ which points to the new domain, got an error message and couldn't and I changed the web address back to the original alnwickchoralsoc and since then I have had 403 error messages and can't access wpadmin and don't know what to do from within cpanel to undo. I also have the basic WordFence plugin installed so I am not sure if that is somehow interacting but more likely just my mistake.

123reg support have just come to my aid and I now have access to my WP admin. Yippee! Thank you 123reg.

5 Likes

Thank you for the links to the help pages within 123 reg. I just know a little about this side of computing so it still is unclear I am afraid. I understand I can upload the certificates but don't know how I can get them from letsencrypt if they can not validate that I am the owner of the site. Best wishes

3 Likes

I would be very grateful if you could help me further. Your Certsage sounds exactly right for my problem but I am having problems following the instructions you sent me. Sorry. I have uploaded the certsage.txt file into the correct root directory, renamed it to certsage.php. I don't follow the next part - visit the website to get my certificate. There are two boxes to complete the first under code and the second under domain name. Please can you tell me what to put. I have tried alnwickchoralsociety.co.uk for code and for my domain name www.alnwickchoralsociety.co.uk. I have also tried the full copied text of certsage.txt. Please can you let me know how to proceed. Thank you for your time.
I think it must be to do with the acme challenge and I will look online to find out where I might be able to find the embedded code. It is just that I don't know whether I have done enough for the well know client challenge to have started.

4 Likes

The code which you need to enter in the "code" input field is the contents of the file named "code.txt" which resides in the directory "CertSage". And you can find that directory one level below the webroot which is the directory you've put certsage.txt in.

There you need to enter your hostnames, i.e. alnwickchoralsociety.co.uk and www.alnwickchoralsociety.co.uk, both separately, each on its own line.

@griffin Probably a good idea to explain more about the code field. Not everybody knows what you mean with ../CertSage/code.txt. As in, not everybody knows what .. means.

4 Likes

Thank you for your help. I am really grateful to you all. I still am struggling as I can't find the certsage directory nor one level down. On my cpanel file manager I can go up one level but not sure what you mean about down. Sorry. While you were replying to me with help I found something online and have added .well-known and .acme-challenge folders public html. I am sure I will get there in the end. Please just have patience with me as I take time to follow all your instructions / help. Many thanks and best wishes.

4 Likes

Yippee. I have found the code.txt - not sure how, just playing. I think my coffee break helped. Many thanks (:slight_smile:

Still must be doing something wrong as I continue to get the pesky "Trouble ..... code was incorrect" message.

Below the certsage code.txt there is an empty responses.txt. Should I be doing anything with this?
Why do I have two hostnames? I have tried just giving the www one but that doesn't work.

I have tried Ctrl + Insert and Shift + Insert and it makes no difference. Can I ask again how exactly should I write my host names [if I need two] on the same line - separated by a comma and with a comma at the end as above or just with a space?

4 Likes

Hi. :slightly_smiling_face:

The contents of code.txt change every time you load the certsage.php page, so you need to first open the certsage.php page then grab and paste the code then fill in your domain names, one per line, like this:

alnwickchoralsociety.co.uk
www.alnwickchoralsociety.co.uk

So just put in alnwickchoralsociety.co.uk, hit enter, then put in www.alnwickchoralsociety.co.uk.

You enter email addresses the same way, one per line. The email addresses are only used by Let's Encrypt for their notification purposes.

Oh, and you don't need to create the .well-known or acme-challenge directories. CertSage handles all that for you.

4 Likes

I think you're right. I'll try to make this clearer.

4 Likes

Are those two tiny little eyes spying on me?!?!
LOL

2 Likes

Thank you very much for taking the time to help me out. I can't quite believe it but my site now boasts the https lock!! I am really chuffed. The detailed notes were clear once I knew how to get started so I am really grateful. Many thanks and best wishes, Ian

5 Likes

You are quite welcome, my friend. :blush:

Glad it worked out! :partying_face:

Don't forget to renew in 60 days or so.

Your cert will expire in 90 days.

I don't see your cert as installed yet though from my end.

I had "soc" instead of "society" in the domain name.

3 Likes