How do I download the domain.key once finished?


#1

In regards to: https://gethttpsforfree.com/

I used this site above many times but still coming up with nothing every time I use it. Despite having a working ssh (open), still cannot obtain or get domain.key sent to me.

I run apache2 on debian-jessie.

When I get to step 5 Install Certificate, I use the command (scp domain.key admin@mydomain.ca:/etc/ssl/private/domain.key) to copy or have sent the domain.key. My ssh then tries to connect to my domain-name-email and asks for the password. It turns out netfirms doesn’t enable-ssh for self-hosted sites on their end. WTF? So ssh (even though working) doesn’t work for me in this situation. I’ve tried the auto-installs to no avail which is why I went with this site above.

Is there anything else I can try to do just to be able to get this much needed domain.key???


#2

Well, you could give a go to SSL Certificate Wizard at https://ZeroSSL.com. However, you’ve mentioned that SSH is not enabled for your hosting and all auto-installs have failed. Are you sure you can actually install the certificate in your particular environment (such as upload the key and the certificate into appropriate place and change the web server configuration accordingly)?


#3

You have generated domain.key on your local computer in step 2. So you already have it somewhere.


#4

Thanks guys for replying here.

@Leader, I mentioned that ssh is open above as in (open), but still won’t allow me to login with ssh because my domain name provider doesn’t allow ssh unless I spend money.

Osirus - I wish I knew where exactly to look for it.

Both of you thank you for responding. I may try ZeroSSL to generate the Let’s Encrypt certificates. Too bad though that I couldn’t do this. I’ll keep trying.


#5

@OCT, in the “How do I generate this?” step, they told you to run the command

openssl genrsa 4096 > domain.key

When you ran that command, the domain.key file got created on your own computer in whatever directory your shell (command interpreter) was in.

If you are using Windows, you can find out the name of that directory by running cd at the same command prompt. If you’re on a Unix-like operating system like Linux or Mac OS X, you can find it by running pwd at the same command prompt.


#6

Thank you greatly for this schoen, and everyone here. This helps to narrow this down for me. I’ve naturally got a lot to deal with here in running my own server and hosting websites. Though I’m not complaining :wink:

I tried also testing with my own self-issued certificates so I know that that is working.

I am wondering how I could append the command above: openssl genrsa 4096 > domain.key; to save the file to someplace else that I would recognize? And if so, what would this command appendage be? Say saving it to desktop?


#7

The “> domain.key” part of that command is what does the redirection. So, if you want it to go to /path/to/domain.key, the command would be “openssl genrsa 4096 > /path/to/domain.key”. Or you could just choose the directory you want these files to be in before you start running the openssl commands.


#8

If you want to save it to the desktop, there is definitely a specific path for your desktop, but it depends on what operating system you’re running.

On Unix-like systems such as Linux and Mac OS X, you can typically refer to it as ~/Desktop, so for example you could

openssl genrsa 4096 > ~/Desktop/domain.key

on those systems. If your current directory was also your home directory, you can simplify this to

openssl genrsa 4096 > Desktop/domain.key

On Windows, it depends on the version of Windows, but see, e.g.,

For recent versions of windows it might be

openssl genrsa 4096 > C:\Users\username\Desktop\domain.key

If your current directory was already your home directory, you can simplify this to

openssl genrsa 4096 > Desktop\domain.key

Note that the slash used as a path separator is opposite between Unix and Windows (it’s the forward slash, /, on Unix, and the backslash, \, on Windows).


#9

Thank you guys, I finally understand how to save the domain.key in the directory I wanted. But now there’s something wrong here after trying to obtain this certificate. During step 5 (at: https://gethttpsforfree.com/) I now get:

Step 5: Install Certificate (Error: Certificate signature failed. Please start back at Step 1. { “type”: “urn:acme:error:rateLimited”, “detail”: “Error creating new cert :: Too many certificates already issued for exact set of domains: mydomainname.ca,www.mydomainname.ca”, “status”: 429 })

It obviously verifies the domain and I prove that it belongs to me no problem, just could never as yet ever obtain the certificate. Now I probably have to wait until I can add a new certificate, since I have too many that I cannot get anyway for some (probably stupid reason)? I don’t understand why I am getting so much grief from this.


#10

Are the certificates sent by email or something else like ssh?
I’ve tried both Mozilla Firefox and the actual Google Chrome (not Chromium) in an attempt at thinking that it may be just the browser.

I just haven’t been able to do this yet. Here with using the interface at (https://gethttpsforfree.com/9) or with using ZeroSSL. Like what do I need to enable in order to get this to send the certificate to me? I already mentioned that I use Debian Jessie with Apache2.


#11

You might be able to get a copy of your certificate from the public Certificate Transparency registry, where all Let’s Encrypt certificates are published.

A web interface to search it is at

https://crt.sh/

Normally it’s not useful for the certificate recipient to download copies from there because most people who somehow don’t have their certificates also don’t have the corresponding cryptography key. But if you still have the private key, you might be able to get the certificate from Certificate Transparency and use it.


#12

@OCT, when you use gethttpsforfree or zerossl, the certificate should be presented to you inside the web interface (as a file to save from your web browser). There isn’t some other external mechanism for certificate delivery.


#13

Quick question - you don’t happen to use non-standard characters in the domain name, right? Because IDN is not yet supported.

I have also made a slight change that hopefully should give you some extended information about an error. It is past midnight though, so hopefully nothing breaks :slight_smile:


#14

@leader, hi leader, no, it’s entered the way it should or would normally be entered, e.g.: domainname.ca and www.domainname.ca. I cannot try again unfortunately, as going to crt.sh shows that the same domain name was created on the 9th and 10th of this month. And multiple times at that.

@schoen, hi Seth, so when I use the web interface, is the file that I am supposed to be waiting for actually the domain.key that was downloaded in step 2? Or how many files in total am I supposed to download?


#15

@OCT, I have not used either of these services so I don’t know exactly what text they present when providing the certificate to you. As discussed earlier in this thread, domain.key is supposed to be generated on your own computer and therefore wouldn’t need to be downloaded (unless you chose to run openssl on your web server while logged into the server over SSH).

Overall, you typically need three files in order to enable HTTPS on a web server: the domain private key, the certificate, and the chain. (Sometimes the last two items are combined into a single file.)


#16

And the fact that you got a rate limit error shows that the Let’s Encrypt CA believes that you did, in fact, succeed in getting those certificates issued; so probably either there is a bug in the web interface that you were using, or you forgot to download the certificates after they were issued, or you did successfully download them but then didn’t understand what the downloaded files were.


#17

So could be that you hit the renewals limit then …

@schoen Do you know by chance what error code is returned if that limit is hit? 400 or something else?


#18

I think I may be going off the rails here.

@schoen, I think I may have gone off the rails and ended up with my train in the ticket-office. I think that I may have been doing this the right way after all this time, but I cannot confirm this now due to having to wait. Just couldn’t wrap my head around the gui. :smirk:

When you mentioned above that the domain.key was supposed to or was downloaded (well… that was in step 2 and not the final end, which is very confusing to me). I may have been saving it all along.

Is it safe to put the other two files that display in the gui, in their own files and name them accordingly?

Don’t want to drag this on but I think I got an error when I pointed apache2 to these three files when I was just starting this a few days ago. Then things got more and more confusing.

But I will wait until I can try the gethttpsforfree gui again. May be a couple of days though.


#19

@OCT, yes, perhaps the site is displaying the content of the files in order to invite you to copy and paste the data into separate files that you save yourself (using a text editor on your own computer). In that case, my use of “download” might be misleading.

They are definitely not going to be sent to you in any other way, so you have to somehow get them off of the gethttpsforfree page itself. (That is a slight contrast from domain.key, which, again, you’ve created yourself when you ran the openssl command, and which is already on your computer in whatever directory was the current directory for the command interpreter where you typed in the openssl command.)

You can download everything but the private key (domain.key, or what Certbot equivalently calls privkey.pem) from public sources. https://crt.sh/ will have a usable, working copy of the certificate, and https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem is the current chain that anything issued recently will need. Nobody else should have your domain.key because it’s meant to be kept secret (and you generated it yourself!). If you do have domain.key, you should be able to proceed using those without issuing any further certificates. If you have trouble with Apache, maybe you can ask about the specific error and somebody can help you out with that.
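The check a practitioner would want before pointing Apache at the three files from #15 and #19 is whether the domain.key on the local machine really belongs to the certificate pasted from the page or fetched from crt.sh. This is an added example, not code from the thread, gethttpsforfree or Let’s Encrypt; the file names domain.key, domain.crt and chain.pem are assumptions, and the demo material it builds is constructed, self-signed and throw-away.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed file names: domain.key (the key from
# "openssl genrsa 4096 > domain.key"), domain.crt (the certificate pasted from the
# gethttpsforfree page or fetched from crt.sh). Requires the openssl command.

# Return 0 when the public half of the private key equals the public key inside the
# certificate, 1 when they differ, 2 when either file cannot be read. Comparing the
# PEM SubjectPublicKeyInfo works for any key type, not just RSA.
check_key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Print subject, expiry and the DNS names the certificate covers, so they can be
# compared with the "exact set of domains" named in a rate-limit error.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -enddate
    openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;p;}'
}

# Constructed material for offline testing: a throw-away self-signed key/cert pair
# standing in for domain.key/domain.crt, plus an unrelated key that must NOT match.
# Prints the temporary directory holding the files.
make_demo_material() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/domain.key" -out "$dir/domain.crt" \
        -subj "/CN=mydomainname.ca" \
        -addext "subjectAltName=DNS:mydomainname.ca,DNS:www.mydomainname.ca" \
        >/dev/null 2>&1 || return 1
    openssl genrsa 2048 > "$dir/other.key" 2>/dev/null || return 1
    echo "$dir"
}

# Usage: sh check_cert_files.sh domain.key domain.crt
# With no arguments the script only defines the functions above.
case "${1:-}" in
    "") ;;
    *)
        if check_key_matches_cert "$1" "$2"; then
            echo "OK: $1 is the private key for $2"
            describe_cert "$2"
        else
            echo "MISMATCH or unreadable: $1 does not belong to $2" >&2
            exit 1
        fi ;;
esac
```

For the chain file, `openssl verify -untrusted chain.pem domain.crt` checks that domain.crt chains through the saved intermediate to a root in the system trust store.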


#20

If you hit a limit of issuing max 5 certificates for the same set of names per week, you just need to wait indeed.

It is not quite clear though what is exactly meant by “per week” - a calendar week or the sliding window of 7 days from the current point in time into the past :slight_smile: