How do I obtain a certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ralfslab.net

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Crazydomains

I can login to a root shell on my machine (yes or no, or I don't know): don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello @rabb and welcome to the community.

Looks like we need your help to assist you effectively.

Much of the info we need (in the questionnaire at the top of this post) is based on your agreement with crazydomains and the plan you subscribe to with them.

I would recommend you take the unanswered questions from above and ask crazydomains support team to help you find the answers.

It's OK not to know, but the volunteers here can't make wild guesses. Kinda hard to do that.

As to the title question, "How do I obtain a certificate" I have linked to some valuable information for you:

7 Likes

This should NOT be "403 Forbidden":

curl -Ii http://ralfslab.net/.well-known/acme-challenge/Test-File-1234
HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Content-Length: 3485
4 Likes

Also, your DNS has IPv6 but that connection path fails

With this:

nslookup ralfslab.net
Name:   ralfslab.net
Address: 122.201.127.129
Name:   ralfslab.net
Address: 2405:3f00:a222:bbbb:bba1:d:ffff:ffff

Should not fail this:

curl -i6 http://ralfslab.net/.well-known/acme-challenge/Test-Forum-1
curl: (7) Couldn't connect to server
5 Likes

IPv4 and IPv6 show different results:

curl -I6 http://ralfslab.net/.well-known/acme-challenge/Test-Forum-1
HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Content-Length: 3483

root@ul18ipv46:/var/tmp/trash# curl -I4 http://ralfslab.net/.well-known/acme-challenge/Test-Forum-1
HTTP/1.1 404 Not Found
Server: nginx
Date: Sun, 10 Oct 2021 23:10:10 GMT
Content-Type: text/html; charset=iso-8859-1
Vary: Accept-Encoding

LE prefers IPv6 when present.

3 Likes
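The two checks above (the challenge path must not answer 403, and every published address, IPv6 first, must actually serve it) as one script. This is an added example, not code from anyone in this thread; it uses only the Python standard library, and the token "Test-Forum-1" is a made-up filename, so a 404 is the healthy answer for it.

```python
import socket
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"

def resolve(host):
    """A and AAAA addresses for host, like the nslookup output in the thread."""
    addrs = {"A": [], "AAAA": []}
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        rrtype = "AAAA" if family == socket.AF_INET6 else "A"
        if sockaddr[0] not in addrs[rrtype]:
            addrs[rrtype].append(sockaddr[0])
    return addrs

def probe(host, ip, token, timeout=5):
    """GET the challenge path from one address, with the Host header a validator sends.
    Returns the HTTP status, or an error string when the connection itself fails."""
    authority = f"[{ip}]" if ":" in ip else ip
    url = f"http://{authority}{CHALLENGE_PATH}{token}"
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers={"Host": host}),
                                    timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:   # before URLError: HTTPError is its subclass
        return e.code
    except (urllib.error.URLError, OSError) as e:
        return f"connect-error: {e}"

def classify(results):
    """results: (rrtype, ip, outcome) triples. For a made-up token 404 is healthy (file
    absent); 403 is the block seen in the thread; a connection failure is the IPv6 symptom."""
    verdicts = []
    for rrtype, ip, outcome in results:
        if isinstance(outcome, str):
            verdict = "unreachable"
        elif outcome in (200, 404):
            verdict = "ok"
        else:
            verdict = "blocked" if outcome == 403 else f"unexpected-{outcome}"
        verdicts.append((rrtype, ip, verdict))
    return verdicts

def check(host, token="Test-Forum-1"):
    """Probe every published address; LE prefers IPv6 when present, so AAAA comes first."""
    addrs = resolve(host)
    order = ("AAAA", "A") if addrs["AAAA"] else ("A",)
    results = [(rr, ip, probe(host, ip, token)) for rr in order for ip in addrs[rr]]
    return order[0], classify(results)
```

Run `check("ralfslab.net")` from a host with working IPv4 and IPv6; the first element tells you which path the validator contacts first, and any verdict other than "ok" on that path is what needs fixing before requesting a certificate.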

@rabb Yeah, never mind my -6 IPv6 failure. Something has gone wrong with my own IPv6 outbound. The problems @rg305 shows still need resolving.

4 Likes

OK. I have checked with CrazyDomains and they say they will accept any SSL.

I have CSR from them and everything I need.

CrazyDomains sent me this email.

quote:

As requested, we have generated a CSR file for your domain name
ralfslab.net. Please see the details below:

Server Software: Apache-ModSSL

CSR file :


You may now provide this to where you have purchased the SSL
certificate, once it has been generated, kindly send us the zip file of
the certificate so that we can install it for you.

end of quote

What happens next. I tried certbot and although it set up a folder in
.etc it didn't make my website secure.

Surely this should be a simple matter.. Why is it so complicated?

Welcome to the Let's Encrypt Community 🙂

4 Likes

Even if you get a cert for that CSR...
When you try to use it, all IPv6 clients will go unserved.
You need to fix the IPv6 problem - the only alternative is removing IPv6 from DNS if you can't fix it.

Name:      ralfslab.net
Addresses: 2405:3f00:a222:bbbb:bba1:d:ffff:ffff
           122.201.127.129
4 Likes

Using a CSR is traditional with other CAs but isn't normally the most convenient way to use Let's Encrypt. Let's Encrypt is designed to be automated by installing client software directly on the web server. It isn't designed to be used with manual human interaction like CrazyDomains is suggesting here. The "How It Works" page that @griffin linked to describes this in a bit more detail.

5 Likes

Because CrazyDomains has chosen to make it difficult for you. Usually, a shared hosting provider would provide a built-in system for TLS certificates. Preferably HTTPS is enabled by default without any action required, but some choose to have some kind of button in the configuration panel to enable HTTPS with a free Let's Encrypt certificate.

However, it seems CrazyDomains didn't implement this from their side and chose to make it difficult for you.

By the way, you can find the certbot documentation here: User Guide — Certbot 1.19.0.dev0 documentation

5 Likes

Not one of you people has told me what to do to get security. Crazy
domains and plenty of other servers can do it at a price but I haven't
set the site up properly yet so don't want to pay too much for it...but
I need security for some .exe applications I have written in
scientific articles and most browsers will not touch them.

So please can somebody tell me plainly and simply what I have to do next
to get an SSL certificate from you people. I have already donated to
LetsEncrypt but am starting to wish I hadn't. I'm getting the impression
that it's little more than a scam. Sorry about that but since no clear
instructions are provided it is hard to think otherwise.

It's certainly not a scam. Also, multiple people have already posted links to the "Getting started" and "How Let's Encrypt works" documentation pages. I'm not sure how much simpler than those pages we can make it?

Did you actually read those documentation pages? If so, what wasn't clear about those pages? Maybe the Let's Encrypt crew needs to make those pages more clear.

Also notice that Let's Encrypt is all about automation, which is not possible through the act of getting sent a CSR by e-mail and the requirement to e-mail back the certificate. So it might be that the documentation for such methods is not explained step by step.

5 Likes

Well, other providers simply ask for money up front followed by a CSR
statement from one's web host and then do the rest.. I actually
generated a private SSH key but I suppose that's how some of them earn
their money. Let'sEncrypt more or less leaves it to certbot, which I
tried for hours in terminal without getting a positive result. The
instructions might be meaningful to experts but much of the terminology
is very confusing to a newbie to this field like myself. So why can't
LetsEncrypt simply produce the zip file that crazy Domains requested?

With "other providers", you mean other Certificate Authorities (CA) or webhost providers? Because as far as I know, a "classic" CA would not handle the interaction between the CA and the webhost: that too would be a job for the user.

You probably mean SSL instead of SSH? Because SSH is something else altogether. Assuming you did mean SSL: if your webhost has sent you a CSR for you to use, there's no need to also generate an SSL private key yourself: the public key embedded in the CSR is part of a public/private keypair where the private key of the keypair is to be used by your webhost and already present at your webhost.

You're not required to use certbot. Certbot is just one of MANY ACME clients available. See ACME Client Implementations - Let's Encrypt for a non-exhaustive list of ACME clients.

That's unfortunate. We can give you more help, but personally I would very much like to see what you've already tried and what you already know. For example, you already have certbot installed, right? What did you try and why didn't that work?

This is not to annoy you, but most of the time it's not possible to give a "one size fits all" instruction.

Let's Encrypt only provides their services through the ACME API: everything is automated. Even the certificates generated for the use of Let's Encrypt themselves are generated through their public API. No human issuance of certificates is possible.

Also, as already explained in the "How Let's Encrypt works" documentation linked above, Let's Encrypt requires PROOF of ownership of the hostname. See the challenge type documentation also linked above on how Let's Encrypt validates that proof of ownership.

6 Likes

Osiris (Community leader, https://community.letsencrypt.org/u/osiris), October 11:

rabb:

Well, other providers simply ask for money up front followed by a
CSR statement from one's web host and then do the rest..

With "other providers", you mean other Certificate Authorities (CA) or
webhost providers? Because as far as I know, a "classic" CA would not
handle the interaction between the CA and the webhost: that too would be
a job for the user.

rabb:

I actually generated a private SSH key but I suppose that's how
some of them earn their money.

You probably mean SSL instead of SSH? Because SSH is something else
altogether. Assuming you did mean SSL: if your webhost has sent you a
CSR for you to use, there's no need to also generate an SSL private key
yourself: the public key embedded in the CSR is part of a
public/private keypair where the private key of the keypair is to be
used by your webhost and already present at your webhost.

No, I meant an SSH key. I was instructed to do that.

rabb:

Let'sEncrypt more or less leaves it to certbot, which I tried for
hours in terminal without getting a positive result.

You're not required to use certbot. Certbot is just one of MANY ACME
clients available. See ACME Client Implementations - Let's Encrypt
https://letsencrypt.org/docs/client-options/ for a non-exhaustive list
of ACME clients.

I don't want a list, I just want to know how to use one of them. There
are no step by step instructions anywhere.

rabb:

The instructions might be meaningful to experts but much of the
terminology is very confusing to a newbie to this field like myself.

That's unfortunate. We /can/ give you more help, but personally I
would very much like to see what you've already tried and what you
already know. For example, you already have certbot installed, right?
What did you try and why didn't that work?

Certbot is apparently installed but the only way I can access it is via
the terminal. I did that and went through the procedure...it eventually
gave an error message and I gave up. It has installed

This is not to annoy you, but most of the time it's not possible to
give a "one size fits all" instruction.

rabb:

So why can't LetsEncrypt simply produce the zip file that crazy
Domains requested?

Let's Encrypt only provides their services through the ACME API:
everything is automated. Even the certificates generated for the use of
Let's Encrypt themselves are generated through their public API. No human
issuance of certificates is possible.

Also, as already explained in the "How Let's Encrypt works"
documentation linked above, Let's Encrypt requires PROOF of ownership of
the hostname. See the challenge type documentation also linked above on
how Let's Encrypt validates that proof of ownership.

I understand that but like I said, there is a lot of detail that is very
hard to follow but no actual step by step instructions about what to
actually do. It has set up a folder on my .etc folder but I don't know
how that relates to making my website secure.

Ok, so it seems you have shell access to your server and Certbot is installed. Perhaps a VPS?

Anyway, can you paste the error you received here? Along with the command you ran that caused the error.

3 Likes

If you want a ridiculously easy way to get a Let's Encrypt certificate, just use CertSage (the ACME client I authored) rather than certbot. CertSage fits well with hosting providers that like to do things "old school".

3 Likes

OK thanks, I will try that when I get a chance...I'm changing to another
computer.

3 Likes

I have tried certsage and it doesn't want to work. It claims the code I
obtain from 'code.txt' is wrong. There is no security section on my
cpanel and no way to generate a new key. I have found both certificate
keys anyway on my webroot/ssl folder.

What is going on? I have already donated.

2 Likes