How do I obtain a certificate

It's certainly not a scam. Also, multiple people have already posted links to the "Getting started" and "How Let's Encrypt works" documentation pages. I'm not sure how much simpler than those pages we can make it?

Did you actually read those documentation pages? If so, what wasn't clear about those pages? Maybe the Let's Encrypt crew needs to make those pages more clear.

Also notice that Let's Encrypt is all about automation, which is not possible through the act of getting sent a CSR by e-mail and the requirement to e-mail back the certificate. So it might be that the documentation for such methods is not explained step-by-step.

5 Likes

Well, other providers simply ask for money up front followed by a CSR statement from one's web host and then do the rest.. I actually generated a private SSH key but I suppose that's how some of them earn their money. Let'sEncrypt more or less leaves it to certbot, which I tried for hours in terminal without getting a positive result. The instructions might be meaningful to experts but much of the terminology is very confusing to a newbie to this field like myself. So why can't LetsEncrypt simply produce the zip file that Crazy Domains requested?

With "other providers", you mean other Certificate Authorities (CA) or webhost providers? Because as far as I know, a "classic" CA would not handle the interaction between the CA and the webhost: that too would be a job for the user.

You probably mean SSL instead of SSH? Because SSH is something else altogether. Assuming you did mean SSL: if your webhost has sent you a CSR for you to use, there's no need to also generate an SSL private key yourself: the public key embedded in the CSR is part of a public/private keypair where the private key of the keypair is to be used by your webhost and already present at your webhost.

You're not required to use certbot. Certbot is just one of MANY ACME clients available. See ACME Client Implementations - Let's Encrypt for a non-exhaustive list of ACME clients.

That's unfortunate. We can give you more help, but personally I would very much like to see what you've already tried and what you already know. For example, you already have certbot installed, right? What did you try and why didn't that work?

This is not to annoy you, but most of the time it's not possible to give a "one size fits all" instruction.

Let's Encrypt only provides their services through the ACME API: everything is automated. Even the certificates generated for the use of Let's Encrypt themselves are generated through their public API. No human issuance of certificates is possible.

Also, as already explained in the "How Let's Encrypt works" documentation linked above, Let's Encrypt requires PROOF of ownership of the hostname. See the challenge type documentation also linked above on how Let's Encrypt validates that proof of ownership.

6 Likes

Osiris (https://community.letsencrypt.org/u/osiris), Community leader, October 11:

> rabb:
>
> > Well, other providers simply ask for money up front followed by a CSR statement from one's web host and then do the rest..
>
> With "other providers", you mean other Certificate Authorities (CA) or webhost providers? Because as far as I know, a "classic" CA would not handle the interaction between the CA and the webhost: that too would be a job for the user.

> rabb:
>
> > I actually generated a private SSH key but I suppose that's how some of them earn their money.
>
> You probably mean SSL instead of SSH? Because SSH is something else altogether. Assuming you did mean SSL: if your webhost has sent you a CSR for you to use, there's no need to also generate an SSL private key yourself: the public key embedded in the CSR is part of a public/private keypair where the private key of the keypair is to be used by your webhost and already present at your webhost.

No, I meant an SSH key. I was instructed to do that.

> rabb:
>
> > Let'sEncrypt more or less leaves it to certbot, which I tried for hours in terminal without getting a positive result.
>
> You're not required to use certbot. Certbot is just one of MANY ACME clients available. See ACME Client Implementations - Let's Encrypt https://letsencrypt.org/docs/client-options/ for a non-exhaustive list of ACME clients.

I don't want a list, I just want to know how to use one of them. There are no step-by-step instructions anywhere.

> rabb:
>
> > The instructions might be meaningful to experts but much of the terminology is very confusing to a newbie to this field like myself.
>
> That's unfortunate. We /can/ give you more help, but personally I would very much like to see what you've already tried and what you already know. For example, you already have certbot installed, right? What did you try and why didn't that work?

Certbot is apparently installed but the only way I can access it is via the terminal. I did that and went through the procedure... it eventually gave an error message and I gave up. It has installed

> This is not to annoy you, but most of the time it's not possible to give a "one size fits all" instruction.

> rabb:
>
> > So why can't LetsEncrypt simply produce the zip file that Crazy Domains requested?
>
> Let's Encrypt only provides their services through the ACME API: everything is automated. Even the certificates generated for the use of Let's Encrypt themselves are generated through their public API. No human issuance of certificates is possible.
>
> Also, as already explained in the "How Let's Encrypt works" documentation linked above, Let's Encrypt requires PROOF of ownership of the hostname. See the challenge type documentation also linked above on how Let's Encrypt validates that proof of ownership.

I understand that but like I said, there is a lot of detail that is very hard to follow but no actual step-by-step instructions about what to actually do. It has set up a folder on my .etc folder but I don't know how that relates to making my website secure.

Ok, so it seems you have shell access to your server and Certbot is installed. Perhaps a VPS?

Anyway, can you paste the error you received here? Along with the command you ran that caused the error.

3 Likes

If you want a ridiculously easy way to get a Let's Encrypt certificate, just use CertSage (the ACME client I authored) rather than certbot. CertSage fits well with hosting providers that like to do things "old school".

3 Likes

OK thanks, I will try that when I get a chance... I'm changing to another computer.

3 Likes

I have tried CertSage and it doesn't want to work. It claims the code I obtain from 'code.txt' is wrong. There is no security section on my cPanel and no way to generate a new key. I have found both certificate keys anyway in my webroot/ssl folder.

What is going on? I have already donated.

2 Likes

Every time you load the webpage (certsage.php), a new code is generated and put into code.txt. This is to prevent bad actors from trying to generate certificates on your behalf. I'm assuming that you found code.txt inside the CertSage folder right above your website's root folder. You don't need to worry about generating a private key or a certificate signing request (CSR) because CertSage handles all of that for you. Once CertSage is able to successfully prove your domain ownership to Let's Encrypt (which will happen in the background after you click Proceed), your new certificate (certificate.crt) and its private key (certificate.key) will automatically be saved in the CertSage folder. Based on the information I gathered from this thread, you may need to submit that certificate and private key to your hosting provider for them to install for you.

3 Likes

If you run into any trouble whatsoever, we're here to help.

3 Likes

I have done what you suggested and received this reply:

Quote: "I tried to install the SSL certificate that you sent, however, the CA bundle is incomplete.

Please supply a full Certificate Authority Bundle with the root certificate included or kindly send us the zip files so that we can complete the SSL installation."

end of quote.

Now I realize everything on LetsEncrypt is automated but surely I am not the first person who has had this problem. I have donated to both LE and CertSage and have received what appears to be the required information... but clearly my web host needs more. I would be very surprised if LE has not been asked for such information before because many others must have done exactly what I have done and also tried to avoid paying too much for SSL. I am getting the impression that nobody actually runs LetsEncrypt and therefore nobody can do anything beyond what is automated... and that is insufficient for many website hosts. Or maybe I am LE's first real customer and they simply don't know what a zipped Certificate Authority Bundle actually is. I certainly don't at this stage but I am trying to learn how this whole system works just in case I want to sell something online in future. I also need https to publish some simulation programs I have written in Microsoft VBasic, which are .exe format and blocked by many browsers. I don't have time to learn Java or Python or any other one at the moment and VB is ideal for my purpose.

The certificate.crt file generated by CertSage contains the full CA bundle as presented directly by Let's Encrypt. The last two certificates in that file are the CA bundle. If they want a single CA bundle certificate, tell them to use the second certificate in the file as the CA bundle. The first certificate in the file is your certificate.

4 Likes

That is really a failure on the side of that web host.
There are plenty to choose from that work perfectly well with automation.
See: Web Hosting who support Let's Encrypt - Issuance Tech - Let's Encrypt Community Support (letsencrypt.org)

4 Likes

If they want a single CA bundle certificate, tell them to use the second certificate in certificate.crt as the CA bundle. The first certificate in the file is your certificate.

2 Likes

That's very odd. Why would they need the root?

If they use the last two certificates in certificate.crt as the CA bundle, this is the root (yes it's supposed to be expired):

https://letsencrypt.org/certs/trustid-x3-root.pem

If they use only the second certificate in certificate.crt as the CA bundle, this is the root:

https://letsencrypt.org/certs/isrgrootx1.pem

3 Likes
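A small helper for the situation in the posts above, where a host wants the server certificate and the CA bundle as separate files cut out of certificate.crt. This is an added example, not CertSage's or Let's Encrypt's code; the PEM bodies in it are constructed placeholders, not real certificates.

```python
import re

# Constructed sample standing in for CertSage's certificate.crt: three
# placeholder PEM blocks (server cert, intermediate, cross-signed root).
# The base64 bodies are dummy text, not real certificates.
SAMPLE_FULLCHAIN = """-----BEGIN CERTIFICATE-----
TEVBRiBDRVJUIChjb25zdHJ1Y3RlZCk=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFIChjb25zdHJ1Y3RlZCk=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Uk9PVCAoY29uc3RydWN0ZWQp
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

def split_pem_certs(text: str) -> list:
    """Return every CERTIFICATE block in the file, re-wrapped, in file order."""
    certs = []
    for body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())
        # A mangled copy-paste is a common reason a host reports the
        # bundle as "incomplete", so reject anything that is not base64.
        if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", b64):
            raise ValueError("certificate block is not valid base64")
        wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        certs.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n"
                     "-----END CERTIFICATE-----\n")
    if text.count("-----BEGIN CERTIFICATE-----") != len(certs):
        raise ValueError("unterminated certificate block in input")
    return certs

def split_fullchain(text: str, single_intermediate: bool = False):
    """Split certificate.crt into (server certificate, CA bundle).
    The first block is the server certificate; the rest is the CA bundle.
    single_intermediate=True keeps only the second block, so the chain
    leads to ISRG Root X1 rather than the expired root mentioned above."""
    certs = split_pem_certs(text)
    if len(certs) < 2:
        raise ValueError("file holds no CA chain after the server certificate")
    leaf, chain = certs[0], certs[1:]
    bundle = chain[:1] if single_intermediate else chain
    return leaf, "".join(bundle)
```

Write the two returned strings to separate files and hand the host only those; account.key and account-staging.key are never part of what gets sent.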

Via their chat line, I sent the certificate.crt and the certificate.key. The person I spoke to did not ask for the account-staging.key. Anyway, I will now send that to them anyway. I gather that is all they need. Thanks for your help.

1 Like

There is no such thing as "real customer", as Let's Encrypt is just a publicly available API offering certificates for free. Note that donating is highly appreciated, but not required.

Also note that Let's Encrypt issues more than 2.5 million certificates PER DAY: Let's Encrypt Stats - Let's Encrypt

Of those 2.5 million certs per day, probably just a handful are issued manually, like you're doing now. It's just not the intended way.

7 Likes

Your Let's Encrypt ACME production and staging account keys (account.key and account-staging.key) should never be shared with anyone. They are used to acquire/revoke certificates and are never used for installing or serving certificates.

3 Likes

As long as they understand what you've given them, they should have no trouble installing your SSL certificate. I am assuming here that you sent them a production certificate and not a staging (test) certificate.

3 Likes

I have sent them everything. Both keys and the certificate.crt. That's what they asked for.