How do I obtain a certificate

I have tried certsage and it doesn't want to work. It claims the code I
obtain from 'code.txt' is wrong. There is no security section on my
cpanel and no way to generate a new key. I have found both certificate
keys anyway on my webroot/ssl folder.

What is going on? I have already donated.

2 Likes

Every time you load the webpage (certsage.php), a new code is generated and put into code.txt. This is to prevent bad actors from trying to generate certificates on your behalf. I'm assuming that you found code.txt inside the CertSage folder right above your website's root folder. You don't need to worry about generating a private key or a certificate signing request (CSR) because CertSage handles all of that for you. Once CertSage is able to successfully prove your domain ownership to Let's Encrypt (which will happen in the background after you click Proceed), your new certificate (certificate.crt) and its private key (certificate.key) will automatically be saved in the CertSage folder. Based on the information I gathered from this thread, you may need to submit that certificate and private key to your hosting provider for them to install for you.

3 Likes

If you run into any trouble whatsoever, we're here to help.

3 Likes

I have done what you suggested and received this reply:

Quote: "I tried to install the SSL certificate that you sent, however,
the CA bundle is incomplete.

Please supply a full Certificate Authority Bundle with the root
certificate included or kindly send us the zip files so that we can
complete the SSL installation."

end of quote.

Now I realize everything on LetsEncrypt is automated but surely I am not
the first person who has had this problem. I have donated to both LE and
Certsage and have received what appears to be the required
information...but clearly my web host needs more. I would be very
surprised if LE has not been asked for such information before because
many others must have done exactly what I have done and also tried to
avoid paying too much for ssl. I am getting the impression that nobody
actually runs LetsEncrypt and therefore nobody can do anything beyond
what is automated...and that is insufficient for many website hosts.
...or maybe I am LE's first real customer and they simply don't know what
a zipped Certificate Authority Bundle actually is. I certainly don't at
this stage but I am trying to learn how this whole system works just in
case I want to sell something online in future. I also need https to
publish some simulation programs I have written in Microsoft VBasic,
which are .exe format and blocked by many browsers. I don't have time
to learn Java or Python or any other one at the moment and VB is ideal
for my purpose.

The certificate.crt file generated by CertSage contains the full CA bundle as presented directly by Let's Encrypt. The last two certificates in that file are the CA bundle. If they want a single CA bundle certificate, tell them to use the second certificate in the file as the CA bundle. The first certificate in the file is your certificate.

4 Likes
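
The split described in the reply above (first certificate is the site certificate, the rest is the CA bundle), as an added example that is not part of the original posts and is not CertSage's own code. The function names and the placeholder sample are assumptions for illustration; the code only separates PEM blocks and does not validate the certificates.

```python
import re

# Matches one PEM block of any type, e.g. CERTIFICATE or PRIVATE KEY.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def split_for_host(pem_text, short_chain=False):
    """Return (certificate, ca_bundle) from a full-chain PEM file.

    The first block is the site certificate; the rest is the CA bundle.
    With short_chain=True only the second certificate is used as the bundle.
    """
    blocks = [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(pem_text)]
    # Refuse anything that is not a certificate, so a key pasted into the
    # chain file by mistake never ends up in the CA bundle.
    for label, _ in blocks:
        if label != "CERTIFICATE":
            raise ValueError(f"unexpected PEM block: {label}")
    if len(blocks) < 2:
        raise ValueError("need a certificate plus at least one CA certificate")
    leaf = blocks[0][1] + "\n"
    chain = blocks[1:2] if short_chain else blocks[1:]
    ca_bundle = "".join(pem + "\n" for _, pem in chain)
    return leaf, ca_bundle


def fake_cert(tag):
    # Constructed placeholder body, not a real certificate.
    return f"-----BEGIN CERTIFICATE-----\n{tag}\n-----END CERTIFICATE-----\n"


# Constructed sample with the layout described above: site cert + two CA certs.
SAMPLE = fake_cert("TEVBRg==") + fake_cert("SU5URVI=") + fake_cert("Q1JPU1M=")

if __name__ == "__main__":
    cert, bundle = split_for_host(SAMPLE)
    print(cert, bundle, sep="\n")
```

To use it on a real file, pass the text of certificate.crt in place of `SAMPLE` and write the two returned strings to separate files for the host.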

That is really a failure on the side of that web host.
There are plenty to choose from that work perfectly well with automation.
See: Web Hosting who support Let's Encrypt - Issuance Tech - Let's Encrypt Community Support (letsencrypt.org)

4 Likes

If they want a single CA bundle certificate, tell them to use the second certificate in certificate.crt as the CA bundle. The first certificate in the file is your certificate.

2 Likes

That's very odd. Why would they need the root?

If they use the last two certificates in certificate.crt as the CA bundle, this is the root (yes it's supposed to be expired):

https://letsencrypt.org/certs/trustid-x3-root.pem

If they use only the second certificate in certificate.crt as the CA bundle, this is the root:

https://letsencrypt.org/certs/isrgrootx1.pem

3 Likes

Via their chat line, I sent the certificate.crt and the certificate.key.
The person I spoke to did not ask for the account-staging.key. Anyway,
I will now send that to them anyway. I gather that is all they need.
Thanks for your help.

1 Like

There is no such thing as "real customer", as Let's Encrypt is just a publicly available API offering certificates for free. Note that donating is highly appreciated, but not required.

Also note that Let's Encrypt issues more than 2,5 million certificates PER DAY: Let's Encrypt Stats - Let's Encrypt

Of those 2,5 million certs per day, probably just a handful are issued manually, like you're doing now. It's just not the intended way.

7 Likes

Your Let's Encrypt ACME production and staging account keys (account.key and account-staging.key) should never be shared with anyone. They are used to acquire/revoke certificates and are never used for installing or serving certificates.

3 Likes

As long as they understand what you've given them, they should have no trouble installing your SSL certificate. I am assuming here that you sent them a production certificate and not a staging (test) certificate.

3 Likes

I have sent them everything. Both keys and the certificate.crt. That's
what they asked for.

How can you call it non-profit then when it must be earning about 50
million every day.

$50M/day from "selling" FREE certs?
I need to get in on that!
LOL

Let me calculate...
hmm...
2.5M times ZERO equals...
ZERO!
Wait I must not have carried all the ZEROs.
No it is still ZERO!
$ZERO/day
$ZERO/cert

FREE means FREE

5 Likes

I don't understand, where does that figure of 50 million per day come from?

3 Likes

Where does any figure come from?
ZERO can't equal any other number but ZERO.
I suppose 50M / 2.5M means they expect each cert to cost $2
But I have no idea why.

4 Likes

Your question is a complete non-sequitur; it's entirely possible for a non-profit to have lots of revenue (ask just about any private school, most hospitals, and just about any church, for example). But I, like others, wonder how you come up with a revenue figure of $50M/day.

3 Likes

Missed a decimal; it'd be $20.

4 Likes

Ignore my previous post (that I deleted). Sending your account key(s) to your hosting provider isn't necessary, but should be harmless since they have access to them anyhow.

4 Likes