You don't need a CSR file. CertSage generated a CSR when it requested your certificate, but didn't save it because it is completely unnecessary once you've acquired the certificate. I'm not quite sure why they're having such difficulty installing the certificate. Tell them to use the first certificate in certificate.crt as the certificate and the second certificate in certificate.crt as the CA bundle. Obviously, certificate.key should be used as the private key. If they need help, direct them to this thread.
I get this reply: http://www.ralfslab.net/pics/nobundle.png
Fair enough. I used CertSage on your server to request a new certificate for you that covers both ralfslab.net and www.ralfslab.net since the one you requested only covered ralfslab.net. I then downloaded the new certificate from the link on the left side of this page:
Here is your new certificate:
certificate.pem (1.8 KB)
Here is the CA bundle with the root certificate included:
cabundle.pem (3.7 KB)
You'll need to download your new certificate.key from your CertSage folder since I don't (and never should) have access to that.
Full certificate history for ralfslab.net:
https://crt.sh/?q=ralfslab.net
I sent them the bundle and received this reply:
"I have tried to install the new CA bundle you have provided, however, it does not match the SSL certificate. Please see the screenshot below:
Please be advised that the CA bundle should be initiated on the Certificate file."
I cannot follow what is happening any more.
Where did you/they get that certificate? It's clearly a staging environment (fake) certificate and NOT the certificate I provided in the link in my post above.
You also posted a screenshot of part of your private key, which is a security risk.
@rabb, all of the files (certificate, CA bundle, and private key) should be kept in sync, because their contents are inter-related. If the host is trying to update only one of the files without the others, that may not work (as @griffin alluded to, the certificate that appears in that screenshot from the host is not the same certificate.pem that he uploaded to this forum in the post above, and indeed is not a publicly-trusted certificate at all).
All I did was send them the cabundle.pem as an attachment. They wanted a bundle so I gave them one. I didn't send them the certificate.pem and I don't know how they got the private key.
Could you explain to me exactly where each item should end up.
- The certificate.pem that I provided goes in the Certificate box per the screenshot you provided.
- The certificate.key currently in your CertSage directory goes in the Private Key box per the screenshot you provided.
- The cabundle.pem that I provided goes in the CA Bundle box per the screenshot you provided.
Your screenshot looks like it's cPanel.
That screenshot is the one CD sent me. It is their screen...dunno what or how.
Incidentally, CD charge min of $79 to add ssl to any of their sites. Do you think that might have something to do with all these hassles?
Unfortunately there is an incentive to fill the process with unnecessary hassles. If you provide CD with exactly the correct certificate, private key, and CA bundle (all together) and they "struggle" to install them, that's a problem.
If possible, I would advise switching to a less hostile hosting provider. Your current provider has a financial interest in making you pay $79 which means making it as difficult as possible to use free options.
There is a great list of providers that support automatic Let's Encrypt, so just one button for you to enable it and renewals are handled completely automatically.
Look, I regard myself as being a reasonably computer literate person and one who regularly fiddles with hardware, writes complicated programs and helps others out of trouble. But computing has many facets and until now, I have had little reason to look into the finer points of security, in particular the ssl process. What I have found on reading about the subject is that those who want to advise and instruct have little idea about how to do just that. I am probably just as guilty as anyone when helping others in that I invariably start using words that are completely foreign to the person on the other end. The trouble is, every branch of computing has developed its own often quite complex terminology which invariably includes a host of unfamiliar acronyms. When one wants to investigate any one of those, one soon finds that the explanatory article contains even more acronyms, which need more investigation and so on. The result is a kind of chain reaction of acronyms and a totally confused reader. Soon there will be more acronyms than car number plates.
Now, with regard to my website, its root directory has a number of subs including one labelled ssl, another ssh and another called cpanel. It now has certsage as well.
The ssh one contains two keys and the ssl folder has three subs, 'certs', 'csrs' and 'keys'. Is this a standard layout or is it just the design of my particular host? What I am not clear about is precisely where the various components of the entire ssl bundle should be located. Can somebody please advise in simple terms.
You are using cPanel. That much is quite evident. The screenshot you provided and the folder structure you mentioned are all clear indicators.
The keys in the ssh folder are used for securely accessing your server via SSH. They are created in that folder via the SSH Access tool.
The certs, csrs, and keys folders in the ssl folder are populated via the SSL/TLS tool.
The CertSage folder contains (up to) these files:
- code.txt - Entered into the Code box to prevent unauthorized certificate requests
- account.key - ACME production account key
- account-staging.key - ACME staging account key
- responses.txt - HTTPS responses from the ACME server for debugging
- certificate.crt - Your leaf certificate followed by the CA bundle certificates
- certificate.key - Your leaf certificate's private key
The necessary process is exactly as I've described in excruciating detail here:
Given that many of the more senior members of this community, myself included, have successfully aided thousands of help-seekers from all walks of life from all over the world to acquire and utilize SSL certificates for myriad applications and situations, I find your assessment lacking in application within this community. Admittedly, SSL certificate usage is a niche area of computing, but the detail and guidance provided within this thread should be well more than adequate at this point to write an entire blog article on the subject.
I don't think it's possible to explain what needs to be done to enable TLS in any simpler terms, there is an inherent level of complexity involved with setting up TLS that everyone here is running against.
With TLS no longer being optional in today's threat landscape, this is exactly why there is a push for automation.
I am not using the same 'cpanel' shown in your post. I don't have such a thing anywhere on my computers. I use the root directory of Filezilla which includes a cpanel folder that is nothing like yours.
http://www.ralfslab.net/pics/rootdirectory.jpeg.
I have been trying to translate your instructions into something applicable here.
I should have been more clear, so I apologize. Your hosting provider Crazy Domains is using cPanel to manage your hosting package. The screenshot you posted is from a different package/version of cPanel than mine (GoDaddy). If you provide them with exactly the certificate.pem and cabundle.pem files I've given to you from this post (along with certificate.key from your CertSage directory):
CD should have no problems installing your certificate. This is assuming that no new certificate has been generated since the one I generated so that the private key has not been overwritten.
where should I install my certificate.key. In their /ssl/keys folder or somewhere safer?
You can't really install anything. Your hosting provider needs to do that per the instructions I've already given.
Okay...but you said they should never be given my private key. Is that not the certificate key? If not, where is my private key? I still don't get it.
You should never give a 3rd party your private key (i.e. nobody but you and your server and inherently the hosting provider should know it), your server needs the private key to function. The Certificate is comprised of two parts, the certificate and the private key.
The private key is generated on the server, either by an ACME client (which should be CertSage if I'm following this correctly)
certificate.key is your private key
certificate.crt is the CA bundle including the certificate's public key
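As an added example, not from CertSage, cPanel, or anyone in the thread: the split and the checks griffin describes (first certificate in certificate.crt is the leaf, the rest is the CA bundle, certificate.key is the private key) done from a shell with the openssl command-line tool, which the script assumes is installed. The file names certificate.pem and cabundle.pem are the ones used in the thread; the function names and the test PKI below are my own. Running it before handing files to a host answers each complaint that came back in the thread: whether the key actually belongs to the certificate, whether the bundle actually chains the certificate, whether both hostnames are covered, and whether the certificate came from the Let's Encrypt staging environment (whose issuer names contain "STAGING").

```shell
#!/bin/sh
# Split a CertSage-style certificate.crt (leaf first, then the CA chain) into
# the two files a cPanel SSL/TLS form asks for, and sanity-check them with openssl.
# Usage: sh check_cert.sh certificate.crt certificate.key [hostname ...]
# Assumption: the openssl binary is on PATH. Function names are this example's own.

# split_chain IN LEAF BUNDLE: first PEM block -> LEAF, every later block -> BUNDLE
split_chain() {
    : > "$3"   # make sure the bundle file exists even if IN holds a single cert
    awk -v leaf="$2" -v bundle="$3" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf }
        n >= 2 { print > bundle }
    ' "$1"
}

# count_certs FILE: number of PEM certificate blocks in FILE (0 on no match)
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# key_matches_cert KEY CERT: succeeds only if the public half of KEY is the
# public key inside CERT (compared as SubjectPublicKeyInfo DER digests)
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_verifies BUNDLE LEAF: succeeds if LEAF chains to a root contained in BUNDLE
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# cert_covers CERT NAME...: succeeds if every NAME is a DNS entry in CERT's subjectAltName
cert_covers() {
    cert=$1; shift
    sans=$(openssl x509 -in "$cert" -noout -text | awk '/X509v3 Subject Alternative Name/ { getline; print }')
    for name in "$@"; do
        case "$sans, " in *"DNS:$name, "*) ;; *) return 1 ;; esac
    done
    return 0
}

# issuer_is_staging CERT: succeeds if the issuer name contains "STAGING"
# (Let's Encrypt staging CAs such as "(STAGING) Artificial Apricot R3" do)
issuer_is_staging() { openssl x509 -in "$1" -noout -issuer | grep -q STAGING; }

# Stand-alone use: sh check_cert.sh certificate.crt certificate.key ralfslab.net www.ralfslab.net
if [ "$#" -ge 2 ]; then
    crt=$1; key=$2; shift 2
    split_chain "$crt" certificate.pem cabundle.pem
    echo "certificate.pem: $(count_certs certificate.pem) cert, cabundle.pem: $(count_certs cabundle.pem) cert(s)"
    if key_matches_cert "$key" certificate.pem; then echo "private key matches certificate.pem"
    else echo "KEY MISMATCH: $key does not belong to certificate.pem (was a newer cert requested?)"; fi
    if chain_verifies cabundle.pem certificate.pem; then echo "certificate.pem chains to cabundle.pem"
    else echo "CHAIN FAILURE: cabundle.pem does not verify certificate.pem"; fi
    if [ "$#" -gt 0 ]; then
        if cert_covers certificate.pem "$@"; then echo "certificate covers: $*"
        else echo "NAME MISSING: certificate does not cover all of: $*"; fi
    fi
    if issuer_is_staging certificate.pem; then echo "WARNING: issued by a STAGING CA; browsers will not trust it"; fi
fi
```

Give the host only certificate.pem, cabundle.pem and certificate.key; the script never prints key material. A "bundle does not match" reply from a host is answered by key_matches_cert and chain_verifies on the exact files you sent, and a staging certificate in their screenshot (as happened in this thread) is what issuer_is_staging flags.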