How to obtain a certificate for a domain


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: probusashburton.org.au or www.probusashburton.org.au

I ran this command: I only have access to cPanel, not to Shell

It produced this output:

My web server is (include version): No idea, hosted with Netregistry.com

The operating system my web server runs on is (include version): Linux

My hosting provider, if applicable, is: Netregistry.com

I can login to a root shell on my machine (yes or no, or I don’t know): NO

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): 11


#2

Hi @alex4orly,

Your hosting provider might have disabled the cPanel feature that allows you to get a Let’s Encrypt certificate from within cPanel (because it sells GeoTrust certificates). At least, this is my impression from looking at the Netregistry support pages. I would suggest that you ask Netregistry support to confirm whether this is still the case.

The support pages do mention a less-convenient option to import an externally-generated certificate:

https://support.netregistry.com.au/articles/nr/Install-an-SSL-Certificate-on-cPanel

You can use a web-based Let’s Encrypt client to obtain a certificate and then import it this way, for example using https://www.zerossl.com/ or https://gethttpsforfree.com/. This method is much less convenient because it’s a more manual process to generate the certificate (and prove your control over the site), and because you’ll have to repeat it at least every 90 days.

The integrated support for Let’s Encrypt in cPanel would be a lot easier, but it has to be enabled by the hosting provider.


#3

Hi Schoen,

Thanks for the feedback.

Yes, through cPanel I can manually enter a certificate, my question is - where on Let’s Encrypt can I obtain the certificate to insert into the Netregistry page… The URL you are suggesting below seems to be NOT a Let’s Encrypt site??? I am confused here…

I wrote a complaint to Netregistry and am waiting for feedback. I am about to publish an 8th website and am considering moving them all to another host…

Looking forward to hearing from you

Thanks again

Alex


#4

That’s true! Let’s Encrypt doesn’t provide a web-based service to obtain certificates, only an API that software can use to request certificates. Because of this design, there are dozens of different tools that people use to get certificates from Let’s Encrypt:

cPanel itself includes one, but it can only be used if the hosting provider permits it.

The web-based clients that I mentioned are third-party tools that use Let’s Encrypt as the back-end certificate provider.

(Certbot, which I’ve worked on, is a program to obtain certificates that’s mainly aimed at the case where you have shell access and preferably root access on the server—commonly on a VPS or dedicated server, rather than shared hosting.)


#5

OK, I followed the first link you provided me with and it brought up a new page which I followed, here is my directory structure on the host server. I uploaded the 2 files to that directory as you can see. My website is in the public_html folder, but when I click the link I get the following error:

Not Found

The requested URL /.well-known/acme-challenge/K7xShyv6ZXJgj9gp214kTlxGy2UqJdJw5Rhij5Z9RCQ was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

I must be doing something wrong here???


#6

In this case it looks like you’re missing the leading dot in .well-known — it appears that you wrote well-known instead of .well-known. The dot is a required part of the directory name.
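
The directory mistake discussed above can be checked before asking the CA to validate. This is an added example, not part of the original post; the function names, the result strings, the sample token and the constructed `public_html` trees are all assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

CHALLENGE_DIR = Path(".well-known") / "acme-challenge"

def diagnose_challenge(webroot: Path, token: str) -> str:
    """Say whether <webroot>/.well-known/acme-challenge/<token> exists, or what went wrong."""
    if (webroot / CHALLENGE_DIR / token).is_file():
        return "ok"
    # Walk the web root (dot-directories included) looking for a file that
    # resembles the token, then classify the mistake.
    for dirpath, _dirs, files in os.walk(webroot):
        for name in sorted(files):
            if not name.startswith(token):
                continue
            rel = (Path(dirpath) / name).relative_to(webroot)
            if rel.parts[0] == "well-known":
                return "missing-dot: rename 'well-known' to '.well-known'"
            if name != token:
                return f"wrong-name: '{name}' must be named exactly '{token}'"
            return f"wrong-place: found at '{rel.as_posix()}'"
    return "not-found: token file is not under the web root"

def make_tree(root: Path, relative_file: str) -> Path:
    """Build a constructed web root containing one uploaded file."""
    target = root / relative_file
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text("constructed-key-authorization")
    return root

if __name__ == "__main__":
    token = "CONSTRUCTED_TOKEN_123"  # placeholder, not a real ACME token
    layouts = (
        ".well-known/acme-challenge/" + token,           # correct
        "well-known/acme-challenge/" + token,            # leading dot missing
        ".well-known/acme-challenge/" + token + ".txt",  # extension added on upload
    )
    for layout in layouts:
        with tempfile.TemporaryDirectory() as tmp:
            root = make_tree(Path(tmp) / "public_html", layout)
            print(layout, "->", diagnose_challenge(root, token))
```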


#7

When I try clicking next I get this popup error


#8

Did you start from the beginning or did you try to continue the previously-existing certificate issuance process? Normally you would have to start over.


#9

Hello again,

I managed now to create the folder with the leading dot, started the process again, got it verified OK

Downloaded the 2 files, cert and key - they are both TXT files.

I assume I need to copy the content of each and insert it into the respective fields on Netregistry.

  1. Do I need to delete from the server the Self-generated SSL I have there from my previous attempts?

  2. Is the 90-day validity fixed? Is there any other way to generate it for a whole year?

Thank you so much again for your help

Looking forward to your feedback on my above questions

Cheers

Alex


#10

Hello again,

I uploaded the files to the host, the website can now be accessed via

https://www.probusashburton.org.au/ or

https://probusashburton.org.au/

But there is no Green Padlock…

Why?

Do I have to delete the previous private Certs from the host?

Cheers

Alex


#11

Hi @alex4orly,

It looks like your site is now using a cPanel-generated certificate which must have been generated from within cPanel. This is different from the Let’s Encrypt certificate that you also created—it’s issued by a different authority and it covers more subdomains.

I don’t know how that happened, for example if you figured out how to use the built-in certification support in cPanel. However, the site currently looks OK to me and I see a padlock in my own browser.


#12

Hi Seth,

I have no idea… I copied the cert generated and inserted it through cPanel into the site

How can you tell which certificate this is?

When I tried to go to https://probusashburton.org.au/ in Chrome, Firefox or Opera - the Padlock shows up, but not in IE

Also, if I just go to probusashburton.org.au - there is no padlock…

Should I remove all the other certificates?

Thanks again

Alex


#14

Your site is fine. Internet Explorer no longer displays a padlock for secure sites at all, at least with DV certificates.

You can confirm this by looking at this very forum in each of those browsers: the other browsers will display a padlock for this site, but Internet Explorer won’t.

You can tell which certificate it is by looking at the browser’s certificate information dialog. For example in Firefox, if you click on the padlock a menu pops down and there is a “>” for more information. Clicking on the “>”, you’ll see “Verified by cPanel, Inc” (instead of “Verified by Let’s Encrypt”). (There is also a “More Information” button at the bottom of that menu to see much more technical information about the certificate, including details like its serial number, which domains it covers, when it expires, and many other things.)

There’s nothing bad about using a cPanel certificate; I’m just a bit confused about the sequence of events that led to its being used on your site. In particular, you did also successfully create a Let’s Encrypt certificate for the site

https://crt.sh/?Identity=%probusashburton.org.au&iCAID=16418

but that certificate isn’t being used on the site. Rather, the cPanel certificate is being used. That suggests to me that maybe you, or your hosting provider, did manage to turn on the feature in cPanel that automatically obtains a certificate (rather than, or subsequent to, importing the Let’s Encrypt one).
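
The issuer, covered names, serial number and expiry mentioned above can also be read programmatically instead of through the browser dialog. This is an added example, not part of the original post; the function names are assumptions, and `SAMPLE_CERT` is a constructed dictionary in the shape Python's `getpeercert()` returns, not the site's real certificate.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=10):
    """Return the validated leaf certificate the server presents, as a dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _name_field(rdns, key):
    """Pick one attribute (e.g. organizationName) out of an issuer/subject tuple."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return None

def summarize(cert, now=None):
    """Report who issued the certificate, which names it covers and how long it has left."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "issuer": _name_field(cert["issuer"], "organizationName"),
        "names": sorted(v for k, v in cert.get("subjectAltName", ()) if k == "DNS"),
        "serial": cert.get("serialNumber"),
        "days_left": (expires - now).days,
    }

# Constructed sample: every value here is made up for the demonstration.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "cPanel, Inc."),),
               (("commonName", "constructed issuing CA"),)),
    "subjectAltName": (("DNS", "probusashburton.org.au"),
                       ("DNS", "www.probusashburton.org.au"),
                       ("DNS", "mail.probusashburton.org.au")),
    "serialNumber": "00AA11BB22CC",
    "notAfter": "Mar  1 00:00:00 2018 GMT",
}

if __name__ == "__main__":
    print(summarize(SAMPLE_CERT, now=datetime(2018, 1, 1, tzinfo=timezone.utc)))
    # Against a live site: print(summarize(fetch_cert("probusashburton.org.au")))
```

A small `days_left` value is the cue to repeat a manual import, since a certificate imported by hand is not renewed automatically.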


#15

Hi Seth,

Thanks again for the explanation, I never got into this topic until now.

I am attaching here a PDF with some screen shots of what I see on the various pages in cPanel - I look at it and have no idea what I am looking at, maybe this can help in understanding what is going on here???

In which country are you?

Cheers

Alex


#16

Hi Seth,

Now that SSL is implemented, the 3 buttons / icons on the front page are no longer loading the content…

Meeting, Activities and Members….

In IE however, I get a question bar at the bottom, if I confirm, it then loads the content

What can I do about it?

Thanks again

Alex


#17

I changed your user level so that you can now upload files. Because your user level was too low, your attachments before didn’t come through.


#18

In terms of your lightbox problem, you have JavaScript URLs like

javascript:displaylightbox('http://docs.google.com/gview?url=http://www.probusashburton.org.au/mypdf/members.pdf&embedded=true',{})

This is an insecure link and presumably generates a mixed content error (trying to load insecure resources inside a secure page) and so you should change it to

javascript:displaylightbox('https://docs.google.com/gview?url=https://www.probusashburton.org.au/mypdf/members.pdf&embedded=true',{})

and similarly for any other links like that. Then it should render properly.
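
To find every link of this kind on a page rather than fixing them one at a time, the HTML can be scanned offline. This is an added example, not part of the original post: the scanner, its names and the sample page are constructed (only the first link comes from the thread). It checks `src`, `data`, `poster`, `action` and `javascript:` hrefs, and it also reports an `http://` URL nested in a query string, because the corrected link above changes both.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")
SUBRESOURCE_ATTRS = {"src", "data", "poster", "action"}

def insecure_urls(value):
    """Return each http:// URL in an attribute value, plus http:// URLs nested in its query."""
    found = []
    for url in URL_RE.findall(value):
        if url.startswith("http://"):
            found.append(url)
        # e.g. gview?url=http://... passes a second URL as a parameter
        found += [v for _, v in parse_qsl(urlsplit(url).query) if v.startswith("http://")]
    return found

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            js_href = name == "href" and value.strip().lower().startswith("javascript:")
            # Plain <a href="http://..."> navigation is not mixed content, so it is skipped.
            if name in SUBRESOURCE_ATTRS or js_href:
                line = self.getpos()[0]
                self.findings += [(line, tag, name, u) for u in insecure_urls(value)]

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; only the first link is taken from the thread.
SAMPLE = """<html><body>
<a href="javascript:displaylightbox('http://docs.google.com/gview?url=http://www.probusashburton.org.au/mypdf/members.pdf&amp;embedded=true',{})">Members</a>
<a href="http://example.org/about">plain link, navigation only</a>
<img src="https://www.probusashburton.org.au/logo.png">
<script src="http://example.org/lib.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print("line %d <%s %s> %s" % finding)
```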


#19

Thanks,

Here is the document again

Alex


#20

Sadly, that document came out blank! Can you try logging into the forum and uploading it in a reply to the thread there, instead of replying by e-mail?


#21

I am trying to upload the PDF, but it seems this format is NOT authorized…