How to obtain a SSL certificate from Let's Encrypt with a CSR


#1

I’m a relative newbie to WordPress (hosted on my web provider) and would like to install a SSL certificate from Let’s Encrypt on a new website. My web provider uses Plesk for my UI to my web app and through Plesk I’ve generated a CSR. Now that I have the CSR, how can I submit it to Let’s Encrypt to get a SSL from them?


#2

The LetsEncrypt client automatically creates a CSR, stored in /etc/letsencrypt/live/domain.tld/privkey.pem.

You need to have access to the server's shell to run the LE client.


#3

Thanks for your quick reply, Dylan.

So I presume this means that if I don’t have access to my web provider's servers I can’t run the LE client and get a SSL cert from Let’s Encrypt. Which also means that if my web provider doesn’t do it for me, I can’t get a free SSL certificate from LE for my website?
best regards,
John


#4

You CAN submit the CSR you have, which will correspond to a Private Key that is kept on the server. Not moving private keys around means less chance to slip up and have them stolen. So that’s fine. You will need to be able to prove to the Let’s Encrypt system that you own / control your domain. For a small web site owner like you, that’s usually easiest by making a file appear on a URL chosen by them. If you can’t do that (some WordPress hosting options won’t let you do this, as it’s not part of WordPress itself) then you may not be able to validate without help from the provider.

https://gethttpsforfree.com/ will let you do all the steps by hand, you’ll see its second step wants a CSR pasted in. But note that you will need to connect to your provider and upload some files the first time, and then again every few months to renew by this method. Newer versions of Plesk do have an optional panel for Let’s Encrypt, where it’s just as simple as filling in your email address and clicking “I agree” then it auto-renews as needed. But your provider might not have that. Could be worth asking them, as it’s way less hassle for you, and (if you end up needing their help the other way) for them too.


#5

Thank you very much for your reply tialaramex. I went to gethttpsforfree.com site and saw what has to be done, but then once I go to get the openssl program I start to get lost. I can download the most recent zip file and then unzip, but then don’t know how to install the program. Any help on this would be much appreciated!


#6

@JPinBe, most people developing certificate software don’t think it’s appropriate for security reasons for them to possess or generate your private key. So, they require you to have a way to generate the private key yourself on a computer that you control.

I think if you’re not familiar with using OpenSSL and you don’t have access to run or install programs in your web hosting account, the better path is likely for you to get your hosting provider to upgrade Plesk to a version with built-in Let’s Encrypt support, or change to a different hosting provider. You’re certainly welcome to use the gethttpsforfree + OpenSSL method, but you may find it quite complex.


#7

Hello Schoen and thank you also for your answer. I agree with all of the above comments and I’ll get in touch with my web hosting provider about the updated PLESK. As is evident, I’m a newbie, but I still like to try and do as much as I can myself because I like the learning process, and when I have done something myself, I usually remember it better for the next time.


#8

privkey.pem, as the name suggests, contains the private key and not the CSR. Try /etc/letsencrypt/csr/


#9

If you’re using Windows, a quick and simple way to get OpenSSL installed is to just install Git for Windows (https://git-scm.com/download/win). After installing that, run the Git Bash prompt, and you can run any openssl commands in that shell.


#10

Thanks for trying to help, but despite trying hard this newbie is not there yet despite the help I am getting (much appreciated)…

I downloaded the Git for Windows and then using the commands “openssl genrsa 4096 > account.key” followed by “openssl rsa -in account.key -pubout” got the following result. So now I have the public key which I can input into https://gethttpsforfree.com/ but how do I copy the private key (that is shown by dots) so I can keep it safely?


#11

The private key is the account.key file you created.

The dots and pluses don’t represent it, they’re actually status indicators for the key generation process.


#12

Hello Cool110. My web hosting provider uses PLESK. Through it I had generated a private key and a CSR, but then I didn’t know how to go further (see posts above).

Now I’m not sure what I am supposed to do because you say “The private key is the account.key file you created”. Is this the private key generated in PLESK? I thought that the same application (OPENSSL in this case) needed to generate both my private key and the public key because they are unique together, or am I wrong?


#13

There are at least 2 private keys. The account.key file created with OpenSSL is the key for your ACME account, which you need to sign the API requests when obtaining a cert and if you later need to revoke it. Any keys generated by Plesk will be the ones used with your certs.


#14

And Boulder (the Let’s Encrypt CA software) does require these keys to be separate and distinct as a matter of policy. If you try to use the same private key as both an account private key and a TLS site private key, Boulder will reject the attempt!

(Strictly speaking, since Boulder doesn’t see or access any of your private keys, I should say: if you try to use the same public key as both an account public key and a TLS site public key, Boulder will reject the attempt. Since private and public keys correspond with each other, you therefore can’t use the same private key for both purposes either.)
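
The distinction drawn in posts #8 to #14 (which file is a private key and which is a CSR, and whether a CSR was made from a key other than the ACME account key) can be checked locally with OpenSSL before anything is submitted. This is an added example, not part of the original posts; the 2048-bit keys, the file names, the helper function names and example.com are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example. Key sizes, file names and example.com are constructed for the demo.
set -eu
export MSYS_NO_PATHCONV=1   # stops Git Bash rewriting "/CN=..." as a Windows path

# SHA-256 of the public key that belongs to a private key file.
key_pub_fp() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key embedded in a CSR.
csr_pub_fp() {
    openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# What a PEM file holds, judged by its first BEGIN line.
pem_kind() {
    case "$(grep -m1 -e '-----BEGIN' "$1")" in
        *"CERTIFICATE REQUEST"*) echo csr ;;
        *"PRIVATE KEY"*)         echo private-key ;;
        *"PUBLIC KEY"*)          echo public-key ;;
        *"CERTIFICATE"*)         echo certificate ;;
        *)                       echo unknown ;;
    esac
}

# Succeeds when the CSR was made from a key other than the account key.
csr_uses_separate_key() {   # $1 = account key, $2 = CSR
    [ "$(key_pub_fp "$1")" != "$(csr_pub_fp "$2")" ]
}

work=$(mktemp -d)
openssl genrsa -out "$work/account.key" 2048 2>/dev/null   # ACME account key
openssl genrsa -out "$work/domain.key" 2048 2>/dev/null    # site key (Plesk's role)
openssl req -new -key "$work/domain.key" -subj "/CN=example.com" -out "$work/domain.csr"
# The mistake described in post #14: a CSR made from the account key itself.
openssl req -new -key "$work/account.key" -subj "/CN=example.com" -out "$work/reused.csr"

echo "account.key is a $(pem_kind "$work/account.key")"
echo "domain.csr  is a $(pem_kind "$work/domain.csr")"
csr_uses_separate_key "$work/account.key" "$work/domain.csr" && echo "domain.csr: separate key"
csr_uses_separate_key "$work/account.key" "$work/reused.csr" || echo "reused.csr: same key as the account"
```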

