How to request a new certificate for C-Panel install

My domain is: www.hvar-digital.com

I ran this command: in C-panel Update Certificate

It produced this output: You should request a replacement certificate from Let's Encrypt ASAP

My web server is (include version): Not known

The operating system my web server runs on is (include version): Not known

My hosting provider, if applicable, is: TSOHost in the UK - owned by GoDaddy

I can login to a root shell on my machine : My access is only through C-Panel

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): C-Panel version 118.0.13

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Not known

I feel lost and have been abandoned by my domain hosts.

This week the Let's Encrypt SSL certificate expired. The hosting provider no longer supports Let's Encrypt, instead saying they only support a commercial SSL at £55 a year. I only blog, so only need DV.

I have little knowledge of C-Panel but can follow good, comprehensive instructions.

How do I go about obtaining and installing a new certificate please?

The hosts tech support say that I am "On your own, we will not help you". Such a nice company! Having renewed in July, I don't want to move to another host and lose even more money.

Is there a way please for me to do this myself, given I have little knowledge about what I am doing?

Thank you for reading.

1 Like

That's not nice. It would be best to stop using this company's services, consider doing it as soon as possible. There should be plenty of options where setting up (free) TLS is as easy as a click of a button. And in some cases there is no action needed at all!

As for what you can do now? Many people had great success with CertSage:

5 Likes

If you can't get your own certificate to work (occasionally that's the case if you don't really have full control of your web server) you could also consider moving your domain DNS to Cloudflare (free).

They then proxy traffic to your site and automatically set up https, even though your original origin server is just http or a self-signed https (or you can get an "origin" certificate from Cloudflare to use).

5 Likes

While I have used Cloudflare on an enterprise level and it can work well, setting up and configuring Cloudflare is far more advanced and involved than simply using CertSage. It will take years of using CertSage to equal the time investment of configuring Cloudflare. Adding Cloudflare also creates a whole set of dependencies. Yes, Cloudflare offers many benefits, but it's a considerable step to add an entire frontend service to one's architecture.

(Nothing against you, of course, @webprofusion. :slightly_smiling_face: You and I configuring Cloudflare is vastly easier than most given our experience levels.)

2 Likes

Yes, Cloudflare will probably take longer to set up but then its edge certs (once proxied) are managed automatically as well as other TLS settings. You can choose a very long life for one of its Origin CA certs (15 years is default IIRC). So, in addition to other benefits it is an auto-renewing managed TLS / cert config. Their CDN edge supports IPv4 and v6 without any extra effort.

CertSage, as helpful as it can be for some, is a manual process to be repeated frequently.

4 Likes

Let's compare, shall we. :slightly_smiling_face:

Assuming 4 hours to setup and configure Cloudflare for an inexperienced user (2 hours for an experienced user and 1 hour for an expert user). Hopefully nothing goes wrong or gets forgotten during the very involved process, which could easily double the time.

Assuming 20-30 minutes (at most) to setup CertSage (nothing to configure except custom password if desired) for any user (let's call it 30 minutes for sake of argument and reading the instructions). Given that the user has a password they remember or have ready access to, renewals should take no more than 30 seconds. Renewals could be every 90 days, but let's say 60 days for best practice. That's 6 renewals per year for a total of 3 minutes per year renewing.

So...

For an inexperienced user, it would take:

(4 hours * 60 min/hour [Cloudflare setup] - 30 minutes [CertSage setup]) / 3 minutes/year [CertSage renewal] = 70 years of using CertSage to equal the time spent on Cloudflare

For an experienced user, it would take:

(2 hours * 60 min/hour [Cloudflare setup] - 30 minutes [CertSage setup]) / 3 minutes/year [CertSage renewal] = 30 years of using CertSage to equal the time spent on Cloudflare

For an expert user, it would take:

(1 hour * 60 min/hour [Cloudflare setup] - 30 minutes [CertSage setup]) / 3 minutes/year [CertSage renewal] = 10 years of using CertSage to equal the time spent on Cloudflare

Yes, you do get other benefits with Cloudflare (that will take yet more time and understanding to configure). Even if you account time for setting reminders for CertSage renewals (and there will be other lost time over time dealing with Cloudflare too), the math still heavily favors CertSage.

And another factor...

Should the user want to change their platform or discontinue the project, their "ongoing costs" of renewals through CertSage stop immediately. They'll never recover the upfront time spent on Cloudflare.

2 Likes

Yes, well, all those estimates aside it is still a manual process. From the Let's Encrypt ACME Client recommendations (link here):

Some in-browser ACME clients are available, but we do not list them here because they encourage a manual renewal workflow that results in a poor user experience and increases the risk of missed renewals.

I'm sure you know this. I am including it as reference for others. The point about missed renewals is not only about forgetting to renew with a manual process but also needing to be aware of revocation events initiated by Let's Encrypt and reacting promptly.

We generally recommend automated solutions for many reasons. In this case the tradeoffs are many. Perhaps one person will prefer one solution while another prefers the other.

3 Likes

I beg to differ. CertSage is worlds easier to use than most (if not all) other ACME clients.

:grin:

2 Likes

I agree with the general recommendations and logic, @MikeMcQ. But for most people (not techies) operating in real time, reduced complexity and time investment matters quite significantly. They just want something that works quickly without getting a PhD in command line. Most ACME clients just aren't well-suited for the typical user. Using Cloudflare in this scenario is like bringing an F1 mechanic's jumbo toolbox to change a tire.

If they miss a renewal, they fix it in 30 seconds. Not a biggie for most small projects and businesses.

2 Likes

I agree time tradeoffs are personal.

I like @Nekit comment #2. Given this person's limited skills they could probably find a hosting site for their blog where they didn't have to worry about any of these technical details.

"Hiding" tsoHost behind Cloudflare is a full-featured option requiring more effort. But, a set-and-forget once set up.

Personally, given how they were treated I'd want to switch hosters just on principle and CertSage would be a good bridge solution until a replacement was found :slight_smile:

3 Likes

All that makes sense to me. :slightly_smiling_face:

3 Likes

@griffin Yep, fair enough! People's mileage will vary. Personally it usually takes me about 10 mins to move a domain to Cloudflare (enter domain, auto migration of records + fixup of anything in DNS that doesn't get migrated or needs cleaning up, update nameservers with registrar) but that's mostly for fairly throwaway domains and if you were migrating a business domain or something with great importance it might be more involved. I was suggesting it as a free way to stick with the current host and make cert renewal largely someone else's problem, which won't be appropriate for important domains etc.

CertSage doesn't do auto renewals?

Obviously the real fix is to either take control of your hosting and use automated renewals (possibly even using Caddy etc. to magic away the cert management), or move to a host that does all that for you. Sticking with an awkward host isn't a long-term solution, but as you say everything has an opportunity cost.

We've gone off topic :slight_smile:

3 Likes

Not yet. For a while now (on the back burner) I've been devising an approach to automate renewals using CertSage. I'm hoping to tackle this soon. :slightly_smiling_face:

4 Likes

Thank you everybody for your detailed and reasoned replies. I don't feel I have enough skills to attempt the CertSage route and I'm not ready for Cloudflare, so looks like I will have to pay the hosting company. :rage:

1 Like

As the author of CertSage, I can assure you that it will be very easy for you to use. :slightly_smiling_face:

There are many, many users of CertSage with your same hosting provider and configuration.

  1. Put certsage.txt (download here) into your /public_html folder in your cPanel
  2. Change the .txt in the filename to .php
  3. Visit http://www.hvar-digital.com/certsage.php in your browser
  4. Go into your cPanel file manager and find /CertSage folder
  5. Open password.txt and copy the contents (or change them to whatever you want to use as your CertSage password and save the file)
  6. Go back to CertSage page in your browser and put hvar-digital.com, www.hvar-digital.com, and mail.hvar-digital.com (one domain name per line) as the domain names in the box for which you want to get a certificate
  7. Paste/enter your password into the box
  8. Click the button to acquire your production certificate
  9. Click the button to go back to the beginning
  10. Install your certificate into cPanel by pasting/entering your password in that section and clicking the button
  11. Done! Enjoy your favorite beverage. :slightly_smiling_face:

To renew your cert: visit http://www.hvar-digital.com/certsage.php in your browser and repeat steps 7 through 11.

4 Likes
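
Because the steps above are a manual renewal routine, a periodic check of the live certificate helps catch a missed renewal or a name left out in step 6. The script below is an added example, not part of the thread and not CertSage's own code; it uses only the Python standard library, its function names are hypothetical, and it assumes it is run from a separate machine with Python 3, with the 90-day lifetime and 60-day renewal age taken from the figures in the thread.

```python
import socket
import ssl
import time

# Names from step 6 of the post above.
NAMES = ["hvar-digital.com", "www.hvar-digital.com", "mail.hvar-digital.com"]
LIFETIME_DAYS = 90       # certificate lifetime as discussed in the thread
RENEW_AT_AGE_DAYS = 60   # renewal age suggested in the thread


def fetch_cert(host, port=443, timeout=10):
    """Return the validated leaf certificate as the dict getpeercert() gives."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def covered(name, sans):
    """Exact match, or a single-label wildcard such as *.example.com."""
    parent = name.split(".", 1)[-1]
    return name in sans or "*." + parent in sans


def review_cert(cert, names, now=None):
    """Report days left, names missing from the SAN list, and whether to renew."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - now) // 86400)
    sans = {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    missing = [n for n in names if not covered(n.lower(), sans)]
    # Renew once the certificate is 60 days old (30 days left) or a name is absent.
    renew = days_left <= LIFETIME_DAYS - RENEW_AT_AGE_DAYS or bool(missing)
    return {"days_left": days_left, "missing": missing, "renew": renew}


if __name__ == "__main__":
    try:
        print(review_cert(fetch_cert(NAMES[1]), NAMES))
    except (ssl.SSLError, OSError) as exc:
        # An expired certificate fails validation here, which is itself the signal.
        print("TLS check failed, renew now:", exc)
```
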
