How to request (not necessarily install) an SSL certificate for a website running under Windows on a server using Apache

I access my websites via Firefox and Windows 7. My ISP's server runs Apache (or maybe it's Apache Mod). No connection with Linux.

1 Like

I'm still a bit confused... :confused:

If you can run commands on the web server, then you can run certbot (or other ACME client) to obtain a cert via HTTP authentication. OR if your server runs PHP, there might be a program for that (CertSage).

If you are away from the server (like on your PC), then you can run an ACME client for that OS - but it won't be able to do HTTP authentication (because the request will go to the IP of the name)...
So you will have to use DNS-01 authentication.

2 Likes

My server (actually, it's not mine, it belongs to my ISP) runs PHP (which I use often) so thanks for the tip re CertSage. I've accessed their website, so this might be the solution.

I'm not sure that I can "run commands on the web server", whatever that means. I'm a DOS/Windows person and innocent of Linux. I did download the certbot installer and got a bunch of files in "\Program Files (x86)\Certbot" -- something involving Python -- which led nowhere. There's a certbot.exe in the bin folder, but it won't run without some Python dll. Obviously this is not the way to go.

I may have more luck with CertSage. I'll let you know.

2 Likes

Apache is just web server software. It runs on an operating system such as Windows or Linux. It sounds like your ISP manages your web server in which case it most likely runs on Linux whether you realize it or not.

2 Likes

Actually it seems my ISP is a portal to the company which manages the hosting of the (shared) server. My ISP has recently adopted a new hosting company -- I forget the name -- that's how distant I am from the actual server. I normally just write the HTML/PHP/CSS (plus some C) code I need to run my sites. An SSL certificate is pretty much beyond my understanding -- I just need them to get HTTPS.

1 Like

I tried to access certsage.com in Firefox and got a blank screen. So I used Opera and got a GoDaddy site-available message. After more mucking about I found
CertSage ACME client (version 1.1.0) - easy webpage interface, no commands to type, root not required
And followed the directions for putting certsage.txt (renamed to certsage.php) in the root directory of my site (on my server). But when I ran this script it told me that it could not create the CertSage folder one level higher up. So I did this manually and set the unix read and write permissions. Still no luck. So I accessed that script on Opera, and the page comes up looking like it should:
CertSage ACME client (version 1.1.0) - easy webpage interface, no commands to type, root not required (but the Code box is empty). So I filled in my email address and the domain name for the certificate and clicked on "Proceed", and got the message "Trouble -- code was incorrect". It seems the code required was assumed to be in the upper-level CertSage on my server which it (what was it?) could not create. Madness!

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

I'm the author of CertSage.

That's because certsage.com is a domain name I own that doesn't currently have a website attached to it. :wink:

You found the official download and put it in the correct directory. :heart:

CertSage is configured by default to create its data directory one level above the webroot directory due to the cPanel directory structure. You can open certsage.php with a text editor and modify the dataDirectory variable on line 16 to point to any directory you wish. It's important that certsage.php have full permissions for the directory you choose while that directory not be accessible from the internet because that's where CertSage will write code.txt (which you'll need for the Code box), your ACME account keys (account.key for the production environment and account-staging.key for the staging environment), the responses from the ACME server (responses.txt), your full-chain certificate (certificate.crt), and your certificate's key (certificate.key).

This is the line:

$dataDirectory = "../CertSage";

Sorry about the confusion. Unfortunately when trying to design a simple product to be friendly for very inexperienced users, some assumptions had to be made. I'm very grateful for the feedback as it gives good indications of where clarifications can be made going forward. :slightly_smiling_face:

Were you able to get your certificate?

2 Likes

Thanks for your advice. I've been experimenting with specifying different $dataDirectory's in certsage.php which are above the website root directory. (Remember that my server is running Apache.) I use FileZilla (running under Windows 7) to access files and folders. When I go up one directory from the website root directory (call this X) I see several directories, including "www" which is my website root directory, also "tmp" (which is empty). I can use FileZilla to create a directory "CertSage" in X, or the same in "X/tmp", etc. I've done this for several of these possible directories (as specified in certsage.php). However, I believe I need to set read/write permissions for them. I try to do this in FileZilla but can't. When I run certsage.php it seems to recognize them but apparently can't write to them, and (if I am not mistaken) it needs to write a file called code.txt. Even if I can create a file called code.txt, the PHP script can't write to it. At least, that's how I see things now. I may need to try more.

2 Likes

Trying some more ... I set $dataDirectory (in certsage.php) to "..\CertSage" (the default) and created a "CertSage" directory in X (the folder containing "www" which is my website root directory). This time I managed (using FileZilla) to set the permissions for "CertSage" to 777 (so certsage could read and write to it). Then (using Opera) I ran certsage.php and it recognized the directory "X\CertSage", saying "Code -- Contents of this file: -- ../CertSage/code.txt". I then filled in the email address and domain name (www.fractal-timewave.com) fields, clicked on "Proceed" and got "Trouble... code was incorrect". Well, that's progress, I suppose.

1 Like

BTW my site currently has an SSL certificate obtained from ZeroSSL. This is free for the first 3-month period, after which they charge $10/month for renewals, which (since I'm broke) I can't afford to pay (and I need two certificates not just one). That certificate expires at the end of this month.

1 Like

Keep in mind that code.txt changes every time certsage.php is accessed/processed. This can sometimes pose problems with certain setups. Here is the same version of CertSage without the code.txt requirement for you to try:

certsagenc.txt (24.3 KB)

4 Likes

As before, by directory X I mean the directory above the root directory of my website. I downloaded certsagenc.txt, renamed it to certsagenc.php and uploaded to the root directory of my site. It first objected that it could not create required directory or code.txt but I did this manually, to get X\CertSage and I was able (using FileZilla) to change the permission to 777. I ran certsagenc.txt, clicked on Staging mode and the required SSL files were nicely created in X\CertSage (6 of them including certificate.crt -- none of them have r/w permission set, though I was able to copy X/CertSage to a subdirectory).

Then I tried to do the same with certsage.php, creating X/CertSage manually and giving it permission 777. In certsage.php I selected 'Staging', entered email address and domain name as above, clicked on 'Proceed' and got the message "code was incorrect". Same thing happened when I selected 'Production'.

I'm using certsage.php in Opera (using http://). It seems not to work in Firefox. When that PHP file is requested via http:// in FF it is changed to https:// -- I don't know if that makes any difference. This is driving me mad.

1 Like

I don't know whether the certificate.crt file and the other 5 files that I got (somehow) using certsagenc.php would work for my site, but I tried to download them from the server (and then give them to my ISP to install). But although FileZilla lets me set permissions for the containing directory to 777 it does not allow me to do the same for certificate.crt and the other files in that directory, so a download attempt gives a "permission denied" error. And, as I said above, I am unable to get similar files using certsage.php. So it looks like I can't get the certificate for my site in this way. The two that I got from ZeroSSL expire in 3 days, and I can't afford to renew them at $10/month.

1 Like

I forgot to mention that when I use certsage.php in Production mode (after filling in the email address and domain name) I get the message "Trouble ... code was incorrect" -- presumably because FileZilla does not allow me to set a read or write permission for the file code.txt.

1 Like

Close, but looks like CertSage is not the solution in this case.

To preserve my sanity I'll let the SSL certificates for my two domains expire, and seek another way.

1 Like

As an aside I often suggest Cloudflare for this sort of thing (where updating certs on your actual web host is difficult).

You move your DNS hosting (so Cloudflare becomes your DNS nameserver host) to them, which is easier than you might think, then you automatically get https for any DNS records that are 'proxied' (with the orange cloud logo in their control panel). Cloudflare DNS hosting is free. You then keep your website with the existing host but all web traffic goes via Cloudflare, which also protects your website against certain denial-of-service attacks etc.

There are pros and cons to this but I find it quite useful for some scenarios.

3 Likes

Sorry for not responding sooner. I was technologically crippled last weekend. Keep in mind that certsage.php and certsagenc.php are the exact same code except that certsagenc.php does not require code.txt. You should be able to generate production certificates with certsagenc.php without any issues. If you wish, you can have CertSage simply set the file permissions to whatever you need. Here are the lines to modify in certsagenc.php:

| Line | Files Affected |
|------|----------------|
| 256 | responses.txt |
| 389 | account.key, account-staging.key |
| 647 | certificate.crt |
| 651 | certificate.key |

You typically shouldn't need to download the two account key files, but if you ever need to do so, you will need to delete the two account key files in order for CertSage to recreate them with the new permissions.

2 Likes
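An added example, not part of the thread and not CertSage code: a permission audit for the data directory discussed above, using the file names listed in this thread. It assumes a POSIX host and a Python interpreter with read access to the directory; `audit_data_dir` and `build_sample` are hypothetical names, and the sample layout is constructed to mirror the modes reported here (directory 777, key and certificate files 644 or 600).

```python
import os
import stat

# File names are the ones this thread lists for the CertSage data directory.
PRIVATE_FILES = {"account.key", "account-staging.key", "certificate.key"}

def audit_data_dir(path):
    """Return sorted (name, octal_mode, problem) tuples for risky permissions."""
    findings = []
    entries = [(".", path)] + [(n, os.path.join(path, n)) for n in os.listdir(path)]
    for name, full in entries:
        mode = stat.S_IMODE(os.lstat(full).st_mode)
        if mode & stat.S_IWOTH:
            findings.append((name, oct(mode)[2:], "writable by every local account"))
        if name in PRIVATE_FILES and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((name, oct(mode)[2:], "private key readable beyond its owner"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample: placeholder files with the modes reported in the thread."""
    data_dir = os.path.join(root, "CertSage")
    os.mkdir(data_dir)
    modes = {"account.key": 0o600, "code.txt": 0o600, "certificate.key": 0o644,
             "certificate.crt": 0o644, "responses.txt": 0o644}
    for name, mode in modes.items():
        file_path = os.path.join(data_dir, name)
        with open(file_path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(file_path, mode)
    os.chmod(data_dir, 0o777)
    return data_dir

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode, problem in audit_data_dir(build_sample(tmp)):
            print(f"{name:16} {mode}  {problem}")
```

On a shared server, whether other tenants can actually reach the directory depends on the host's account isolation; the audit only reports what the mode bits allow.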

Thanks. Actually I was able to generate a production certificate for one of my sites using certsagenc.php but FileZilla would not allow me to do anything with the files. That may be because I managed (don't ask me how) to have them placed in the directory X/CertSageNC/Certsage -- where X is the directory one level above the root directory of my website, which is named "www" on my server.

I suspect that I should have been able to place them in the subdirectory of my root directory named ".well-known/acme-challenge/" (but what would I know?) then I would probably be able to copy the certificate files and send them to my ISP for installation.

BTW my ISP tells me that the server that their hosting provider uses runs on Oracle Linux. Which of these Linuxes is close to the Oracle Linux: Debian? Ubuntu? Fedora? FreeBSD? CentOS? Devuan? openSUSE?

2 Likes

You should just let certsagenc.php keep using the same CertSage data directory that you were using before. Did you modify the permissions in the lines I mentioned above? That should give you the necessary permissions to download the files. I'm going to make those permission changes in the official next release BTW. Thanks for shining a light on that.

2 Likes

Well, that's interesting. I changed the permission value in the lines stated from 600 to 644, which, I believe, is rw-r--r-- then uploaded certsagenc.php and (when I ran it) specified www.fractal-timewave.com and fractal-timewave.com as the domain names. (Do I need to do both? Can I add another domain?)

CertSage reported 'Success' and the certificate file and four others were saved in X\CertSage as follows: certificate.key, certificate.crt and response.txt file had permission 644, and account.key and code.txt had permission 600. I tried to download all five to a folder on my site but only the two certificate.* files and response.txt came over. My ISP says that to install they "need the .KEY file, the Intermediate file and the SSL certificate." Since so far I have downloaded just three files, that's probably not enough for my ISP. Maybe I should change the permissions from 644 to 666 or even 777.

1 Like
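An added example, not part of the thread and not CertSage code: certificate.crt is described above as a full-chain certificate, so the "SSL certificate" and the "Intermediate file" a host asks for can both be cut from it, while certificate.key is handed over unchanged. The sketch assumes the ACME ordering (end-entity certificate first, intermediates after); `split_fullchain`, `make_placeholder` and the output file names are hypothetical, and the sample blocks are constructed placeholders, not real certificates.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def split_fullchain(pem_text):
    """Split a full-chain PEM into (leaf_pem, intermediates_pem)."""
    certs = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if "PRIVATE KEY" in label:
            raise ValueError("private key found in certificate file")
        if label != "CERTIFICATE":
            continue
        b64 = "".join(body.split())           # drop CR/LF added in transfer
        base64.b64decode(b64, validate=True)  # raises on a damaged block
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----\n")
    if len(certs) < 2:
        raise ValueError("expected leaf plus at least one intermediate")
    return certs[0], "".join(certs[1:])

def make_placeholder(tag):
    """Constructed sample block: base64 of a text marker, not a real certificate."""
    body = base64.b64encode(("constructed placeholder: " + tag).encode() * 4)
    return ("-----BEGIN CERTIFICATE-----\r\n" + body.decode()
            + "\r\n-----END CERTIFICATE-----\r\n")

SAMPLE = make_placeholder("leaf") + make_placeholder("intermediate")

if __name__ == "__main__":
    import sys
    # Usage: python split_chain.py certificate.crt  (output names are hypothetical)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    leaf, chain = split_fullchain(text)
    with open("leaf.crt", "w", newline="\n") as fh:
        fh.write(leaf)
    with open("intermediate.crt", "w", newline="\n") as fh:
        fh.write(chain)
```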