I have a hosting company I want Let's Encrypt Certificates

See this support article. (@9peppe)

2 Likes

You should just leave the web page open on the second page with the Validate button while you add your txt records then click Validate once you're done adding the records. No need to start back at the first page to resubmit your CSR.

2 Likes

@freessltools.com I understand that. I do it through your website, but I want to integrate the same, or something like yours, in the client area of my hosting company website.

2 Likes

There is one interesting bit -- the rest is usual cPanel rubbish:

"InfinityFree can provide you with free SSL certificates"

Are those usable? Can they provide and install them automatically?

I see another interesting bit:

"Most certificate vendors will ask you to install the CA chain certificates as well. These are not supported on InfinityFree and cannot be installed."

Change provider immediately.

"However, most browsers will recognize certificates from popular certificate issuers without a certificate chain as well, so you do not need the CA chain. Only certain outdated browsers may not properly recognize the certificates."

Yeah, outdated and mobile.

"If you insist on using CA certificate chains, you could consider to upgrade to premium hosting, where you can install your own certificates including their CA chains, as well as get fully automatic free SSL from Let's Encrypt."

This is bullshit. Taking a free non-profit service and reselling it at a premium.

Probably legal, but it should reflect badly on those who do it.

1 Like

Assume they want to give Let's Encrypt certificates to all their clients, without controlling their DNS: they redirect .well-known/acme-challenge/ and validate via http-01 on their client's behalf, then they install the certificate.

I suspect it's not what they do. It could be a lot easier with a website to run tests on.


(edit: we do have one, it responds 403 Forbidden and another user has issues with this hosting provider: ZeroSSL Wont verify my domain )

I hate them:
(first command from Firefox console, copy as cURL)

peppe at lemure in ~ 
% curl -IL 'http://notestorage.cf/.well-known/acme-challenge/404' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H 'Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3' --compressed -H 'Connection: keep-alive' -H 'Cookie: __cfduid=d18a2838a301ff4f451f8d57508dbf9ca1596611667' -H 'Upgrade-Insecure-Requests: 1' -H 'DNT: 1' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache'
HTTP/1.1 302 Found
Date: Wed, 05 Aug 2020 07:19:08 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Location: https://infinityfree.net/errors/404/
Cache-Control: max-age=0
Expires: Wed, 05 Aug 2020 07:18:17 GMT
CF-Cache-Status: DYNAMIC
cf-request-id: 045f1606b30000cd22f2326200000001
Server: cloudflare
CF-RAY: 5bdebf845d27cd22-FCO

HTTP/2 200 
date: Wed, 05 Aug 2020 07:19:08 GMT
content-type: text/html
set-cookie: __cfduid=d71a2eae98dc5b71d5d4ac2743c581d2a1596611948; expires=Fri, 04-Sep-20 07:19:08 GMT; path=/; domain=.infinityfree.net; HttpOnly; SameSite=Lax; Secure
vary: Accept-Encoding
last-modified: Sun, 02 Aug 2020 12:41:11 GMT
expires: Thu, 01 Jan 1970 00:00:01 GMT
cache-control: no-cache
strict-transport-security: max-age=15724800; includeSubDomains
cf-cache-status: DYNAMIC
cf-request-id: 045f1608e00000cd16ac91d200000001
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-content-type-options: nosniff
server: cloudflare
cf-ray: 5bdebf87c8cfcd16-FCO
content-encoding: br

peppe at lemure in ~ 
% curl -IL http://notestorage.cf/.well-known/acme-challenge/404
HTTP/1.1 403 Forbidden
Date: Wed, 05 Aug 2020 07:17:00 GMT
Content-Type: text/html
Connection: keep-alive
Set-Cookie: __cfduid=d624aa8d974e9651465376dc64510acd11596611820; expires=Fri, 04-Sep-20 07:17:00 GMT; path=/; domain=.notestorage.cf; HttpOnly; SameSite=Lax
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
cf-request-id: 045f1412290000cd429b06e200000001
Server: cloudflare
CF-RAY: 5bdebc637c9ccd42-FCO

2 Likes

I just copied and pasted that address in my browser just out of curiosity and got redirected to a 404 page. Why did you get a 403 response?

edit: I see that you got a 302 first. Guess that's the redirect, but it resulted in a 200? Was only the browser difference the cause?

2 Likes

Yes,

  • Firefox gets 302 -> 200
  • cURL gets 403

2 Likes

You were successfully redirected... to 404. :yum: God I hate it when servers are configured to do that.

2 Likes

Anyone please tell me what I can do on this.

2 Likes

Probably nothing, seeing that your parent company made the system this way on purpose, to sell the possibility to get a Let's Encrypt certificate.

Ask their support, please, and report back.

2 Likes

@9peppe
What should I ask the support?

1 Like

@freessltools.com and @9peppe will this work:


for what I asked like breaking and continuing???

1 Like

"Hi, I am a reseller of yours and I want to give my clients TLS certificates via an ACME automated certification authority. Can you tell me what I can do to achieve such a goal?"

Before telling them this, you should go on your test website (give us the address) and create a .well-known/acme-challenge/hi-peppe-im-here.html file, then check if you can open it from the web, both via human browser and via curl. (give us the address)

That's just another acme client. If one works, they all do. Which one is better for you depends on your system and your convenience.

2 Likes

@9peppe

Done, my website is smrfreehost.ml.

2 Likes

@9peppe

Okay! :+1: Then whichever the client, everything will work. Am I right?

1 Like

OK, the file is visible: http://smrfreehost.ml/.well-known/acme-challenge/hi-peppe-im-here.html

This means that you can use an ACME client yourself. There are several that can validate via http-01 connecting via FTP to your web space, and then use the cPanel API to install the certificates. Check the acme.sh wiki.

2 Likes

Which article do you want me to refer to in the acme.sh wiki?
I visited

2 Likes

I’m sorry, acme.sh can’t get certificates for remote servers, but it can deploy to cPanel. https://github.com/acmesh-official/acme.sh/wiki/deployhooks#7-deploy-to-cpanel-host-using-uapi

Getssl can get certificates for remote servers, though, via ftp: https://github.com/srvrco/getssl

If you can script a deploy script building on the acme.sh deployhook, you’re golden.

2 Likes

@Sarveshmrao @9peppe

Seems like good things have happened while I was away. I’m assuming you tested via curl as well peppe. So we’ve established that manual DNS will work and are working towards semi-automated http.

A local client in this case can:

  • Create a Let’s Encrypt account for each user
  • Generate a private key and CSR from a user’s config (which could vary per user if they have subdomains)
  • Perform the acme certification process including creating challenge files itself thus removing the need for manual intervention to acquire the certificate

A local client in this case cannot:

  • Automate DNS challenges

Is there a way for a local client in this case to:

  • Install a private key and certificate

2 Likes

You assumed wrong, my bad:

% curl -IL http://smrfreehost.ml/.well-known/acme-challenge/hi-peppe-im-here.html
HTTP/1.1 403 Forbidden
Server: nginx
Date: Wed, 05 Aug 2020 19:10:02 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
Vary: Accept-Encoding

3 Likes
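
The browser-versus-curl comparison run in this thread can be scripted as a pre-flight check before pointing an ACME client at a shared host. This is an added example, not part of any post above; the function names, the `example.test` and `errors.example.net` hosts and the trimmed header samples are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify `curl -sIL` header dumps to see
# whether an http-01 validator, which is not a browser, can reach a challenge file.

# Print the status code of every hop in a header dump read from stdin, e.g. "302 200".
status_chain() {
    awk '/^HTTP\//{ printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# Print the host of the last absolute Location header (empty if none was seen).
last_redirect_host() {
    tr -d '\r' | awk 'tolower($1) == "location:" && $2 ~ /^https?:/ {
        split($2, p, "/"); h = p[3] } END { print h }'
}

# classify HOST PLAIN_DUMP BROWSER_DUMP
#   ok          plain client ends on 200 without being redirected off HOST
#   ua-filter   plain client gets 403 while a browser User-Agent is treated differently
#   not-served  neither client ends on a 200 served by HOST
classify() {
    host=$1
    plain=$(printf '%s\n' "$2" | status_chain)
    browser=$(printf '%s\n' "$3" | status_chain)
    away=$(printf '%s\n' "$2" | last_redirect_host)
    if [ "${plain##* }" = 200 ] && { [ -z "$away" ] || [ "$away" = "$host" ]; }; then
        echo ok
    elif [ "$plain" != "$browser" ] && [ "${plain%% *}" = 403 ]; then
        echo ua-filter
    else
        echo not-served
    fi
}

# Live use (hypothetical wrapper): probe HOST FILE fetches once as plain curl
# and once with a browser User-Agent, then classifies the two header dumps.
probe() {
    ua='Mozilla/5.0 (X11; Linux x86_64; rv:79.0) Gecko/20100101 Firefox/79.0'
    url="http://$1/.well-known/acme-challenge/$2"
    classify "$1" "$(curl -sIL "$url")" "$(curl -sIL -A "$ua" "$url")"
}

# Constructed samples, trimmed to the shape of the output shown in the thread.
SAMPLE_PLAIN='HTTP/1.1 403 Forbidden
Server: cloudflare'
SAMPLE_BROWSER='HTTP/1.1 302 Found
Location: https://errors.example.net/errors/404/

HTTP/2 200
content-type: text/html'
SAMPLE_GOOD='HTTP/1.1 200 OK
Content-Type: text/html'
```

A final 200 reached only after a redirect to another host is counted as not served, because that 200 is the provider's error page rather than the challenge file.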