InMotionHosting Shared Hosting - How to LetsEncrypt my domain


#1

Based on this link, I’ve gotten as far as

  • Putting the two files at /public_html/.well-known/acme-challenge
  • Generating the following files locally on macOS: cert1.pem, chain1.pem, fullchain1.pem, privkey1.pem

I’m in cPanel>SSL/TLS (Hosting provider is InMotionHosting), looking at 4 options:

  • Private Keys (KEY) (Generate, view, upload, or delete your private keys.)
  • Certificate Signing Requests (CSR) (Generate, view, or delete SSL certificate signing requests.)
  • Certificates (CRT) (Generate, view, upload, or delete SSL certificates.)
  • Install and Manage SSL for your site (HTTPS) (Manage SSL sites.)

What next?


#2

Hi @ovunque,

Probably the two options that let you “upload” things will be appropriate to let you upload privkey.pem (for the private key) and fullchain.pem (for the certificate). Then you should be able to enable HTTPS for that site.

cPanel also has a feature called AutoSSL which, for most users, is far preferable to this method, because it will do everything for you automatically on the server side. If you generate the certificate locally as you’ve just done, you’ll need to repeat this process at least every 90 days because that’s when Let’s Encrypt certificates expire. I suggest most people try to use the AutoSSL feature instead of generating certificates locally, if at all possible, just because it will be so much more convenient if it works.


#3

Thanks Schoen,

RE AutoSSL: I didn’t see it anywhere in InMotionHosting cPanel. IMH is notoriously unaccommodating when it comes to LetsEncrypt.

I managed to make progress since the original post with the help of this link (in French) and made the following connections between the IMH page and the LetsEncrypt pem files:

  • For IMH’s “Private Keys” upload the privkey1.pem
  • For IMH’s “Certificates (CRT)”, upload cert1.pem
  • OR use IMH’s “Install and Manage SSL for your site (HTTPS)”. There you’ll find 3 inputs:
    • “Certificate: (CRT)”: Enter contents from cert1.pem.
    • “Private Key (KEY)”: Enter contents from privkey1.pem.
    • “Certificate Authority Bundle (CABUNDLE)” can leave blank or use fullchain1.pem

In following the above steps I was able to get one domain up and running with HTTPS://

I’ve also got a number of parked domains, went back and re-ran certbot, and all went well. I’ve got all the sites, original and parked, up and running with LetsEncrypt. (Thanks to you / the above postings)

Remaining questions:

  • I got a note when setting up that accessing mail[domains] via SSL will likely pull up a certificate prompt. I don’t use that domain, but in case it comes up, is the solution to include those in the CLI call:
    (example:
    ~/letsencrypt/letsencrypt-auto --debug certonly --email [myemail]@[mydomain] -a manual --rsa-key-size 4096 -d [MyDomain] -d www[MyDomain] -d mail[MyDomain])?
    (in other words mail[MyDomain] as one of the -d option entries)
  • What is CSR all about?

Thanks again


#4

Great! You should be aware that if you didn’t use either fullchain.pem or chain.pem, your configuration will be missing the intermediate certificate, which can cause problems with some browsers but not others. You could check with the site tester at https://www.ssllabs.com/.

Yes, that’s right. The thing to be careful about here is that you will then also have to prove your control of the mail domain, in the same way that you proved your control of the others. That would require you to be able to create the /.well-known/acme-challenge on a web server running on that machine. But perhaps you don’t currently have such a web server running there?

A CSR is a file that contains a request to a certificate authority to issue a certificate.

They are used internally by almost all CAs, but some CAs require users to generate them and some don’t. Let’s Encrypt also uses them internally, but most users using an automated client will not see the CSRs that were used behind the scenes.

The main use for CSRs with Let’s Encrypt is if you have a device or hosting provider that generates its own keys (that doesn’t allow or recommend for keys to be uploaded/imported). In that case, the device or hosting provider can also generate a CSR that requests to use its existing key. When that CSR is used to request a certificate from Let’s Encrypt, the resulting issued certificate will refer to the appropriate public key for which the device or hosting provider already knows the private key. Then the certificate can be imported without the need to import a private key at the same time.
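
Added example (not part of the original posts): the CSR workflow described in post #4, done by hand with OpenSSL. It builds a CSR for a private key that already exists and confirms the CSR carries that key's public half; the file names and example.com domains are placeholders.

```shell
#!/bin/sh
# Added example: build a CSR around an EXISTING private key, as a device or
# hosting panel would, so the key itself never has to be exported.

# make_csr KEY CSR DOMAIN...   (first DOMAIN also becomes the CN)
make_csr() {
    key=$1 csr=$2; shift 2
    san=""
    for d in "$@"; do san="${san:+$san,}DNS:$d"; done
    cnf=$(mktemp) || return 1
    # Temporary request config: no prompts, every domain listed as a SAN.
    cat > "$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $1
[ext]
subjectAltName = $san
EOF
    openssl req -new -key "$key" -out "$csr" -config "$cnf"
    rc=$?
    rm -f "$cnf"
    return $rc
}

# csr_matches_key CSR KEY: exit 0 only if the CSR requests a certificate
# for the public key belonging to KEY.
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey) || return 2
    b=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$a" = "$b" ]
}

# csr_domains CSR: print the DNS names the CSR asks for, one per line.
csr_domains() {
    openssl req -in "$1" -noout -text | tr ',' '\n' |
        sed -n 's/^ *DNS:\([^ ]*\).*$/\1/p'
}

# Usage (placeholders):
#   make_csr existing.key request.csr example.com www.example.com
#   csr_matches_key request.csr existing.key && csr_domains request.csr
```

Certbot accepts a ready-made request through its `--csr` option, in which case it never handles the private key.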


#5

Thanks! Very helpful. I just ran the ssllabs server test and got a B grade. I uninstalled then re-installed the certificate, filling in all three inputs under the IMH “Install and Manage SSL for your site (HTTPS)” page.

  • “fullchain.pem” was not accepted. Error was “The CA bundle does not match the certificate.”
  • “chain.pem” was.

I re-ran the ssllabs test and didn’t see an improvement.

LMK if you have any insights there.

Additionally, I’m looking to install this for a Filemaker Server host running at a location that only has an IP address, not a domain name. I’ll test in a few moments but wanted to ask: can LetsEncrypt be set up for IPs or does there have to be a domain name?


#6

There has to be a domain name.

They might be expecting the files to be pre-combined in a different way… maybe you can see if you can find any documentation for what they’re expecting. It’s strange that if chain.pem was uploaded successfully you’d still see an intermediate certificate error, though. (Maybe you should make sure that SSL Labs is actually re-running the test and that you’re not just seeing the previous time’s results?)
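
Added example (not part of the original posts, and not cPanel's own logic): Certbot's fullchain.pem is cert.pem followed by chain.pem, so it repeats the site certificate that the CRT field already holds. The helpers below split a full chain into the two pieces the form in post #3 asks for, detect a bundle that still contains the site certificate, and check that a private key belongs to a certificate before it is pasted in; file names follow Certbot's output.

```shell
#!/bin/sh
# Added example: pre-flight checks for a three-field install form
# (Certificate / Private Key / CA bundle). Uses awk and openssl only.

# split_fullchain FULLCHAIN CERT_OUT BUNDLE_OUT
# First certificate -> CERT_OUT, every following one -> BUNDLE_OUT.
split_fullchain() {
    : > "$2"; : > "$3"
    awk -v leaf="$2" -v rest="$3" '
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        NF == 0 { next }                   # drop blank separator lines
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf }
        n >= 2 { print > rest }
    ' "$1"
}

# bundle_has_leaf BUNDLE CERT: exit 0 if CERT also appears inside BUNDLE,
# which is the case for fullchain.pem but not for chain.pem.
bundle_has_leaf() {
    awk '
        { sub(/\r$/, "") }
        NF == 0 { next }
        FNR == NR { leaf = leaf $0; next } # first file: the site certificate
        /-----BEGIN CERTIFICATE-----/ { blk = "" }
        { blk = blk $0 }
        /-----END CERTIFICATE-----/ && blk == leaf { found = 1 }
        END { exit !found }
    ' "$2" "$1"
}

# key_matches_cert CERT KEY: exit 0 only if KEY is the private key for CERT.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    k=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$c" = "$k" ]
}

# Usage:
#   split_fullchain fullchain.pem site.crt cabundle.pem
#   bundle_has_leaf cabundle.pem site.crt && echo "bundle repeats the site cert"
#   key_matches_cert site.crt privkey.pem || echo "key and certificate differ"
```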

