Probably the two options that let you “upload” things will be appropriate to let you upload privkey.pem (for the private key) and fullchain.pem (for the certificate). Then you should be able to enable HTTPS for that site.
cPanel also has a feature called AutoSSL which, for most users, is far preferable to this method, because it will do everything for you automatically on the server side. If you generate the certificate locally as you’ve just done, you’ll need to repeat this process at least every 90 days because that’s when Let’s Encrypt certificates expire. I suggest most people try to use the AutoSSL feature instead of generating certificates locally, if at all possible, just because it will be so much more convenient if it works.
RE AutoSSL: I didn’t see it anywhere in InMotionHosting cPanel. IMH is notoriously unaccommodating when it comes to LetsEncrypt.
I managed to make progress since the original post with the help of this link (in French) and made the following connections between the IMH page and the LetsEncrypt pem files:
For IMH’s “Private Keys” upload the privkey1.pem
For IMH’s “Certificates (CRT)”, upload cert1.pem
OR use IMH’s “Install and Manage SSL for your site (HTTPS)”. There you’ll find 3 inputs:
“Certificate: (CRT)”: Enter contents from cert1.pem.
“Private Key (KEY)”: Enter contents from privkey1.pem.
“Certificate Authority Bundle (CABUNDLE)” can leave blank or use fullchain1.pem
In following the above steps I was able to get one domain up and running with HTTPS://
I’ve also got a number of parked domains, went back and re-ran certbot, and all went well. I’ve got all the sites, original and parked, up and running with LetsEncrypt. (Thanks to you / the above postings)
I got a note when setting up that accessing mail[domains] via SSL will likely pull up a certificate prompt. I don’t use that domain, but in case it comes up, is the solution to include those in the CLI call:
(example: ~/letsencrypt/letsencrypt-auto --debug certonly --email [myemail]@[mydomain] -a manual --rsa-key-size 4096 -d [MyDomain] -d www[MyDomain] -d mail[MyDomain])?
(in other words mail[MyDomain] as one of the -d option entries)
Great! You should be aware that if you didn't use either fullchain.pem or chain.pem, your configuration will be missing the intermediate certificate, which can cause problems with some browsers but not others. You could check with the site tester at https://www.ssllabs.com/.
Yes, that's right. The thing to be careful about here is that you will then also have to prove your control of the mail domain, in the same way that you proved your control of the others. That would require you to be able to create the /.well-known/acme-challenge on a web server running on that machine. But perhaps you don't currently have such a web server running there?
A CSR is a file that contains a request to a certificate authority to issue a certificate.
They are used internally by almost all CAs, but some CAs require users to generate them and some don't. Let's Encrypt also uses them internally, but most users using an automated client will not see the CSRs that were used behind the scenes.
The main use for CSRs with Let's Encrypt is if you have a device or hosting provider that generates its own keys (that doesn't allow or recommend for keys to be uploaded/imported). In that case, the device or hosting provider can also generate a CSR that requests to use its existing key. When that CSR is used to request a certificate from Let's Encrypt, the resulting issued certificate will refer to the appropriate public key for which the device or hosting provider already knows the private key. Then the certificate can be imported without the need to import a private key at the same time.
Thanks! Very helpful. I just ran the sslabs server test and got a B grade. I uninstalled then re-installed the certificate, filling in all three inputs under the IMH “Install and Manage SSL for your site (HTTPS)” page.
“fullchain.pem” was not accepted. Error was “The CA bundle does not match the certificate.”
I re-ran the sslabs test and didn’t see an improvement.
LMK if you have any insights there.
Additionally, looking to install this for a Filemaker Server host running at a location that only has an IP address, not a domain name. I’ll test in a few moments but wanted to ask: can LetsEncrypt be set up for IPs or does there have to be a domain name?
They might be expecting the files to be pre-combined in a different way... maybe you can see if you can find any documentation for what they're expecting. It's strange that if chain.pem was uploaded successfully you'd still see an intermediate certificate error, though. (Maybe you should make sure that SSL Labs is actually re-running the test and that you're not just seeing the previous time's results?)
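An added example, not part of the original thread: certbot's fullchain.pem is cert.pem followed by chain.pem, so a file pasted into a CA bundle field may still contain the site certificate itself. The sketch below detects that and strips it, on the assumption that the panel wants only the intermediate certificate(s); it compares certificate blocks byte for byte and does not verify signatures, and the function names and sample data are constructed for illustration.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    """Return the decoded bytes of every certificate block in a PEM string."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_BLOCK.findall(text)]

def to_pem(der):
    """Wrap raw certificate bytes in PEM armor, 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")

def bundle_kind(cert_pem, candidate_pem):
    """Say whether a candidate CA bundle still contains the site certificate."""
    leaf = pem_certs(cert_pem)
    blocks = pem_certs(candidate_pem)
    if len(leaf) != 1 or not blocks:
        return "unreadable"
    return "includes-site-cert" if leaf[0] in blocks else "chain-only"

def ca_bundle(cert_pem, candidate_pem):
    """Return the candidate with the site certificate removed (chain.pem-style)."""
    leaf = pem_certs(cert_pem)
    if len(leaf) != 1:
        raise ValueError("cert.pem must hold exactly one certificate")
    chain = [der for der in pem_certs(candidate_pem) if der != leaf[0]]
    if not chain:
        raise ValueError("nothing left for the CA bundle")
    return "".join(to_pem(der) for der in chain)

# Constructed stand-ins: placeholder bytes, not real certificates.
SAMPLE_CERT = to_pem(b"constructed site certificate " * 4)
SAMPLE_CHAIN = to_pem(b"constructed intermediate certificate " * 4)
SAMPLE_FULLCHAIN = SAMPLE_CERT + SAMPLE_CHAIN  # certbot's fullchain.pem layout

if __name__ == "__main__":
    print(bundle_kind(SAMPLE_CERT, SAMPLE_FULLCHAIN))
    print(bundle_kind(SAMPLE_CERT, SAMPLE_CHAIN))
    print(ca_bundle(SAMPLE_CERT, SAMPLE_FULLCHAIN) == SAMPLE_CHAIN)
```

With real files, read cert.pem and fullchain.pem as text and pass their contents in place of the constructed samples.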