My domain is: http://www.ind.puc-rio.br
My web server is (include version): No idea
The operating system my web server runs on is (include version): No idea
My hosting provider, if applicable, is: the university
I can login to a root shell on my machine (yes or no, or I don't know): no
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
Our department page is done with WordPress, so we installed the "WP Encryption - One Click SSL & Force HTTPS" plugin to help generate and use the certificate. I downloaded the HTTP challenge's verification file and put it in the right folder via FTP. However, when I try to verify, it says "HTTP verification not possible on your site as your hosting server blocks bot access. Please proceed with DNS verification." Is there any hope? We don't have access to any panel like cPanel.
If you have no access at all to the server, control panel, or configuration, you might be able to obtain a certificate but you won't be able to install it.
If this is the kind of access you have, I'd say getting a certificate is not your job. Ask whoever controls the webserver to get and install a certificate for you.
Actually, it is. The tech support told us "get the certificate and put it in /cert folder via FTP using this nameXXX.crt". But I decided to try using the WordPress plugin. What do you think? Is it possible?
Possible, it could be. It looks very complicated, tho.
And I hope that /cert folder isn't accessible from outside.
Also, I have no idea why your plugin is saying "your hosting server blocks bot access".
That's just untrue:
% docker run -i docker.io/certbot/certbot certonly --register-unsafely-without-email --agree-tos --staging --manual -d 'www.ind.puc-rio.br'
Account registered.
Requesting a certificate for www.ind.puc-rio.br
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:
bLpEUZoyAbFaDevIsDLEVLsSOZF7P38uZMD_johOhzc.X9ywsett4I08Jg-X-ks3AodUv4z-QniJ_52dQ_Ls3iY
And make it available on your web server at this URL:
http://www.ind.puc-rio.br/.well-known/acme-challenge/bLpEUZoyAbFaDevIsDLEVLsSOZF7P38uZMD_johOhzc
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: www.ind.puc-rio.br
Type: unauthorized
Detail: 139.82.34.45: Invalid response from http://www.ind.puc-rio.br/.well-known/acme-challenge/bLpEUZoyAbFaDevIsDLEVLsSOZF7P38uZMD_johOhzc: 404
Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Definitely, /cert is not accessible from outside.
I used another server to which I have ssh access, and certbot, to run the same command you wrote, created the file following the instructions, and it worked. Now I have four files that I have no idea what to do with (cert.pem, chain.pem, fullchain.pem and privkey.pem). The tech support orientation is:
The files (certificates and keys) must be placed in the “cert” directory, in the root of your FTP.
A – The intermediate certificate, with the name “intermediate<year>.crt”;
E.g: intermediate2022.crt
B – The certificate key in the format “<site name><month>-<year>.key”;
E.g.: mysite-01-2022.key
C – The certificate with the name “<site name><month>-<year>.crt”.
E.g.: mysite-01-2022.crt
Well, it doesn't. I used chain.pem as intermediate, fullchain.pem as the certificate, and privkey.pem as the .key file.
There's another part of the instruction (that I omitted and ignored) saying that we should ask for the certificate using a .csr file, which I have, but I used nowhere...
I know I've bothered you a lot already, but I think we're making some progress. Thank you!
Use cert.pem as certificate, fullchain is just cert+chain.
If they want to use a CSR, it makes no sense that they would ask you to upload the private key. But there is of course a way to get the certificate using a CSR; it's usually not advisable, and I have no idea if that WordPress plugin supports it.
There is no good reason for you to have to do this. This is the provider's job.
Using an ACME client that can do so. Certbot can, but you lose automatic renewal, so we usually discourage doing so.
When complaining, make them realise that they are in a position to get certificates for every website they host, automatically. It's a lot easier when you control the whole server.
Just a quick update. I managed to create the certificate using a CSR, and then it didn't work either. The following day I complained to them, and they replied with "Oh, we noticed you're using Let's Encrypt, so we regenerated the certificate for you and set up the automatic renewal"... ¬¬
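The file mapping worked out in the replies above (cert.pem as the certificate, chain.pem as the intermediate, privkey.pem as the key, fullchain.pem being cert plus chain), as an added example that is not part of the original thread: a pre-upload check using only the Python standard library. The function names are hypothetical, the PEM bodies are constructed placeholders rather than real certificates, and the `cert/` file names follow the support examples quoted in the thread.

```python
import base64
import re

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    """Return the decoded bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(b.split())) for b in CERT_RE.findall(text)]

def to_pem(der):
    """Wrap raw bytes in CERTIFICATE armor (used here to build sample input)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def upload_plan(cert, chain, fullchain, privkey, site, month, year):
    """Map certbot's four outputs to the provider's names, refusing mix-ups."""
    leaf, inter, full = pem_certs(cert), pem_certs(chain), pem_certs(fullchain)
    if len(leaf) != 1:
        # Catches the mistake from the thread: fullchain.pem used as the cert.
        raise ValueError("certificate file must hold exactly one certificate")
    if not inter:
        raise ValueError("chain.pem holds no intermediate certificate")
    if full != leaf + inter:
        raise ValueError("fullchain.pem is not cert.pem followed by chain.pem")
    if "PRIVATE KEY-----" not in privkey or pem_certs(privkey):
        raise ValueError("key file must hold a private key and no certificate")
    stem = f"{site}-{month:02d}-{year}"  # e.g. mysite-01-2022, as in the thread
    return {
        f"cert/intermediate{year}.crt": chain,
        f"cert/{stem}.key": privkey,
        f"cert/{stem}.crt": cert,
    }

# Constructed sample input: placeholder bytes, not real certificates or keys.
LEAF = to_pem(b"constructed leaf certificate bytes")
INTER = to_pem(b"constructed intermediate certificate bytes")
KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name in upload_plan(LEAF, INTER, LEAF + INTER, KEY, "mysite", 1, 2022):
        print("upload as", name)
```

This only checks which file is which; it does not verify that the private key matches the certificate or that the chain validates.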