Installation help for a non-technical person?

Perhaps if you explained to Godaddy that you have already successfully obtained the cert and only need their help with installing it, they might be more helpful? As that procedure should be the same, from their perspective, regardless of what CA you used.

Thanks mjorahan. I did explain all of that to Godaddy but they were adamant in their position. Then they started sending me emails trying to get me to purchase a SSL certificate from them.

Hi @debiwebi, the "ssl_error_rx_record_too_long" error is almost always caused by a web server that is serving HTTP on port 443 instead of HTTPS. You can check this by looking at http://smf2.ga:443/ (which should not work but does, showing that my guess is correct).

So, you have to figure out how to get the web server to actually serve HTTPS, not HTTP, on that port. I don't know specifically how to do that with your hosting environment, but that's the reason for the problem. Somehow an insecure virtual host listening on the HTTPS port has been created, rather than a secure one.

Sounds like you need a new web hosting provider. It’s one thing to not put forth the effort to explicitly support Let’s Encrypt (particularly since LE is in beta right now), but there’s simply no excuse for refusing to assist with installing a third-party SSL certificate.

2 Likes

Thank you, that was brilliant and gave me another excuse to call GoDaddy. This time they told me I can only have third party SSL if I have a VPS or dedicated server. Otherwise I'd have to purchase a Wildcard certificate from them. I have a feeling I'll be getting more "buy me" emails.

Yes, thanks, that seems to be the consensus. I see DreamHost is on the list of providers, it may be time for me to say adios to GoDaddy.

Thank you both for your input.

Sorry, I had to share this email I just received from GD:

Thanks for calling us. Let us know how we did!
Now tell us how happy you were with Andrew's service and save 25% off your next order! Feel like sharing more? You can always tweet your kudos to @GoDaddy, or post them to Facebook at GoDaddy.

:confounded:

@Neilpang, I’m sorry for repeating myself but should the certificate been working for me after I ran “issue” ?

Or is

installcert:
Install the issued cert to apache/nginx or any other server.

an important next step after issue - in general process according to the instruction?

Why did I get this:

“Run Le_ReloadCmd: service apache2 reload
./le.sh: line 1061: service: command not found”

?

service is a command that can only be used by root.

As you are a limited user, it’s not possible for you to use it.

Let me recap again.

The problem for you now is : “How to deploy/install the cert to your webhosting ?”

As far as I can remember, you must at least buy a dedicated ip from godaddy to use ssl webhosting.
Please ask godaddy support whether it is possible to use ssl by buying a dedicated ip.

There is really nothing you can do by yourself. Only Godaddy support can do that.

Do not try any useless effort.

If you decide to move away from godaddy, you must ask your new provider that “if you can use your own third party ssl certificate ?”, Maybe you will need to buy a dedicated ip too.

Thanks.

OK, thank you so much for your time. I'm looking at DreamHost right now, they seem to be the "real deal" but I do have an email out to them just to confirm that there are no hidden costs with their claim of a free cert through LE.

@Neilpang's analysis is exactly right: you do need to install/deploy the cert (not just issue it), but it's very unlikely that you can do this by yourself in your hosting environment without help from the hosting provider. Deploying certs in a server is considered an admnistrative action, so if you aren't the system administrator, they would need to give you a specific way to do it, or do it for you.

Thanks schoen. Actually GoDaddy told me even if I upgraded my hosting to a cPanel account they will not help. From here:

"Our third-party SSL support varies depending on the product.
Keep in mind, by "support" we mean only that customers can install the SSL certificate themselves —
GoDaddy does not assist with the installation itself."

Nice, huh?

If they do give you a cPanel account, there may well be a way to do it through cPanel – by “help” I meant more that that they need to choose to permit it, not necessarily that they have to actively participate. There are people with cPanel accounts on some other hosting providers who are successfully using our certs by installing them through the cPanel interface.

Yep, that's what they said. I could do it through the cPanel. And there's no cPanel for my particular hosting setup.

Thanks again.

I am not tech-illiterate, but I am by no means a server expert; hence I was drawn to this thread. It’s several months old, but hopefully some of you would be kind enough to respond.

My website is hosted on a shared web server. The host provider does not offer easy installation of Let’s Encrypt, nor will they offer customer support for it or any free certificate authority (the want to sell their own certificates), but they do allow installation and they granted me SSH access (but I have no root or sudo level access). I have determined that my shared web server has the following:

  • RHEL6, Kernel Ver. 2.6.32-573.26.1.el6.x86_64

  • Apache/2.4.23

  • OpenSSL 1.0.1e-fips 11 Feb 2013

  • CentOS release 6.8 (Final)

  • Python 2.6.6

  • cPanel 60.0.28 (AutoSSL not installed)

  • Using the “yum list installed bind” in the MacOS Terminal reveals:

     Loaded plugins: priorities, security, tsflags, universal-hooks
     EA4
     epel/metalink
     epel
     epel/primary_db 
    

I found the following web page which is for RHEL6 installation:

https://certbot.eff.org/#centosrhel6-apache

But that page makes no mention of “what directory” I should use “wget” in to install the script. Do I run that from within my Home directory? (In Home, I see “public_html” and “.cpanel” and “etc” and “logs” and “.ssh” and “lib” and so on.)

In a quest for answers, I Googled and found the following WIKI:

https://wiki.shaunc.com/wikka.php?wakka=UsingCertbotAndLetsEncryptOnCentos6

But after reading that I have 2 problems:

  1. I don’t have root or sudo access via SSH to my shared web server. I can only use SSH in the Terminal as follows:

ssh username@domain.com

  1. I don’t know if “mod_ssl” is installed, and since my web host doesn’t provide “support” for me installing Let’s Encrypt, I have to figure it out on my own. The “Test your mod_ssl installation” of that WIKI says to use the following line:

[root@menthol tmp]# apachectl configtest

But doing that yields the following:

httpd: Could not open configuration file /etc/apache2/conf/httpd.conf: Permission denied

My cPanel has a setup page for “SSL/TLS”, so would that mean “mod_ssl” is installed?

I created a directory named /files in my home directory and then switched to that (via SSH in the Terminal). I then used the “wget” line to download the 44k “certbot-auto” script into /files. After that, I performed the “chmod” line. The only thing I’ve not done yet is execute the install via “./certbot-auto” because (a) I don’t know if I need root/sudo access to do it, and (b) I don’t know if “mod_ssl” is installed.

Even if I do get everything setup eventually, what if I change my mind and want to UNINSTALL everything. Is there a script that easily uninstalls everything?

Thank you,

James

Hi James,

First, just to check, in your cPanel, within the “SSL/TLS” section do you have a “Install and Manage SSL for your site (HTTPS)” option ? This is essentially what you would need to install the cert yourself. (and yes that should mean that mod_ssl is installed )

If you have the above, then I’d suggest using one of the alternate clients since they are often easier to use when you have limited access ( i.e. you don’t have root access ). I’d suggest the Bash Clients as the most likely to be able to run easily on your account.

If you run one of the alternate clients, they should provide the three files you need to upload to your cpanel ( certificate, private key and Certificate Authority Bundle). If you copy and paste those into the “Install and Manage SSL for your site (HTTPS)” on your cPanel, then everything should work for your site over https.

P.S. If you are happy to do a little scripting, then it is possible to automate the process completely so that the upload into cPanel is also done automatically for you, but I don’t know a method in your setup that doesn’t involve a small amount of script setup / configuration.

serverco,

In my cPanel, there are only two icons pertaining to SSL:

  1. SSL/TLS
  2. SSL/TSL Wizard (not available for use with my hosting account)

When I click on "SSL/TLS" I am presented with only 3 clickable options. The text content of that entire page is as follows:

The SSL/TLS Manager will allow you to generate SSL certificates, certificate signing requests, and private keys. These are all parts of using SSL to secure your website. SSL allows you to secure pages on your site so that information such as logins, credit card numbers, etc are sent encrypted instead of plain text. It is important to secure your site’s login areas, shopping areas, and other pages where sensitive information could be sent over the web.

Private Keys (KEY)
Generate, view, upload, or delete your private keys. (clickable link)

Certificate Signing Requests (CSR)
Generate, view, or delete SSL certificate signing requests. (clickable link)

Certificates (CRT)
Generate, view, upload, or delete SSL certificates. (clickable link)

When I click on the link for "Certificates (CRT)" I see this page (screenshot).

What are your thoughts in light of this?

Thanks,

James

Hi James,

Thanks for that info, It can be done with those options.

are you happy using ssh ? if so, can you SSH onto your server and run the command “uapi” and let me know if that works ( gives info about it being a Utility to execute cPanel API calls) or if it gives a “command not found error”

If you are not comfortable using SSH, then you can still install a cert, however it would require manually copying and pasting the certificate into the cPanel interface every couple of months.

serverco,

Thank you for your continued help.

When I login via the Terminal using SSH and type "uapi" the following information is output:

uapi

Utility to execute cPanel API calls

uapi [module] [uri-key=uri-value] [uri-key=uri-value] ....
IMPORTANT: “uri-key” and “uri-value” represent URI-escaped strings.
--output=[json|jsonpretty|xml|yaml]
    The serialization format to use for output.

--user=USER
    The user to run the API call as. REQUIRED when running “bin/apitool.pl” as root.
--help
    Prints this help text.

I am by no means a UNIX expert, nor do I normally use the MacOS Terminal. However, if there is a way for me to automate the process using the Terminal and SSH, that would be more desirable to me than manually doing it every few months via cPanel.

What is the next step?

Sincerely,

James

Yes, This is why I was asking if you had access to the uapi function on your server.

As an overview you would need to;

  1. Install a script to obtain a certificate for your domain ( I'd suggest as above, one of the Bash alternate clients ). Personally I use GetSSL, however I'm biased as I wrote that one. Any of these bash scripts should work on your server, and provide files containing the certificate, private key and CA bundle.

  2. use a script to install the certificate obtained into your cPanel. The basic command is ;

    uapi SSL install_ssl domain=example.com cert=THECERTIFICATETEXT key=THEKEYTEXT cabundle=THECABUNDLETEXT

  3. set up a cron to run the above 2 items automatically

Sorry if that is a bit technical - I'm judging from your responses above though that you understand the basics of SSH etc though. I wanted to give you the overview first, then I can help with each stage where you are not sure.

serverco,

Thank you again for your reply.

In light of your kind helpfulness thus far, logic dictates that I go with GetSSL for certificate automation.

For the sake of full disclosure, I have pretty much zero experience with SSH. Sure I setup my public and private keys and can login via SSH, but I learned that in the last week. So I don't want to give the impression that I know what I am doing because I really do not. I am just determined, a student of tech, and a fast learner. I have never written a Shell script, nor do I write scripts in general.

So when you say "use a script" you mean that I need to put your "basic command" in a text file and give it an appropriate name? (Sorry, I need a little more insight on accomplishing that.)

As to CRON setup, as you may have guessed, I have zero experience with that too. But in my cPanel I see a Cron Jobs icon. Clicking that shows the screen you see in this screenshot. Should I go with that? Or do I just type the following via SSH in the Terminal and hit return?

23 5 * * * /root/scripts/getssl -u -a -q

I have an international trip schedule for the next 14 days, but upon my return I will visit this thread and follow whatever additional guidance you can kindly offer. Thank you for the hand-holding.

James W.

Hi James,

I hope you have a good trip. I'll put some more detailed instructions here for you to try on your return.

Log in via SSH to your account then add getssl by running the command

curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > ~/getssl ; chmod 700 ~/getssl

That command (in SSH, on your server) simply copies the getssl code to your server and makes it executable.

The following command does the same for a simple script to upload your cert into cpanel

curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/other_scripts/cpanel_cert_upload > ~/cpanel_cert_upload; chmod 700 ~/cpanel_cert_upload

Then run

~/getssl -c domain.com

where "domain.com" is your main domain name. this will create the config files for getssl for your domain. You then need to edit the config files for your domain. You can either do this with the editor in the file manager with cpanel, or via SSH with the command

nano ~/.getssl/domain.com/getssl.cfg

where domain.com again is your main domain name. All this file needs to contain for you is probably;

CA="https://acme-v01.api.letsencrypt.org"
ACCOUNT_EMAIL="me@example.com"
SANS=www.domain.com
ACL=('/home/username/public_html/.well-known/acme-challenge')
USE_SINGLE_ACL="true"
RELOAD_CMD="${HOME}/cpanel_cert_upload domain.com"

where "me@example.com" is your email address, "domain.com" is your main domain and "username" is your cpanel username

you should then be able to just run getssl

~/getssl -a

and it will run and obtain a certificate for you (this is the same command you would run for renewing etc as well. it's just easier to run it manually the first time to check things rather than via a cron.

For the cron command - it's probably easiest for you to use the "Cron Jobs icon". In the top box of "common settings" you would select "once per day" which will then select the items in most of the other boxes for you. In the command box you would put "~/getssl -u -a -q" (without the quotes)