LE at Pair.com: Need help Generating Certificate [Resolved]

I’m on a shared server at Pair.com (Apache 2.4 and FreeBSD).

I have applied to use LE at Pair, and PairSSL support have confirmed I can use LE, and have to send them the generated Cert for them to apply manually (until they get LE automated at Pair).

Pair have emailed me the CSR I will need to generate a certificate.

I’ve never used CertBot to generate a certificate, nor used Terminal on my Mac, so can anybody give a step by step guide to generating a certificate please?

Pair are simply waiting for me to send them the certificate.

use certbot csr command

review the use of certbot in the manual

Options for modifying how a certificate is obtained

–csr CSR Path to a Certificate Signing Request (CSR) in DER or
PEM format. Currently --csr only works with the
’certonly’ subcommand. (default: None)


1 Like

Thank you Andrei,

I checked the certbot link, and it seems to be about installing CertBot on servers, which is something I’m not allowed to do at Pair shared hosting.

How else can I generate a certificate to pass to pair support to install?

I find very little on the Getting Started page about simply downloading CertBot onto my Mac, and making the certificate.

I’m clearly not geek enough to use this yet.


Maybe you could generate the cert using the provided CSR and DNS authentication.
Which can be done away from the server.

1 Like

Maybe I’m missing something, but if they generate and manage the private key, then they are in a much better position to complete the challenge than you are.

It’s completely backwards that they control the web server and DNS and then make you send in a CSR and hand them a certificate. It’s their job and they have much better control. Their suggested workflow seems oddly awkward.

try www.zerossl.com

Note you should be aware that you need to complete a challenge to prove you own the domain (for example upload a file)



I agree with both @WinstonSmith that the workflow they propose is not really optimal (they could do it themselves more easily) and with @ahaw021 that ZeroSSL is likely to satisfy their proposed workflow. Remember that you’ll have to repeat this process at least every three months! Maybe you could also ask them at the same time whether they would be prepared to set up some kind of automation on the hosting side for you, or otherwise deepen their level of support for Let’s Encrypt.

1 Like

Thank you Winston, I appreciate your comments, but in Pair’s defence, they say they are working on implementing the automated incorporation of LE, meanwhile they are charging for their own PairSSL service to take this chore off the hands of punters like me :slight_smile:

I have already written privately to Kevin (who owns pair) to nudge him to do the best thing, and I’m sure he will soon.

Meanwhile, I’m stumped.

Thank you rg305, I’ll look into that after checking out Andrei’s zerossl.com suggestion.

So far so good… I sent the key I made at zerossl to Pair, and I’m waiting for them to complete the challenge, as I don’t have access to the directory to place the verification file.

Zerossl asks me not to click Next until the file is in-situ, so we have to wait patiently.

Thank you Seth, I appreciate everyone’s comments, but I don’t want to paint Pair in a corner.

Kevin is a good bloke, and he will do the right thing soon, I have already written to him, and as I mentioned above: Pair are “working on” implementation of LE, I am asurred.

Okay, I’m making progress.
I created the challenge file and put it in the public directory as designated by zerossl.com, and pressed the NEXT button, and it worked, I got the Domain-crt.txt which I have now emailed to Pairssl to install for me.

They are just waking in Pittsburgh on Sunday morning, so we still need patience :slight_smile:

I have already switched all my html files to https on my desktop HD ready to upload once the cert is installed and site switched to enable ssl.

Then we shall see.

1 Like

Pair.com just confirmed the SSL Certificate is now installed.
I tested and it works :slight_smile:

Now I have to repeat the process for my two sub-domains, until next January, when hopefully wildcard certificates are ready at LE.


1 Like

well done

i would suggest looking at certbot on your webserver which should make the passing of the challenges a bit more automated.


1 Like

Thanks for your help Andrei, much appreciated. :smile: )

Actually, passing the challenge was easy, after I realised +I+ was supposed to make the challenge directory in my own public directory (I’d been waiting, assuming Pair had to put that somewhere I don’t have access.)

Perhaps I also misunderstood about Certbot too, I’ll check again if I can install that in my own shared web space at Pair, but the Cerbot webpage is daunting to non-geeks like me and your Zerossl.com suggestion was what got me along the way.

1 Like

Everything is functioning as it ought to, and we are now listed in the major SE’s as an https site for the first time, which boosted us to the top of our niche in G, even above their beloved Wikipedia page :slight_smile:

I’m just wondering if this entry in my site raw logs is anything to do with using LE and Zerossl?

(I edited the full IP and removed the time) The IP is Savvis/ Qualys:

64.41.200.xxx - - [09/Oct/2017] “GET / HTTP/1.1” 200 13406 “-” "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
64.41.200.xxx - - [09/Oct/2017] “GET /?SSL_Labs_Renegotiation_Test=User_Agent_May_Not_Show HTTP/1.0” 400 3955 “-” “-”

Let's Encrypt? Not directly. ZeroSSL? I don't know, maybe.

Someone -- maybe you? -- must have run Qualys's SSL Labs test on your website. (It's a great service!) I haven't used ZeroSSL, so i don't know if it automatically does an SSL Labs scan, or encourages you to.

If you posted your site name and an HTTPS related issue on the forum, one of the other posters here might have done it to help determine what was going on. (This thread was about getting a certificate, rather than something going wrong while trying to use a certificate you already have, so that sounds unlikely.)

Maybe someone from pair support did it.

Thanks Matt, you’re spot-on… it was me.

I recognise the testing page now you remind me.

Domain and all sub-doms get a nice Green A.

BTW: The owner of Pair.com has replied to my email confirming they will soon have LE automated for all accounts, and are running a special offer including SSL for free. (I can’t see that on their site or in their newsletter, so maybe it is a Special Offer in the pipeline?)

To clarify - ZeroSSL does not do any outbound connections. The online client runs in your browser and the only connections established are between your browser and Let's Encrypt API endpoints. Let's Encrypt verification servers may request specific verification files if you have selected HTTP verification method, but that's it.

Looking at the address there, that is definitely Qualys netblock, so indeed @PeaceComesFree seems to have run a check on himself :slight_smile:

P.S. Personally I find Qualys check rather useful, however I believe it targets users with a certain level of knowledge, so for those less technically aware I would probably recommend Mozilla SSL Configuration Generator and Cipherli.st as proper starting points regarding configuring the server in the right manner.

1 Like

Yes, you are both correct, I simply ran the Qualys SSL Test myself right after I set up the new protocol to ensure it was working properly, and was chuffed to get the Big Green A on all the domains.

The server level configuration was done by Pair (my web host), I sent them the SSL Cert by email after generating it on ZeroSSL.

Hopefully, they will be more automated by my renewal time in January. If not, I'm making precise note ready to repeat the whole drama.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.