Hello! I deploy small sites for webcomic artists at Hiveworks and some of our artists use their own hosts. In one case we have a comic called White Noise that uses a host called A Small Orange. When the artist asked them directly they were told to get a Let's Encrypt certificate manually and they would install it.
From the Getting Started page I believe what I need to do is use Certbot locally to create a certificate for this artist manually then send it to them. But I want to make sure there isn't something else I should be doing here. I do want to try and sell A Small Orange on supporting Let's Encrypt more directly but in the meantime I want to check with everyone here about what I should do (is there an FAQ I should send them?), since I don't often work with SSL certs and how to make them manually.
I can login to a root shell on my machine (yes or no, or I don't know): I don't believe so
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes, cPanel 70.0.69
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Not used yet.
Edit: the artist gave me cPanel access and I'm seeing options for uploading a cert (by manually inputting one or uploading a .crt) and then applying it to one of their websites. I assume I generate the cert using certbot, but since I mostly deal with frontend/template work I want to make sure I'm not screwing anything up.
The Let's Encrypt certs are only good for 90 days. They are often renewed after 60 days so any required "manual" action would be this frequent. The ACME protocol used by Let's Encrypt is optimal for automation of cert renewals.
The ACME protocol requires you to demonstrate "control" of the domain name you seek a certificate for. This is more commonly done by running a client (like Certbot) on the domain's server. But some clever combinations of server and DNS config can be used to allow alternate setups (like using HTTP redirects or DNS CNAMEs). I mention this to highlight that you will need to be, um, intimately engaged with the sites you seek certs for.
At least for the site on A Small Orange I think @griffin will be helpful. He is the author of a client that helps specifically with cPanel setups. He is a frequent visitor to the forum.
Maybe start with just this one site and see how it goes.
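The 90-day lifetime above is the part of a hand-installed cert that bites later: nothing on the host renews what was pasted into cPanel, so someone has to notice before it lapses. The script below is an added example for this thread, not code from the forum, from Certbot or from CertSage. It handshakes with each site you name, reads the leaf certificate's expiry from the live connection, and exits non-zero once fewer than 30 days remain (the threshold is an assumption, chosen to match Certbot's own default renewal window; the hostnames on the command line are yours). Because it uses Python's default verifying context, a cert served without its CA bundle, or one that has already expired, shows up as a verification error rather than a day count, which is exactly the failure a browser would see.

```python
"""Report how many days remain on the certificate a site is actually serving.

Added example for certs that are renewed and uploaded by hand (e.g. via cPanel).
Run it from cron or by hand; a non-zero exit means a manual renewal is due.
"""
import socket
import ssl
import sys
import time

SECONDS_PER_DAY = 86400
# Assumption: renew once fewer than 30 days remain, which is Certbot's default
# and matches the "renewed after about 60 days" cadence for a 90-day cert.
RENEW_THRESHOLD_DAYS = 30


def parse_cert_time(not_after):
    """Turn the 'notAfter' string from getpeercert() into epoch seconds (UTC).

    The format is OpenSSL's, e.g. 'Jun 30 23:59:59 2024 GMT'.
    """
    return ssl.cert_time_to_seconds(not_after)


def days_remaining(not_after, now=None):
    """Whole days until the certificate expires; negative once it has expired."""
    if now is None:
        now = time.time()
    return int((parse_cert_time(not_after) - now) // SECONDS_PER_DAY)


def classify(days):
    """Map remaining days to an action: 'ok', 'renew' or 'expired'."""
    if days < 0:
        return "expired"
    if days < RENEW_THRESHOLD_DAYS:
        return "renew"
    return "ok"


def fetch_not_after(host, port=443, timeout=10.0):
    """Handshake with the live server and return the leaf cert's notAfter string.

    The default context verifies the chain against the system trust store, so a
    cert uploaded without its CA bundle, or one that has already expired, raises
    ssl.SSLCertVerificationError instead of returning a date.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host):
    """Return (host, days_remaining, status) for one live site."""
    days = days_remaining(fetch_not_after(host))
    return host, days, classify(days)


if __name__ == "__main__":
    # Usage: python check_cert_expiry.py example.com comic.example
    # (the hostnames are yours; these are placeholders, not real sites)
    worst = "ok"
    for host in sys.argv[1:]:
        try:
            _, days, status = check_host(host)
            print(f"{host}: {days} days left ({status})")
        except ssl.SSLCertVerificationError as exc:
            status = "expired"
            print(f"{host}: verification failed: {exc.verify_message}")
        if status != "ok":
            worst = status
    sys.exit(0 if worst == "ok" else 1)
```

A verification failure is treated as "expired" on purpose: whether the cert ran out or the chain was pasted incompletely, visitors are already seeing a warning, so the exit code should trigger the same manual action.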
Thank you all very, very much. I mostly fiddle with frontend so I'm very grateful for all this information. And wow, @griffin, CertSage did exactly what I needed! I generated a cert and added it inside their cPanel.
I still want to try and talk to their host in hopes that they'll integrate Let's Encrypt more directly so this artist doesn't have to manually generate certs every 90 days. So I'm going to show them this wonderful thread, the links you've all shared with me, and the incredible suggestions you've given me.
If anyone has any other threads that provide good rundowns of why a host should support Let's Encrypt or any advice on how to communicate with hosts as I've never done this before, I'd appreciate it. But you've all already done so much - thank you again!
My understanding is that cPanel has good automated requesting and installation of TLS certificates built in, and that any hosting provider that doesn't use it has specifically removed it in order to either attempt to "upsell" you to their paid TLS services by explicitly making it hard to do, or is just outright incompetent. I've not actually used cPanel myself, though, so I might not be understanding the dynamics completely.
There were several threads by @tlrenkensebastian along those lines which had some good advice and links to articles in them I think you could use, though some of it is focused more on convincing the site owners rather than the hosting companies:
Aw, thanks Peter! I'm so glad that you still remember my efforts after all this time. In fact, one of the reasons I've come back to the forums is that I'm attempting to remember how I phrased such a "Hey, your site doesn't have a TLS and if you don't know how to get one, you can get one from LE" email. As I continue to do research for my master's project and just in general navigate around the web I've been sending out these kinds of messages to webmasters and organizations and have been met with some success in at least getting the people to think about why they don't have a cert and how easy it might be for them to have one. Unfortunately there's not enough data for me to consistently have an email template for this but the process endures.
First off, welcome to the community and thank you for being the kind of person who wants to help spread the word. Even if using LE to generate certs for their customers might not be the way the host you're speaking about ends up going about doing it, the fact that you want to bring this up to them is super-critical and helpful towards the overall ISRG mission. So thanks!
When it comes to speaking to orgs and trying to convince them to do a thing that they didn't think about doing previously, I think the best way to get them to at least consider it is to describe how much benefit they will gain as an org by changing their existing methods. In other forum posts, I've mentioned avoiding communication barriers and there are tons of research papers out there that summarize them and provide tips on how to avoid them. It might not hurt to also read up on Leverage Points in a system and try to figure out which leverage point would be the most helpful to push on to get them to make that procedural change.
Good luck and have fun! (Also, Hiveworks is awesome.)