Manual certificate renewal - GoDaddy

I was using zerossl.com in conjunction with GoDaddy and cPanel and it worked fine, and I was happy to manually renew it every 3 months.

Zerossl was providing me with the file to upload to /.well-known/acme-challenge/ as well as the certificate.

Now they are charging and I can’t afford the fee.

Can I get the certificate directly from Let’s Encrypt?
I am happy to manually renew every 3 months.
Thanks

My domains are:
bagpiper.net
joemcdonald.net
thekingsofsingh.com
thoktoberators.com

My hosting provider, if applicable, is:
GoDaddy

I can login to a root shell on my machine (yes or no, or I don’t know):
I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
cPanel

2 Likes

Let’s Encrypt has been discouraging the use of web-based browser clients, as using Let’s Encrypt in a manual way is not good. In more words: https://letsencrypt.org/docs/godaddy/

There are still some web-based clients around like https://gethttpsforfree.com/.

The official Let’s Encrypt client, Certbot, can be used in a manual way as well, and it’s available for Windows/macOS/Linux: https://certbot.eff.org/ .

You can do the equivalent of using the old ZeroSSL interface like this:

certbot certonly -d example.com -d www.example.com --manual

and it will prompt you to set up the validation files as you’re used to. Then you can upload the certificate files to cPanel afterwards.

Other clients can also do the same.

If your GoDaddy hosting comes with SSH access and you’re not afraid of the terminal, you might also be able to set up automatically renewing certificates using this guide.

2 Likes

While I agree generally with @_az, I was so angry with sslforfree.com selling out to zerossl that I wrote my own truly free web-based Let’s Encrypt client that you can find on my website that directly replaces sslforfree and zerossl. I do encourage working towards an automated solution. If you cannot because of using shared hosting on GoDaddy (like me) then at least you won’t have to contribute to zerossl’s greed.

2 Likes

Please use this to get your certificate on your laptop:

(it will renew it automatically, if you want – you should)

and then upload it manually or find some way of doing that automatically.

1 Like

Thanks!
freessltools.com worked well for me.
I recommend it for all GoDaddy clients who used to use zerossl

2 Likes

@Gowebsmarty For automatic installation into cPanel, you’ve got to pay for the premium version. I see you’re the developer for the plugin, so I’m pretty sure this is spam.

1 Like

@Osiris I’m definitely not recommending our premium version here. Thought our plugin would help at least for getting the SSL certificates for non-techy people. Hope this thread relates to getting SSL certificate and not the installation part.

This is so damn frustrating. I’ve read the letsencrypt doc about GoDaddy. They’ve provided certs for decades, at a price comparable to what is now charged by ZeroSSL (at least, if you only need one), and I totally disagree with the doc’s statement, "it’s currently very difficult to install a Let’s Encrypt certificate."

No, it’s not difficult at all. It takes 5 minutes once you’ve made yourself a crib sheet (just noting what you did last time). Upload two verification text files, then when done, go to CPanel and paste the contents of two text files. Duh. If GoDaddy is difficult, it’s just the process of navigating GoDaddy to CPanel and identifying which security icon to click. Again, do it once, and it’s a no-brainer every 60 or 89 days. What IS difficult is finding how to renew a cert manually at LetsEncrypt, now that Zero-SSL limits us to three. (Granted, either is fine with me; I used to HAVE to use LetsEncrypt. But there’s a bug at Zero-SSL that makes it think my renewal of two certs is more than three and will not even remove from the “expired” list the one renewed cert that it did allow. Thus my return to LetsEncrypt.)

Except, I STILL cannot find my way to the manual Letsencrypt.org interface (the purple page.)

I see no security or overhead issue with manually renewing a cert, and since I’m not paying them, it’s not a profit thing. Advertising? Partnership rebates? All I can figure is it’s management’s pride, arrogance and/or prejudice. God save us from overly righteous techies. They say, “We think automated renewals are a very important part of using certificates.” Well, WE think that a 5-10 minute job beats an hour of research and bug identification every time, and doing business with the vendor of my choice is an even more important part of using anything.

2 Likes

Let's Encrypt has never had a manual interface.

That purple website was zerossl.com. It was a third-party browser-based Let's Encrypt client.

Then, a company called apilayer came along and bought zerossl.com out. Shortly after, they killed off the purple website, acquired their own certificate authority, and commercialized their offering.

In the same vein, GoDaddy could just as easily enable AutoSSL on their shared hosting, but they choose not to, because it would cannibalize their own revenue, as GoDaddy themselves are a certificate authority who are competing with Let's Encrypt.

This manually renewing certificate debacle reflects poorly on pretty much everyone - ZeroSSL, GoDaddy and Let's Encrypt, because it's leading to frustrated users.

But please understand that Let's Encrypt had nothing to do with old ZeroSSL disappearing, and Let's Encrypt has nothing to do with GoDaddy refusing to offer free certificates. I am happily using shared cPanel hosting where I don't even think about SSL because it's all automatic.

6 Likes

I hear you. I hate ZeroSSL and really hate that sslforfree sold out to ZeroSSL. That’s why I created my own (actually free) webpage for getting Let’s Encrypt wildcard certificates at freessltools.com/freesslcertificate to replace what was stolen by ZeroSSL. While I do see the benefit of using a fully-automated client, many people do not possess the technical skills (or root permissions from GoDaddy) to use automated clients. :blush:

2 Likes

Luckily, root is not necessary for automated Let's Encrypt certificates with GoDaddy.

2 Likes

Agreed, but digging through a bunch of random software and reading a ton of documentation then asking for help in a forum filled with very technical people can be quite daunting for your average person or small business owner who has minimal tech skills. It's a conundrum that probably needs cleaner interfaces to solve. Meanwhile I try to bring people into the fold using Let's Encrypt in any way possible, especially people who run in terror (or disgust) when you mention a terminal or script.

3 Likes

We really need to work on this!

1 Like

Doh. Wish I’d thought of this hours ago. I created a second account at ZeroSSL. Just needed a fresh email address and PW. Created one cert, same process as the one renewal I did yesterday, and installed it at GoDaddy. I suppose this approach violates the spirit of the “3 free certs” policy, but it’s ZeroSSL that seems to be the roadblock, and I have a total of only two certs, so I figure okay for now. Let’s see how it goes in 60 days.

1 Like

As compared to the usual procedure, it is. Let me illustrate the usual procedure:

  • install an acme client, get a certificate and let the client install it on your server, or install it yourself and tell the client how to reload the server;
  • make sure the client's crontabs or systemd timers are running;
  • forget about it.

Do you think it is reasonable to expect people to manually update their certificate every 60-90 days? I do not.

2 Likes

This forum will help you if it can correctly identify your tech skills level (it's more about language than actual skills, though: if I tell you "run this command" you either do, or ask what it does, or don't trust me and ignore the instruction -- all fine outcomes).

The main issue more often than not is that the people on this forum know a lot more than the random tutorials people find before coming to this forum. :smiley:

The secondary issue is that other than certbot most acme clients have really lacking documentation :smiley:

2 Likes

Not sure how people knowing things is an issue. Well, sometimes when we geek out it makes people really lost, so I suppose that could be an issue. :sweat_smile:

The way I see it, poor documentation can be a problem, but lack of user-friendliness is far worse. Most people don't even care to understand how to install the software, let alone how to use it. There are a number of reasons that companies like Nintendo and Apple have made billions of dollars. Exposing people to limited details has its benefits. I see two primary models with acme clients:

User-controlled-and-maintained (eg certbot, acme.sh):
Requires the user to install and configure on their hosting server, personal device, etc.

  • Pros: Greater control over process, possibly complete automation, destiny in the hands of the user (sort of, because clients change constantly and can disappear anytime)
  • Cons: Forces users to learn the client rather than the nature of what the client does (getting certificates), drowns users' time and energy into finding answers to why the client didn't work with their particular system, requires development of clients of every flavor for every culture

Developer-controlled-and-maintained (eg website clients):

  • Pros: Allows users to focus on what they are trying to accomplish (getting certificates), no need to install or configure anything, almost zero failure rate due to client being tuned and running in a fully-compatible environment, use-case agnostic (no need to care about the users' circumstances), much narrower range of questions and issues than the alternative, accessible to a much wider user-base (less technical, easy to create tutorials)
  • Cons: Less flexibility of usage, greater involvement in the certification process (a pro in some ways), difficulty automating renewals, greater repetitive burden (does create loyalty and return traffic though), destiny in the hands of the developer/maintainer (hence the screaming about zerossl and sslforfree), more rigid limitations in process (eg client can't do things past certain points)

2 Likes

These tasks can sometimes be really daunting even to the technically-minded. They are often riddled with detailed problems and idiosyncrasies.

Do you think it's reasonable for people to come back to these forums for a week (or more) just to get the client working for their case then come back here in a few months when something changes, again? I do not. :wink:

2 Likes

I wrote this up for someone. Figure I might as well share it here to demonstrate what an easy process looks like for just getting a certificate when you need it:

I can make this even easier than what you’ve been doing. No need to upload anything to anywhere and no files to create. You can even do it all on a smartphone while waiting for your coffee.

You’ll need 3 open browser tabs/windows to do this quickly. The first tab is your cPanel. The second tab is my website at freessltools.com/freesslcertificate. The third tab is your domain registrar account (not in cPanel) (e.g. GoDaddy). The whole process is as follows:

In the first tab, in cPanel under SECURITY click on SSL/TLS. Make sure it’s not the SSL/TLS Status that you click. Note that in any of the screens that follow there’s a link at the bottom to get back to the main SSL Manager page.

  1. Generate a private key (KEY) first of 4,096 bits with today’s date as the description.
  2. Generate a certificate signing request (CSR) with today’s date as the description. Be sure to select the key with today’s date you just generated and NOT generate a new (weaker) key.
  3. Copy the Encoded CSR over to my website in the second tab and submit it then follow the instructions on the next screen to generate your certificate. The set of instructions listed below for the third tab will hopefully get you to where you need to add the DNS TXT records with your domain registrar.
  4. Once you’ve added your TXT records in the third tab, go back to my website in the second tab and click Validate to get your certificate. If you run into issues, there’s no harm in resubmitting the same CSR and trying to Validate again once you’ve adjusted your TXT records. Almost every problem stems from not entering your Name/Host right so be sure to read the directions on the “Prove you control the domain(s)” page thoroughly. Be sure to wait long enough for the DNS TXT records to propagate through the system. This is usually very fast, but can take a few minutes especially if you need to modify them. Sometimes I’ve found that people don’t copy over the entire Value due to the presence of hyphens (-) or underscores (_), so be careful with that too.
  5. Once you Validate successfully, copy your encoded certificate then go back to the first tab.
  6. In cPanel SSL Manager, click on Certificates (CRT) then paste your encoded certificate and enter today’s date as the description then Save.
  7. Install your saved certificate from the list. THIS IS CRITICAL AND EASY TO OVERLOOK.
  8. Delete the DNS TXT records you created in the third tab and any old private keys, CSRs, and certificates in cPanel. There’s no harm in leaving them. It will just make your life more confusing later.
  9. Drink your coffee.

In the third tab, to add the TXT records these instructions are given for GoDaddy as a domain registrar (though all registrars have similar).

  1. Go to My Products and click on the domain you’re certifying.
  2. Under Advanced Options click on either Manage DNS or click on Domain Settings then under Additional Settings you’ll find a Manage DNS link.
  3. In DNS Management under Records you can add records with the ADD link at the bottom of the section. You can edit them with the pencil icons.

2 Likes
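
Added example, not part of the post above and not code from freessltools.com: a small Python check for the two DNS TXT mistakes the post names, a wrong Name/Host and a Value that was only partly copied. The function names are hypothetical, the token and thumbprint are constructed, and it assumes the registrar's DNS panel appends the zone name to whatever is typed into the Host box; the value format is the one RFC 8555 section 8.4 defines for the DNS-01 challenge.

```python
import base64
import hashlib
import re


def dns01_txt_value(token, account_thumbprint):
    """RFC 8555 section 8.4: base64url(SHA-256(token + '.' + thumbprint)), unpadded."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def host_field(identifier, zone):
    """Name to type into a Host box that appends the zone itself (assumption)."""
    ident = identifier.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if ident.startswith("*."):
        ident = ident[2:]  # a wildcard is validated at its base name
    if ident != zone and not ident.endswith("." + zone):
        raise ValueError(f"{identifier} is not inside zone {zone}")
    fqdn = "_acme-challenge." + ident
    return fqdn[: -(len(zone) + 1)]  # drop the trailing ".<zone>"


def check_pasted_value(pasted):
    """Return the reasons a pasted TXT value cannot be a DNS-01 digest."""
    problems = []
    if pasted != pasted.strip():
        problems.append("leading or trailing whitespace")
    value = pasted.strip()
    if len(value) != 43:  # 32-byte SHA-256 digest -> 43 base64url characters
        problems.append(f"length {len(value)}, expected 43 (partial copy?)")
    if re.search(r"[^A-Za-z0-9_-]", value):
        problems.append("characters outside the base64url alphabet")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not a real token or account key thumbprint.
    value = dns01_txt_value("constructed-token_123", "constructed-thumbprint_456")
    for name in ("example.com", "*.example.com", "www.example.com"):
        print(f"{name:18} Host: {host_field(name, 'example.com'):22} TXT: {value}")
    print(check_pasted_value(value[:20]))  # simulates a copy cut short
```

An empty list from `check_pasted_value` only means the value has the right shape; whether it is the right value is still decided by the CA when it queries the record.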

Hi @freessltools.com

it’s not the idea of this forum that you hijack every topic. And it’s not the idea that you write three replies. Please stop that.

The original question is answered.

So it’s time to close that topic.

2 Likes