we have a hosting service (IPlan Networks from Argentina) where we have no command line access and cannot install anything on the server. We only have a SFTP connection to publish the web pages. Also, we have a Panel to access some features (CPanel). From here we can create a CSR, download it and send it to you to obtain the certificate.
My question is: can we upload the CSR manually to Let's Encrypt and obtain the certificate to be manually uploaded to the hosting (through CPanel)?
We don't see any other way to start using TLS in our page.
My domain is: www.complus-arg.com.ar
I ran this command: N/A
It produced this output: N/A
My web server is (include version): we don't know, Apache, I think.
The operating system my web server runs on is (include version): Linux
My hosting provider, if applicable, is: Iplan (Argentina)
I can login to a root shell on my machine (yes or no, or I don't know): No
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): CPanel
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): we cannot install a client
Technically you can, but it's convoluted and requires you to do that manual intervention every couple months (and soon as often as every month).
If your system allows for running custom PHP scripts, and for programmatic access to that cPanel for installing the certificates, you may want to explore using CertSage. Otherwise, you may want to explore using a less hostile hosting provider.
Hi,
it is a bit confusing. CPanel says that the hosting is in linux, but the error points to a Windows server. The page www.complus-arg.com.ar is into the Windows Server (it appears to be IIS).
It is the information that we received from the hosting provider.
This is why I want to do this manually (until we change the hosting).
Yes, connections using HTTPS:// to that domain are to an IIS server. But, that server currently is using a cert with a different domain name that expired long ago. Do you recognize this name? (see below)
The reason I ask is are you sure the IP address in the DNS for your domain is the correct public IP?
Subject: CN=*.comisionriodelaplata.org
Issuer: C=US, O=Let's Encrypt, CN=R11
Validity
Not Before: Jul 15 22:41:38 2024 GMT
Not After : Oct 13 22:41:37 2024 GMT
Even if you could get a certificate you would need to configure your system to use it. Do you know how you would do that?
As it's such as simple site I'd also suggest just moving it to a modern hosting platform that has automated certificates such as squarespace or wix (I don't use these services myself, just a suggestion).
While you're doing that you could simply use whatever page designer tool those offer instead of an embedded pdf, that would make the site more easily found on google etc.
we clarified all these things with the hosting provider and it is ok.
But the only way that we have to manage a certificate is by doing this manually.
So, the question is: can we generate a certificate by uploading the already createdd CSR or by crerating the key pair and cert from scratch in Let's Encrypt?
Then we can import it manually through CPanel.
Virtually all ACME clients generate private key, and CSR internally before requesting a certificate. Many of them also allow you to provide your own CSR (certbot does). This is client-side only behaviour, it does not depend on CA.
Yes. The primary reason you'd need/want a client on the webserver is if you're using an HTTP challenge. (It can also ease the installation of acquired certificates.) If you use a DNS challenge, you can utilize a client on any system. (You'll still need to install acquired certificates on the webserver.)
You may use --deploy-hook command line option in certbot to execute a script that will run whatever commands you need (e.g. ssh/scp, terraform, or API) of the destination device you need to install certificate. It's probably the best option given certificates need renewing every 2 months (1 month in the future), and doing all of this manually will be tedious.