My server provider gave me a CSR to get SSL from Let's Encrypt

My domain is: www.workinio.com

I ran this command: I asked my server provider (working under Server Version: Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e-fips modSSL)

who said: "You can provide the CSR certificate to Let's Encrypt: http://spam.hgfix.net/6306782.txt

The server CSR certificate is added in link

You can provide it to them

They will generate SSL certificates you can provide us with that certificates we will install on our server"

So how can I get those SSL certificates now?

1 Like

That's not how Let's Encrypt works. Let's Encrypt is fully automated and does not sign CSRs manually for users such as yourself.

Please read some basics about Let's Encrypt:

and

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

In addition to what @Osiris correctly mentioned, your certificate signing request (CSR) does not include a subject alternative name (SAN) list, so any resulting certificate would cover workinio.com, but not www.workinio.com (or any other subdomain of workinio.com).

You can verify this here:

https://redkestrel.co.uk/products/decoder/

It’s certainly not how Let’s Encrypt designed their CA to work, and not the encouraged way of issuing certificates — as you said they’re automated — but it’s perfectly possible to have a CSR file signed by Let’s Encrypt, providing the person/client submitting the CSR file can validate control of the domain(s) contained in said CSR.

I myself have been issuing certificates for my UniFi CloudKey using the following command:

certbot certonly --manual --csr /path/to/csr --preferred-challenges dns

Certbot documentation can be found here
https://certbot.eff.org/docs/using.html

1 Like

Notice how I said "manually"? Of course the ACME server signs CSRs... That's an intrinsic part of the ACME protocol. But that's not manually, as in, a person is involved.

Well, you said Let’s Encrypt doesn’t sign CSRs for users, but provided s/he can validate control of the domain (perhaps using the DNS challenge?), s/he can get the SSL certificate issued and can then provide it to their host, which is what s/he wants.

Of course they will need to do the same process at least once every 90 days, but the way I see it, it’s possible.

I flagged/hid some posts in this thread that didn't contribute to helping the original poster. proclient, sorry about that; this was not the reception you should have expected, and I hope the rest of this thread did give you enough information to go on. If not, please don't hesitate to reply. We'll keep helping you out.

2 Likes

As noted by @gusta you can specify a CSR file using the options shown (see also --csr User Guide — Certbot 2.7.0.dev0 documentation). It's quite common to have to specify a CSR if you don't really control the server (so you are not in control of things like webserver configuration etc), which seems to be the case here.

This is indeed a manual process because you will need to complete the http or DNS challenges (using certbot) to get your certificate files, and you will need to repeat it every time you need to renew your certificate, which you will likely find is an inconvenience. You may wish to investigate other hosting options including running your own server on a cloud hosting platform (AWS LightSail, Google Cloud etc), or use a web host that offers free certificates included in the hosting bundle.

I'm assuming your host does offer certificates but they may not be zero cost and that's what has led you down this (fairly complex) path.

1 Like

Thanks to all the contributors for their time and their detailed and kind answers. As I am not a specialist, I understand that I don't have a solution at this stage to have it done directly and automatically. It will be too time consuming and even obscure to start looking for another host and move the site I am trying to build now. The question is then, what should I request my host to do (with which link), as their request is not feasible?

1 Like

Since your hosting provider seems to control things, you would probably be best off running certbot on your own computer and fulfilling one or more dns-01 challenges, which will require you to add one or more TXT records to the DNS for your domain name each time you request a certificate. This way, the certificate and its private key are saved to your own computer and can then just be SECURELY given to your hosting provider. Be careful to protect your private key by being sure to transfer it over some secure means, like SSH, to your hosting provider's webserver. From there, your hosting provider can install your certificate and private key for you.

The certbot command you would use would look something like this:

certbot certonly --manual --preferred-challenges dns -d "workinio.com,www.workinio.com"

Follow the onscreen prompts from there. You will be asked, among other things, to accept the Subscriber Agreement and enter an email address where you want to receive your certificate expiration notifications.

1 Like

Hi there @griffin, top of the mornin' to ya! Changing one's DNS zone is often more difficult than using FTP to put a file on the website. I recommend using the http-01 challenge if possible over the dns-01 challenge any time! We should ask @proclient which is a better option. Also, I think it's probably the easiest method to use the CSR provided by the site's support team.

@proclient The best thing your host could do, is offer Let's Encrypt certificates automatically and for free. If that isn't an option, you could go through with the CSR option. I do have a question for you though: what is easier for you:

  1. add a TXT record with a specific value to a specific DNS label in your DNS zone editor; or
  2. add a certain file with specific contents (which you could make with Windows Notepad for example) and make it available on your site in a specific folder, with the same software you'd put files on your website.

1 Like

The CSR the hosting provider provided doesn't have a SAN list and thus doesn't cover www.workinio.com.

Maybe @proclient could ask their website support for:

  1. If it's indeed possible for @proclient to provide the certificate and private key without using a CSR from the support team (and use the method you're describing, although I would use the http-01 challenge if at all possible);
  2. if the above is not possible, ask the support team for a new CSR which includes the www subdomain too.

1 Like
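Two posts above make the same point: the host's CSR has no SAN list, so it would not cover www.workinio.com, and the fix is a new CSR that includes the www label. The script below is an added example (not from the thread) showing how to check that locally with the openssl command line instead of a web decoder, and what a CSR covering both names looks like. It assumes openssl is installed; the two CSRs it generates are throwaway ones built inline, and csr_names and csr_covers are helper names chosen here.

```shell
#!/bin/sh
# Added example: build two throwaway CSRs with openssl, one CN-only (the shape
# of the CSR the host supplied) and one with a SAN list, then list the DNS
# names each one actually asks for. Domain names are the thread's own.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CN-only CSR: no subjectAltName extension, so only the apex name is requested.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=workinio.com" \
    -keyout "$WORK/cn-only.key" -out "$WORK/cn-only.csr" 2>/dev/null

# CSR with a SAN list covering apex and www. The extension comes from a config
# file rather than -addext so the same recipe works on OpenSSL 1.0.x too.
cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = workinio.com
[v3_req]
subjectAltName = DNS:workinio.com, DNS:www.workinio.com
EOF
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/san.cnf" \
    -keyout "$WORK/san.key" -out "$WORK/san.csr" 2>/dev/null

# csr_names FILE: print each DNS name the CSR requests (CN plus SAN DNS
# entries), one per line, deduplicated.
csr_names() {
    {
        openssl req -in "$1" -noout -subject -nameopt sep_multiline,lname \
            | sed -n 's/^ *commonName *= *//p'
        openssl req -in "$1" -noout -text \
            | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
            | tr ',' '\n' | sed -n 's/^ *DNS://p'
    } | sort -u
}

# csr_covers FILE NAME: exit 0 if NAME is requested by the CSR, 1 otherwise.
csr_covers() {
    csr_names "$1" | grep -qx "$2"
}

for f in cn-only san; do
    echo "== $f.csr requests:"; csr_names "$WORK/$f.csr"
done
```

Run csr_covers against the CSR your host sends before submitting it to any ACME client; if www.workinio.com is missing, the certificate will not cover the www site no matter which challenge you pass.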

Makes sense to me. :slightly_smiling_face:

I was suggesting to skip the hosting provider initially by just providing them with the private key and certificate. Your suggestion is wise though in that the private key would already be with the hosting provider and thus never be put at risk in the process.

@proclient

If you use a CSR file provided by your hosting provider (named your.csr as an example here), the certbot command you would use would look something like this for dns-01 challenges:

certbot certonly --manual --preferred-challenges dns --csr your.csr

or something like this for http-01 challenges as @Osiris was suggesting:

certbot certonly --manual --preferred-challenges http --csr your.csr

Alternatively (and possibly a lot easier), you might be able to just use the CertSage ACME client (of which I am the author and @Osiris is a generous contributor) to get your private key and certificate right on your hosting provider's webserver then tell your hosting provider to install them. Does your webserver support PHP? If so, this option could save you mountains of time.

1 Like

Great, thanks for your answer; unfortunately I don't get their content.
On the other side the host is pissing me off because they don't reply to your propositions that I have shared. They keep on saying that "We have installed letsencrypt for customers and by getting certificate copy from them.
Unfortunately above steps won't work on our server since we do not have letsencrypt script.
Only solution is to get certificate copy from them"

Regarding the manual manipulation you proposed I should do, I don't think I will be able to do it, or I will need an additional 6 months to have it done. The easiest solution for beginners would be the one for me.

1 Like

My CertSage software should simply involve uploading one file to your server, renaming it, visiting a webpage, and hitting a button. It's designed to be the easiest way imaginable to get a Let's Encrypt certificate. If that's of interest to you, I can send you the full instructions. As long as your hosting provider supports PHP, which most do, you should be able to have your certificate in minutes.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.