Need new certificate

Could you please give all the possible options from the “Certificates (CRT)” and “Install and Manage…” options from the screen above? Hostgator claims the Free SSL certificate would have been renewed automatically, but perhaps something went wrong.

Edit: I’m now also seeing ZeroSSL certificates for your domain. I would not recommend that. It’s probably totally not compatible with your Hostgator Free SSL!


@Osiris
I tried ZeroSSL to check if I can install a separate SSL for the site; however, it is still not working.
They’ve provided a 90-day certificate, a private and cabundle (it was installed as it says on their website) but apparently still not working.

@9peppe - I’m researching on that acme thingy (sorry again just a newbie).

Does this mean anything for you?

For our dedicated servers and VPS customers, you can enable your Let’s Encrypt SSL through WHM and your server interface. [https://www.hostgator.com/blog/resources/how-to-install-a-free-ssl-certificate/]

I don’t have WHM privileges.

I’ve tried generating certificate under the SSL/TLS management and it says this:

The certificate for “*.likeazz.com” has been created and saved in your directory. It has NOT been installed on your domain. Please note that the certificate will display untrusted in web browsers after it is installed, since it is self-signed.

  • If you would like to install this certificate now, you can do so using the Installer.
  • If you would like to install this certificate externally, copy and paste the information from the Encoded Certificate field below.

Ok. Does the installer have features related to let’s encrypt?

If not, start looking at how to access your server via ssh.

There is. I’ve generated an rsa key, but I’m a bit rusty and only able to use putty for this (if that’s enough)

Ok, you need to understand what OS and webserver runs on your vps, and if it’s a standard install or some kind of custom system.

@likeazz Open a shell and run two commands:

  • uname -a
  • ls /opt

These should give us enough information to determine what OS and what kind of machine this is.

I use the same tools you do for managing certificates. What you created is known as a “self-signed” certificate, which won’t do anything for you. As far as getting a certificate signed by Let’s Encrypt, you have options. I’m guessing you probably generated either a 2,048 bit or 4,096 bit private key using the link under Private Keys. You can next generate a Certificate Signing Request and select that key you generated. It will offer to generate a new key for you, but that key will be weaker (2048 bits) than the one you probably (and should have) generated previously with 4096 bits. From here, you have options.

  • Recommended by this community: download and configure an ACME Let’s Encrypt client (eg certbot or acme.sh) and run it in “manual mode” to get your certificate. You’ll need to utilize the DNS Editor you mentioned before to add one or more DNS TXT records to prove your ownership. There is also a file-based route too. Many of the other people in this community are more than happy to help you with doing all this.

  • One-off certificate: You can get a certificate using my website by pasting your Certificate Signing Request in the box then follow the instructions for adding the DNS TXT records just as mentioned above. This is just a web-based ACME client.

Either way you’ll get a certificate so you can follow the link under Certificates (CRT) then paste the certificate in the box and save it. You usually don’t need the CA Bundle as it’s autofilled for you. Be sure to actually INSTALL your certificate from the manager after you save it. I’ve forgotten to do that a couple of times.

Before your certificate expires again, you’ll need to decide if you want to:

  • Try to find a client you can install that will automate your renewal.
  • Repeat the process you just did to get a new certificate.
1 Like
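
The checks below are an added example, not part of the post above or of any tool it mentions. They use the `openssl` command line (assumed to be OpenSSL 1.1.1 or later) to build a CSR from an existing private key, to tell a self-signed certificate from a CA-issued one, and to confirm that key, CSR and certificate all carry the same public key before anything is pasted into the SSL/TLS manager. All file names and the function names are placeholders.

```shell
#!/bin/sh
# Added example: sanity checks for a key / CSR / certificate set.
# Function names and file arguments are hypothetical, chosen for illustration.

# pubkey_of KIND FILE -> prints the public key (PEM) contained in FILE
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# same_pubkey KIND_A FILE_A KIND_B FILE_B -> 0 when both hold the same key
same_pubkey() {
    a=$(pubkey_of "$1" "$2") || return 2
    b=$(pubkey_of "$3" "$4") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# is_self_signed CERT -> 0 when the issuer name equals the subject name,
# which is what a panel-generated self-signed certificate looks like
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    [ "$s" = "$i" ]
}

# make_csr KEY DOMAIN OUT -> CSR for DOMAIN, signed with the existing KEY
make_csr() {
    openssl req -new -key "$1" -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" -out "$3"
}
```

A certificate that fails `same_pubkey key site.key cert site.crt` was issued for a different key and will not work with that key installed, whichever CA signed it.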

You got them switched :wink:

File based is main, dns is only when you can’t use http-01, usually (you can’t, or you want a wildcard certificate).

No manual mode there. Never recommend manual mode without exhausting all other options :smiley:

I was saying that based on the tools presented by @likeazz. I only suggested using the private key already generated because it was already managed correctly given the tools available. The CSR generation follows because of using the public portion of the managed private key. Admittedly, the file-based approach does work much better if the script/method you’re using has access to automatically create the files, which is likely if it’s being executed on the host. It does skip a step of the process. The rest of what I’ve stated still holds though. You can be fairly certain that the SSL/TLS manager will not only store and register the private key in the proper place, but will also correctly install the certificate as well. If we’re really lucky there’s some client variation out there that can do both of these things and hopefully automate the renewal too.

What I really wish is that there were a universal API mechanism for securely accessing and modifying DNS records remotely on a limited basis. This would render almost every issue moot. :slightly_smiling_face:

10 posts were split to a new topic: Using a web-based Letsencrypt client - who owns the account key?


Sorry wasn’t able to go back on this after the hullabaloo my boss gave me a break.
Anyways thanks for y’all that helped. I just find it hard for a n00b like me to renew a certificate without knowledge of shell access.

2 Likes

No worries. I’m a personal believer that you shouldn’t need to be a geek guru to get a certificate. :grin: Your help topic spun into a fundamental debate in another thread that you can completely ignore as it won’t offer any solutions for you. In my rather lengthy post above I presented two roads for you to get your cert. The one-off will get you a cert now without needing to understand really anything further, but requires a manual process. The “recommended” route will handle the process for you, but will require you to understand your configuration and get help from others here to work out the kinks.

I see that you have a ZeroSSL cert already installed. While I despise them for selling out to greed, I understand that they fill a void in the certificate world. This void I wrote my own solution to fill (and recommended above) should you find ZeroSSL too greedy or unaccommodating (like if you want a wildcard certificate to cover “anything.likeazz.com”).

1 Like
