Obtaining .CRT, .KEY and :CA for my hosting provider


#1

Hello there.
I am new to this and I feel very lost. The thing is that my hosting provider asks me for .CRT, .KEY and :CA because I need to install a multidomain certificate. I don’t have any idea how to get them. I tried with certbot but got lost and they only say that I need to contact my certificate provider and ask them for these files.
Please, how could I obtain them?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: davidhiram.com wondersinmotion.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: CDMON

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Hi @deinon,

I’m a bit confused, as far as I can see on the cdmon site, they offer Let’s Encrypt TLS certificates with their plans (all but the microplan, but I doubt you are using that). Also, you are indeed already using a Let’s Encrypt certificate for your site davidhiram.com, and your site wondersinmotion.com is being redirected to davidhiram.com (in this case you have no certificate for wondersinmotion.com, and you should).

So, could you please explain a bit more what the goal is, all the domains involved, and why cdmon can’t issue a certificate for you when they are indeed doing that for one of your domains?

Also, LE certificates are valid only for 90 days so the renewal should be automated or it could be a pain to obtain them manually, open a ticket to support, upload the obtained cert and key and wait till they apply them for your site every 60-90 days…

I think you should talk to cdmon again.

Cheers,
sahsanu


#3

Hi Sahsanu, Thanks for your reply.
Yes, you are right. I have a certificate for my davidhiram.com domain. But I created a website in my hosting for this domain and redirected wondersinmotion.com to that website. I need a certificate for wondersinmotion.com so they say they can’t offer me a multidomain certificate. They ask me to find one and send them these files so they can install it for me.
That is the only solution they offer.
This is what they tell me, in case it can help (rough English translation below):

The certificate request has to be made by you to the entity of your choice; there is no problem if it is Let’s Encrypt. Once you have done so, you must provide us with the .CRT, .KEY and :CA files they give you so that we can carry out the installation on the hosting.

(the certificate request has to be made to the entity of your choice. There’s no problem if it’s Let’s Encrypt. Once done, you have to give us the files .CRT, .KEY and :CA that they will give you so we can make the install in your hosting.)

We inform you that this cannot be done on our servers using that system. Contact that company so they provide you with the files we have requested, or download the Let’s Encrypt certificate from another company.
As these are shared servers, that type of installation cannot be carried out for the certificate.

(when asked how I can obtain these files for them using certbot, they say that they can’t do the install using that system and ask me to contact Let’s Encrypt to ask them for the files, or to download the certificate from another company)


#4

Hi @deinon,

No problem with the translation, I’m a Spaniard ;).

That is bad news. I don’t understand the reason they can’t create a certificate for all your domains, nor even the reason why they can’t create a certificate just for your domain wondersinmotion.com and create the right redirections to davidhiram.com, having both independent certificates.

Anyway, options…

Option 1: Create the cert manually

You should use an acme client to issue the certs manually. As you don’t have access to issue commands in the shared hosting, you will need to issue it on another server, on your own computer, or using online tools. As I don’t know what you can or can’t do, I recommend using zerossl and their online tool to generate the certificate. Keep in mind that you have 2 validation methods to tell LE that you control the domains:

http method: You will need to create a file with a specific name and content inside the /web-root-for-your-domain/.well-known/acme-challenge/here_the_validation_file so this file can be accessed using http://yourdomain/.well-known/acme-challenge/here_the_validation_file

dns method: You will need to create a TXT record for your domains with a specific content. For example, if you want to issue a certificate valid for wondersinmotion.com and www.wondersinmotion.com you will need to create 2 records in your dns, _acme-challenge.wondersinmotion.com and _acme-challenge.www.wondersinmotion.com, each of them with a specific content that you will get when trying to issue the cert.

Option 2: Use a free CDN like cloudflare

You could add your domain wondersinmotion.com to cloudflare; it offers free dns and cdn, and using them as cdn you will get a valid certificate managed by them, so you should not worry about issuing or renewing it. Using cloudflare as CDN you are able to redirect this domain to the one hosted in cdmon. As cdmon is not being very helpful with this issue, I think this could be the best option in the long term. Keep in mind that you should create an account in cloudflare and change the dns for your domain wondersinmotion.com in your registrar so they point to the cloudflare dns servers.

Option 3: Buy a TLS cert which is valid for 1 year

You could buy a cheap tls cert for your domain; the validity for that certificate could be 1 year, so it is not a pain to renew it manually every 3 months… and follow the upload process imposed by cdmon.

Option 4: Change your hosting provider

You could try to find a hosting provider that can help you to achieve your goal.

Option 5: etc.

There could be more options regarding changing dns providers, redirections from other hosting providers, etc. but I think those options could over complicate a simple problem that should be managed by your hosting provider.

Buena suerte,
sahsanu
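To make the "specific name and content" of both validation methods concrete, here is an added example (not code from the thread or from any ACME client) that computes the http-01 file URL and content and the dns-01 TXT record name and value for a given challenge token. The token and the RSA account key JWK are constructed placeholders; in practice both come from the ACME client and the CA.

```python
"""ACME (RFC 8555) challenge values for http-01 and dns-01. Added example."""
import base64
import hashlib
import json

# Constructed placeholders: a real token is issued by the CA per challenge and
# the JWK is the public half of the ACME account key the client generated.
TOKEN = "constructed-token-evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-value-not-a-real-key"}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    serialized with lexicographically sorted keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: proves the responder holds the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_challenge(domain: str, token: str, jwk: dict) -> tuple:
    """Return (URL the CA fetches, exact file content to serve there)."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_challenge(domain: str, token: str, jwk: dict) -> tuple:
    """Return (TXT record name, TXT value). The value is the base64url
    SHA-256 of the key authorization, so the key authorization itself
    never appears in public DNS."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


if __name__ == "__main__":
    for name in ("wondersinmotion.com", "www.wondersinmotion.com"):
        print(*http01_challenge(name, TOKEN, ACCOUNT_JWK), sep="\n  ")
        print(*dns01_challenge(name, TOKEN, ACCOUNT_JWK), sep="\n  ")
```

Each hostname in the certificate needs its own challenge, which is why the post above lists two TXT records; the account key is what ties every challenge to the same ACME account.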


#5

Thank you very much for your help.
I think the best option for me is the second one as you say.

Please, could you tell me the exact steps so I don’t make a mess?

I have created the account in cloudflare and now I’m in the step of changing DNS, but I’m not sure if I need to change the DNS for wondersinmotion.com and that’s all or as now wondersinmotion.com is redirected to my hosting associated to davidhiram.com I need to do some other step.

Please, if you help me with this I’ll be so grateful.


#6

Hi,

For cloudflare, you’ll need to add all DNS records to cloudflare and light the cloud (click on the cloud so it will light up and show orange). After a few minutes, there should be a new cert covering the domain.

Thank you


#7

Hi @deinon,

As @stevenzhu said, you need to activate cloudflare cdn for wondersinmotion.com and www.wondersinmotion.com

Maybe it is already activated, if so, you will see an orange cloud at the right of the domains.

Then you need to go to menu Page rules -> Create page rule and add one with the following parameters:

Save and deploy and all requests (http or https) for wondersinmotion.com/* and www.wondersinmotion.com/* would be forwarded to https://www.davidhiram.com/wondersinmotion/

Good luck,
sahsanu


#8

Hi Sahsanu,
thanks a lot for the great tutorial.

I have just done it. I still have 2 questions, as when accessing wondersinmotion.com the browser still indicates it’s not secure.

Is it because I need to wait?

Do I need to delete the domain forwarding in my hosting?


#9

Hi @deinon,

You are welcome.

That is because your operating system is caching the ip address of cdmon so it is using it instead of the new ip address pointing to cloudflare.

If you are using windows, open a command line and execute this command:

nslookup wondersinmotion.com

If you see 46.16.61.114 then your operating system is caching the old ip. You could open a cmd (as administrator) and type the command ipconfig /flushdns so the dns cache will be removed, and if you try the nslookup command again you will see the new ips pointing to cloudflare.

But I can confirm it is working:

Connecting to www.wondersinmotion.com using https:

curl -4IL https://www.wondersinmotion.com/test
HTTP/2 301
date: Thu, 10 May 2018 14:59:16 GMT
cache-control: max-age=3600
expires: Thu, 10 May 2018 15:59:16 GMT
location: https://www.davidhiram.com/wondersinmotion
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 418d44cbfe889ce4-AMS

HTTP/1.1 301 Moved Permanently
Date: Thu, 10 May 2018 14:59:16 GMT
Server: Apache
Location: https://www.davidhiram.com/wondersinmotion/
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 OK
Date: Thu, 10 May 2018 14:59:16 GMT
Server: Apache
X-Pingback: https://www.davidhiram.com/wondersinmotion/xmlrpc.php
Link: <https://www.davidhiram.com/wondersinmotion/wp-json/>; rel="https://api.w.org/"
Link: <https://www.davidhiram.com/wondersinmotion/>; rel=shortlink
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8

Checking the certificate served by www.wondersinmotion.com

openssl s_client -connect wondersinmotion.com:443 -servername wondersinmotion.com </dev/null 2>/dev/null  | openssl x509 -noout -text | grep wondersinmotion
DNS:sni164182.cloudflaressl.com, DNS:*.33kbcp.com, DNS:*.380992.com, DNS:*.arlingtonhighlands.com, DNS:*.avapelletier.tk, DNS:*.btchaber.com, DNS:*.centroybor.com, DNS:*.coinkolik.com, DNS:*.crowbase.org, DNS:*.distancebetweencities.net, DNS:*.distancy.com, DNS:*.dualarinsirri.com, DNS:*.evdennakliyateve.com, DNS:*.galvaniz.co, DNS:*.golgio.org, DNS:*.industrykhcnxb.ga, DNS:*.joshsreview-d.ga, DNS:*.meredithli.tk, DNS:*.mytownsquarelasvegas.com, DNS:*.nakliyatplatformu.com.tr, DNS:*.necessy.com, DNS:*.neyya.com, DNS:*.nlatestpdf.gq, DNS:*.osexandgodfilm.ga, DNS:*.paddockshops.com, DNS:*.paribu.io, DNS:*.paribu.xyz, DNS:*.postakoduara.com, DNS:*.sierragatehomes.ca, DNS:*.tickettapp2.com, DNS:*.ucnokta.org, DNS:*.whighbindersmovie.ml, DNS:*.wondersinmotion.com, DNS:*.ysnmail.com, DNS:*.z-nffcreview.ga, DNS:33kbcp.com, DNS:380992.com, DNS:arlingtonhighlands.com, DNS:avapelletier.tk, DNS:btchaber.com, DNS:centroybor.com, DNS:coinkolik.com, DNS:crowbase.org, DNS:distancebetweencities.net, DNS:distancy.com, DNS:dualarinsirri.com, DNS:evdennakliyateve.com, DNS:galvaniz.co, DNS:golgio.org, DNS:industrykhcnxb.ga, DNS:joshsreview-d.ga, DNS:meredithli.tk, DNS:mytownsquarelasvegas.com, DNS:nakliyatplatformu.com.tr, DNS:necessy.com, DNS:neyya.com, DNS:nlatestpdf.gq, DNS:osexandgodfilm.ga, DNS:paddockshops.com, DNS:paribu.io, DNS:paribu.xyz, DNS:postakoduara.com, DNS:sierragatehomes.ca, DNS:tickettapp2.com, DNS:ucnokta.org, DNS:whighbindersmovie.ml, DNS:wondersinmotion.com, DNS:ysnmail.com, DNS:z-nffcreview.ga

Yes, you should, to avoid loops.

Cheers,
sahsanu


#10

Oops… I see 104.28.10.176
But in my browser it appears as always (please, look at the image)


#11

That is not related to cloudflare nor to the redirection we made; that is because you have mixed content in that site… you are using a form with the action http://eepurl.com/dt2LJb. When you visit an https page, all links, resources, etc. used should point to https sites, so you should change that action to point to https://eepurl.com/dt2LJb

Note: I’m leaving now so I won’t be able to answer questions till tonight or tomorrow.
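The mixed-content problem described above is easy to miss by eye, so here is an added example (not code from the thread) that scans a page's HTML for http:// resources and form actions, classifies them as active or passive mixed content, and proposes the https rewrite. The sample HTML is constructed to mirror the form-action case; the image and script URLs in it are made up.

```python
"""Mixed-content scanner for a page served over https. Added example."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that fetch or submit to a URL. "Active" kinds let the plaintext
# side run code or capture input, so browsers block them rather than warn;
# <a href> is plain navigation and is not mixed content.
URL_ATTRS = {"form": ("action",), "script": ("src",), "iframe": ("src",),
             "link": ("href",), "object": ("data",), "img": ("src",),
             "audio": ("src",), "video": ("src",)}
ACTIVE = {"form", "script", "iframe", "link", "object"}

PAGE_URL = "https://www.davidhiram.com/wondersinmotion/"
SAMPLE_HTML = """<html><body>
<form action="http://eepurl.com/dt2LJb" method="post"><input name="EMAIL"></form>
<img src="http://www.davidhiram.com/wondersinmotion/constructed-logo.png">
<script src="//www.davidhiram.com/wondersinmotion/constructed-app.js"></script>
<a href="http://example.com/">an ordinary link, not mixed content</a>
</body></html>"""  # constructed sample


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            value = attr_map.get(name)
            if not value:
                continue
            # urljoin resolves relative and protocol-relative ("//host/x")
            # references against the https page, so only explicit http:// hits.
            absolute = urljoin(self.page_url, value)
            if urlsplit(absolute).scheme == "http":
                self.findings.append({
                    "tag": tag, "attr": name, "url": absolute,
                    "kind": "active" if tag in ACTIVE else "passive",
                    "fix": "https://" + absolute[len("http://"):]})


def scan(html: str, page_url: str) -> list:
    """Return findings; a page served over plain http has no mixed content."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for f in scan(SAMPLE_HTML, PAGE_URL):
        print(f"{f['kind']:7} <{f['tag']} {f['attr']}> {f['url']} -> {f['fix']}")
```

Rewriting to https only helps if the target host actually serves https, so check the proposed fix URL before applying it.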


#12

Now it is rated as “secure”!
Thank you very much for all your valuable help.

I’m really grateful for your time. I hope you the best!


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.