Pems no longer being created

My domain is: trillionpictures.com

I ran this command: sudo certbot --manual certonly -d trillionpictures.com -d www.trillionpictures.com [plus a bunch of additional domains]

It produced this output:
Waiting for verification…
Cleaning up challenges
live directory exists for trillionpictures.com-0001

My web server is (include version): Run on a local machine (Mac OS X). The hosting provider (inmotionhosting) does not support LetsEncrypt. So for all previous renewals I’ve run the above, pushing all the challenges to the proper ‘.well-known/acme-challenge’ directories, then finding the privkey.pem and cert.pem on the local machine and manually installing them through IMH’s cPanel. That’s always worked.

What’s different this time around is the .pem files are not being created on the local machine.

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.33.0

Hi,

I’m not really sure what the above error message means, but do you wish to try generating the certificate directly on the shared hosting?

This can be done if your cPanel hosting allows SSH access and allows the cPanel API.

Thank you

The IMH host is shared, so the ssh access is jailed – no root access.

If you are using acme.sh (the software in that link) you don’t need root access for that machine.

Thank you

Thanks. I just discovered that as well. BUT…

On running acme.sh --update-account --accountemail [notification-email] I get the following…

Account key is not found at: /home/[username]/.acme.sh/ca/acme-v02.api.letsencrypt.org/account.key

Just create the file or is there code that needs to generate it?

Hi,

That key is supposed to be generated when the script first contacts the Let’s Encrypt API endpoints.
You could try to generate the test certificate first, then update the account email.

Thank you

Wow. Brilliant. Not quite there yet, but this is looking like a huge, welcome improvement.

Questions
1 - I’m not seeing a privkey.pem generated from all this. Perhaps that’s fine and/or would be a security issue. But its absence is a departure from what I’m familiar with. What’s the story there?

2 - In the past I’ve had to create certs for both the www. and non-www version of each domain. Is that still the case using this ‘acme.sh’ method?

The certificate and keys are stored in local (shared hosting local) folders, I think it's under ~/.acme.sh/ then something... You don't need to do anything about that if you are only using that certificate for your cPanel, just follow the instructions and the script should help you install that certificate to the panel automatically.

If all subdomains point to the same content (server), you could create one certificate containing all versions (subdomains) of the site (see the following example): (The webroot path should be where your code is stored)
acme.sh --issue --webroot ~/public_html/ -d test.com -d www.test.com

Thank you

It looks like this is all working. I’ll follow up if there’s a problem, but thank you for the quick response and solution. Again. Wow. Big improvement.


It’s looking like the main domains all worked, but ran into some problems with the subdomains.

Didn’t see any errors in the course of running the acme.sh process, but if I http:// to any of the subdomains I get a message suggesting the domain didn’t get LetsEncrypted properly

Example (message in Chrome on MacOS):

```
Attackers might be trying to steal your information from
runwithme.trillionpictures.com (for example, passwords, messages, or credit cards).
Learn more

NET::ERR_CERT_COMMON_NAME_INVALID
```

You’ll need to run the certificate installation process individually, per virtualhost.

Thank you

That does indeed seem to be the trick!

Curious why that should be. The main domains all successfully completed in one command (they are all housed under the same root folder, not separated into sub-folders). But the subdomains also follow the same folder structure. Is there a logic to their having to be done separately?

I'm not sure how exactly it works, but cPanel, like Nginx and Apache, needs you to specify the certificate manually when you get one... It would not automatically look up what certificate is available on the machine and apply it, which might be horrible in some way.
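The two points above fit together: a single acme.sh certificate can carry many names as subjectAltName entries, but cPanel (like Apache or Nginx) only serves a certificate on the virtual host it was explicitly installed on, so a subdomain vhost with nothing installed falls back to whatever default the server has, and the browser reports NET::ERR_CERT_COMMON_NAME_INVALID. The following is an added example, not code from this thread or from acme.sh: it models each installed certificate as its list of SAN names, applies the RFC 6125 hostname-matching rules (case-insensitive, wildcard only as the whole leftmost label, matching exactly one label), and audits which requested hostnames would pass. The hosting provider's fallback certificate name is a constructed placeholder; the vhost layout is assumed from the thread.

```python
"""Audit whether the certificate installed on each virtual host actually
covers the hostname a browser will request.

Added example for this thread; not part of acme.sh or cPanel.  It does not
talk to any server: certificates are modelled as their SAN DNS names only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an issued certificate: its subjectAltName DNS names."""
    sans: tuple


def hostname_matches_san(hostname: str, san: str) -> bool:
    """RFC 6125-style match of one SAN entry against a requested hostname.

    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is only honoured as the entire leftmost label
    - the wildcard matches exactly one label, so *.example.com covers
      a.example.com but neither example.com nor a.b.example.com
    - a wildcard directly under a public suffix (*.com) is refused
    """
    host = hostname.lower().rstrip(".")
    pat = san.lower().rstrip(".")
    if "*" not in pat:
        return host == pat
    pat_labels = pat.split(".")
    host_labels = host.split(".")
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False  # partial-label or *.tld wildcards are not accepted
    if len(host_labels) != len(pat_labels):
        return False  # wildcard spans exactly one label
    return host_labels[1:] == pat_labels[1:]


def cert_covers(cert: Cert, hostname: str) -> bool:
    """True if any SAN in the certificate matches the hostname."""
    return any(hostname_matches_san(hostname, san) for san in cert.sans)


def audit_vhosts(installed: dict, fallback: Cert, requests: list) -> dict:
    """For each hostname a browser will request, report what a TLS client sees.

    installed: vhost name -> Cert explicitly installed on that vhost
    fallback:  the certificate the server presents for a vhost with nothing installed
    """
    report = {}
    for host in requests:
        served = installed.get(host, fallback)
        if cert_covers(served, host):
            report[host] = "ok"
        else:
            report[host] = "NET::ERR_CERT_COMMON_NAME_INVALID"
    return report


def thread_scenario() -> dict:
    """The situation described in the thread, with constructed sample data.

    One multi-SAN certificate was issued and installed on the main vhost.
    The subdomain runwithme.trillionpictures.com is its own vhost and, until
    a certificate is installed on it individually, serves the host's default.
    """
    main_cert = Cert(("trillionpictures.com", "www.trillionpictures.com"))
    # Constructed placeholder for the hosting provider's default certificate.
    provider_default = Cert(("shared-host.example",))
    installed = {
        "trillionpictures.com": main_cert,
        "www.trillionpictures.com": main_cert,
    }
    requested = [
        "trillionpictures.com",
        "www.trillionpictures.com",
        "runwithme.trillionpictures.com",
    ]
    return audit_vhosts(installed, provider_default, requested)


if __name__ == "__main__":
    for host, status in thread_scenario().items():
        print(f"{host:35} {status}")
```

Installing a certificate on the subdomain vhost, or adding the subdomain as a further `-d` name and installing that certificate there, is what turns the last line of the report to `ok`; the matcher also shows why a name-by-name check is the right mental model when a browser complains about a certificate that "worked" for the main site.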

Thank you
