Shared Hosting (Arvixe) no sudo, what to do?

Please fill out the fields below so we can help you better.
I'll try to do so as best as I can.

My domain is: mind-fields.com

I ran this command:
./certbot-auto --standalone --email *hidden*@gmail.com --apache -d mind-fields.com -d www.mind-fields.com -d dev.mind-fields.com

Which returns:

Requesting root privileges to run certbot...
/home/hidden/.local/share/letsencrypt/bin/letsencrypt --standalone --email hidden@gmail.com --apache -d mind-fields.com -d www.mind-fields.com -d dev.mind-fields.com
sudo: effective uid is not 0, is sudo installed setuid root?

so no sudo and I tried to go the letsencrypt-nosudo route... and the problem is at the domain.csr creation.

I ran this:
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:mind-fields.com,DNS:www.mind-fields.com,DNS:dev.mind-fields.com")) > domain.csr
I get this error:

cat: /etc/ssl/openssl.cnf: No such file or directory
unable to find 'distinguished_name' in config
problems making Certificate Request
139980369688392:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=req name=distinguished_name

So I'm not quite sure what to do next as I wasn't able to find this file in my /etc/ssl/
I tried to create an empty openssl.cnf in there ... obviously to no avail. (act of desperation after countless readings and more confusion than clarity.)
though running the command (python sign_csr.py --public-key user.pub domain.csr > signed.crt) for just "domain.com" works and does create a .csr... How to identify the actual folder/file location is my issue
I've also run into some trouble revoking the .csr but I guess we can get to that later.

I'm relatively new to the SSL DIY world though I'm capable of figuring things out on my own, looking for answers and can pick up fast.

My web server is (include version):
Server version: Apache/2.2.31 (Unix)
Server built: Oct 10 2016 16:29:23
Cpanel::Easy::Apache v3.34.6 rev9999

The operating system my web server runs on is (include version):
uname -or yields: 3.10.0-614.10.2.lve1.4.50.el6h.x86_64 GNU/Linux

My hosting provider, if applicable, is:
Arvixe

I can login to a root shell on my machine (yes or no, or I don't know):
yes, though I seem to get disconnected randomly and the client I use is PuTTY
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel

Thanks!
Do let me know if there's anything else I can provide to clarify the matter
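
Added example, not part of the original post: the "unable to find 'distinguished_name' in config" error above comes from building the request on top of a system openssl.cnf that is not there, so this sketch writes its own minimal config instead. The function names are hypothetical, and unlike the command in the post it sets the first name as CN rather than using an empty subject.

```bash
#!/bin/sh
# make_san_csr KEY OUT_CSR CN [SAN ...]
# Builds a CSR from a throwaway config file, so the result does not depend on
# where (or whether) the host ships a system-wide openssl.cnf.
make_san_csr() {
    key=$1; out=$2; cn=$3; shift 3
    conf=$(mktemp) || return 1

    # subjectAltName carries the CN as well, followed by every extra name.
    sans="DNS:$cn"
    for name in "$@"; do
        sans="$sans,DNS:$name"
    done

    # [req] must point at a distinguished_name section; a config without one
    # is what triggers the error quoted in the post.
    cat > "$conf" <<EOF
[req]
prompt             = no
distinguished_name = dn
req_extensions     = san

[dn]
CN = $cn

[san]
subjectAltName = $sans
EOF

    openssl req -new -sha256 -key "$key" -config "$conf" -out "$out"
    rc=$?
    rm -f "$conf"
    return $rc
}

# csr_sans CSR
# Lists the DNS names in a CSR, one per line, for checking before submission.
csr_sans() {
    openssl req -in "$1" -noout -text | tr ',' '\n' |
        sed -n 's/^ *DNS:\([^ ]*\) *$/\1/p'
}
```

Running csr_sans on the result before handing the CSR to any signing tool confirms that every hostname actually made it into the request.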

It’s a bit more difficult to manage certificates when you’re on shared hosting. Have you checked with your provider to see if they offer a tool in cPanel to acquire certificates? There are a few cPanel plugins that support Let’s Encrypt.

hello @motoko
Thanks for responding. I'm not sure which plugin that would be? Would you have any specific name?
The only option I have in cPanel is the SSL/TLS. There I can do the following

Private Keys (KEY)
Generate, view, upload, or delete your private keys.
Certificate Signing Requests (CSR)
Generate, view, or delete SSL certificate signing requests.
Certificates (CRT)
Generate, view, upload, or delete SSL certificates.
Install and Manage SSL for your site (HTTPS)
Manage SSL sites.

But that's the standard option I believe.
I have not yet contacted my host as I believe I've come across a couple posts on here where it's mentioned Arvixe doesn't have Let's Encrypt support.

In fact, I had started in the SSL/TLS. I had created a certificate on sslforfree dot com and loaded it in there. The problem came up when I tried to verify if SSL worked for the subdomain and one thing led to another, I figured I'd rather have more control (revoke initial cert, create new ones, renew them automatically etc...)

Hi @OrAnGeWorX,

If you don't have root, want to generate a certificate on the command line, and don't have an existing CSR, an easier option might be to use one of the other clients, especially one of the bash clients.

I think you'll have a simpler experience this way.

@schoen
Thanks for the response, I’ll get some reading done and see where this goes…
Anything specific I should be looking into?
As far as existing CSRs, I believe the certs I initially created, when entered in the cPanel applet, did generate CSRs…
I had gone and deleted a bunch of certs through the cPanel file manager.
Please excuse the ignorance, I realize there’s so much I’m clueless about.

I hear acme.sh is good but people have had great experiences with all of the bash clients.

Well, I just meant that you weren't apparently trying to use an existing CSR. The point of that openssl req command is to create a new CSR to pass to Certbot.

It's true that every tool to get certificates in this environment creates a CSR at some point, but some of them present it to you because they figure that you'll be using it in some other tool or workflow, while others hide it from you and only use it internally.

I had gone ahead with acme.sh before I had seen your response. It seems it’s doing ok except for not finding netcat… I couldn’t install it either with error msg:
CRITICAL:yum.cli:Config Error: Error accessing file for config file:///etc/yum.conf

I understand now what you meant by existing CSR, my bad.

It sounds like something is a little strange about your system because you don’t have configuration files in typical places in /etc that are expected by either OpenSSL or Yum. Could you do anything to figure out what’s responsible for that? Did the hosting provider deliberately hide some of these things from you?

… Or do they in particular not want you to install system software at all because it’s shared hosting and you don’t have root? Normally yum is run as root.

Ok I see… In the acme.sh install, I get a message to install nc or netcat but only if I’m going with the standalone server option… not sure if that’s what i need
But afterwards when I reopen the terminal and try to issue the cert
I get this
[Thu Aug 24 15:58:14 EDT 2017] The new-authz request is ok.
[Thu Aug 24 15:58:14 EDT 2017] Verifying:mind-fields.com
[Thu Aug 24 15:58:17 EDT 2017] mind-fields.com:Verify error:Invalid response from http://mind-fields.com/.well-known/acme-challenge/hidden:
[Thu Aug 24 15:58:17 EDT 2017] Please check log file for more details: /home/mncdez/.acme.sh/acme.sh.log

I’m in no way capable of understanding debug information

I’ll try to contact support and see what they have to say about this… I imagine I’m blocked from this as they charge for SSL and that would hurt their business

This looks like you specified the wrong webroot directory to acme.sh. (You wouldn’t be able to use standalone on shared hosting because there’s already an existing web server.) Are you able to make files under http://mind-fields.com/.well-known/acme-challenge/ yourself?

In the meantime, I guess this means that I cannot go further.
Through sslforfree dot com, I managed to secure domain.com and www.domain.com… just not subdomain.domain.com.
With acme.sh, none of the above.

I wonder why not the subdomain and I also wonder why nothing happened with acme.sh despite it claiming cert creation but no connection possible

I just tried to create a file in the folder you mentioned… it created it just fine…
there are 2 random letter/number files in there

How did you run acme.sh?

You are absolutely correct! It was indeed wrongly specified!
I managed to have that figured out, wrong subfolder as this domain is an addon domain… totally slipped my mind.
it worked for domain.com and www. not for the subdomain though…I guess it’s also got to do with the directory tree.

It might be a different web root for the subdomain.

it should be.
I’ve retried the acme.sh bash minus the subdomain and that seems to have completed without errors
I’ll attempt the subdomain cert creation separately
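
Added example, not part of the original thread: a scripted form of the manual check suggested above (create a file under .well-known/acme-challenge/ and see whether the site serves it), useful when an addon domain or subdomain may have a different web root. The function names and the candidate directories passed to them are hypothetical.

```bash
#!/bin/sh
# probe_webroot WEBROOT BASE_URL
# Returns 0 only if a file written under WEBROOT is what BASE_URL serves back
# from /.well-known/acme-challenge/, i.e. WEBROOT really is that host's
# document root. Returns 2 if the probe file could not be written.
probe_webroot() {
    webroot=$1; base=$2
    [ -d "$webroot" ] || return 2
    dir="$webroot/.well-known/acme-challenge"
    token="probe-$$-$(date +%s)"        # constructed name, not an ACME token
    mkdir -p "$dir" || return 2         # the empty directory is left in place
    printf '%s' "$token" > "$dir/$token" || return 2

    # -f makes curl fail on 404/403 instead of returning the error page body.
    got=$(curl -fsS --max-time 10 \
        "$base/.well-known/acme-challenge/$token" 2>/dev/null)
    rm -f "$dir/$token"
    [ "$got" = "$token" ]
}

# pick_webroot BASE_URL CANDIDATE...
# Prints the first candidate directory that passes probe_webroot.
pick_webroot() {
    base=$1; shift
    for candidate in "$@"; do
        if probe_webroot "$candidate" "$base"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}
```

The directory that pick_webroot prints for a given hostname is the one to pass as that hostname's webroot when issuing.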

It seems subdomain cert creation also completed error free.
The next step at this stage is adding the cert to the cPanel applet? Going to https://domain.com, https://www.domain.com or https://subdomain.domain.com all land on cgi-sys/defaultwebpage.cgi with error SORRY!
If you are the owner of this website, please contact your hosting provider: email…
like there is no cert

I should learn to read on before posting, my apologies…
I’m going to see how to install using the acme.sh command

@schoen: I followed the installation procedure
acme.sh --install-cert -d example.com \
--cert-file /path/to/certfile/in/apache/cert.pem \
--key-file /path/to/keyfile/in/apache/key.pem \
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd "service apache2 force-reload"
obviously replacing with the proper info but it failed… specifically at reloading apache which I figure is normal considering it’s a shared hosting… but https:// still fails

I ran it in terminal with the options as described in https://github.com/Neilpang/acme.sh/blob/master/README.md

Yes, acme.sh does not install the certificate for you. You need to import it into your web server application, for example via cPanel.