This topic is a mix of some other topics (see “related” at the bottom), and I just want to create a new topic because this may be a big question asked by many people.
So let’s imagine a scenario:
Your website is hosted by a shared hoster.
You only have FTP(S) access to your webspace.
You can receive mails sent to your domain name.
You can execute CGI/Python scripts in your webspace (often only under a special path like /cgi-bin).
On a special page of the shared hoster’s site you can enter your certificate credentials, which will then be applied to your site.
You have no:
SSH or any other console access
direct access to the configuration files of your webserver
The last requirement is necessary, because otherwise you of course have no chance to use your own certificate. But in this example, certificates from StartSSL (StartCom) are currently possible, because StartSSL only requires mail validation.
However, LE does it another way, and there are already a few different authentication methods available. But most of them require SSH access, as you have to execute the LE client and let it configure your webserver. Obviously, because of the restrictions listed above, this is not possible.
So what way would be possible to get a LE certificate (manually)? After you got it you can just copy & paste it into the web interface of your hosting provider.
If you somehow got an LE certificate (with a method I'm trying to find out in this thread), you can copy and paste the whole certificate (not only the file hashes) into the web interface for managing this.
Just note that there is a separate thread tracking direct cPanel integration:
Because one thing is still missing in this approach: you have to renew the certs, so either you do this step every 90 days or you automate it, e.g. by using another method.
You don’t need to touch your DNS… Simply install LE on your local machine, use the manual mode to generate the required verification data locally, and then copy it onto your web server. LE can then authenticate those files, and it will generate your certificate. Then manually install it. Easy.
Failed authorization procedure.
www.mpike.me (dvsni): unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge
miapike.me (simpleHttp): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://miapike.me/.well-known/acme-challenge/dDXC1Sd48FemfgGHEh8mSfG2mygdOvor03uqXhWsqWg [104.28.21.181]: 404
mpike.me (simpleHttp): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mpike.me/.well-known/acme-challenge/6atlFt6a99NpVPpItCqUSkI4QoYyU9B-KovqbteuVxg [198.91.83.64]: 404
www.miapike.me (dvsni): tls :: The server experienced a TLS error during DV :: Failed to connect to host for DVSNI challenge
IMPORTANT NOTES:
- The following 'tls' errors were reported by the server:
Domains: www.miapike.me
Error: The server experienced a TLS error during DV
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain contains
the right IP address. Additionally, please check that you have an
up to date TLS configuration that allows the server to communicate
with the Let's Encrypt client.
- The following 'unauthorized' errors were reported by the server:
Domains: miapike.me, mpike.me, www.mpike.me
Error: The client lacks sufficient authorization
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain contains
the right IP address.
Putting manual on the end (rather than auth) results in an unknown option. Any ideas?
Viewing the error log shows it fails to load the challenge because it receives a Forbidden error despite the file being accessible in a web browser. I’ve made a post about it here
Sorry, I can’t really help with that stuff - I had no idea it was so picky about content type!
I use the webroot authentication method that creates the files manually in the right location.
Well, I didn't install the cert yet, but I got it on my raspi.
In short it went like this:
Run ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly -a manual
Push agree to an agreement, then enter the domains I need, and for each domain do the following:
Agree to the logging of the client IP.
Make a text file url123 which is accessible at example.org/.well-known/acme-challenge/url123
with the content
textabc
and the header set to text/plain, which can be done using the following .htaccess code (the closing tag is required, otherwise Apache rejects the file):
<Files *>
ForceType text/plain
</Files>
After you have pasted the data at the URL specified and verified you can access it, press enter for the verification and go on to the next domain (if any).
I don't see any problems with manual auth, pretty straightforward process.
For the certs themselves I actually have access to the config of my “server”, my Windows PC to be exact, and I will try pushing the cert into it later. The certs and keys are stored in /etc/letsencrypt/live/. Attention: you need root to access this.
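The manual-mode steps above, as an added example that is not part of the original post or of the Let's Encrypt client: a POSIX shell script that stages the token file and the .htaccess in a local copy of the webroot (which you then upload by FTP) and checks the bytes before you press enter. The webroot path, token and key-authorization value are constructed placeholders, not real ACME data; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): stage an HTTP-01 manual challenge in a
# local webroot copy and verify it before telling the client to continue.

stage_challenge() {
    webroot="$1"; token="$2"; keyauth="$3"
    # The token is base64url ([A-Za-z0-9_-]); refuse anything else so a bad
    # paste such as "../x" cannot write outside the challenge directory.
    case "$token" in
        *[!A-Za-z0-9_-]*|"") return 1 ;;
    esac
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    # printf, not echo: the file must hold exactly the key authorization the
    # client printed, with no trailing newline added by the shell.
    printf '%s' "$keyauth" > "$dir/$token" || return 1
    # Serve the extension-less token file as text/plain (what the poster found
    # the validator to be picky about).
    cat > "$dir/.htaccess" <<'EOF'
<Files *>
ForceType text/plain
</Files>
EOF
}

check_challenge() {
    webroot="$1"; token="$2"; keyauth="$3"
    f="$webroot/.well-known/acme-challenge/$token"
    [ -f "$f" ] || return 1
    # Byte-for-byte comparison; the trailing "x" keeps $(...) from stripping
    # newlines, so a stray newline in the file is detected.
    [ "$(cat "$f"; printf x)" = "${keyauth}x" ] || return 1
    grep -q 'ForceType text/plain' "$webroot/.well-known/acme-challenge/.htaccess"
}

# Stand-alone demo with constructed values in a temporary directory that
# stands in for the FTP-uploaded webroot.
demo_root=$(mktemp -d)
demo_token="url123"                        # constructed, not a real token
demo_keyauth="url123.CONSTRUCTED_THUMBPRINT" # constructed key authorization
stage_challenge "$demo_root" "$demo_token" "$demo_keyauth" &&
check_challenge "$demo_root" "$demo_token" "$demo_keyauth" &&
echo "challenge staged under $demo_root/.well-known/acme-challenge"
rm -rf "$demo_root"
```

After uploading, fetch the URL from outside your network (for example with curl -i) and confirm you get HTTP 200 with Content-Type text/plain: the 404 and Forbidden responses quoted earlier in the thread are exactly what this check is meant to catch before the validator does.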