Simple and Clear Directions

Wow - $400 for 14 websites. I’m not sure you chose optimally there. Switching from GoDaddy to an equivalent provider that supports Let’s Encrypt shouldn’t cost you more than a couple of hours of time in transferring the sites / DNS over.

I think you're still misdirecting your concern here. The limitation is only, and entirely, with your (former) web host.

Let's Encrypt provides a Certificate Authority that issues certificates for free. That CA uses an open protocol which allows lots of people to develop software to automatically obtain and implement certificates. If you're running your own server, especially on a Unix-like operating system, the odds are very high that you can use any of a dozen different pieces of software to obtain, implement, and renew certificates from Let's Encrypt, and once you have it set up, it will renew automatically, pretty much forever.

The problem is that you aren't running your own server. Instead, you have your websites hosted elsewhere. That means that your web host has control over a lot of issues, and you have much less control than if you were running your own server. A "good" (in this regard) web host will have a nice, pretty control panel, with a switch, knob, or checkbox to obtain a Let's Encrypt cert--and there are many who do this at no additional cost. An "OK" web host will at least allow you to upload the appropriate certificate files--this can be a hassle, but it can still provide you with SSL for your site at no cost. But then there are "bad" web hosts, which charge a significant extra sum to do SSL at all. GoDaddy is one of these, it seems. There is literally nothing Let's Encrypt can do to change this situation. You, and other (former) customers like you, are in the best position to effect change here, by leaving them for another host. If enough customers do this, hopefully they'll realize that charging extra for baseline-level privacy and security is a bad business decision.

serverco please tell me the names of a couple that host for free.

Have a look at Web Hosting who support Lets Encrypt - there are a number there that also provide free hosting. It depends what your complete requirements are as to which is best for you. Are you comparing with a specific GoDaddy hosting plan? (I didn’t think they had free plans.)

Please suggest a host that has this. It would be ideal for me.

See the following thread for a list of web hosts that support Let's Encrypt:

hi geomcd1949

i understand that this can be confusing

not to confuse the issue more but there are options outside of letsencrypt to achieve what you want

services like CloudFlare https://www.cloudflare.com/ will provide you with HTTPS encryption to a point and there is no need for the backend (GoDaddy) to support SSL.

It’s also free and has a bunch of other great features (such as bot blocking etc)

the service is free and there are paid plans as well.

in terms of making things easy - well encryption is not easy. and there are plenty of people who get it wrong. It’s about horses for courses and if you do not have the acumen or skillset then it’s good to explore options (cloudflare being one)

I wish I had come across this thread sooner. Maybe I could have saved the OP some money.
They don’t make it easy, but if a GoDaddy hosting account is on a Linux server that uses cPanel, then it is possible to use 3rd party SSL certs, including LE’s.

The OP has already done the move, and spent the money, so it will not help him, but others are likely to find this thread, so I’ll lay it out anyway.

To install a Let’s Encrypt SSL cert on GoDaddy, go through this process: {Replace my_domain_name and my_domain_name.com with the appropriate name for your domain.}

Log into your cPanel
In the 8th section “Security”, click on "SSL/TLS"
Under the heading “Private Keys (KEY)”
– Click on "Generate, view, upload, or delete your private keys."
Under the section “Generate a New Private Key”
– Select the key length you want
– Enter a Description, if you choose
– Click on "Generate"
On the new page you are presented with the newly generated private key.
You should copy everything inside the top gray box and save it to a file on your own computer, maybe my_domain_name.key
By everything I mean the top line:
-----BEGIN RSA PRIVATE KEY-----
and the bottom line:
-----END RSA PRIVATE KEY-----
and all the “gobble-gook” between. The second box contains a host of mathematical stuff that may have some use, but I’m clueless what, and you don’t need it for an LE cert.

Now click on the link “Return to SSL Manager” at the bottom of the page.

Back on the SSL/TLS page, under the heading “Certificate Signing Requests (CSR)”
– Click on the link "Generate, view, or delete SSL certificate signing requests."
Under the heading of “Generate a New Certificate Signing Request (CSR)”
– Use the “Key” drop-down to select the private key you just created.
– In the “Domains” text area, enter the name, or names, you want covered by the cert.
One per line, you probably want at least my_domain.com and www.my_domain.com, and you may want to include others, such as blog.my_domain.com, or store.my_domain.com, etc.
Be aware that LE has a limit of 100 names per certificate, and even though the instructions on cPanel mention “wildcard” domains, LE does not support them, so do not include *.my_domain.com in your list of names.
Also, it is probably unwise to include other domains, such as my_other_domain.com in the list. Allowed by LE, but probably creates other problems for you.
Finish filling in the rest of the boxes in that section, except “Passphrase” which is not used by LE.
Then click on “Generate” at the bottom.
Again, you get to a new page with two gray boxes. Copy everything in the first box and save it to your own computer, maybe as my_domain_name.csr
Click on “Return to SSL Manager” at the bottom again.

In a new window/tab/browser go to zerossl.com
Click on "ONLINE TOOLS"
Under the “FREE SSL Certificate Wizard” heading, click on "START."
Fill in the “Email” box. Yes it’s optional, but without it LE cannot send you an email to remind you when the cert is close to expiring.
Open the file you saved the csr into and copy everything there and paste it in the text area that says “Paste your CSR or leave it blank to generate.” That is the lower-right box.
Check the two “Accept” boxes under that text-area.
Click on “NEXT” in the upper-right section.
After a while, how long depends on your computer, the lower-left box will be filled with a new key.
That is your Account key with LE, NOT the private key for your domain.
You will need that to renew the domain cert later. You can also use that Account key when creating certs for other domains later by pasting it in that box when you are pasting the CSR in its box.
Copy all of that and save it on your computer.
Except for using that Account key here, it should never leave your computer.
– Do NOT upload it or copy it to your server.
– DO SAVE it someplace safe, and back it up!
Once you have saved that Account key, click on the “NEXT” button again.

Next, on the Verification page, you are given the names of files to create, and the data to put in them.
There will be one file for each domain name you listed when generating the CSR.
Using FTP, or the cPanel file manager, create each of the named files, with the given data.
The instructions on that page are pretty clear.
Once you have created all those files click on the “NEXT” button one more time.
You should now be on the final page, "Your certificate is ready!"
Copy everything in the small box and save it to your computer. Maybe as my_domain_name.crt.
Go back to the cPanel page, which may have timed-out, log in again and return to the SSL/TLS page if needed.
Under the heading “Certificates (CRT)”,
Click on the “Generate, view, upload, or delete SSL certificates.” link.
Under the heading “Upload a New Certificate”,
– Paste the CRT that you just saved from the zerossl site in the big text area.
– Enter a description if you choose.
– Click on "Save Certificate"
On the screen showing success, click “Go Back” then on the bottom of that page, click on the “Return to SSL Manager”

Under the last heading “Install and Manage SSL for your site (HTTPS)”, click on the “Manage SSL sites.” link.
Under the “Install an SSL Website” click on the “Browse Certificates” button.
A dialog box shows up with the certificates you have on the server, probably just the one.
Select the radio button next to the one you want to install and click “Use Certificate”.
The dialog closes and the boxes are pre-filled with the information you have already saved onto your computer, so click the “Install Certificate” button.
You should get a notice of success, clicking “Ok” will reload the page and show the installed certificate(s).
You may have to repeat the Browse and Install steps for each domain you named in the certificate, especially if you have other certificates already covering some of them.

That should be the end of it all.

For renewals you can repeat the process, skipping the CSR and KEY generation, and including the Account key on the zerossl site.
Then using the cPanel file manager, copy/paste the new cert contents into the file /ssl/certs/xxxxxx
The actual filename will be the domain name, with “_” instead of “.” and a long GUID number.
Alternatively, you can use FTP to upload the saved CRT file, using that long name.

Not “automated” in any fashion, but it is available, and it does work.

The initial cert has to be installed the long way, because the “Installing” near the end is what causes their server to reload the host definition.
After that, the process could be automated, once someone has taken the time to extract the needed, unique, filenames from the server.

I imagine GoDaddy makes good revenue from the sale of certs, so I don’t look for them to ever enable the cPanel functionality for LE that I believe is now commonly available.
At least they don’t charge to “install” a 3rd party cert like some other sites do.

I have been with them over a decade, and reluctantly have decided to move on. Their service has always been good for me, but their price structure is no longer competitive (registration, hosting, or other services.)

Sorry for the belated help George.
Best wishes for those still with them, and hope this helps others later.

GypsyPriest - Hallelujah, brother, and thank you! The hardest part of flying a jet/turbine helicopter is starting it. The flying part is easy. But what most don’t realize is that starting the aircraft is a procedure, while the flying is the skill. And the best pilots in the world ALL use a checklist to start their machines.

The host I switched to has a 30-day money back policy, so I’m reverting to GoDaddy. They do indeed have some drawbacks mentioned above, but when I need hand-holding, I can get them, on the phone, 24/7/52.

Again, thanks very much for the time it took you to write the list. Much appreciated!

Always willing to help where I can with my limited knowledge in this area. That’s why this is called “Community Support.”

that's nice. have fun.

Hi @gypsypriest,

Thank you very much for taking the time to write up these detailed instructions to help GoDaddy users. I'm sure a lot of people will find them useful.

In terms of the two boxes in the cPanel interface, they actually contain exactly the same information, only the first one is in machine-readable format and the second one is in human-readable format. So the first one is used when configuring a computer to use the certificate, while the second one describes what the certificate says. It's possible to convert between the two representations although there are only published software tools for going from the machine-readable form to the human-readable form, rather than the other way around.

The human-readable information is also the same information that you'll see in a browser when visiting a page that has that cert enabled, if you look at Tools / Page Info / Security / View Certificate / Details (in Firefox) or lock icon / Details / Security / View Certificate / Details (in Chromium or Chrome).

If I understand you correctly, then you missed what the GoDaddy page displays in the second box after generating the private key. Rather than the human readable version of the cert's data, it is the numbers crunched to generate the key and shouldn't ever be shown by the browser. Actually, with anything beyond a trivial key length, most home computers couldn't decode those numbers in any realistic time frames anyway.

For a newly generated, and never to be used key, get the following results


I imagine that there is a way to use that in openssl, for example, to recreate the key. I know what it is, and how it's used, still, I have no idea why they would print it to the screen for the user. If the user was going to generate a private key themselves, they could just paste the encoded version in the text area provided for that on the previous screen and avoid having the server generate it. And, actually, that is my preferred method since I'd rather not have anyone, even my host server, with any more of "my" data than necessary. I generate the key on a local VM and then paste it where needed.

The human readable information shown by the browser can also be seen locally using any of several "key management" programs. In Linux I use gcr-viewer, and I know Windows has something for the same function, just can't recall what. (Might just be a left-click option on the file, or maybe the default application for "opening" a key/cert file.) [Ok, just checked in WinXP and Windows will automatically view cert files with a crypto shell extension, showing the same info as the browser if it was on an active page.]

Totally separate note: maybe @schoen can help me figure out a way to combine certbot with shell script to semi-automate the "uploading" of the renewed certs to GoDaddy shared hosting. Those minimum level hosts do include FTP access, so it shouldn't be too awfully difficult once all the filenames and such are collected somewhere. Just a thought to help others. I'll be moving from GoDaddy by April, when my hosting expires there, but before then I can do some testing.

@GypsyPriest – Would you share the host to which you will move, and reasons why? I understand if you would rather not share. Thanks.

~George

Whilst not certbot - the GetSSL alternative client is a bash script designed specifically for that ( uploading tokens etc via FTP, or ideally SSH, SFTP ) and can upload certificates via SSH / SFTP as well if required. There is a scripting plugin for certbot which should be available shortly as well.

Note: I wrote GetSSL, so I'm not totally unbiased in suggesting it :wink:

@geomcd1949 – I would if I could. Haven’t found the new host yet. The only reason I’m leaving GoDaddy is price. I can’t justify nearly $100/yr for a sandbox! When I started with them in '04 a domain registration included a small, free, webserver. No Perl, just PHP, limited space and bandwidth, a few databases, and that was it. Perfect for a sandbox, and at a good price, too. This Spring they finally decommissioned those servers - probably long overdue - and gave the few of us left on them a free year on their new Linux/cPanel hosts. Aside from not enabling LE in cPanel, I have no other complaints, and still recommend them to others, when appropriate. As you have observed, 24/7/52 live customer service (in native English) is not to be sneezed at these days. For a commercial site I would still use them, but for a hobbyist it just isn’t fiscally responsible. I do know that I’ll have a hard time replacing them and still being happy. :frowning:

@serverco – Nothing wrong with “promoting” your work when it benefits the community. :+1:
I had encountered mention of GetSSL and have it on my radar for experiments whenever I get to that “project.” Bad thing about being a hobbyist is that the fun stuff takes a back seat to the rest of life. :frowning:
Based on what I remember in my reading on GetSSL, the hard part for GoDaddy is going to be finding the correct file(s) to move/replace. When the cert is first stored on their server it is given a sensible, but humanly worthless, name. Having already played with self-signed and now a renewed LE cert, decoding which file is which got interesting. [downloaded all of them and used a viewer to see which one was “the” one.] To replace the cert with a new one I will have to rename the new cert to lamoreaux_name_939cf_f026b_1485756120_62e543fdfa8ce80f77413ccc6b8667c7.crt and then upload it to /ssl/certs/lamoreaux_name_939cf_f026b_1485756120_62e543fdfa8ce80f77413ccc6b8667c7.crt which is, fortunately, outside the web root but accessible with their cPanel file manager, and by FTP. (Actually that’s the expired cert, but the real name. Just a little paranoia, even if the cert is served to the public regularly and the directory isn’t world accessible, I didn’t want to post the active name.)
Anyway, as a quick question for GetSSL: can it rename the cert file before, or after, uploading it? If so, then it may be a God-send for ppl in @geomcd1949's position. minor PITA to find all the info for setup, but easy to automate thereafter. 14 sites to automate could make it worth the effort. :>

with GetSSL you don't even need to run it on the server ( many times you don't have access / permissions even if it is just bash) so you can run it on your virtualbox, home computer or wherever. As with everything, it depends what access you have.

Yes - you can rename / upload and name the certificate to anything you want to (it's a variable set in the config) for each cert.

Alternatively you can use the cpanel API to upload through the cpanel GUI and install the updated certificate way. Either way it's perfectly possible to automate.

Whoops, thanks for the correction! I agree that there is no reason to display this information. (The less private key material is displayed, output, or copied anywhere, the better.)
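
The second cPanel box discussed above lists the same integers that are DER-encoded inside the `-----BEGIN RSA PRIVATE KEY-----` block, so it is as sensitive as the key file itself. The following is an added example, not code from any poster in this thread or from cPanel or openssl: a standard-library Python sketch that encodes those named fields into a PKCS#1 PEM and decodes them back. The function names are hypothetical and the toy key (primes 61 and 53) is a constructed sample.

```python
import base64
from math import gcd

FIELDS = ("version", "modulus", "publicExponent", "privateExponent",
          "prime1", "prime2", "exponent1", "exponent2", "coefficient")
BEGIN = "-----BEGIN RSA PRIVATE KEY-----"
END = "-----END RSA PRIVATE KEY-----"

# Constructed toy key (p=61, q=53, e=17); far too small for real use.
SAMPLE = dict(zip(FIELDS, (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))

def _int_bytes(value):
    # DER INTEGERs are signed, so a 0x00 byte is prepended when the top bit is set.
    return value.to_bytes(value.bit_length() // 8 + 1, "big")

def colon_hex(value):
    # Render an integer in the aa:bb:cc style used by human-readable key dumps.
    return ":".join(f"{b:02x}" for b in _int_bytes(value))

def _der(tag, body):
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def fields_to_pem(key):
    # Named integers -> PKCS#1 PEM (human-readable form back to machine-readable).
    seq = _der(0x30, b"".join(_der(0x02, _int_bytes(key[f])) for f in FIELDS))
    b64 = base64.b64encode(seq).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *rows, END]) + "\n"

def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def pem_to_fields(pem):
    # PKCS#1 PEM -> the named integers a text dump of the key would list.
    rows = [r.strip() for r in pem.strip().splitlines()]
    if rows[0] != BEGIN or rows[-1] != END:
        raise ValueError("not a PKCS#1 RSA private key")
    tag, body, _ = _read_tlv(base64.b64decode("".join(rows[1:-1])), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    values, pos = [], 0
    while pos < len(body):
        tag, raw, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        values.append(int.from_bytes(raw, "big"))
    if len(values) != len(FIELDS):
        raise ValueError("unexpected field count")
    return dict(zip(FIELDS, values))

def is_consistent(key):
    # The fields are redundant: everything follows from the two primes and e.
    p, q = key["prime1"], key["prime2"]
    d, e = key["privateExponent"], key["publicExponent"]
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return (key["modulus"] == p * q and d * e % lam == 1
            and key["exponent1"] == d % (p - 1)
            and key["exponent2"] == d % (q - 1)
            and key["coefficient"] * q % p == 1)

if __name__ == "__main__":
    for name, value in pem_to_fields(fields_to_pem(SAMPLE)).items():
        print(f"{name}: {value} ({colon_hex(value)})")
```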
