Simply obtain some files to get a certificate

My domain is:
Excuse me, but why do you need this as long as I just want to ask some very general questions?
(I am not allowed to offer domain now.)

The operating system my web server runs on is (include version):
Win10, XAMPP Apache

My hosting provider, if applicable, is:
Me… to this.

I can login to a root shell on my machine (yes or no, or I don't know):
Yes (or no, as you like - I can access all the files…)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
I don’t.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
That’s the point, or one of them - CERTBOT is not made for Windows. So no command line, no output. XAMPP and Apache are indeed not the latest versions, but «never change a running system».

Hello!

How complicated must it be to obtain an ID file I will place on my domain (I will not offer it earlier), upload a ‹personal› key (file)
and then, after confirmation, get just a simple, single file of type CRT to put into Apache’s SSL folder (and then change the configuration accordingly)?
Or, instead of getting a CRT, just copy and paste the content into a file of that type?

I feel, reading so much information, that I have to build an entire new house when I simply plan to fit a new lock to the front door. How do I get that lock?

BR
Eric March

Because often the topic starter thinks the answers to the questions aren't relevant, but in fact they are. So we just ask all of them to make debugging an issue a lot easier.

While it's true Certbot was primarily developed for Linux, it is available for Windows.

There are also ACME clients available specially developed for Windows.

While off topic, I'm sure I don't agree with this statement. Security issues might arise and be fixed in later versions of software, so keeping your web server and OS up to date is very important.

It's very easy by using the ACME protocol. Not complicated at all if you're using the correct tool(s), i.e., an ACME client.

Have you also read

and

?


On the other hand, if you're looking for some kind of web interface to use to create the certificate, Let's Encrypt isn't the certificate authority for you; they just don't work that way. Of course, there are plenty of other CAs who do.


Apache should require two files [or three, if your version is very old]:

  • a private key file
  • a cert and intermediate(s) file
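As an added example (not code from the thread or from any ACME client), this is how those two files are referenced in an Apache virtual host on a XAMPP install. The host name and the file paths are assumptions for a default XAMPP layout; use whatever names your ACME client writes.

```apache
# Added example; paths and host name are placeholders, not from the original thread.
<VirtualHost *:443>
    ServerName example.dyndns.example
    DocumentRoot "C:/xampp/htdocs"

    SSLEngine on
    # Leaf certificate followed by the intermediate(s) in one PEM file.
    # Apache 2.4.8 and later read the whole chain from this single file.
    SSLCertificateFile    "C:/xampp/apache/conf/ssl.crt/fullchain.pem"
    # The private key: generated on this machine by the ACME client. The CA never sees it.
    SSLCertificateKeyFile "C:/xampp/apache/conf/ssl.key/privkey.pem"
    # Only for Apache older than 2.4.8, where the chain has to be a separate (third) file:
    # SSLCertificateChainFile "C:/xampp/apache/conf/ssl.crt/chain.pem"
</VirtualHost>

# Keep plain HTTP on port 80 reachable. The HTTP-01 challenge is fetched from
# http://<host>/.well-known/acme-challenge/<token>, so do not block or password-protect that path.
<VirtualHost *:80>
    ServerName example.dyndns.example
    DocumentRoot "C:/xampp/htdocs"
</VirtualHost>
```

After editing the config, run Apache's syntax check (httpd.exe -t from the XAMPP apache\bin folder) and restart Apache; the renewal job of a Windows ACME client normally just overwrites the two PEM files in place and restarts the service, so the paths above stay constant across renewals.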

Hi @Eric_March,

Basically, it was an explicit decision from the beginning of Let's Encrypt to encourage all users to use automated certificate renewal processes at all times, and not to optimize anything for other cases. The Let's Encrypt developers were concerned, among other things, that people often failed to complete manual renewal steps; we were also influenced by the desire to make certificate lifetimes very short (and possibly shorter and shorter in the future), which is hard to do without annoying users unless they have automated renewals working.

That's all part of the reason that the ACME protocol used by Let's Encrypt was developed—to be spoken by software applications on the users' web servers.

As other people have mentioned, there are some Windows-specific clients

that may work well with your setup (although it's true that no client application may be optimized for integration with XAMPP on Windows).

If there isn't anything that works well for you, I'd encourage you to get in touch with the XAMPP developers and maybe ask them to participate in this community in order to find or create a better official integration solution. People in this community are usually very interested in offering technical support to software developers to improve automated Let's Encrypt integration, and it's a very realistic possibility that that could be improved in the near future.

The manual or interactive workflow that you might be used to with other certificate authorities is not something Let's Encrypt will ever try to officially provide or support, partly because of the short-lived certificates issue. (This was discussed at great length in some threads here on this forum when Let's Encrypt first started.) So if it's specifically important to you to follow that workflow, you might want to look at different certificate authorities.


I use so many forums, and feel I am surely old enough to know what I plan to ask. And not to spread it out to the world.
And I feel it impolite to be squeezed out…

A direct link (on your site?!) did not show any obvious information about a Windows version.

Nothing I asked for directly, nothing I know, no explanation here of how to use that protocol.
(Again - why is it so absolutely complicated to receive a simple, single file, delivering a key as a seed?
Millions need certificates, and there is still no easy way to get the material?)

Well, I know what a certificate is and what it does; and I just want to get one, in an uncomplicated manner, with the instruments and conditions available right now.

So why am I so often directed to Let’s Encrypt? I understand Let’s Encrypt does create certificates? And for free.

Indeed it does. Mine expired in 2019 or so, and I now plan some tests (o.k. - just one) with a valid and accepted certificate.

With, so I understand, the intention to have a server or hosted site alive. I do not have this… (to my hands)
And I’m frustrated with hosters selling virtual Windows servers (to use special software not available on UNIX…), offering certificates included in the contract, but not being able to just deliver a CRT file every year (having got the related private key). It comes down to useless work to assemble copied codes from the management web page and inject them into a fucking IIS (no simple adding of that code, oh no, Windows officially needs its own request process… [I learned to deal with simple files]). We indeed have hosted UNIX servers, too. Smart, intelligent, simple.
So please understand why I’m unhappy about this, unhappy not to get a simple instruction “give me that and you will get what you want”.

But, why? There is a very simple, quite stupid instruction they gave us: get a CRT, place it there (and if you do not overwrite the existing file, refine the settings to point to the new file).

So, sorry, frustrated, I again simply ask:
Where do I deliver a KEY file to get a CRT file or code = certificate just to save as CRT?

If, on the other hand, you order me to buy a certificate, I’m quite sure I will get the above mentioned code to help myself without any support from Let’s Encrypt. Can’t be true, can it?

Eric March

See:

Please show the "get a CRT" instructions you are following.


Your link was not the one I followed to CERTBOT. But we may not follow this.

There are no such instructions you ask for, in brief.
I learned over the years that I need a KEY (and a site ownership verification) to get a valid CRT (or similar) created by a reliable site, and what to do with that file. On those IIS and on XAMPP’s Apache.
That’s just all.

And that is my state… Now trying WACS, no trouble with a command line system. But no request for an existing KEY, no quick telling how to verify I’m the owner (by placing a file - my domain is no domain but just a «DynDNS»). (I feel I have to deliver the construction plans and patents of the lock of my door to receive a copy of my key, my private key.)

Eric March

And the ACME protocol has automated this for the most part. ACME clients will also generate the private key for you most of the time.

You don't need to have an actual server to use an ACME client. The computer the webserver is running on is just fine.


Well,
I rely simply on a web interface.
Why? Because I do not need nor want any software writing anything to system folders without my control. So called convenience (or comfort).

Trying WACS went funny and horrible. I got (bad) instructions to place a verification file (a known procedure), but a too intelligent software resolved my «DynDNS» to the hoster’s, provider’s, main server, which does not fit the requirements to verify by loading that file I placed there (and I could load it via dynamic DNS by browser with no problems). Deadlock. Yeah…

Eric March

But… May I be completely wrong in just using such tools? CertifyTheWeb fails in the same manner, being unable to verify the file I shall place in my root (_acme-challenge.xxx).
Do I need to obtain a certificate as an immaterial object to which these tools refer, creating physical files from it? My sorrow: how to inject a KEY into the process itself or get both KEY and raw data.

Even if there were a web interface to give you a certificate file, a CA still cannot create a key file for you; you must create it yourself. This is forbidden by the industry standard (Mozilla: CA/Forbidden or Problematic Practices).


There are some clients that are designed for Windows. But yes, all require you to install and configure, because Let's Encrypt is designed to run as an automatic scheduled job after getting your first certificate.


If I understand this as a matter of comfort to renew certificates, I shall agree.

But where, how, do I get that «first certificate» (as a new seed), since only an outdated one exists? In fact no tool can verify anything which does not exist (no longer exists), so where do I get an anchor?
Like getting new camping gas only when you deliver an old, empty can. Someone needs a new filled one to start the process.

Eric March

First, download an ACME client as I linked above and follow the user guide. After choosing the client, follow the client's user guide. There are some tools designed for Windows.

If I must choose for you, win-acme looks like it has decent documentation. You may have a look first.


The ACME protocol does not support a permanent "anchor".
All ACME challenge request replies must be unique to each run.
It is a very well documented, and complicated, process (for security reasons) being used by millions.
And it has been fully automated in Windows systems by very well-known working ACME clients.


The ACME protocol does not need to verify an HTTPS connection to get a cert. You would do well to read more about how this works instead of guessing and assuming.

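As an added example (not from the thread, from win-acme, or from Certify The Web), the following PowerShell script checks on the XAMPP machine the two things an HTTP-01 validation depends on, which is exactly where both clients failed earlier in this thread: that the DynDNS name resolves to this machine's public address rather than the provider's main server, and that a file dropped under .well-known/acme-challenge/ comes back byte-for-byte over plain HTTP on port 80 (no HTTPS is needed, as the reply above says). The host name, the XAMPP document root and the use of https://api.ipify.org to learn the public IP are assumptions; change them to fit your setup. The token is random and regenerated on every run, the same way every real ACME validation uses a fresh token, so nothing here is a permanent "anchor".

```powershell
# Added example, not code from the original thread or from any ACME client.
# Assumptions (placeholders): the host name, the XAMPP document root,
# and https://api.ipify.org as the service that echoes this machine's public IP.
$HostName = 'example.dyndns.example'      # your DynDNS name
$DocRoot  = 'C:\xampp\htdocs'             # XAMPP default document root

# 1. Does public DNS point the name at this machine?
$aRecords = Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' }
$resolved = $aRecords.IPAddress
$publicIp = (Invoke-RestMethod -Uri 'https://api.ipify.org' -ErrorAction Stop).Trim()
Write-Host "DNS says $HostName -> $($resolved -join ', ')"
Write-Host "This machine's public address is $publicIp"
if ($resolved -notcontains $publicIp) {
    Write-Warning "The name does not resolve to this machine. The CA will fetch the challenge from $($resolved -join ', '), not from your XAMPP server."
}

# 2. Publish a throw-away token the way an ACME client would, then fetch it back over HTTP.
$token = [guid]::NewGuid().ToString('N')
$dir   = Join-Path $DocRoot '.well-known\acme-challenge'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file  = Join-Path $dir $token
# Plain ASCII, no byte-order mark, no trailing newline: the body must match exactly.
[System.IO.File]::WriteAllText($file, $token, [System.Text.Encoding]::ASCII)

$url = "http://$HostName/.well-known/acme-challenge/$token"
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
    if ($resp.StatusCode -eq 200 -and $resp.Content -eq $token) {
        Write-Host "OK: $url returned the token. HTTP-01 should work from this vantage point."
    } else {
        Write-Warning "Unexpected reply: status $($resp.StatusCode), body '$($resp.Content)'"
    }
} catch {
    Write-Warning "Could not fetch $url : $($_.Exception.Message)"
} finally {
    Remove-Item -Path $file -ErrorAction SilentlyContinue
}
```

Run it from a PowerShell prompt on the XAMPP machine while Apache is listening on port 80. A pass here only proves the path works from inside your own network; Let's Encrypt fetches the token from its own servers, so also open the printed URL from outside (a phone on mobile data will do), make sure the router forwards port 80 to the XAMPP box, and make sure Apache does not redirect or password-protect /.well-known/acme-challenge/. The "_acme-challenge.xxx" name mentioned earlier in the thread belongs to the DNS-01 challenge (a TXT record at your DNS provider), not to this HTTP-01 file, so the two must not be mixed up.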

You misunderstood… I do need an anchor for the very first time to obtain a certificate…
…since all those ›very well documented‹ procedures do not bring up any progress. (A key is needed; fine. I do have one, but have not been asked for it. And with no finished process I still do not know what I get delivered; certificate and key?)

Then tell me what I do wrong.
Two tools fail in the same manner to verify my site, so what to do? Indeed my «DynDNS» provider was labelled as not secure according to a log. Well, yes, really, that’s why I ask for a certificate…

I feel surrounded by all the same not working instructions, nobody here reading and following all the information I can deliver.
Two tools which cannot verify my site (obviously not seen here as a problem that can happen) cannot deliver a certificate. I use a «DynDNS», but can access my site with no problems. The verify processes seem not to be able to do the same - loading a stupid file from my site.
Is no «DynDNS» allowed? Are there special settings? Or may my TXT verify file accidentally not be coded as DOS but UTF-8? Help me to find the reason such a very simple and very well documented process fails.

Eric March


If you want help diagnosing a DNS problem you're going to have to share your domain name


I may try to get a test system online; the one I plan to get that certificate for is not allowed to spread in the world. Sorry.

And, excuse me, it was a bank holiday here, I followed an international bike race for hours and am now getting a little tired…
So I plan to follow it up tomorrow.

Thanks in advance,
Eric March


If that is indeed one of your requirements, a certificate from a public CA is not suitable for you. The public CA Certificate Transparency (CT) requirements that have been in place for five years now result in the public disclosure of all certificates issued by public CAs.

If you can find a public CA that doesn't comply with CT, you will want to use it. All certificates issued by the Let's Encrypt CA are CT compliant.
