I volunteered to put together a website for a small, non-profit fan club. They had been using one host to deal with email for the domain (another freebie) and a separate one for the website. When I took over, I offered to deal with the email as well, but it was refused. So the DNS is split with email going one way and website the other. This means I can't use the free SSL Certificate normally offered by the host. For the past few years, I've been using ZeroSSL to generate a 90-day certificate for free and uploading the code for Certificate, Key and CA Bundle / Intermediate Certificate via cPanel. Now ZeroSSL have stopped offering this option and want money!
I am after step-by-step instructions on how to do this. With ZeroSSL, I just added the domain name, verified the domain and it generated code. Let's Encrypt is completely impenetrable. I've searched YouTube and all sorts. My computer-boffin friend who provides the webspace for free also doesn't know how to do it.
My domain is: ZZ9.org
My web server is (include version): ?
The operating system my web server runs on is (include version): ?
My hosting provider, if applicable, is: 20i
I can login to a root shell on my machine (yes or no, or I don't know): don't know
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Don't know what you mean.
I'm running php 8.1
That's not necessary. Email and websites either use different DNS resource records (RR) (e.g. the "MX" RR for email, pointing to e.g. mx.example.com) or use different hostnames (e.g. smtp.example.com or imap.example.com for SMTP/IMAP respectively compared to www.example.com for the website).
If the hostname of the website is pointing to the server doing the webserving (which it usually does) and it is publicly reachable, then you should be able to get a certificate using the http-01 challenge.
I have not heard of the control panel named "Yes"?
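The point made in the reply above, as an added example that is not part of the thread: an http-01 validator looks up only address records for the hostname (following CNAMEs), so an MX record pointing at a different provider does not affect issuance. The zone contents, IP addresses and function names below are constructed assumptions.

```python
# Added example: constructed records using documentation-range IPs (RFC 5737).
ZONE = """\
example.org.        MX    10 mx.mailhost.example.   ; mail handled elsewhere
example.org.        A     192.0.2.10                ; web host
www.example.org.    CNAME example.org.
mail.example.org.   A     198.51.100.25             ; mail provider's server
"""

WEB_SERVER_IPS = {"192.0.2.10"}  # assumption: address of the web host


def parse_zone(text):
    """Return {name: [(rtype, rdata), ...]} from 'name type rdata' lines."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        name, rtype, rdata = line.split(None, 2)
        key = name.lower().rstrip(".")
        records.setdefault(key, []).append((rtype.upper(), rdata.strip()))
    return records


def http01_addresses(records, hostname, max_hops=8):
    """Addresses an http-01 validator would contact: A/AAAA only, via CNAMEs."""
    name = hostname.lower().rstrip(".")
    for _ in range(max_hops):
        rrset = records.get(name, [])
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if cnames:
            name = cnames[0].lower().rstrip(".")
            continue
        # MX records are never consulted for http-01
        return {rdata for rtype, rdata in rrset if rtype in ("A", "AAAA")}
    return set()  # CNAME loop or chain too long


def http01_preflight(records, hostname, web_ips=WEB_SERVER_IPS):
    """Say whether the validation request for hostname would hit the web host."""
    addrs = http01_addresses(records, hostname)
    if not addrs:
        return "no A/AAAA record: http-01 cannot reach any server"
    if addrs <= web_ips:
        return "ok: validation request goes to the web host"
    return "mismatch: validation request goes to " + ", ".join(sorted(addrs))
```

A "mismatch" result for a name means the challenge file has to be served from whichever machine that name resolves to, not from the web host.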
If you email person@example.com, it will go to whatever server is looking after the email and then get forwarded to the recipient who might be at person@gmail.com. The person who looks after the email also gifts them the domain registration.
If you visit example.com, you get the website which I look after via 20i. Looking back through old emails (May 2020), it seems that the email/domain name person was told to change/add DNS records in the following way:
Welcome to the Let's Encrypt Community @Volunteer!
(As a side note, bravo! I can't believe that name wasn't already taken.)
Author of CertSage here. Yeah, several people including myself have run into that problem lately due to some changes Let's Encrypt made that elongated the timing a bit. Try the certsage.txt mentioned in this post and let me know what happens:
Thanks for your offer of help. I'm sorry, but I can't see the certsage.text mentioned in the post you linked to. Is it different to the one in the link provided by Osiris?
As a positive note, you absolutely can get a cert for mail.example.com if that's the mail subdomain pointed at a cPanel hosting instance for example.com.
This is kind of challenging my knowledge here. But the webhosting company is 20i. I go to stackcp.com, log in and get a list of my websites. I then click to manage those websites and it takes me to the cPanel for that site.
Your CDN (StackCDN) is configured to try to validate the backend certificate (SSL connection between your server and the CDN). Since that cert is expired, you're getting the 502. You'll need to "relax" that configuration to update your cert.