Thank you so much for the info! So how can I test the default one? And it seems that certbot cannot be used with GoDaddy.
Maybe the control panel with which you get the certificate originally has a setting for that?
I guess a better question even is:
.. mean exactly?
GoDaddy said they do not offer support for Let's Encrypt, so I must, as I understood, install certbot, but it is not clear to me how to do so in the documentation, as the documentation talks about the commands
following this guy's tutorial: Free SSL Certificate for GoDaddy - Install letsencrypt SSL - YouTube
So it's using a web-based, very manual approach. Two things:
- This manual approach is not recommended, but GoDaddy makes it very hard to automate things;
- The tutorial speaks about two certificates being present in the "certificate output" of PunchSalad where it currently should have three certificates in the output! So the copy/paste part of the "second" certificate should probably be "second and third" certificate.
As I said, this manual approach is not recommended. It's also very cumbersome. @griffin, a fellow volunteer on this Community, has written an ACME client completely written in PHP which can be used on your GoDaddy server and also issue a certificate! While it still contains manual parts (it should be possible to automate this on GoDaddy though, however, there are just 24 hours in a day and time is sparse, so it hasn't been developed yet..), it is much easier to work with compared to using PunchSalad. You can find the mentioned client CertSage here:
OK, I understand, thank you.
I read in some thread here in the Let's Encrypt community forum that it is possible to get shell access to a GoDaddy server. With shell access you can freely select the ACME client to automate the certificate issuance.
Thanks for the ping, @Osiris.
As the resident GoDaddy guy, I can say that GoDaddy has some peculiarities that I designed CertSage to cleanly handle. If you're using cPanel shared hosting, you can access a terminal through cPanel, which only appears in the Advanced section when you enable SSH. However, without root access, which you don't have, the large majority of ACME clients won't work. CertSage does not require root access.
I think you said GoDaddy had a problem with multiple intermediate certs, so they picked the short chain without the DST root.
Can they process the long chain with multiple intermediates?
Not sure, honestly. They handle the CA bundle fill-in by themselves. I'll have to test. I always paste all three certs returned by Boulder into the certificate box, but they seem to ignore the last two. I think I'll test overriding their automatic fill-in of the CA cert with the two intermediates.
Thanks, griffin, for sharing! I'll test it out! So it would eliminate the problem of "not safe" on mobile if I installed the certificate through your script?
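Added example, not part of the thread and not CertSage code: a Python sketch that splits a pasted chain into the leaf certificate (certificate box) and the remaining certificates (CA bundle box), tolerating line breaks that were collapsed into spaces. The function names are hypothetical and the sample blocks are constructed placeholders, not real certificates.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.S)

def to_pem(der):
    """Re-encode DER bytes as PEM with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return BEGIN + "\n" + "\n".join(lines) + "\n" + END + "\n"

def split_bundle(pasted):
    """Return (leaf_pem, ca_bundle_pem, count) for a pasted certificate chain."""
    if pasted.count(BEGIN) != pasted.count(END):
        raise ValueError("truncated paste: BEGIN/END markers do not match")
    blocks = []
    for body in PEM_RE.findall(pasted):
        # Whitespace of any kind is dropped, so a chain whose line breaks
        # were collapsed into spaces still decodes.
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # a certificate is a DER SEQUENCE
            raise ValueError("block %d is not a DER SEQUENCE" % (len(blocks) + 1))
        blocks.append(to_pem(der))
    if not blocks:
        raise ValueError("no certificate block found")
    return blocks[0], "".join(blocks[1:]), len(blocks)

def fake_der(n):
    """Constructed placeholder bytes (SEQUENCE, length 100); not a real certificate."""
    return b"\x30\x64" + bytes([n]) * 100

# Constructed sample: three placeholder blocks with newlines collapsed to spaces.
SAMPLE = " ".join(to_pem(fake_der(n)).replace("\n", " ").strip() for n in (1, 2, 3))

if __name__ == "__main__":
    leaf, ca_bundle, count = split_bundle(SAMPLE)
    print("certificates in paste:", count)
    print("certificate box:\n" + leaf)
    print("CA bundle box:\n" + ca_bundle)
```

A count of two where three were expected, or a marker mismatch, points to an incomplete copy/paste before anything is installed.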
CertSage is a first-party ACME client, which means that all sensitive materials, such as your ACME account and certificate private keys, are generated directly on your webserver by the client. Moreover, unauthorized parties are prevented from using CertSage on your behalf by a 96-bit random code that changes every time CertSage is run. Only someone with access to CertSage's data folder (where your ACME account keys, certificate key, and certificate are saved) can retrieve that code.
CertSage is also the simplest way to get your certificate when using GoDaddy shared hosting. You can have your certificate within minutes of downloading CertSage using your favorite web browser on your smartphone. I'm not joking when I say that I've renewed and installed a certificate using my smartphone while waiting for a latte at Starbucks.
Yes, I have tried it, it is great, but there is a small issue: I did it the first time for my main domain in public_html, then I decided to delete it again and insert another domain inside the main domain, not a subdomain but a domain. So I tried it again and it gave me "authorized failed", nevertheless I have deleted all certificates and all code.txt and responses and started over. So what should I do?
CertSage worked fine, but I am still getting the "not safe" on my Android phone from Google Chrome, with an https barred in red. How can we solve that?
The web server for the domain f1ian.com is still serving the short chain without the intermediate certificate "ISRG Root X1" signed by "DST Root CA X3". Have you got the proper certificate chain? Did you apply that to the web server?
@FirasHelou90, try using:
It is very common with GoDaddy to have webroot directories for other domain names inside of public_html. You need to put a copy of certsage.php inside of the webroot directory for the other domain name as well. For example, let's say you have anotherdomain.com and its webroot directory is public_html/anotherdomain. You would put a copy of certsage.php inside of public_html/anotherdomain then modify line 16 of that certsage.php from this:
$dataDirectory = "../CertSage";
to this:
$dataDirectory = "../../CertSage";
That way CertSage will look two levels up for its data directory instead of one level up as the default. You would then visit anotherdomain.com/certsage.php and proceed in the usual way. Note that once you acquire a certificate for any domain name, you should install it before proceeding to acquire a certificate for a different domain name since CertSage will overwrite the certificate.key in its data directory each time it acquires a certificate for you.
GoDaddy serves the short chain by default now. I need to test with the long chain.
I don't know how you got that info, because all I know about the certificate stuff is how to set it and redirect. Nevertheless, I am a web developer, but with freelance experience, not corporate.