Submitted the CSR and the key to the host through cPanel, asks me to send the CSR back to you

My domain is:

I ran this command:
# certbot certonly --manual (I followed this guide that you provided: )

It produced this output:
Everything went well, got the CSR and key on my local machine, and proceeded to upload those to the host (through cPanel, v62.0.16)

My hosting provider, if applicable, is: Shared web host, no ssh

I can login to a root shell on my machine (yes or no, or I don’t know): No

I’m using a control panel to manage my site: Yes, cPanel v62.0.16

After submitting the CSR and the key, I’m prompted by the SSL function in cPanel to send an Encrypted Certificate Signing Request (that’s displayed on the same page of that cPanel function) to the Certificate Authority I want to use (which I’m guessing it’s Let’s Encrypt). Now the guide I mentioned above ends after issuing the certbot commands. Am I supposed to do something else? ATM I’m not able to connect to the site through https.
Sorry if this is all shows how much of a noob I am, never did this before.

You are confusing a Certificate Signing Request (CSR) with an actual certificate.

The CSR, as you can read from the Wikipedia page linked above, is generated on the local machine, with the (also locally generated) private key, and send to the Certificate Authority (CA, in casu Let’s Encrypt). With that CSR, the CA will generate the actually used certificate.

You say everything went well, but if that is the case, certbot would also have given you the certificate, not only the CSR and private key. What was the exact and full output of the certbot command you ran?

Thanks for the reply @Osiris
I’ve looked at the logs, and it indeed said that it exported the proper private key and the certificate, though in STDOUT, I’ve got only the paths to the CSR and the key (not sure which one, most likely public), so I thought it was probably all I needed.
So now I (think) I managed to install the certificate, but now I’ve encountered another issue, but this one I’ll take it to the host, as I’m thinking it might be on their side of things.
One more question: is this certificate valid for all subdomains, or do I have to install it on each of them separately?

It also would have written something like:

Your certificate is stored in /etc/letsencrypt/live/

(Not literally, but something like that.)

You can manually check the directory corresponding to your hostname in the /etc/letsencrypt/live/ directory for fullchain.pem. You'll need to upload that file (or the entire contents) to your control panel. It contains the certificate as wel as the intermediate certificate. Both are needed for a correct configuration of your site and most control panels will accept the entire file as "certificate". There might also be control panels which require you to separately upload both.

Yes, that’s the message I’ve got in the logs, but not in STDOUT (or not that I remember anyway).
And yes indeed, I have fullchain.pem, though I didn’t see any input field for that… so instead I uploaded cert1.pem. I’m guessing I’ll have to do this all over again?

Using the symbolic links in the /live/ directory is the safest method, as the symbolic links are automatically updated if you renew the certificate.

Yup, unfortunately, if your hosting provider doesn't offer any automatic installation of (Let's Encrypt) certificates, you'll need to go through the whole process again within 90 days (the validity of Let's Encrypt certificates).

Ugh… isn’t it possible to just uninstall the current certificate within cPanel, and install it again, with the proper file this time…?
Also the certificate seems to have been properly installed, just that I can’t access the site with https, as it thinks the certificate is supposed to be for a subdomain the host offered before I linked my own domain ( That’s why I said I think the problem is at the host’s end.

I have no idea, I've never used cPanel. The file cert1.pem is probably the right certificate file, but you might miss the intermediate certificate.

Check your site at SSL Server Test (Powered by Qualys SSL Labs) and look for "chain" or "missing certificate" issues.

You might want to talk to your host about that, yes :slight_smile:

Well, I do have an option to uninstall the certificate, so I'm guessing, I can? I won't do anything until the host answers me though.

Hm, getting a "Certificate name mismatch " error, with the same diagnostics as I've gotten from Firefox. I'll now wait for the host's answer.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.