It produced this output:
Everything went well, got the CSR and key on my local machine, and proceeded to upload those to the host (through cPanel, v62.0.16)
My hosting provider, if applicable, is: Shared web host, no ssh
I can login to a root shell on my machine (yes or no, or I don’t know): No
I’m using a control panel to manage my site: Yes, cPanel v62.0.16
After submitting the CSR and the key, I’m prompted by the SSL function in cPanel to send an Encrypted Certificate Signing Request (that’s displayed on the same page of that cPanel function) to the Certificate Authority I want to use (which I’m guessing is Let’s Encrypt). Now the guide I mentioned above ends after issuing the certbot commands. Am I supposed to do something else? ATM I’m not able to connect to the site through https.
Sorry if this all shows how much of a noob I am, never did this before.
The CSR, as you can read from the Wikipedia page linked above, is generated on the local machine, with the (also locally generated) private key, and sent to the Certificate Authority (CA, in casu Let’s Encrypt). With that CSR, the CA will generate the actually used certificate.
You say everything went well, but if that is the case, certbot would also have given you the certificate, not only the CSR and private key. What was the exact and full output of the certbot command you ran?
Thanks for the reply @Osiris
I’ve looked at the logs, and it indeed said that it exported the proper private key and the certificate, though in STDOUT, I’ve got only the paths to the CSR and the key (not sure which one, most likely public), so I thought it was probably all I needed.
So now I (think I) managed to install the certificate, but now I’ve encountered another issue, but this one I’ll take to the host, as I’m thinking it might be on their side of things.
One more question: is this certificate valid for all subdomains, or do I have to install it on each of them separately?
Congratulations!
Your certificate is stored in /etc/letsencrypt/live/example.com/fullchain.pem
(Not literally, but something like that.)
You can manually check the directory corresponding to your hostname in the /etc/letsencrypt/live/ directory for fullchain.pem. You'll need to upload that file (or the entire contents) to your control panel. It contains the certificate as well as the intermediate certificate. Both are needed for a correct configuration of your site and most control panels will accept the entire file as "certificate". There might also be control panels which require you to separately upload both.
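For a control panel that wants the certificate and the intermediate uploaded separately, the split of fullchain.pem described above can be scripted. This is an added example, not part of the original thread; the function name `split_fullchain`, the output file names and the two dummy PEM blocks are constructed for illustration.

```shell
#!/bin/sh
# Added example: split a certbot fullchain.pem into two files.
#   cert.pem  = first PEM block (the site's own certificate)
#   chain.pem = every following block (intermediate certificate(s))
# Returns 0 on success, 1 if the input has no certificate block,
# 2 if it has only one block (a bare certificate, not a full chain).
split_fullchain() {
    fullchain=$1
    outdir=$2
    [ -r "$fullchain" ] || { echo "cannot read $fullchain" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    : > "$outdir/cert.pem"     # create both files even if one stays empty
    : > "$outdir/chain.pem"
    awk -v leaf="$outdir/cert.pem" -v chain="$outdir/chain.pem" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inblock = 1 }
        inblock { print >> (n == 1 ? leaf : chain) }
        /^-----END CERTIFICATE-----/   { inblock = 0 }
        END { if (n == 0) exit 1; if (n == 1) exit 2 }
    ' "$fullchain"
}

# Constructed sample input: two dummy PEM blocks, not real certificates.
demo_dir=$(mktemp -d)
cat > "$demo_dir/fullchain.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0E=
-----END CERTIFICATE-----
EOF
split_fullchain "$demo_dir/fullchain.pem" "$demo_dir/out" &&
    echo "wrote $demo_dir/out/cert.pem and $demo_dir/out/chain.pem"
```

A return status of 2 means the input held a single certificate only, so there is no intermediate to upload from it.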
Yes, that’s the message I’ve got in the logs, but not in STDOUT (or not that I remember anyway).
And yes indeed, I have fullchain.pem, though I didn’t see any input field for that… so instead I uploaded cert1.pem. I’m guessing I’ll have to do this all over again?
Using the symbolic links in the /live/ directory is the safest method, as the symbolic links are automatically updated if you renew the certificate.
Yup, unfortunately, if your hosting provider doesn't offer any automatic installation of (Let's Encrypt) certificates, you'll need to go through the whole process again within 90 days (the validity of Let's Encrypt certificates).
Ugh… isn’t it possible to just uninstall the current certificate within cPanel, and install it again, with the proper file this time…?
Also the certificate seems to have been properly installed, just that I can’t access the site with https, as it thinks the certificate is supposed to be for a subdomain the host offered before I linked my own domain (jpopfantasia.cf). That’s why I said I think the problem is at the host’s end.