Generated CSR and private key on my Debian box, uploaded private key to cPanel of hosting provider.
And followed all steps as per https://gethttpsforfree.com/ , finally it verifies the string and I get below error.
I have verified, the public key and account key are different, I have renamed my private key to account.key
Step 5: Install Certificate (Error: Certificate signature failed. Please start back at Step 1. {"type":"urn:acme:error:malformed","detail":"Error creating new cert :: Certificate public key must be different than account key","status":400})
You generate two public/private key pairs: one for your "Let's Encrypt account" and a keypair for your certificate. With the latter, you'll have to sign the CSR.
and I used public key and CSR from first folder to fill step 1 and step 2 on https://gethttpsforfree.com/ and used private key from different folder to sign API as part of step 3, it's throwing below error.
Error: Account registration failed. Please start back at Step 1. {"type":"urn:acme:error:malformed","detail":"JWS verification error","status":400}
NOTE: This website is for people who know how to generate certificate signing requests (CSRs)! If you're not familiar with how to do this, please use the official Let's Encrypt client that can automatically issue and install https certificates for you. This website is designed for people who know what they are doing and just want to get their free https certificate.
I suggest running the official Let's Encrypt client instead
I am using a free 3rd party hosting service from byet.host, because the cpanel offers an SSL/TLS Manager so that I can add my own Certificate and Private Key. I also use web redirection from various domains using freedns.afraid.org. I am following the suggestions at https://tty1.net/blog/2015/using-letsencrypt-in-manual-mode_en.html, but even if I have the correct files on my web site in .well-known/acme-challenge/? the acme challenge fails with a warning:
2016-03-28 15:45:54,480:WARNING:letsencrypt.plugins.manual:Self-verify of challenge failed.
Does this mean that the certificate is never created? or as this is just a warning is the certificate created, I just need to locate it and then paste it into the SSL/TLS Manager on cpanel? or will this never work because I have to run some sort of acme client on the hosting service that I do not control?
Update: When I use https://gethttpsforfree.com/ I get a similar problem when trying to serve the file from the server… Clearly I can't run the python server because I don't have access to the command line on the 3rd party host. But I create the file and see it if I access the web page but still the error occurs… I am guessing that the problem occurs because of the way that the 3rd party hosting service supports the various customers, ie I don't have an IP address of the server, rather it uses some clever scripting to make my web pages appear at a particular url.
It would be good if someone could give me a hint so that I could use letsencrypt.
Hi, the file is not accessible publicly. Try to open the verification file from a web browser and see if it's opening or not. If not then there is some permission issue or your server is restricting the access of the file. For me there was some htaccess issue.
@rohit1290 thanks for your suggestion. In my case the 3rd party hosting service (https://byet.host/) does not yet support Let's Encrypt and uses virtual hosting with many web sites served from one IP address. They do however support the SSL/TLS Manager so I could manually add the certificate.
When I use any of the manual or semi automatic processes the verification of the website fails.
This seems to be because the byet.host web sites are all provided by one IP address, with virtual hosting providing the separate web sites from one IP address (185.27.134.121). Thus even if my web site has the correct files in http://www.herts.byethost11.com/.well-known/acme-challenge/letsencryptdemo and can be viewed using a url, the Let's Encrypt verification process attempts to access the file with the url http://185.27.134.121/.well-known/acme-challenge/letsencryptdemo and this form of direct IP address access is not supported by byet.host because it redirects to a specific website based on the www.herts part of the web site url.
I am hoping that @offsecguy has had a similar issue and am hoping that his tutorial will help me.
If not then I am forced to look for another host provider or to wait for Let's Encrypt to verify using the website name rather than the IP address. After all, as most users will access my website via a website name, it seems to me that Let's Encrypt should verify the site ownership using the same mechanism that a user would access the web pages. Very few if any users access websites using the IP address.
Why do you think it uses the IP address only? As far as I'm aware it doesn't. I have lots of sites hosted on the same IP address (perfectly normal nowadays) and Let's Encrypt works fine.
I get a 403 error if I try to go to the link you provided - which may be more the issue.
@serverco thanks for your comment… the plot thickens… I suspect that when I use Firefox to access the same link that Firefox correctly follows the redirection scripts used by byethost, but for some reason curl does not… you can click on the above link in Firefox and it works but as you say curl does not work.
Your hosting provider is using some sort of JavaScript-based "browser check". Something like that naturally doesn't work well with an automated process.
So using a user agent string seems to work… Can Let's Encrypt servers be updated to use a User Agent String in the challenge request? Might not be as easy as that because the server then seems to want curl to support JavaScript!
Let's Encrypt sends the User-Agent header, although not a typical browser UA string.
Take a look at the actual response. It's an HTML document with JavaScript:
<html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("1f56c8b90ca7d8582bee49117055aec2");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; document.cookie="referrer="+escape(document.referrer); location.href="http://www.herts.byethost11.com/.well-known/acme-challenge/letsencryptdemo?ckattempt=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>
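An added self-check (example code, not from this thread or from the Let's Encrypt client) that reproduces what a non-browser validator sees: it fetches the challenge URL with a plain HTTP client that never runs JavaScript and classifies the body, so a response like the cookie-setting interstitial above is reported as "js_interstitial" instead of silently failing. The URL, token and sample bodies are constructed for this example; in real use `expected` is the key authorization string the ACME client tells you to serve.

```python
import re
import urllib.error
import urllib.request

# Constructed sample data (not captured from the real host) so this runs offline.
EXPECTED_TOKEN = "letsencryptdemo"
GOOD_BODY = "letsencryptdemo\n"
INTERSTITIAL_BODY = (
    '<html><body><script type="text/javascript" src="/aes.js"></script>'
    '<script>document.cookie="__test=...; path=/";'
    'location.href="http://www.example.test/.well-known/acme-challenge/x?ckattempt=1";'
    '</script><noscript>This site requires Javascript to work</noscript></body></html>'
)


def classify_challenge_response(status, content_type, body, expected):
    """Judge a challenge response the way an automated validator would:
    read the body literally, never execute scripts, never keep cookies."""
    if status != 200:
        return "http_error"          # e.g. the 403 curl gets from the host
    if body.strip() == expected:
        return "ok"                  # exact token/key authorization served
    looks_html = "text/html" in (content_type or "").lower() or bool(
        re.search(r"<\s*(html|script)\b", body, re.I))
    if looks_html and re.search(r"<\s*script\b|document\.cookie|location\.href", body, re.I):
        return "js_interstitial"     # browser check: only a JS-capable client passes
    if looks_html:
        return "html_page"           # some other page (custom 404, landing page) served
    return "token_mismatch"          # plain text but not the expected value


def self_verify(url, expected, timeout=10):
    """Fetch url with urllib (no cookie jar, no JS) and classify the result."""
    req = urllib.request.Request(
        url, headers={"User-Agent": "acme-self-check/0.1 (constructed example)"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_challenge_response(
                resp.status, resp.headers.get("Content-Type"), body, expected)
    except urllib.error.HTTPError as e:
        return classify_challenge_response(e.code, e.headers.get("Content-Type"), "", expected)


if __name__ == "__main__":
    # Example call against a placeholder URL; substitute your own host and token.
    print(self_verify("http://www.example.test/.well-known/acme-challenge/" + EXPECTED_TOKEN,
                      EXPECTED_TOKEN))
```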
@pfg thanks for your help… I raised a support call on byet host but I do not expect them to come up with a fix. Looks like I will have to look for a new hosting provider if I want to use Let's Encrypt.