Using Let's Encrypt on 3rd Party Hosting Service

Hello Rohit,

I managed to complete step 1 and step 2 on the gethttpsforfree.com site; however, step 3 requires running signature commands in a terminal.

Could you please let me know how you completed step 3 without having access to a terminal/shell?

Thanks,
Praveen

That step doesn’t have to be on the server, you can use the shell on your local machine.


Hi,

In that case, do I have to generate the CSR from my local machine, and use the private key retrieved from my local machine?

It doesn’t matter; steps 1-3 can be any combination of local and remote as long as the account key is the same in steps 1 & 3.

Hi,

Generated the CSR and private key on my Debian box, and uploaded the private key to the cPanel of my hosting provider.

I followed all the steps at https://gethttpsforfree.com/; finally it verifies the string and I get the error below.

I have verified that the public key and account key are different; I have renamed my private key to account.key.

Step 5: Install Certificate (Error: Certificate signature failed. Please start back at Step 1. {"type":"urn:acme:error:malformed","detail":"Error creating new cert :: Certificate public key must be different than account key","status":400})

You generate two public/private key pairs: one for your “Let’s Encrypt account” and a key pair for your certificate. With the latter, you’ll have to sign the CSR.

Hello Osiris,

I generated two pairs of private and public keys in different directories on my Debian box using the command below.

openssl req -new -newkey rsa:2048 -nodes -out **********_in.csr -keyout *_in.key -subj "/C=IN/ST=Karanataka/L=Bangalore/O=smarteryou/OU=Web Administration/CN=.in"

and I used the public key and CSR from the first folder to fill in step 1 and step 2 on https://gethttpsforfree.com/ and used the private key from the other folder to sign the API requests as part of step 3; it's throwing the error below.

Error: Account registration failed. Please start back at Step 1. {"type":"urn:acme:error:malformed","detail":"JWS verification error","status":400}
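The two errors above come from two different mix-ups of the same two key pairs: the "Certificate public key must be different than account key" error means the CSR was made from the account key, and the "JWS verification error" means the public key pasted in step 1 does not belong to the private key used to sign in step 3. The script below is an added example, not code from the thread or from gethttpsforfree.com; it generates the two key pairs the way Osiris describes and checks both conditions locally before anything is pasted into the web form. It assumes the openssl CLI is installed; the file names and the CN "example.com" are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate the two separate key pairs an
# ACME client needs and check, before uploading anything, that they really are
# different and that the CSR carries the certificate key, not the account key.
# Assumes the openssl CLI; the CN "example.com" and the file names are made up.
set -e

# SHA-256 over the DER SubjectPublicKeyInfo, from either a private or a public key.
spki_fingerprint() {
  { openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    || openssl pkey -pubin -in "$1" -outform DER 2>/dev/null; } \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Same, but for the public key embedded in a CSR.
csr_spki_fingerprint() {
  openssl req -in "$1" -noout -pubkey 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the two keys have different public halves.
keys_differ() {
  [ "$(spki_fingerprint "$1")" != "$(spki_fingerprint "$2")" ]
}

# Step 1 material: the account key signs the ACME (JWS) requests; its public
# half is what gets pasted into the web form.
# Step 2 material: a separate key for the certificate, and a CSR made from it.
make_keys() {
  dir=$1
  openssl genrsa -out "$dir/account.key" 2048 2>/dev/null
  openssl pkey -in "$dir/account.key" -pubout -out "$dir/account.pub" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/domain.key" -out "$dir/domain.csr" \
    -subj "/CN=example.com" 2>/dev/null        # CN is a placeholder
}

WORK=$(mktemp -d)
make_keys "$WORK"

# The check the CA performs ("Certificate public key must be different than account key"):
if keys_differ "$WORK/account.key" "$WORK/domain.key"; then
  echo "account key and certificate key differ: OK"
else
  echo "account key and certificate key are the same: the CA will reject the CSR"
fi

# The CSR must carry the certificate key, and the public key pasted in step 1
# must belong to the same account key later used to sign in step 3; otherwise
# the CA answers "JWS verification error".
[ "$(csr_spki_fingerprint "$WORK/domain.csr")" = "$(spki_fingerprint "$WORK/domain.key")" ] \
  && echo "CSR carries the certificate key: OK"
[ "$(spki_fingerprint "$WORK/account.pub")" = "$(spki_fingerprint "$WORK/account.key")" ] \
  && echo "pasted public key matches the signing account key: OK"
```

The fingerprint is taken over the DER-encoded SubjectPublicKeyInfo so that a PKCS#1 key from `genrsa`, a PKCS#8 key from `req -newkey`, a bare public key and a CSR all compare on the same bytes; comparing PEM text directly would not work across those formats.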

NOTE: This website is for people who know how to generate certificate signing requests (CSRs)! If you're not familiar with how to do this, please use the official Let's Encrypt client that can automatically issue and install https certificates for you. This website is designed for people who know what they are doing and just want to get their free https certificate.

I suggest running the official Let's Encrypt client instead :)

Hi,

I managed to generate certificate for my site. Thank you all for your support.

Soon I will write a small tutorial on installing Let's Encrypt on cPanel without access to the hosting terminal.

I am using a free 3rd-party hosting service from byet.host, because its cPanel offers an SSL/TLS Manager so that I can add my own certificate and private key. I also use web redirection from various domains using freedns.afraid.org. I am following the suggestions at https://tty1.net/blog/2015/using-letsencrypt-in-manual-mode_en.html, but even if I have the correct files on my web site in .well-known/acme-challenge/, the ACME challenge fails with a warning:
2016-03-28 15:45:54,480:WARNING:letsencrypt.plugins.manual:Self-verify of challenge failed.
Does this mean that the certificate is never created? Or, as this is just a warning, is the certificate created and I just need to locate it and paste it into the SSL/TLS Manager on cPanel? Or will this never work because I have to run some sort of ACME client on the hosting service, which I do not control?

Update: When I use https://gethttpsforfree.com/ I get a similar problem when trying to serve the file from the server… Clearly I can't run the Python server because I don't have access to the command line on the 3rd-party host. But I create the file and can see it if I access the web page, but still the error occurs… I am guessing that the problem occurs because of the way that the 3rd-party hosting service supports the various customers, i.e. I don't have an IP address of the server; rather it uses some clever scripting to make my web pages appear at a particular URL.

It would be good if someone could give me a hint so that I could use Let's Encrypt.

Thanks

@offsecguy do you have any suggestions?

Hi, the file is not publicly accessible. Try to open the verification file from a web browser and see if it opens or not. If not, then there is some permission issue or your server is restricting access to the file. For me there was some .htaccess issue.

@rohit1290 thanks for your suggestion. In my case the 3rd-party hosting service (https://byet.host/) does not yet support Let’s Encrypt and uses virtual hosting with many web sites served from one IP address. They do, however, support the SSL/TLS Manager, so I could manually add the certificate.

When I use any of the manual or semi-automatic processes, the verification of the website fails.

This seems to be because the byet.host web sites are all provided by one IP address, with virtual hosting providing the separate web sites from one IP address (185.27.134.121). Thus even if my web site has the correct files in http://www.herts.byethost11.com/.well-known/acme-challenge/letsencryptdemo and they can be viewed using a URL, the Let’s Encrypt verification process attempts to access the file with the URL http://185.27.134.121/.well-known/acme-challenge/letsencryptdemo, and this form of direct IP address access is not supported by byet.host because it redirects to a specific website based on the www.herts part of the web site URL.

Notice that https://www.whoisxmlapi.com/?gclid=CPSYnMjhjcwCFYIW0wodp7sCcQ&domainName=www.herts.byethost11.com&outputFormat=xml and https://www.whoisxmlapi.com/?gclid=CPSYnMjhjcwCFYIW0wodp7sCcQ&domainName=185.27.134.121&outputFormat=xml are the same entries, and that nslookup www.herts.byethost11.com -> 185.27.134.121.

I am hoping that @offsecguy has had a similar issue and am hoping that his tutorial will help me.

If not, then I am forced to look for another hosting provider or to wait for Let’s Encrypt to verify using the website name rather than the IP address. After all, as most users will access my website via a website name, it seems to me that Let’s Encrypt should verify site ownership using the same mechanism that a user would use to access the web pages. Very few, if any, users access websites using the IP address.

Why do you think it uses the IP address only? As far as I'm aware it doesn't. I have lots of sites hosted on the same IP address (perfectly normal nowadays) and Let's Encrypt works fine.

I get a 403 error if I try to go to the link you provided, which may be more the issue.

curl -I http://www.herts.byethost11.com/.well-known/acme-challenge/letsencryptdemo 
HTTP/1.1 403 Forbidden
Server: nginx
Date: Thu, 14 Apr 2016 09:27:53 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Vary: Accept-Encoding

@serverco thanks for your comment… the plot thickens… I suspect that when I use Firefox to access the same link, Firefox correctly follows the redirection scripts used by byethost, but for some reason curl does not… you can click on the above link in Firefox and it works, but as you say curl does not work.

Your hosting provider is using some sort of JavaScript-based “browser check”. Something like that naturally doesn’t work well with an automated process.

See http://byet.net/vb/forum/announcements/2884-checking-browser for more details.


curl -A "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" -I http://www.herts.byethost11.com/.well-known/acme-challenge/letsencryptdemo
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 14 Apr 2016 09:52:00 GMT
Content-Type: text/html
Content-Length: 940
Connection: keep-alive
Vary: Accept-Encoding
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache

So using a user agent string seems to work… Can the Let's Encrypt servers be updated to use a User-Agent string in the challenge request? Might not be as easy as that, because the server then seems to want curl to support JavaScript!

Let’s Encrypt sends the User-Agent header, although not a typical browser UA string.

Take a look at the actual response. It’s an HTML document with JavaScript:

<html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("1f56c8b90ca7d8582bee49117055aec2");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; document.cookie="referrer="+escape(document.referrer); location.href="http://www.herts.byethost11.com/.well-known/acme-challenge/letsencryptdemo?ckattempt=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>
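What the validator sees in the response above is not the token but an HTML page that runs AES in JavaScript to set a `__test` cookie and then redirects to the same URL with `?ckattempt=1`; no ACME client executes that. The script below is an added example, not code from the thread or from Let's Encrypt, and it shows a pre-flight check one can run before requesting validation: fetch the challenge URL the way a non-browser client does and classify the body as the plain key authorization, a JavaScript interstitial like the one pasted above, or an HTTP error like the 403 serverco got. The token, thumbprint, hostname and User-Agent string in it are made-up values; only the markers `<script`, `ckattempt=` and `__test=` come from the response shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): a pre-flight check that looks at an
# HTTP-01 challenge URL the way a validator does (no JavaScript, no cookies)
# and tells apart the three responses seen in this thread. The token,
# thumbprint, hostname and User-Agent below are made-up values.
set -e

# For HTTP-01 the CA fetches
#   http://<host>/.well-known/acme-challenge/<token>
# and expects the body to be exactly "<token>.<account key thumbprint>".
# Prints: ok | js-interstitial | http-<status> | mismatch
classify_challenge_response() {
  status=$1; body=$2; expected=$3
  if [ "$status" != 200 ]; then
    echo "http-$status"
    return 0
  fi
  trimmed=$(printf '%s' "$body" | tr -d '\r\n')      # a trailing newline is tolerated
  if [ "$trimmed" = "$expected" ]; then
    echo ok
  elif printf '%s' "$body" | grep -q -e '<script' -e 'ckattempt=' -e '__test='; then
    echo js-interstitial   # the cookie-setting redirect page, not the token
  else
    echo mismatch
  fi
}

# Live variant (needs network; not used by the checks below): fetch with a
# non-browser User-Agent and no cookie jar, as an automated client would.
check_challenge_url() {
  url=$1; expected=$2
  tmp=$(mktemp)
  status=$(curl -sS -o "$tmp" -w '%{http_code}' -A 'acme-preflight-check/1.0' "$url")
  classify_challenge_response "$status" "$(cat "$tmp")" "$expected"
  rm -f "$tmp"
}

# Constructed sample responses (token and thumbprint are not real).
TOKEN='LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0'
THUMB='9jg46WB3rR_AHD-EBXdN7cBkH1WOu0tA3M9fm21mqTI'
KEYAUTH="$TOKEN.$THUMB"
GOOD_BODY="$KEYAUTH
"
INTERSTITIAL_BODY='<html><body><script type="text/javascript" src="/aes.js"></script><script>document.cookie="__test=..."; location.href="http://www.example.com/.well-known/acme-challenge/'"$TOKEN"'?ckattempt=1";</script><noscript>This site requires Javascript to work</noscript></body></html>'
FORBIDDEN_BODY='<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>'

echo "plain token file:    $(classify_challenge_response 200 "$GOOD_BODY" "$KEYAUTH")"
echo "browser-check page:  $(classify_challenge_response 200 "$INTERSTITIAL_BODY" "$KEYAUTH")"
echo "curl without UA:     $(classify_challenge_response 403 "$FORBIDDEN_BODY" "$KEYAUTH")"
```

Run `check_challenge_url http://www.example.com/.well-known/acme-challenge/$TOKEN "$KEYAUTH"` against a real host to see what an automated client gets; if it prints `js-interstitial` even with the file in place, no User-Agent trick on the CA's side would help, because the page requires executing JavaScript and storing a cookie before the token is ever served.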

@pfg thanks for your help… I raised a support call with byet.host but I do not expect them to come up with a fix. Looks like I will have to look for a new hosting provider if I want to use Let's Encrypt.


Did you try gethttpsforfree.com?

I got my SSL certificate from https://gethttpsforfree.com/. Even though I am using a shared server, gethttpsforfree.com worked like a charm.