Where do I go to start the SSL certificate renewal process on Let's Encrypt?

#1

My SSL certificate expired yesterday and there is a GIANT warning on my pages telling visitors that someone may be trying to steal their information.

My domain is: https://www.coremagazines.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like
#2

Do you remember how you got the last cert?

You mention “GoDaddy” and “cPanel”.
Is there an option to get/renew a cert in the panel?
Have you emailed/spoken with GoDaddy?

1 Like
#3

I logged into the section to manage the certificate but it only confirms that my certificate has expired. They told me that I have to go to the company that issued the certificate. The email alert that I signed up for, works for GoDaddy-issued certificates. So I didn’t get an alert.

1 Like
#4

I actually had to initiate the original request to GoDaddy. It seems they are holding on to the renewal instructions for dear life.

2 Likes
#5

Well the current cert is useless.
Can you delete it and start over?

1 Like
#6

It’s worse than useless because it is actually interfering with my readership/clientele. Those visitors may not come back to my site because of the message.

What I found out:
Sometime during the last 3 months, they’ve (GoDaddy) stopped honouring the Certificate Requests and are now sending people to Certbot for that part of the process.
That’s why when you do a search for Let’s Encrypt documentation it brings you to that section – but it doesn’t explain why you’re there.

Now I have to read all the Certbot information to figure out what to do and how to do it.

1 Like
#7

If they said you should use certbot, then I can help you with that.

Is certbot already installed?
Can you login with SSH?

1 Like
#8

This is what they actually said in a generic message in “Help”. And this is based on a NEW certificate not a renewal. But I guess I need to do a new one.

“Generate your certificate signing request (CSR). Let’s Encrypt recommends generating your certificate through Certbot but this is not supported on GoDaddy’s cPanel Linux hosting . Instead, you will need to use a third party client to generate your Let’s Encrypt certificate. GoDaddy and Let’s Encrypt do not control or review these third party clients and cannot guarantee their safety or reliability. You can find a list of available options under the Browser section.”

1 Like
#9

For long term ease-of-use, you may want to change that plan (to one that includes it) or change hosting providers.
For now…
Are you able to install certbot on that system?
Otherwise, it will be a very manual process every <90 days…

1 Like
#10

I wouldn’t mind the manual use if the instructions were clear.
For the system, I chose Apache and Other UNIX.
Not sure if that’s right.

1 Like
#11

If so, please show:
lsb_release -a
or
uname -a

1 Like
#12

How did you install the cert last time?

I’m not sure you will be able to install cerbot onto that system - it may be “shared” hosting.

If NOT, I’m putting together a (makeshift) step-by-step for you to get a signed cert ASAP.
Must haves:

  • access to OPENSSL
  • ability to copy file private key and public cert into the system (probably in cPanel)

[in a secure location - execute the following]

 Step#1: openssl req -out rsa.public.csr -new -sha256 -newkey rsa:2048 -nodes -keyout rsa.private.key.pem
         Or Step#1 split into two separate steps (optional):
                Step#1A: openssl genrsa -out rsa.private.key.pem 2048
                Step#1B: openssl req -new -sha256 -key private.key.pem -out rsa.public.csr
 Step#2: Send CSR to cert signing authority.
        [you can use a site like freessl.org - ensure you click "I have a CSR" (page 2)]
        The "verify type" can be either DNS or FILE (do you recall which you did last time?)
       [If you have questions or doubts just ask]

image

 Step#3: Recieve a signed public certificate.
 Step#4: Load public cert and private key into cPanel.
1 Like
#13

  1. SSH into the server
    SSH into the server running your HTTP website as a user with sudo privileges.
    –Is SSH some kind of FTP? I have direct access to the server.

  2. Install Certbot

1 Like
#14

Yes, it is shared hosting.

1 Like
#15

SSH is NOT FTP.
SSH is Secure SHell
Programs like PuTTY or Terminal or WinTerm or SSH

1 Like
#16

In Ubuntu Linux:

apt install ssh
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  ssh
0 upgraded, 1 newly installed, 0 to remove and 14 not upgraded.
Need to get 5,204 B of archives.
After this operation, 106 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 ssh all 1:7.6p1-4ubuntu0.3 [5,204 B]
Fetched 5,204 B in 0s (11.3 kB/s)
Selecting previously unselected package ssh.
(Reading database ... 104752 files and directories currently installed.)
Preparing to unpack .../ssh_1%3a7.6p1-4ubuntu0.3_all.deb ...
Unpacking ssh (1:7.6p1-4ubuntu0.3) ...
Setting up ssh (1:7.6p1-4ubuntu0.3) ...

What O/S are you using? [Windows, Mac, Linux]

1 Like
#17

Certbot gave me a list of instructions for auto renewal. But I chose Other Linux , not Ubuntu Linux from the list.
Here is the link: https://certbot.eff.org/lets-encrypt/pip-apache.html

1 Like
#18

And where are you going to put any files?
And how?

I’m missing a step…

Those instructions are to be executed on the server.
Do you have access to execute anything on the server?

The system responds to SSH, so there is hope for that path:

ssh www.coremagazines.com
The authenticity of host 'www.coremagazines.com (23.229.197.96)' can't be established.
RSA key fingerprint is SHA256:x7B+tYlgu9iFK/1L72M7wgJqAbNv5HADK0KbCdPWFeU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'www.coremagazines.com,23.229.197.96' (RSA) to the list of known hosts.
root@www.coremagazines.com's password:
1 Like
#19

It refers to a Command Line.
I have an idea but I don’t want to screw up my site.

I think I will pay for the SSL certificate, although it feels like extortion, because my site is literally being held hostage. I have time left on my account and the other options are not practical or reasonable right now.

Thank you so much for helping me with this. I really appreciate it, rg305.
Have a great evening.

2 Likes
#20

Although… indirectly - I do think so too.
Almost every transaction I’ve had with GoDaddy has always left a bad taste in my mouth.
[case in point - they TOOK $69.99 to help be obtain a domain yesterday - and all they did was take my money - but let’s not get sidetracked]

You can better use that money to upgrade your hosting plan.
Or simply put your site behind a free CloudFlare account.
The users would see HTTPS and your backend could be HTTP or HTTPS.

1 Like