It produces this output:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/finsites.app/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/finsites.app/privkey.pem
Your cert will expire on 2020-04-16. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew all of your certificates, run
"certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
My Webserver is:
Hosting Package EnCirca cPanel Quickstart
Server Name whm
cPanel Version 84.0 (build 19)
Apache Version 2.4.41
PHP Version 7.1.33
MySQL Version 5.7.29
Architecture x86_64
Operating System linux
Shared IP Address 178.128.157.150
Local IP Address 178.128.157.150
Path to Sendmail /usr/sbin/sendmail
Path to Perl /usr/bin/perl
Perl Version 5.16.3
Kernel Version 3.10.0-1062.9.1.el7.x86_64
My Hosting Provider is:
Encirca
I cannot login to the root shell. I use cPanel v84.0
The Version of my client is Certbot 1.1.0
First of all, big thanks to all of you and all that you do!
I was able to create the SSL certificates and get everything validated without any issues. Where I am bumping into issues is with the sub-domains. The cert created above is registered on that domain already but none of the sub-domains I have picked it up for some reason. Is there an additional step required or a step I missed along the way that makes sure this cert is applied to all of the sub-domains as well?
Your cPanel hosting service already has SSL handled for you with AutoSSL. Any domain you create in your cPanel account (including a wildcard subdomain) should automatically be covered.
The certificate you see when you visit your website right now, is the one from AutoSSL.
When you ran certbot certonly ..., it didn't perform any certificate installation for you. It just produced the certificate, and leaves it to you to perform the installation (i.e. "cert only").
So, questions:
What are your subdomains that are not covered by SSL?
Do you really need a separate Let's Encrypt certificate, given what AutoSSL is already doing for you?
The AutoSSL feature is nice, however they only provide self-signed certificates.
The sub-domains I had created were login.finsites.app, services.finsites.app, and developer.finsites.app.
I've uploaded a screenshot to show what I am seeing. The top level domain has "Let's Encrypt" as the issuer, where the subdomain still has the self signed. Should I just delete the self-signed one and see if the top-level one would naturally propagate out?
AutoSSL should provide certificates signed by either Sectigo or Let's Encrypt, depending on what your host chose.
The self-signed certificates aren't part of AutoSSL - cPanel just generates them as placeholders until a trusted certificate becomes available from AutoSSL.
Assuming that Encirca has not disabled AutoSSL, I suspect that the reason that it hasn't created a Let's Encrypt certificate for developer.finsites.app is that the domain doesn't resolve - you haven't created a DNS record for it. Same story with login. and services..
Once AutoSSL detects that the domains can pass domain validation (i.e. the domain resolves and points to the cPanel server), it should [eventually] automatically create SSL certificates for those other domains.
And in the case that Encirca doesn't have AutoSSL available - you have to actually go and upload the certificate and private key of the wildcard certificate you generated with Certbot, and install it in the "SSL/TLS Manager" part of cPanel.
Just generating a certificate does not automatically deploy it to your cPanel server. You'll have to do that by hand or develop some kind of automation.
For that reason, it's generally preferable to rely on AutoSSL.
I think that is where I became so confused. I subscribed to the dns service last night, and the SSL panel had a statement indicating that self-signed certs were being used until a valid one was installed so I assumed I had to do that. Then, right as I finished running the command lines locally to create them the "Let's Encrypt" issue field was populated for the top-level domain. A perfect storm of confusion for me. Thanks again for your time!
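The checks described in the replies above (does the subdomain resolve, does it point at the cPanel server, and is the certificate it serves trusted or still a self-signed placeholder) can be scripted. The following is an added example, not code from any poster in this thread or from cPanel or Certbot; the function names, the script name and the message strings are assumptions made for illustration.

```python
import socket
import ssl
import sys


def resolve(host):
    """Return the addresses a name resolves to, or [] when it has no record."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fetch_issuer(host, timeout=5):
    """Do a verified TLS handshake and return the leaf certificate's issuer."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    issuer = {key: value for rdn in cert["issuer"] for key, value in rdn}
    return issuer.get("organizationName") or issuer.get("commonName", "unknown")


def diagnose(host, server_ip, resolve=resolve, fetch_issuer=fetch_issuer):
    """Classify one hostname; the two lookups are injectable for testing."""
    addrs = resolve(host)
    if not addrs:
        return "no DNS record: domain validation cannot succeed yet"
    if server_ip not in addrs:
        return "resolves to %s, not the cPanel server" % ", ".join(addrs)
    try:
        return "trusted certificate issued by " + fetch_issuer(host)
    except ssl.SSLCertVerificationError as exc:
        # Raised for a self-signed placeholder or a certificate for another name.
        reason = getattr(exc, "verify_message", None) or str(exc)
        return "untrusted certificate: " + reason
    except OSError as exc:
        return "TLS connection failed: %s" % exc


if __name__ == "__main__":
    # Hypothetical script name; pass the server's IP, then the names to check.
    if len(sys.argv) < 3:
        sys.exit("usage: check_ssl.py SERVER_IP HOSTNAME [HOSTNAME ...]")
    for name in sys.argv[2:]:
        print("%-32s %s" % (name, diagnose(name, sys.argv[1])))
```

Run it with the server's IP address followed by each subdomain; a name reported as having no DNS record needs its record created before any certificate can be issued for it.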