A while back, my domain started to display "Not secure" / "Your connection to the site is not secure" warnings to visitors (it doesn't do any transactions, so nobody complained), and my helpful webhost explained that I should get or buy an SSL certificate.
The webhost said I can either buy a certificate via one of the vendors (I looked at servertastic and Namecheap) or generate one for free using instructions from Let's Encrypt.
After doing some research, a lot of the Let's Encrypt instructions seem to be aimed at webmasters who have shell access to their sites. In my case, the domain's webhost does not support shell access, and I have not used Linux-like systems for years (I only used computer lab Unix terminals in college, and that was 15 years ago). So it seems I have to try to run Let's Encrypt via Windows.
I have the following questions:
Do the "Windows / IIS" clients under Let's Encrypt refer to someone generating an SSL certificate on a Windows server or on a regular PC? Does "Windows" refer to the host OS (that hosts the domain) or the OS which the user uses to generate the SSL certificate?
The host said it would generate a Certificate Signing Request (CSR) for my domain, which I would use to purchase the SSL certificate. If a certificate is generated using the aforementioned clients under Let's Encrypt, is the CSR process still necessary? Would I just hand over the SSL certificate to the host?
Hi @EWarren, and welcome to the LE community forum
Normally, the ACME client is run on the same system that will be using the cert.
It helps in automating the renewal process.
But technically, when using DNS authentication, the ACME client can be run from any system [anywhere on the Internet].
If the HSP has any familiarity with LE, they should be able to facilitate the entire process from within your specific host.
If they are new to the entire "game", they can find plenty of integration information online.
[if they are at all interested in automating the renewal process, that would be very beneficial]
That said, you could probably do the entire cert authentication manually [and even use their CSR].
Again, that's not recommended, as that would make the automation of the renewals impossible.
The more information you can provide the better we can advise you with/from.
My domain webhost (it is a blog mostly of writings) informed me of the following:
Let's Encrypt and other free certificates are only partially supported. The customer needs to generate the SSL certificate manually and provide it to the host for installation. Then the customer would renew it every 90 days by repeating the process.
The site is hosted on a server which I only have FTP rights. There is no remote access nor shell access. It is Linux if I am not mistaken.
If I understand the process correctly (from my own research, since I didn't want to bother webhost support for handholding me on non-troubleshooting issues), I would use one of the ACME clients to generate an SSL certificate on my own local machine (it is Windows 10, but I thought about learning Linux and installing it on a partition), work with the host on generating a Private Key/Certificate Signing Request (CSR), and hand over the SSL certificate to the host for installation.
I don't mind the process of generating a certificate every 90 days - if I learn the process and take good notes, I should be able to repeat it every 90 days.
Ok, well their process is outdated/clunky but you can make it work. A lot depends on whether you are allowed to upload your own private key, or whether you need to only use their CSR file.
The process of ordering a cert from Let's Encrypt requires validating your domain, so whichever tool you use you need to either present a particular response via http (e.g. `http://yourwebsite.com/.well-known/acme-challenge/`) or use DNS validation (present a particular TXT record called _acme-challenge with a different value every time you validate). In your case http validation is going to be difficult or impossible, because your local machine doesn't host the website for that domain. In which case, DNS validation might work. Ideally you use an automated method but manual methods do exist as well.
Certbot & Linux
You can use the standard certbot app on Windows or Linux, it doesn't matter in this case. If you want to learn Linux try switching on WSL (Windows Subsystem for Linux) and install Ubuntu from the Windows Store etc.
As you are on Windows: I also work on https://certifytheweb.com (which is a Windows GUI), and to do what you need using that you would:
create a new managed certificate, either add the domains yourself (this will generate a new private key and use its own CSR) or use a custom CSR (Certificate > Advanced > Signing & Security).
You then need to choose DNS validation from the Authorization tab and see if one of the automated providers will do what you need or if you need to use the Manual DNS option.
You then click "Request Certificate" to begin your certificate order.
If that all works OK you can add a Deploy to Generic Server task under Tasks, set the output file paths to somewhere on your machine then save and hit the play button to run the task, this will export the certificate to the files you want. You can then upload those files as required.
You can also do the same using certbot, win-acme or Posh-ACME, they just have different options/processes.
An alternative to using your own Let's Encrypt cert is to use something like Cloudflare (free) to host your DNS and proxy your site, that way you get https automatically (and you can then choose to also have https enabled on your real server, or not). This involves signing up, adding your domain, transferring DNS records then repointing to cloudflare nameservers with your domain registrar.
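The DNS validation step described in this answer, as an added example (not code from the thread, from certbot or from Certify The Web): a small POSIX shell script that shows where the `_acme-challenge` TXT value comes from (RFC 8555 section 8.4) and checks a resolver's answer for it before you tell certbot to continue. The token, the account-key thumbprint and the resolver output are constructed sample values, so it runs offline; the `dig` command is only shown in a comment.

```shell
#!/bin/sh
# Added example (not from the thread or from any ACME client): where the
# _acme-challenge TXT value comes from, and how to confirm the record is live
# before letting certbot --manual proceed to the verification step.
set -eu

# RFC 8555 section 8.4: the TXT value is base64url(SHA-256(token "." thumbprint)),
# where token is issued per challenge and thumbprint is the RFC 7638 JWK
# thumbprint of the ACME account key. The token is new for every order, which
# is why the value differs each time you validate. certbot prints the finished
# value for you; this function only makes the derivation visible.
dns01_txt_value() {   # $1 = challenge token, $2 = account key thumbprint
  printf '%s.%s' "$1" "$2" \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A \
    | tr '+/' '-_' | tr -d '='
}

# The record name is fixed: _acme-challenge directly under the validated name.
dns01_record_name() {   # $1 = domain being validated
  printf '_acme-challenge.%s' "$1"
}

# Check a resolver's answer for the expected value. $2 is the output of
#   dig +short TXT _acme-challenge.<domain> @1.1.1.1
# (one double-quoted string per line). Stale values from earlier orders may
# still be present next to the new one; that is harmless as long as the
# current value is there.
txt_contains() {   # $1 = expected value, $2 = dig +short output
  printf '%s\n' "$2" | tr -d '"' | grep -qx -- "$1"
}

# Constructed sample inputs (hypothetical token and thumbprint, not real ACME data).
SAMPLE_TOKEN='evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA'
SAMPLE_THUMBPRINT='nP1qzB-G3KilH5ACe-6mjCMBF01UNmsAc3u4Ge26t7c'

# Usage (network step, so only shown): once the host has added the record, run
#   dig +short TXT "$(dns01_record_name example.com)" @1.1.1.1
# and pass that output to txt_contains before pressing Enter in certbot --manual.
```

The value is always 43 characters of the base64url alphabet with no padding, which is a quick sanity check on what the host has pasted into the zone; a trailing `=` or a `+`/`/` means something re-encoded it on the way.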
I am able to get Certbot to run (using certbot --manual --preferred-challenges dns certonly -d [my domain]), and it would proceed to the DNS TXT record phase of the verification process.
A while back I changed the DNS registrar configuration, and the host would need to update the DNS TXT record on my behalf (I forgot for what reason). I proposed the following process to the host:
1. I would run the certbot command
2. I would send the DNS TXT string to the host to update
3. I would complete the command's verification process after step 2 is completed
My host told me the following:
The private key can be stored on the server for you, and we will then provide you with a CSR which you will use in your certificate creation.
You can create the private key locally and provide all 3 pieces (certificate, private key, intermediate certificate) together.
I found the private key under certbot\keys, and I found the CSR under certbot\csr. I assume certbot will tell me the certificate's location after generation. However, what is the intermediate certificate? Is it the same as the CSR? I don't see it under certbot's directories.
Finally, the host's CSR process requires filling out information such as city, state, and country, but certbot only asked about the email. Is there a risk that the CSR from certbot would not meet the host's standards, since it doesn't ask about city, state, or country?
You don't need the CSR from the host. You can just use Certbot to generate the certificate and send the private key, certificate and intermediate cert to your host. Even if you'd use a CSR which would include all that other info, Let's Encrypt wouldn't include it in the certificate anyway.
That said though: please contemplate changing webhosting provider to one which has Let's Encrypt support out of the box. These kinds of manual procedures are NOT recommended, as they are a hassle to begin with and even more because you'd need to do it at least every 3 months, but ideally every TWO months. Let's Encrypt is meant to be automated, which this obviously is not.
Oh, and if they'd offer that you can also buy a certificate to forgo all the hassle, just laugh at them. Laugh at them very hard. There are numerous hosting providers providing free Let's Encrypt certificates without any hassle. You can find a list here: Does My Hosting Provider Offer HTTPS? | Certbot
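The three files this answer lists (private key, certificate, intermediate certificate) map directly onto what certbot writes to its live directory, and the question above about whether the intermediate is the same thing as the CSR is best answered by looking at the files. As an added example (not code from the thread or from certbot), the script below builds a throwaway root/intermediate/leaf chain with openssl so that everything runs offline, then applies the checks worth running before uploading a bundle to a host: that the private key belongs to the certificate, that the intermediate links the certificate to a trusted root, and that a CSR is a request rather than a certificate. The domain `example.test`, the temporary working directory and the demo CA are all assumptions; the leaf CSR deliberately carries only the domain name, with no city, state or country.

```shell
#!/bin/sh
# Added example (not from the thread or from certbot): builds a throwaway
# root -> intermediate -> leaf chain with openssl and runs the checks you would
# apply to the three files the host asked for before uploading them.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DOMAIN=example.test   # hypothetical domain standing in for the poster's

# File names mirror what certbot leaves under live/<domain>/ (on Linux
# /etc/letsencrypt/live/<domain>/, on Windows certbot\live\<domain>\ next to
# the keys and csr folders mentioned above):
#   privkey.pem    the private key
#   cert.pem       the leaf certificate for the domain
#   chain.pem      the issuing intermediate certificate(s)
#   fullchain.pem  cert.pem followed by chain.pem
make_demo_chain() {
  ( cd "$WORK"
    # Root CA, self-signed (stands in for the publicly trusted root).
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root' \
      -keyout root.key -out root.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem 2>/dev/null
    # Intermediate CA signed by the root: this file is the "intermediate certificate".
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
      -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 1 -extfile ca.ext -out chain.pem 2>/dev/null
    # Leaf: the CSR carries only the domain, no city/state/country, as certbot's does.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$DOMAIN" \
      -keyout privkey.pem -out csr.pem 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$DOMAIN" > leaf.ext
    openssl x509 -req -in csr.pem -CA chain.pem -CAkey int.key -CAcreateserial \
      -days 1 -extfile leaf.ext -out cert.pem 2>/dev/null
    cat cert.pem chain.pem > fullchain.pem )
}

# Check 1: the private key must be the one the certificate was issued for.
# Comparing the public keys catches a key from an earlier order being uploaded.
key_matches_cert() {   # $1 = private key file, $2 = certificate file
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Check 2: the intermediate must actually link the leaf to a trusted root.
# For a real Let's Encrypt certificate point -CAfile at your system trust store.
chain_verifies() {     # $1 = trusted root(s), $2 = intermediate(s), $3 = leaf
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Check 3: tell a CSR from a certificate; the intermediate is a certificate, not a request.
pem_kind() {           # $1 = PEM file; prints CSR, CERT or UNKNOWN
  if grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$1"; then echo CSR
  elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo CERT
  else echo UNKNOWN; fi
}

# Check 4: the leaf names the domain in its SAN, which is all the CA put there.
cert_names_domain() {  # $1 = certificate file, $2 = domain
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Run directly (sh check_bundle.sh --demo) to build the demo chain and report each check.
if [ "${1:-}" = --demo ]; then
  make_demo_chain
  for f in privkey.pem cert.pem chain.pem csr.pem; do
    printf '%s: %s\n' "$f" "$(pem_kind "$WORK/$f")"
  done
  key_matches_cert "$WORK/privkey.pem" "$WORK/cert.pem" && echo 'private key matches cert.pem'
  chain_verifies "$WORK/root.pem" "$WORK/chain.pem" "$WORK/cert.pem" && echo 'chain.pem links cert.pem to the root'
  cert_names_domain "$WORK/cert.pem" "$DOMAIN" && echo "cert.pem names $DOMAIN"
fi
```

For a bundle from a real certbot run the same four checks apply to `privkey.pem`, `cert.pem` and `chain.pem`; if the host wants a single file, `fullchain.pem` is the certificate followed by the intermediate, and the private key never goes into it.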
Yes, even though the host is very helpful, there may come a time when the domain would need shell access, etc., for development work (the host only allows FTP), and that would require a different host provider. If/when that time comes, I will consider a host from the Certbot list.