I use godaddy as a web host and I’m trying to follow this guide: https://www.incapio.com/post/how-to-use-cerifytheweb-to-install-lets-encrypt-ssl-in-cpanel
I believe I’m doing everything correctly, although when I try to install certificates manually through cpanel, it doesn’t seem to work… For instance, I upload the crt file and it shows up as an R3 domain that cannot be installed… I open the crt file in a text editor and noticed it shows 2 separate certificates - meaning --begin certificate-- “code” --end certificate-- --begin certificate-- “code” --end certificate-- I go ahead and copy it all, manually pasting it and cpanel says it’s an invalid certificate…
What am I doing wrong? How do I fix such a thing, so I can generate certificates and install them properly?
Hi, sorry I don’t know much about cpanel (or GoDaddy’s support for that). Thanks for sharing that article link, I’ve not seen something go into that much detail before although some of it seems to be adapted from our own documentation.
From a quick google of the GoDaddy cpanel instructions of uploading a certificate it sounds like they want you to use a CSR file they provide: Manually install an SSL certificate on my cPanel hosting | Linux Hosting (cPanel) - GoDaddy Help AU
If you do need to use a custom CSR:
A CSR (Certificate Signing Request) uses a private key held on your server to produce a specification for the certificate you want Let’s Encrypt to produce. To use a custom CSR file with Certify The Web (instead of having the app generate one behind the scenes) click on your managed certificate and go to Certificate > Advanced > Signing & Security and click Choose Custom CSR… and browse to the file you have downloaded from GoDaddy. Once selected this will pre-populate things like the domains, signing algorithm etc. Then order your certificate again using “Request Certificate”. Once that has completed OK you should have a compatible cert.
In your deployment task you may need to specify a fullchain.pem (or fullchain.crt) file path instead of just chain.pem but that varies. Note that .crt and .pem are kind of the same thing (pem encoding is the actual format, .crt is just an indication of what the file might contain).
In the attached photo, I can select the domain that is specifically receiving the certificates (which is the default url | domainname . com) and manually paste the certificate code into their designated box. CRT, KEY, CABUNDLE. The only code that works and is able to install is the private key. Is there something I’m missing in regards to the file path set up? Or is the Certify program not able to generate these specific certificates?
Doing a CSR is just one way that cPanel can accept a cert. It won’t work for Let’s Encrypt, though.
Let’s Encrypt is very much about complete automation. I took a look at that article and it doesn’t automate anything about the cPanel aspect. Meaning you would have to manually do the cPanel part every 2-3 months.
If it can be at all helped, I strongly recommend against any manual method that you have to perform more than once in a while. Certify can automate this kind of thing if you run the webserver on the same machine, but hosted remotely… I would recommend a more native solution.
If you have jailed shell access, I recommend the acme.sh project. It will set everything up and create a cronjob in cPanel to do renewals similar to Certify with a hands-off approach.
That said, the files that Certify generates should work. You might want a different deployment task that gives only the cert and not the chain.
EDIT: I almost forgot. There was a controversial change with acme.sh where it defaults to ZeroSSL. If that bothers you, you can set new certs to default to Let’s Encrypt using
acme.sh --set-default-ca --server letsencrypt after the initial install step.
I don’t know, can you screenshot your task configuration in Certify? It can produce all of these files using Deploy to Generic Server or Deploy to Apache, or using multiple Export Certificate tasks.
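Added example, not part of any post in this thread and not Certify The Web or cPanel code: a small Python splitter for the situation described above, where one .crt/fullchain file holds two certificates but the cPanel form has separate CRT and CABUNDLE boxes. It assumes the leaf certificate comes first in the file, followed by the issuer (the R3 intermediate mentioned above); the function names and the sample data are constructed for illustration.

```python
import base64
import re

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def to_pem(der: bytes) -> str:
    """Encode DER bytes as a CERTIFICATE PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + "\n"

def split_fullchain(pem_text: str) -> tuple[str, str]:
    """Return (crt, cabundle). Assumes leaf-first order, as in a fullchain file."""
    certs = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if label != "CERTIFICATE":
            # Refuse private keys or CSRs mixed into the certificate file.
            raise ValueError(f"unexpected PEM block: {label}")
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            # Structural check only: a certificate is a DER SEQUENCE (tag 0x30).
            raise ValueError("block is not a DER-encoded certificate")
        certs.append(to_pem(der))
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return certs[0], "".join(certs[1:])

# Constructed stand-ins, not real certificates: a SEQUENCE header plus filler.
SAMPLE_FULLCHAIN = (to_pem(bytes([0x30, 21]) + b"leaf for example.test")
                    + to_pem(bytes([0x30, 9]) + b"issuer R3"))

if __name__ == "__main__":
    crt, cabundle = split_fullchain(SAMPLE_FULLCHAIN)
    print("CRT box:\n" + crt)
    print("CABUNDLE box:\n" + cabundle)
```

The first returned string is what goes in the CRT box and the second in CABUNDLE; the private key stays in its own file and is rejected here if it turns up in the certificate file.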