I believe I’m doing everything correctly, although when I try to install certificates manually through cPanel, it doesn’t seem to work… For instance, I upload the crt file and it shows up as an R3 domain that cannot be installed… I open the crt file in a text editor and noticed it shows 2 separate certificates - meaning --begin certificate-- “code” --end certificate-- --begin certificate-- “code” --end certificate--. I go ahead and copy it all, manually pasting it and cPanel says it’s an invalid certificate…
What am I doing wrong? How do I fix such a thing, so I can generate certificates and install them properly?
Hi, sorry I don’t know much about cPanel (or GoDaddy’s support for that). Thanks for sharing that article link, I’ve not seen something go into that much detail before although some of it seems to be adapted from our own documentation.
A CSR (Certificate Signing Request) uses a private key held on your server to produce a specification for the certificate you want Let’s Encrypt to produce. To use a custom CSR file with Certify The Web (instead of having the app generate one behind the scenes) click on your managed certificate and go to Certificate > Advanced > Signing & Security and click Choose Custom CSR… and browse to the file you have downloaded from GoDaddy. Once selected this will pre-populate things like the domains, signing algorithm etc. Then order your certificate again using “Request Certificate”. Once that has completed OK you should have a compatible cert.
In your deployment task you may need to specify a fullchain.pem (or fullchain.crt) file path instead of just chain.pem but that varies. Note that .crt and .pem are kind of the same thing (pem encoding is the actual format, .crt is just an indication of what the file might contain).
In the attached photo, I can select the domain that is specifically receiving the certificates (which is the default url | domainname . com) and manually paste the certificate code into their designated box. CRT, KEY, CABUNDLE. The only code that works and is able to install is the private key. Is there something I’m missing in regards to the file path set up? Or is the Certify program not able to generate these specific certificates?
Doing a CSR is just one way that cPanel can accept a cert. It won’t work for Let’s Encrypt, though.
Let’s Encrypt is very much about complete automation. I took a look at that article and it doesn’t automate anything about the cPanel aspect. Meaning you would have to manually do the cPanel part every 2-3 months.
If it can be at all helped, I strongly recommend against any manual method that you have to perform more than once in a while. Certify can automate this kind of thing if you run the webserver on the same machine, but hosted remotely… I would recommend a more native solution.
If you have jailed shell access, I recommend the acme.sh project. It will set everything up and create a cronjob in cPanel to do renewals similar to Certify with a hands-off approach.
That said, the files that Certify generates should work. You might want a different deployment task that gives only the cert and not the chain.
EDIT: I almost forgot. There was a controversial change with acme.sh where it defaults to ZeroSSL. If that bothers you, you can set new certs to default to Let’s Encrypt using acme.sh --set-default-ca --server letsencrypt after the initial install step.
I don’t know, can you screenshot your task configuration in Certify? It can produce all of these files using Deploy to Generic Server or Deploy to Apache, or using multiple Export Certificate tasks.
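Added example, not part of any post in this thread and not Certify The Web's or cPanel's own code: the two-block .crt file described above is a full chain, with the server certificate first and the issuing (R3) intermediate after it, while the manual form takes them in separate CRT and CABUNDLE boxes. The function name `Split-FullChainPem` is hypothetical, and the sample input is constructed stand-in data rather than real certificates.

```powershell
# Added example: split a fullchain PEM into cPanel's CRT and CABUNDLE parts.
# Split-FullChainPem is a hypothetical helper name, not a Certify or cPanel command.
function Split-FullChainPem {
    param([Parameter(Mandatory)] [string] $PemText)

    $pattern = '-----BEGIN CERTIFICATE-----\s*(?<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----'
    $found = [regex]::Matches($PemText, $pattern)
    if ($found.Count -eq 0) {
        throw 'No PEM certificate blocks found (DER/.pfx file or a private key?)'
    }

    $blocks = @(foreach ($m in $found) {
        # Strip whitespace and confirm the body really is base64-encoded DER.
        $b64 = $m.Groups['body'].Value -replace '\s', ''
        $der = [Convert]::FromBase64String($b64)   # throws on corrupt base64
        if ($der.Length -eq 0 -or $der[0] -ne 0x30) {
            throw 'Block does not start with a DER SEQUENCE, so it is not a certificate'
        }
        # Re-wrap at 64 characters per line, the conventional PEM layout.
        $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
            $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
        }
        (@('-----BEGIN CERTIFICATE-----') + $lines + '-----END CERTIFICATE-----') -join "`n"
    })

    [pscustomobject]@{
        Certificate = $blocks[0]                                    # first block: CRT box
        CaBundle    = ($blocks | Select-Object -Skip 1) -join "`n"  # the rest: CABUNDLE box
        Count       = $blocks.Count
    }
}

# Constructed stand-in input: two tiny DER SEQUENCEs, not real certificates,
# laid out like the two-block .crt file described in the thread.
$leaf  = [Convert]::ToBase64String([byte[]](0x30, 0x03, 0x01, 0x01, 0xFF))
$inter = [Convert]::ToBase64String([byte[]](0x30, 0x03, 0x01, 0x01, 0x00))
$sample = @"
-----BEGIN CERTIFICATE-----
$leaf
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
$inter
-----END CERTIFICATE-----
"@
$parts = Split-FullChainPem -PemText $sample
$parts.Certificate   # goes in the CRT box
$parts.CaBundle      # goes in the CABUNDLE box
# For a real file: Split-FullChainPem -PemText (Get-Content -Raw <path to fullchain.pem>)
```

The private key stays in its own file and goes in the KEY box unchanged; only the certificate file needs splitting.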
Hi! I’m new here, but not to the topic, in general or specifically GoDaddy.
I just got the basics going for my own hosting using GoDaddy API for DNS control.
Haven’t found any automation for the certificate updating, but it should be simple
using the cPanel API. The “first install”, and later updating of “sub domains” may
be too complex to be worth doing – but it IS possible.
GoDaddy cPanel does allow FULL CONTROL of the 3 pieces (Key, CSR, and cert).
Select SSL/TLS from your cPanel homepage/dashboard, and you’ll get this:
If I get any reaction/interest from folks needing further, I’ll provide it, but I am not
interested in writing an “article” about it – I DO grant permission for others to use
whatever I provide for the public good. I wouldn’t mind being credited for it.
Hi, by all means share your API solution here if you like, you could automate it using:
One or more Deployment Tasks to get the PEM files you need (e.g. fullchain.pem and privatekey.pem using Deploy to Generic Server or Export Certificate tasks).
A scripting task (Powershell etc) to push the files via the API.
Note that you shouldn’t need the CSR file if you are using the generated Private Key file, the CSR is generally used where you don’t have control of the private key.
Actually, a “good” CSR provides good information. IIRC, some/all of it is required for Extended Validation (is that still a thing?) certs.
• Organization (O): The name of a company or organization.
• City/Locality (L): The name of a city or town.
• State/Province (S): The name of a state or province.
• Country (C): A two-letter country code.
Thanks, please try not to resurrect old threads unless you have something super important to add. People working with custom CSRs have generally heard of these fields before.
CSRs for Let’s Encrypt and other popular ACME CAs will have these fields ignored by the CA as they are not performing Extended Validation and are not certifying that any of these things are true and valid. Broadly, only the SAN list, key type and Must-Staple flags are relevant to Let’s Encrypt etc. If you are using a private CA or an EV enabled CA then they may be used but this app won’t populate them for you.