Incapio - Blog Posts © 2022 by Incapio is licensed under CC BY-SA 4.0 

How to use Certify The Web to install a Let's Encrypt SSL certificate in cPanel

Updated: Feb 24

Prerequisites:

You will need the following items to complete this tutorial:

  1. The Certify The Web application.

  2. Web hosting that includes cPanel.

  3. A domain (this tutorial uses one registered with GoDaddy, whose DNS API is used for validation).

  4. An email address.

  5. API credentials for your DNS provider.


What exactly is Certify the Web?
  • Certify The Web is a graphical user interface (GUI) for requesting, renewing, and managing certificates from Let's Encrypt and other popular (or custom) certificate authorities that implement the ACME (Automated Certificate Management Environment) protocol. Because certificates are renewed automatically and reliably, you no longer need to track them by hand, and deployment to the services that need them can be highly automated as well.


System Requirements: (According to Certify The Web Website)

  • Typically, the program runs on the same server that hosts your website or service, especially if HTTP domain validation is used.

  • Windows Server 2012 R2 64-bit or later (including Windows 10), with .NET Framework 4.6.2 or higher installed.

  • Let's Encrypt certificates expire every 90 days, so you must rely on the default Auto-Renew functionality or explicitly request a new certificate in time.

  • The program depends on a trusted Certificate Authority such as Let's Encrypt; it has no control over service interruptions caused by the certificate authority.

Overview

Administering SSL/TLS certificates for websites, mail servers, or any other service calls for a simple, dependable, automated solution with a visual overview that is easy to use and maintain. As your needs grow, it should scale with you and come with dedicated support when you need it.


Install the app on your server, configure the domains for which you want to manage certificates, and let Certify The Web do the rest: it handles renewal and, optionally, deployment of the certificates.


Features:

  • Install on a supported version of Windows Server for a simple setup.

  • Certificate requests, authorization, deployment, and auto-renewal are all straightforward.

  • Ideal for IIS-enabled Windows Servers, but it can also be used with other platforms.

  • Manage a single certificate or a thousand or more.

  • A detailed overview of the certificate request procedure and the automated deployment stages that are planned.

  • Create certificates for single domains, multiple domains (SAN), or wildcards.

  • Automated deployment that can be customized.

  • Deployment Tasks automate common deployments such as MS Exchange, Remote Access, and Remote Desktop Services with zero scripting.

  • Export certificate files in PEM or PFX format for Apache, Nginx, Tomcat, and other services.

  • Many other advanced features aid your organization's certificate management.

How many certificate authorities does Certify The Web support?

  • Let's Encrypt (letsencrypt.org), a free Certificate Authority, is currently the most popular automated CA. Other ACME (Automated Certificate Management Environment) Certificate Authorities, such as BuyPass Go SSL, DigiCert, or ZeroSSL, are also supported.

Is it possible to utilize Certify The Web for free?

  • Certify The Web offers a free Community Edition limited to 5 managed certificates and intended for evaluation. This limit may change between releases; it is there to give individuals and hobbyists a free way to use the app and to allow business evaluation and testing. At https://certifytheweb.com/register you can upgrade to a licensed version (which includes access to the support helpdesk email) and receive a licence key.

Get Started

Step - 1. Download and Install Certify The Web Community Edition.

  • This article will help you get started and covers some of the more advanced options in the software. The documentation refers to the most recent version; keep the software up to date, because some updates are mandatory.

  • To get started with Certify The Web, download the latest version and try it out.

Step - 2 Register ACME account.

When you install Certify, you are required to register with the Certificate Authority (e.g. Let's Encrypt) that will validate and issue your certificates. Supply a valid email address; without one the CA has no way to reach you if there is a problem with your certificate.

(Screenshot: Certify The Web - ACME Account)
  1. Launch Certify The Web Application.

  2. Navigate to the Settings tab.

  3. In the settings tab, click on the certificate authorities section.

  4. In the certificate authority settings, click on the new account option.

  5. In the Edit ACME Account window, choose the certificate authority (for instance Let's Encrypt, ZeroSSL, or BuyPass Go SSL).

  6. In the Email Address field, type your email address.

  7. Lastly, check "Yes I Agree."

  8. Finally, click Register Contact to finish registering your account.

Step - 3 Save the API credentials for your DNS provider.

(Screenshot: GoDaddy API Credentials)
  1. In the settings tab, click on the stored credentials section.

  2. In the stored credentials section, click on the "Add new stored credentials" option.

  3. In the Add/Update Stored Credentials window, set the credential type to GoDaddy DNS API. (In this tutorial the domain, incapio.org, is registered with GoDaddy and uses GoDaddy's DNS.)

  4. In the credentials name field, type your credentials name

  5. To generate a GoDaddy API key and secret, visit https://developer.godaddy.com/ and click API Keys.

  6. Next, click "Create New API Key", type a name (optional), set the environment to Production, and click Next to view the key and secret.

  7. Copy the API key and secret into the Auth Key and Auth Secret fields.

  8. Finally, click on save to store credentials.

Please note that if your API credentials change, you must update them in Certify under 'Settings > Stored Credentials' so that renewals continue to work. After saving the credentials, use the 'Test' option to confirm they still work. Treat the key and secret like any other credential: a production GoDaddy API key can change every DNS record in your account, not only the _acme-challenge TXT records, so limit who can log on to the server that holds it, and revoke and re-create it if it is ever exposed.

Step - 4 Requesting a Certificate

  • Obtaining a certificate for your domain comes down to demonstrating that you control the domain's web server or its DNS; once the Certificate Authority is satisfied that you have met the requirements, it issues the certificate.

  • Certify The Web can carry out this process for you automatically, either by running the app on the domain's web server or by talking to your DNS provider's API. Once a certificate is issued, it can be used in a variety of ways.

  • You have to prove control of every domain you add to the certificate. Intranet names (hostname only, no domain, e.g. sampleserver) are not supported; public domain names (such as uswest.incapio.org.in) are fine.

  • Control is verified by HTTP validation (http-01) or DNS validation (dns-01).

Choose a method for validating domains
  • If you want to use HTTP validation, your domain must be a publicly accessible website with an HTTP service on port 80 (even if it's just for HTTP validation). If you need a wildcard certificate, you can't use HTTP validation.

  • To pass DNS validation, you must be able to create a TXT record in your domain's DNS zone automatically (usually through your DNS provider's API). If neither option is viable for you, you may not be able to use an automated certificate service.

Decide on a deployment strategy
  • For example, to deal with blank hostname bindings, change the deployment mode and configure the parameters it offers.

What is the benefit of DNS Validation?
  • To obtain a certificate from Let's Encrypt (or any other Certificate Authority), you must prove that you are entitled to a certificate for the domain(s) in question. Let's Encrypt offers two validation methods for this: http-01 (validation over HTTP) and dns-01 (validation over DNS).

  • DNS validation is the sole way to request wildcard domain certificates (those that cover *.yourdomain.com). If the domains you're seeking to be certified for aren't public websites or can't serve http requests on port 80, DNS Validation is extremely important.

What is DNS Validation and how do I utilise it?
  • You will be required to generate a particular TXT record in your domain's DNS zone in order to confirm your control of your domains to the certificate authority.

  • To do so, you may need to obtain the (hosted) DNS API credentials from your DNS provider's control panel, store them in the app, and then select them to be used for individual certificate requests.

  • If your DNS provider (or custom DNS setup) does not offer an API that Certify The Web can connect to, you can write your own DNS update script or use the Manual DNS option (the request pauses while you update DNS by hand).

What is the best way to utilise Manual DNS? 
  • If you're just getting started with wildcard domains, manual DNS changes might be the way to go (editing manually via your DNS control panel).

  • This is the least recommended choice because you'll have to change it every time you renew.

  • When obtaining a single certificate for *.domain.com and domain.com, this technique can be confusing because you must add two values to the same TXT record, _acme-challenge.domain.com: one answers the *.domain.com challenge and the other the domain.com challenge. Add the second value alongside the first rather than replacing it.

To use Manual DNS, follow these steps:

  • Set the DNS update method to Manual DNS.

  • Make your first certificate request. The request will pause and ask you to add a TXT record to your domain (one value for each domain or wildcard). Then wait for your DNS name servers to finish propagating the change; if validation keeps failing, give it an hour or more.

  • To resume the request and check validation, click 'Request Certificate'.

  • If the certificate authority discovers the TXT value they requested in your DNS, they will issue a certificate and the request will proceed normally.
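To make the two-values-on-one-record point concrete, here is an added example (it is not code from the original post or from Certify The Web) that derives the dns-01 TXT record name and value the way an ACME client does, following RFC 8555 section 8.4 for the key authorization and RFC 7638 for the account key thumbprint. The account key, the challenge tokens, and example.com are constructed placeholders, not real ACME material:

```python
# Added example, not code from the original post or from Certify The Web.
# Derives the dns-01 TXT record name and value exactly as an ACME client does
# (RFC 8555 section 8.4; RFC 7638 for the account key thumbprint), which shows
# why "*.example.com" and "example.com" challenges land on the same record.
# The account key and tokens below are constructed placeholders, not real ones.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    JWK members only (lexicographic key order, no whitespace)."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record_name(identifier: str) -> str:
    """The TXT record lives at _acme-challenge.<domain>. A wildcard identifier
    drops its leading '*.' first, so apex and wildcard share one owner name."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}"


def dns01_record_value(token: str, thumbprint: str) -> str:
    """TXT value = base64url(SHA-256(token || '.' || thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def txt_records_for(challenges, jwk: dict) -> dict:
    """Group the required TXT values by record name. Each (identifier, token)
    pair is one challenge the CA issued. A name with two values means the
    record must hold both at once; in Manual DNS mode you add, not replace."""
    thumb = jwk_thumbprint(jwk)
    records: dict = {}
    for identifier, token in challenges:
        records.setdefault(dns01_record_name(identifier), []).append(
            dns01_record_value(token, thumb))
    return records


# Constructed sample input: a fake RSA account key (the modulus is arbitrary
# bytes, not a real key) and two fake challenge tokens, one per identifier.
CONSTRUCTED_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(1, 65)))}
CONSTRUCTED_CHALLENGES = [
    ("*.example.com", "tok-wildcard-0000000000000000000000"),
    ("example.com", "tok-apex-00000000000000000000000000"),
]

if __name__ == "__main__":
    for name, values in txt_records_for(CONSTRUCTED_CHALLENGES, CONSTRUCTED_JWK).items():
        for value in values:
            print(f'{name}  IN TXT  "{value}"')
```

Running it prints the two TXT lines you would add by hand in Manual DNS mode; both carry the same owner name, so the second value is added to the record set rather than substituted for the first. The CA queries the whole TXT record set and accepts the challenge if any value in it matches, which is why leftover values from earlier requests cause no harm beyond clutter.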

What are Deployment Tasks and how do I use them?
  • Deployment Tasks are a significant new feature in Certify The Web versions 5.x and higher. You can use a certificate issued by a certificate authority for its intended purpose once you have received it. This includes anything that would necessitate the use of a genuine, validated domain (such as a webserver, mail server, ftp service, remote access etc).

What exactly are Pre-Request Tasks?
  • Before your certificate is renewed, you might want to run a custom task, for example to automate firewall updates or call a custom web hook/API. These are called 'Pre-Request Tasks'.


What is the definition of Post-Request (Deployment) Tasks?
  • After you've renewed your certificate or it's been automatically deployed, you may want to perform a variety of things. Running scripts, exporting for various server types (Apache, Nginx), copying to remote servers, and so on. These are referred to as 'Deployment Tasks.'


What exactly are Task Triggers?
  • You can set up a job to run when a certificate request is successful or unsuccessful, or you can run it manually.

Types of Files
  • Using a certificate involves three things: the private key, the certificate itself (which carries the matching public key), and the public 'certificate chain' of CA certificates that issued it. The filenames and file types used to store this material can be perplexing:

  • A .pfx (or .p12) file is a PKCS#12 container that can hold the certificate, its chain, and the associated private key in one file. .pfx is the most common format on Windows and is Certify's default; the file can be password-protected.

  • A PEM file (often with a .pem extension) can be a certificate, a chain (a collection of certificates), or a private key. The extensions .crt, .key, and .chain are also used, but they are usually all PEM (base64-encoded text) files with different roles. The extension is only a hint at the file's purpose; the 'BEGIN ...' label inside the file tells you what it actually contains, and some extensions are interchangeable.

Step - 5. Generating a Certificate

(Screenshot: Certify The Web - New Certificate Interface)
  • In the Certify The Web interface, Click on New Certificate.

  • In the New Certificate interface, type a display name and click Save.

  • In the "Add domains to certificate" field, type your domain name(s) and click the plus icon next to the input field. For a wildcard certificate, add both *.yourdomain.com and yourdomain.com.

(Screenshot: Certify The Web - Wildcard SSL)
  • In the Pop-Up window, click on OK to add the domain.

Step - 6. Authorization

(Screenshot: Certify The Web - Authorization)
  • In the Certify The Web interface, Click on Authorization.

  • In the Authorization settings, set the challenge type to dns-01.

  • Set the DNS update method to GoDaddy DNS API. (With this update method, the Credentials field is populated from Settings > Stored Credentials; select the GoDaddy credentials you saved earlier.)

  • Click the dotted button next to DNS Zone ID to look up the zones available to those credentials and choose your domain.

  • Finally, click on save to apply a new modification in the authorization interface.

Step - 7. Deployment

(Screenshot: Certify The Web - Deployment Interface)
  • In the Certify The Web interface, Click on Deployment.

  • In the certificate deployment section, set the Deployment Mode to "Certificate Store Only". (By default, Certify The Web stores the certificate as a .pfx, which Apache and cPanel cannot use directly. The certificate has to be exported from .pfx into separate PEM files: the certificate (.crt), the private key (.key), and the CA chain. To do that, add a "Deploy to Apache" task with the output directory path, as described in the next step.)

  • Finally, click on save to apply a new modification in the deployment interface.

Step - 8. Tasks

  • In the certify the web interface, click on tasks.

(Screenshot: Certify The Web - Tasks)
  • In the deployment task section, click on ADD.

  • In the Edit Deployment Task window, click Select next to "Deploy to Apache".

(Screenshot: Certify The Web - Deploy)
  • In the edit deployment task window under the general settings, set the trigger to "Run on Success."

  • In the edit deployment task window, switch to task parameters, set the Authentication to "Local(as a current service user)."

  • Create a new folder (for example on the desktop) and copy its path. The private key will be written to this folder, so restrict its permissions to administrators and the account the Certify service runs as.

(Screenshot: Certify The Web - Deployment Task Interface)
  • Paste the directory path into "Output file path for cert", append a backslash, and add the file name "Wildcard.crt".

  • Paste the directory path into "Output file path for key", append a backslash, and add the file name "Private.key".

  • Paste the directory path into "Output file path for CA chain", append a backslash, and add the file name "CA.crt".

  • Finally, Click on OK to save changes.

Step - 9. Request Certificate.

(Screenshot: Certify The Web - Progress Test)
  • Switch back to the main Certify The Web interface and click Test to check the configuration, including the DNS update. If the DNS API is configured correctly, a success message appears.

  • Then click Request Certificate to obtain the new wildcard certificate for your domain. Once the request completes, a success message is shown on the "In Progress" tab.

  • Finally, open the folder you created to find the exported files, then paste Wildcard.crt into the Certificate (CRT) field, Private.key into the Private Key (KEY) field, and CA.crt into the Certificate Authority Bundle (CABUNDLE) field on cPanel's SSL/TLS "Install an SSL Website" page to install the wildcard certificate.
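The Types of Files section explains that a file's extension is only a hint at what it holds, and this step has you pasting three exported files into three different cPanel fields. Here is an added example (not code from the original post or from Certify The Web) that inspects a PEM export before you paste it: it splits the file into its PEM blocks, checks that each block really decodes to DER, and reports which cPanel field the file belongs in. The sample blocks are constructed DER stubs rather than real certificates or keys, and the field names assume cPanel's "Install an SSL Website" form:

```python
# Added example, not code from the original post or from Certify The Web.
# Inspects an exported file before it is pasted into cPanel: the PEM label,
# not the extension, says whether a block is a certificate or a private key.
# Sample inputs are constructed DER stubs, not real certificates or keys.
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)-----END \1-----", re.DOTALL)

# Labels that carry a private key in the encodings common tools emit.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def parse_pem(text: str) -> list:
    """Return [(label, der_bytes)], one entry per PEM block.
    Raises ValueError if a body is not base64 or does not decode to a DER
    SEQUENCE (tag 0x30), which every X.509 certificate and key starts with.
    Legacy 'Proc-Type: 4,ENCRYPTED' bodies are raw ciphertext, so they are
    returned with None instead of being DER-checked."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [line.strip() for line in body.splitlines()]
        if any(":" in line for line in lines):  # RFC 1421 encapsulated headers
            blocks.append((label, None))
            continue
        try:
            der = base64.b64decode("".join(lines), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label}: body is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: body is not DER (no SEQUENCE tag)")
        blocks.append((label, der))
    return blocks


def _role(n_certs: int, n_keys: int) -> str:
    """Map block counts onto cPanel's CRT / KEY / CABUNDLE fields."""
    if n_certs == 0 and n_keys == 1:
        return "private key: paste into KEY"
    if n_certs == 1 and n_keys == 0:
        return "single certificate: paste into CRT"
    if n_certs > 1 and n_keys == 0:
        return ("multiple certificates: a full chain (leaf first) or a CA bundle; "
                "CA certificates go into CABUNDLE")
    if n_certs >= 1 and n_keys >= 1:
        return "combined certificate and key: split them before pasting"
    return "no certificate or key found"


def classify_export(data) -> dict:
    """Summarize a file (str or bytes) in terms of cPanel's install form."""
    if isinstance(data, bytes):
        if b"-----BEGIN" not in data:
            # Certify's default .pfx/.p12 is a binary PKCS#12 container;
            # it must be exported to PEM (the Deploy to Apache task) first.
            return {"format": "binary (PKCS#12 .pfx/.p12?); export PEM first"}
        data = data.decode("ascii", errors="replace")
    try:
        blocks = parse_pem(data)
    except ValueError as exc:
        return {"format": "PEM", "error": str(exc)}
    n_certs = sum(1 for label, _ in blocks if label == "CERTIFICATE")
    key_labels = [label for label, _ in blocks if label in KEY_LABELS]
    other = sorted({label for label, _ in blocks
                    if label != "CERTIFICATE" and label not in KEY_LABELS})
    return {
        "format": "PEM",
        "certificates": n_certs,
        "private_keys": len(key_labels),
        "encrypted_key": (any(label == "ENCRYPTED PRIVATE KEY" for label in key_labels)
                          or any(der is None for _, der in blocks)),
        "other_labels": other,
        "role": _role(n_certs, len(key_labels)),
    }


def _stub_block(label: str, der: bytes) -> str:
    body = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed stand-ins: a minimal DER SEQUENCE { INTEGER 1 }, not X.509 data.
_DER_STUB = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_CRT = _stub_block("CERTIFICATE", _DER_STUB)
SAMPLE_KEY = _stub_block("PRIVATE KEY", _DER_STUB)
SAMPLE_CA = SAMPLE_CRT + _stub_block("CERTIFICATE", _DER_STUB)

if __name__ == "__main__":
    for name, text in (("Wildcard.crt", SAMPLE_CRT), ("Private.key", SAMPLE_KEY),
                       ("CA.crt", SAMPLE_CA)):
        print(name, classify_export(text))
```

A .pfx handed to it as bytes is flagged as binary, which is the clue that the Deploy to Apache task has not run; a file holding both a certificate and a key is flagged as combined, which is what some tools produce when they export full chain and key together, and cPanel needs those in separate fields.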

Conclusion:
  • The task parameters can be set before or after requesting the certificate. A few suggestions:

  • Use the Test option to confirm the configuration before requesting the certificate.

  • By default, Certify The Web auto-renews the certificate every 30 days and re-runs the deployment task, so fresh certificate files land in the specified path. The export does not update cPanel by itself: after each renewal, copy and paste the new files into cPanel again (or into any other application that accepts PEM files, for instance OpenVPN Access Server); otherwise the site keeps serving the old certificate until it expires.
