Get Free SSL From LetsEncrypt, Export PFX to Cert, Verify DNS via Txt Record
How to Get Free SSL from Let's Encrypt for a Website?
Let's Encrypt provides free SSL certificates that protect a website and give it the green padlock by encrypting all communication between the user and the server over HTTPS. But getting a certificate is not as easy as various articles describe, especially when the hosting provider does not give you SSH access, and there is not much help available for using Certbot in manual mode. Read this section on the Let's Encrypt website:
Without Shell Access
If your hosting provider doesn’t want to integrate Let’s Encrypt, but does support uploading custom certificates, you can install Certbot on your own computer and use it in manual mode. In manual mode, you upload a specific file to your website to prove your control. Certbot will then retrieve a certificate that you can upload to your hosting provider. We don’t recommend this option because it is time-consuming and you will need to repeat it several times per year as your certificate expires.
What is the Solution then?
There are various ACME (Automated Certificate Management Environment) clients listed for different languages and platforms such as Windows, Unix, etc. Here we need one that can generate the SSL certificate on our own personal computer (desktop or laptop), so that we can then upload it to the web hosting provider via Plesk. We preferred the win-acme client, which is based on .NET and supports the wildcard option such as *.yourdomain.com. Simply download the zip and extract it to a folder. Now open a command prompt in Administrator mode, navigate to the folder containing wacs.exe, and execute it to get a step-by-step guide for generating the SSL certificate. Contact us using the form to get more info on how to use this exe, even though it is self-explanatory.
Unable to verify DNS after adding the TXT record, or the added TXT record is not getting reflected?
This is a major challenge when validating the DNS TXT record that proves your ownership. Basically, there are two SSL options: one is per domain and subdomain, and the other is a wildcard, which covers all of your subdomains and is comparatively good because one certificate does the whole job. The first option requires an HTTP challenge, where you place a file under the .well-known folder in the root of your web server, whereas the latter option, the wildcard SSL, requires DNS verification via a TXT record.
If you are also facing the above issue, you must be adding the record in the wrong place. Adding the TXT record at your registrar does not work once your content is hosted on a web server somewhere else, i.e., when your registrar and your hosting provider are different. So navigate to the DNS settings in Plesk and add the record there: name _acme-challenge, type TXT, with the value provided by the above exe. It will be reflected in a fraction of a second, so there should be no problem verifying ownership.
Generated a PFX but Plesk asks for cert files: how to export the cert from the PFX file downloaded from Let's Encrypt?
Irrespective of the ACME client chosen, it gives you only a PFX file, which contains both the public key and the private key, but that PFX is not compatible with Plesk. So how to proceed?
1. To export the certificate files out of the PFX, you need to install OpenSSL, so choose any OpenSSL Windows client from the official OpenSSL website. We went with the second option, the Win64 OpenSSL v1.1.1g EXE (63MB installer) available on slproweb, as it provides a 64-bit client and a step-by-step wizard to install and register the relevant DLLs.
2. Update the Path environment variable to include the installed directory, so that openssl is available everywhere.
3. Test that the above configuration went well by typing openssl in any command prompt window (if it leaves you at an OpenSSL> prompt, type exit to return to the command prompt).
4. Copy your PFX file somewhere else, so that the original file stays where it was downloaded, and navigate to the location it has been copied to.
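5. Run these 3 commands from the command prompt in that folder to export the PFX to a certificate and key. The first extracts the private key (OpenSSL asks for the PFX password and then for a pass phrase to protect the exported key), the second extracts the certificate, and the third writes a copy of the private key without a pass phrase:
openssl pkcs12 -in sample.pfx -nocerts -out private.key
openssl pkcs12 -in sample.pfx -clcerts -nokeys -out certificate.crt
openssl rsa -in private.key -out private-decrypted.key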
6. Now upload the decrypted private key and the certificate to Plesk. There is no need to provide the Bundle-Cert, as that is optional.
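A check worth running between steps 5 and 6, added here as an example (not from the original article): it repeats the three export commands non-interactively on a constructed throwaway PFX and confirms that certificate.crt and private-decrypted.key carry the same public key. It assumes a POSIX shell with openssl on the PATH (the openssl arguments are the same in a Windows command prompt); the function names and the password are made up for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the article). File names follow step 5; the password
# and the throwaway self-signed PFX are constructed sample data.

# Constructed sample input: self-signed certificate + key packed as sample.pfx.
make_sample_pfx() {   # $1 = working dir, $2 = PFX password
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=yourdomain.com" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -passout "pass:$2" -out "$1/sample.pfx" 2>/dev/null
}

# The three export commands from step 5, run without interactive prompts.
export_pfx() {        # $1 = PFX file, $2 = PFX password, $3 = output dir
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts \
        -passout "pass:$2" -out "$3/private.key" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
        -out "$3/certificate.crt" 2>/dev/null &&
    openssl rsa -in "$3/private.key" -passin "pass:$2" \
        -out "$3/private-decrypted.key" 2>/dev/null &&
    chmod 600 "$3/private.key" "$3/private-decrypted.key"
}

# Succeeds only when the key loads without its pass phrase and carries the same
# public key as the certificate, i.e. the pair that step 6 uploads.
key_matches_cert() {  # $1 = certificate (PEM), $2 = private key (PEM)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # A dummy pass phrase is supplied so a still-encrypted key fails here
    # rather than stopping at a prompt; an unencrypted key never uses it.
    key_pub=$(openssl pkey -in "$2" -passin pass:not-the-pass-phrase -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_pfx "$dir" "constructed-pass" &&
        export_pfx "$dir/sample.pfx" "constructed-pass" "$dir" &&
        key_matches_cert "$dir/certificate.crt" "$dir/private-decrypted.key"
    rc=$?
    rm -rf "$dir"     # the working copies include an unprotected private key
    return "$rc"
}

demo && echo "certificate.crt and private-decrypted.key belong together"
```

On a real export, run key_matches_cert certificate.crt private-decrypted.key in the folder from step 4. Delete the working copies after the upload, since private-decrypted.key has no pass phrase.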