Adding SSL certificate to a web server.


"Let’s Encrypt" is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).


Note: Certbot for Windows is discontinued as of Feb 2024.

Windows: open cmd prompt or Power Shell as administrator.
Windows: installing notepad++ and WinScp will help a lot.

Windows: certbot certificates  (show the SSL certificates and expiry dates on local drive)
Linux (WSL): sudo certbot certificates  (show the SSL certificates and expiry dates on local drive)

Start generating SSL certificates for a web server:
e.g. Windows: certbot certonly --manual -d pigtail.net -d www.pigtail.net
e.g. Linux: sudo certbot certonly --manual -d pigtail.net -d www.pigtail.net

Phase 1: Prove of domain control:
certbot will ask you to create a new folder/directory with a long encrypted string at
document_root/.well-known/acme-challenge/
(GoDaddy:  /public_html/.well-known/acme-challenge/ ).
Create a file "index.html" in that newly created directory.
Edit the file "index.html" such that it has exactly one line of string given by certbot (ignore all html syntax)
(note: a CRLF or LF is required at the end of the string)

certbot will ask you to repeat the above process one more time.

If prove of domain control is successful, certbot will generate SSL certificates (with 90 days validity period) and stored them at:
Windows: c:\certbot\live\
Linux: /etc/letsencrypt/live/

Phase 2: Copy and paste contents of fullchain.pem and privkey.pem via "cPanel Admin":
Invoke cPanel --- Security --- SSL --- CERTIFICATES(CRT):
Windows:  cd c:\certbot\live
using notepad++, copy and paste the content of fullchain.pem to the "Upload a New Certificate" box, click "Save Certificate",
now back to "Certificates on Server", find the new certificate line, click "Install",
copy and paste the content of privkey.pem to "Private Key" box, click "Install Certificate".


Alternative method of proving domain control.
This method can be painfully slow depending on your DNS server behaviour.

e.g. Windows: certbot certonly --manual --preferred-challenges "dns" -d pigtail.net -d www.pigtail.net
e.g. Linux: sudo certbot certonly --manual --preferred-challenges "dns" -d pigtail.net -d www.pigtail.net

Launch GoDaddy DNS manger, create "TXT records" with values (strings) given to you by certbot above.
e.g. GoDaddy example:

Use Google Admin toolbox to check and monitor the progress of DNS update.


Renew the certificate before it expires:

e.g. Windows: certbot certonly --manual  -d pigtail.net -d www.pigtail.net
e.g. Linux: sudo certbot certonly --manual -d pigtail.net -d www.pigtail.net

You may be asked again to perform prove of domain control. If successful,

Certbot will create updated certificates and store them at:
Windows: c:\certbot\live\
Linux: /etc/letsencrypt/live/

Copy and paste contents of fullchain.pem and privkey.pem via "cPanel Admin" as above.


Other places you can get SSL certificates (price varies from reasonable to "enterprise pricing"):
Comodo, RapidSSL, SSL.COM, DigiCert, Entrust, GeoTrust, GlobalSign, Cloudflare, Symantec, SSL for Free, NameCheap.