Nico Amarilla

My personal notes on programming.

Install Lets Encrypt Certificate on Shared Hosting

The gist here is to generate the Let’s Encrypt certificate locally and install it to your server using cPanel. This is the exact steps I used for this domain.

Things Needed

  • An OS to install and run the Let’s Encrypt client. In this example I will use Ubuntu 14.04 VM on Windows.
  • cPanel access. Your cPanel should allow SSL certificates to be installed manually.
  • File upload access to the server. I used SFTP.

Installing the Let’s Encrypt Client

  1. Fire up the terminal and update Ubuntu.
    sudo apt-get update

    Then install letsenceypt client using git:

    git clone https://github.com/letsencrypt/letsencrypt

    Note: If you don’t have git installed, type: sudo apt-get install git

  2. Once its done, go to the directory where the client is installed. For me its: cd letsencrypt

 

Generating the Certificate

  1. Inside the letsencrypt directory, type:
    ./letsencrypt-auto certonly -a manual --rsa-key-size 4096 -d kosinix.com -d www.kosinix.com

    Note: Make sure to change kosinix.com to the domain of your website.

  1. The client will prompt you if its OK to log your IP. Choose Yes.

    Confirm IP logging
    Confirm IP logging
  2. Now, whatever happens, do not press anything yet or you will have to restart the generation process!

Confirming Domain Ownership

Notice that below the prompt is an instruction on how to confirm ownership of your domain:

Make sure your web server displays the following content at http://kosinix.com/.well-known/acme-challenge/xuJ_RPQbkGG356A7WRya9JiJ59Lj1dWjS7OG40oQMOM before continuing:

xuJ_RPQbkGG356A7WRya9JiJ59Lj1dWjS7OG40oQMOM.oUqbjO_-ZMUbmaC1JeWUVUrSB0ulSIDoHekYe_jffyk

The domain confirmation test
The domain confirmation test
  1. Connect to your server and create the following directory inside your server’s public directory: .well-known/acme-challenge/
  2. Inside it create a text file named xuJ_RPQbkGG356A7WRya9JiJ59Lj1dWjS7OG40oQMOM that contains the string
    xuJ_RPQbkGG356A7WRya9JiJ59Lj1dWjS7OG40oQMOM.oUqbjO_-ZMUbmaC1JeWUVUrSB0ulSIDoHekYe_jffyk

Note: The strings will be different for you.

  1. Once you are done, go back to the terminal and press the enter. LE will generate one more confirmation. Just repeat step number 6.

Installing the Certificate in cPanel

cPanel SSL panel
cPanel SSL panel
  1. Type:
    sudo nautilus
  2. Using the file browser as root, navigate to /etc/letsencrypt/live/kosinix.com
  3. Login to your cPanel. Copy and paste the SSL info from these files into the cPanel SSL panel:
    Certificate (CRT) is cert.pem
    Private Key is privkey.pem
    Certificate Authority Bundle: (CABUNDLE) or CA is chain.pem

    I used gedit to open and copy the contents of the .pem files.

    Installing the certificate in cPanel
    Installing the certificate in cPanel

    Note: You can also use the cat command to view text files in the terminal. Eg. cat cert.pem

Bonus: Redirect all request to https

Add this in your .htaccess:

# BEGIN Force SSL
# This should be the first rule before other rules
<IfModule mod_rewrite.c>
    RewriteEngine On

    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</IfModule>
# END Force SSL

Additional Resources/References

18 Comments

  1. Pingback: Let’s Encrypt – Alex Caro

  2. Sam

    Let’s encrypt certificates expires in 90 days. How could we auto renew the cert with this method and put it on the server automatically?

    Reply
  3. Niklas Rosenstein

    Thanks for this article, it helped me out. 🙂 In the end I’ve been using the “webroot” plugin instead of “manual”, the only problem was that it wouldn’t wait until I copied the files to the actual webserver. I’ve ended up forking certbot and adding a “–webroot-delay-auth” option.

    https://github.com/certbot/certbot/pull/3236

    Also, I’ve looked into a method of running certbot without elevated privileges:

    https://www.niklasrosenstein.com/2016/07/using-letsencrypt-without-sudo/

    Thanks again,
    Niklas

    Reply
  4. kankorasan

    Good article and tutorial… please explain how to renew after 90 days, as I can see your site Certificate is no longer supported, and browse give alert before entering your website.

    Reply
  5. Domantas

    Thank you for the tutorial. Let’s Encrypt is great and cPanel has a handy plugin to install lets encrypt ssl certificates. For those hosting providers who use custom control panels, and has limited ssh access there is a way to use ACME php client and composer to install ssl certificate. We even created a tutorial on this topic, showing how to install lets encrypt on shared hosting: http://www.hostinger.com/tutorials/ssl/how-to-install-free-ssl-from-lets-encypt-on-shared-hosting

    Reply
  6. Gustavo Neves

    I was wondering if this would work and it does.

    Nowadays there is a LetsEncrypt cPanel plugin that makes this easier and can autoupdate certificates. But if you are not lucky to have that installed (like me) you can use this method to renew each 2-3 months manually.

    I have used https://acme.sh instead of LE’s script (I like that better). Used the webroot mode.
    I have then disabled acme’s cron job and installed the certs from cPanel’s.
    There may be a way to install the certificate from cPanel`s ssh jailbox, I will investigate into that.

    My cPanel was a bit different. I had to create a private key, create a certificate and then install those to my domain. Glad it works but I am already looking for another company that has LE builtin.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *