Get free https (SSL certificate) for your website using letsencrypt (The basic way)
Monday, 30. December 2019 01:21 PM UTC
Getting an SSL certificate for your domain to let the visitors access your website using https (secure protocol) involves buying the certificate from a Certificate Authority (CA) which is generally expensive. For example, with PositiveSSL you can get an SSL cert for 8~9$/yr for a single domain. It may not seem that expensive at first, but if you want to do the same with all of your domains, then the amount may appear to be unreasonable. Here comes the concept of free SSL for those who don't want to spend a lot of money just to let their visitors have access to the https versions of their websites.
Let's encrypt is a great project which aims to encrypt the whole web and make https available to general public completely free of cost. It is backed by some big-name sponsors like Electronic Frontier Foundation, mozilla, Akamai, Cisco, Chrome, Facebook, SiteGround, IdenTrust etc... This project is provided by the Internet Security Research Group which is a public benefit organization.
Getting HTTPS using letsencrypt involves three steps: installing letsencrypt, generating certificate, uploading it with cpanel.
To install letsencrypt run these commands in a terminal:
This should install letsencrypt in your system.
cd /usr/local sudo git clone https://github.com/letsencrypt/letsencrypt #sudo is to get root access, sudo ln -sf /usr/local/letsencrypt/letsencrypt-auto /usr/bin/letsencrypt letsencrypt --help
It will ask you to agree some license agreements. Hit Enter for OK. It will also give you a challenge to verify your ownership of the domains. An example challenge is:
letsencrypt certonly --manual --email email@example.com -d example.com -d www.example.com
Make sure your web server displays the following content at http://example.com/.well-known/acme-challenge/uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ before continuing: uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ.B5necJFJvzUyKE_LMUCV7iRrC59E-mdcd4-5PY6rC8c
To complete this challenge, you will have to create a directory/folder (.well-known/acme-challenge/uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ) in your remote host (generally in public_html) which will contain a index.html file with content: uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ.B5necJFJvzUyKE_LMUCV7iRrC59E-mdcd4-5PY6rC8c
Another way is to create the .well-known/acme-challenge/ folder/directory and create a file inside this folder with the name uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ and put uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ.B5necJFJvzUyKE_LMUCV7iRrC59E-mdcd4-5PY6rC8c as its' content.
How you do this that's upto you. You can do this in localhost then upload with filezilla or use ssh to directly create them. Whatever you do, don't put anything else on that file other than the challenge key, not html/php tag/code, nothing; only the long hash key, and also be sure not put any spaces or newlines in that file.
I am giving an example of how you can do it with ssh (in another terminal):
To create index.html:
The other method:
ssh -p port firstname.lastname@example.org #Login to remote host cd public_html #or whatever your document root is mkdir -p .well-known/acme-challenge/uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ cd .well-known/acme-challenge/uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ echo uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ.B5necJFJvzUyKE_LMUCV7iRrC59E-mdcd4-5PY6rC8c >index.html
ssh -p port email@example.com #Login to remote host cd public_html #or whatever your document root is mkdir -p .well-known/acme-challenge cd .well-known/acme-challenge echo uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ.B5necJFJvzUyKE_LMUCV7iRrC59E-mdcd4-5PY6rC8c > uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ
That's it, the challenge is complete, now hit Enter in the terminal which is running letsencrypt. You will have to complete this challenge for each of the domains provided, i.e twice for example.com and www.example.com.
After you complete the challenges you should get a success message like this:
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on 2016-04-10. To obtain a new version of the certificate in the future, simply run Let's Encrypt again. - If you like Let's Encrypt, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Yap, the certificate is ready to be used. We just need to set it up with cpanel now.
Completing the challenge requires you to open another terminal and run ssh commands or create the index.html/index.php file by other means.
Using ssh and running a few lines of commands in a second terminal can be tedious when we need to do that for each of our domains. For this very reason I have written an expect script (lcget) to do this automatically. The script monitors the output and runs necessary commands using ssh to complete the http challenges. It minimizes all of your commands to a single command in a single terminal. For example, for the above case you could just do
and be done with. All the things would be taken care of automatically.
lcget certonly --manual --email firstname.lastname@example.org -d example.com -d www.example.com
I have written another script(letsacme) based on acme-tiny which is much simpler to use and faster compared to lcget. The only downside of the script letsacme compared to lcget is that the lcget script supports the official letsencrypt client while letsacme is a standalone client with no dependency other than Python and openssl (you will need to put your trust on it, so better look through the source code (~400 line Python)). Also you will need to run the script on remote host (don't worry, no need for root access).
The certificate is saved in /etc/letencrypt/archive/example.com directory. You can see several files here:
We will upload the certificate and private key files with cpanel and copy paste the content of chain.pem CABUNDLE (Certificate Authority Bundle).
I have moved the rest of the article in this thread as it seems to be a common topic related to a bunch of other topics.
If you want to automate the whole process (retrieving and installing certificate with Cpanel) see this tutorial.