Install a Let's Encrypt SSL certificate on shared hosting (the basic way)

Applicable To: Shared server/hosting
Updated: Fri 14 Oct, 2016 GMT

Let's Encrypt lets you get HTTPS for your website completely free. It is the easiest way to get a free SSL certificate that is recognized by major browsers. This tutorial goes through the steps needed to get and set up a free SSL certificate for your shared cPanel hosting. Although we are talking about cPanel, this is not only for cPanel users; the way of getting the certificate described here will work in other cases too, provided the required conditions are met (they are necessary in all cases).

Objectives:

  1. Install letsencrypt on your local machine.
  2. Get a certificate for your domain using letsencrypt.
  3. Install the certificate for your domain using cPanel.

What is letsencrypt:

Getting an SSL certificate for your domain to let the visitors access your website using https (secure protocol) involves buying the certificate from a Certificate Authority (CA) which is generally expensive. For example, with PositiveSSL you can get an SSL cert for 8~9$/yr for a single domain. It may not seem that expensive at first, but if you want to do the same with all of your domains, then the amount may appear to be unreasonable. Here comes the concept of free SSL for those who don't want to spend a lot of money just to let their visitors have access to the https versions of their websites.

Let's Encrypt is a great project which aims to encrypt the whole web and make HTTPS available to the general public completely free of cost. It is backed by big-name sponsors such as the Electronic Frontier Foundation, Mozilla, Akamai, Cisco, Chrome, Facebook, SiteGround, IdenTrust, etc. The project is provided by the Internet Security Research Group, which is a public benefit organization.

Let's get free HTTPS for your website:

Getting HTTPS using letsencrypt involves three steps: installing letsencrypt, generating the certificate, and uploading it with cPanel.

Installing letsencrypt:

Requirements:

  1. Debian based OS.

To install letsencrypt run these commands in a terminal:

cd /usr/local
sudo git clone https://github.com/letsencrypt/letsencrypt
# sudo is needed for root access
sudo ln -sf /usr/local/letsencrypt/letsencrypt-auto /usr/bin/letsencrypt
letsencrypt --help

This should install letsencrypt in your system.

Generating certificate with letsencrypt:

To generate a certificate for the domains example.com and www.example.com, run the following command in a terminal:

letsencrypt certonly --manual --email admin@example.com -d example.com -d www.example.com

It will ask you to agree to some license agreements. Hit Enter for OK. It will also give you a challenge to verify your ownership of the domains. An example challenge is:

Make sure your web server displays the following content at http://example.com/.well-known/acme-challenge/uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ before continuing:

uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ.B5necJFJvzUyKE_LMUCV7iRrC59E-mdcd4-5PY6rC8c

To complete this challenge, you will have to create a directory/folder (.well-known/acme-challenge/uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ) on your remote host (generally in public_html) which will contain an index.html file with the content: uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ.B5necJFJvzUyKE_LMUCV7iRrC59E-mdcd4-5PY6rC8c

Another way is to create the .well-known/acme-challenge/ folder/directory and create a file inside this folder with the name uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ and put uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ.B5necJFJvzUyKE_LMUCV7iRrC59E-mdcd4-5PY6rC8c as its content.

How you do this is up to you. You can create the files locally and upload them with FileZilla, or use ssh to create them directly on the host. Whatever you do, don't put anything in that file other than the challenge key: no html/php tags or code, nothing; only the long hash key. Also be sure not to put any spaces or newlines in that file.

I am giving an example of how you can do it with ssh (in another terminal):

To create index.html:

ssh -p port user@example.com #Login to remote host
cd public_html #or whatever your document root is
mkdir -p .well-known/acme-challenge/uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ
cd .well-known/acme-challenge/uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ
printf '%s' uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ.B5necJFJvzUyKE_LMUCV7iRrC59E-mdcd4-5PY6rC8c > index.html #printf '%s' writes no trailing newline

The other method:

ssh -p port user@example.com #Login to remote host
cd public_html #or whatever your document root is
mkdir -p .well-known/acme-challenge
cd .well-known/acme-challenge
printf '%s' uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ.B5necJFJvzUyKE_LMUCV7iRrC59E-mdcd4-5PY6rC8c > uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ #printf '%s' writes no trailing newline

That's it, the challenge is complete. Now hit Enter in the terminal which is running letsencrypt. You will have to complete this challenge for each of the domains provided, i.e. twice here: once for example.com and once for www.example.com.
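
The manual challenge step above, as an added shell example that is not part of the original tutorial: place_challenge and challenge_ok are hypothetical helper names, and the document root is passed in as an argument. It refuses any challenge string that is not plain base64url before using it as a file name, writes it with no trailing newline, and checks the result byte for byte.

```shell
#!/bin/sh
# Added example (not from the original tutorial); helper names are hypothetical.
# place_challenge DOCROOT KEYAUTH
#   KEYAUTH is the full "<token>.<thumbprint>" string printed by the client.
place_challenge() {
    docroot=$1
    keyauth=$2
    token=${keyauth%%.*}    # part before the first dot = file name to serve
    thumb=${keyauth#*.}     # part after the first dot

    # Both parts must be non-empty base64url (A-Z a-z 0-9 _ -). Rejecting
    # anything else keeps "/" and ".." out of the path created below.
    case $keyauth in
        *.*) ;;
        *) echo "no dot in challenge string" >&2; return 1 ;;
    esac
    case $token$thumb in
        ''|*[!A-Za-z0-9_-]*) echo "unexpected characters" >&2; return 1 ;;
    esac
    [ -n "$token" ] && [ -n "$thumb" ] || { echo "empty part" >&2; return 1; }

    dir=$docroot/.well-known/acme-challenge
    mkdir -p "$dir" || return 1
    # printf '%s' writes the string only: no trailing newline, no spaces.
    printf '%s' "$keyauth" > "$dir/$token" || return 1
    chmod 644 "$dir/$token"  # the web server must be able to read it
    echo "$dir/$token"       # print the path that was written
}

# challenge_ok FILE KEYAUTH: succeed only if FILE holds exactly KEYAUTH.
challenge_ok() {
    [ -f "$1" ] || return 1
    # $(cat) drops trailing newlines, so compare the byte count as well.
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "${#2}" ] || return 1
    [ "$(cat "$1")" = "$2" ]
}

# Usage on the remote host, before pressing Enter in the letsencrypt terminal:
#   f=$(place_challenge "$HOME/public_html" "<challenge string>") \
#       && challenge_ok "$f" "<challenge string>"
# Then confirm what the server really returns, from any machine:
#   curl -s http://example.com/.well-known/acme-challenge/<token>
```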

After you complete the challenges you should get a success message like this:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem. Your cert will expire on 2016-04-10. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
  • If you like Let's Encrypt, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Yep, the certificate is ready to be used. We just need to set it up with cPanel now.

Automation of completing challenge:

Completing the challenge requires you to open another terminal and run ssh commands or create the index.html/index.php file by other means.

Using ssh and running a few lines of commands in a second terminal can be tedious when we need to do that for each of our domains. For this very reason I have written an expect script (lcget) to do this automatically. The script monitors the output and runs necessary commands using ssh to complete the http challenges. It minimizes all of your commands to a single command in a single terminal. For example, for the above case you could just do

lcget certonly --manual --email admin@example.com -d example.com -d www.example.com

and be done with it. Everything would be taken care of automatically.

I have written another script (letsacme) based on acme-tiny which is much simpler to use and faster than lcget. The only downside of letsacme compared to lcget is that lcget supports the official letsencrypt client, while letsacme is a standalone client with no dependency other than Python and openssl (you will need to put your trust in it, so it is better to look through the source code, ~400 lines of Python). You will also need to run the script on the remote host (don't worry, no root access is needed).

Setting up the letsencrypt certificate in cPanel:

The certificate is saved in the /etc/letsencrypt/archive/example.com directory. You will see several files there:

  1. cert.pem: This is the certificate.
  2. chain.pem: This is known as CABUNDLE (Certificate Authority Bundle).
  3. privkey.pem: This is the private key.

We will upload the certificate and private key files with cPanel and copy and paste the content of chain.pem as the CABUNDLE (Certificate Authority Bundle).
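
Before uploading, it is worth confirming that the three files belong together and that privkey.pem has stayed private. An added example, not part of the original tutorial: check_cert_bundle is a hypothetical helper that takes the directory holding cert.pem, chain.pem and privkey.pem plus a domain name, and uses only the openssl command line.

```shell
#!/bin/sh
# Added example (not from the original tutorial); the helper name is hypothetical.
# check_cert_bundle DIR DOMAIN
#   returns 0 ok, 1 missing/unreadable file, 2 key does not match cert,
#           3 domain not in cert, 4 cert expires within 7 days,
#           5 private key readable by group or others
check_cert_bundle() {
    dir=$1 domain=$2
    cert=$dir/cert.pem chain=$dir/chain.pem key=$dir/privkey.pem

    for f in "$cert" "$chain" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    for f in "$cert" "$chain"; do
        openssl x509 -in "$f" -noout 2>/dev/null \
            || { echo "not a PEM certificate: $f" >&2; return 1; }
    done

    # The private key must belong to this certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "privkey.pem does not match cert.pem" >&2; return 2; }

    # The certificate must list the domain as an exact subjectAltName entry.
    openssl x509 -in "$cert" -noout -text | tr ',' '\n' \
        | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$domain" \
        || { echo "certificate does not cover $domain" >&2; return 3; }

    # The certificate must still be valid 7 days (604800 s) from now.
    openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null \
        || { echo "certificate expires within 7 days" >&2; return 4; }

    # The private key must not be readable by group or others.
    [ -z "$(find -L "$key" \( -perm -040 -o -perm -004 \))" ] \
        || { echo "privkey.pem is readable by group/others" >&2; return 5; }
}

# Usage: check_cert_bundle <directory with the three .pem files> example.com
```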

I have moved the rest of the article to this thread as it seems to be a common topic related to a bunch of other topics.

If you want to automate the whole process (retrieving and installing the certificate with cPanel) see this tutorial.