
How to add a Let’s Encrypt SSL certificate to your site on shared hosting

These instructions are specifically for a shared hosting account on ASmallOrange.com, but might be useful for other providers as well.

  1. SSH into your account.
  2. Generate a user account key for Let’s Encrypt [1].
    ~$ openssl genrsa 4096 > user.key
    ~$ openssl rsa -in user.key -pubout > user.pub
  3. Generate the domain key and a certificate request [1]. Replace “example.com” with your domain.
    ~$ openssl genrsa 4096 > domain.key
    ~$ openssl req -new -sha256 -key domain.key -subj "/CN=example.com" > domain.csr
  4. Get the script from https://github.com/diafygi/letsencrypt-nosudo.
    ~$ git clone https://github.com/diafygi/letsencrypt-nosudo
  5. Sign the certificate by running sign_csr.py.
    ~$ python2 letsencrypt-nosudo/sign_csr.py --file-based --public-key user.pub domain.csr > signed.crt

    You will be asked to run commands in a separate session.
    In the last step, you will have to create a file under public_html/.well-known/acme-challenge/. Its name and content are randomly generated by the script, so replace the "file-name" and "file-content" placeholders below with the values it prints.

    ~$ mkdir -p public_html/.well-known/acme-challenge/
    ~$ cd !$
    acme-challenge$ echo "file-content" > file-name

    Once you hit enter, the script will try to access that file on your server, so you may have to temporarily disable any redirects in .htaccess. If it is successful, you should see the following message:

    Press Enter when you've got the file hosted on your server...
    Requesting verification for example.com...
    Waiting for example.com challenge to pass...
    Passed example.com challenge!
    Requesting signature...
    Certificate signed!
    You can remove the acme-challenge file from your webserver now.
  6. Optionally, delete the .well-known directory.
    public_html$ rm -rf .well-known
  7. Go to cPanel.
    1. Under the Security section, select SSL/TLS. Click on Manage SSL sites.
    2. Select the domain.
    3. Paste the contents of ~/signed.crt into the Certificate: (CRT) field.
    4. Paste the contents of ~/domain.key into the Private Key (KEY) field.
    5. Click on Install Certificate.
  8. Redirect HTTP to HTTPS in .htaccess:
    <IfModule mod_rewrite.c>
    RewriteEngine On
    
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
    </IfModule>

    Make sure the RewriteCond and RewriteRule directives are the first ones after RewriteEngine.

  9. Voilà! Your site is now HTTPS-capable!
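
Before pasting the files into cPanel in step 7, it is worth confirming that signed.crt carries the public key of domain.key and that the private key is neither readable by other accounts on the shared host nor stored under the web root. The script below is an added example, not part of the original instructions or of letsencrypt-nosudo; the function names are this example's own, and it assumes the openssl and stat commands are available.

```shell
#!/bin/sh
# Added example: checks on the files from steps 3-5 before the cPanel upload.
# File names follow the how-to; the function names are this example's own.

# Succeeds if FILE grants nothing to group or others (for example mode 600).
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeeds if FILE's directory, with symlinks resolved, is not under WEBROOT.
outside_webroot() {
    dir=$(cd "$(dirname "$1")" && pwd -P) || return 1
    root=$(cd "$2" && pwd -P) || return 1
    case "$dir/" in
        "$root"/*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Succeeds if the certificate's public key is the one derived from KEY.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs all three checks; prints one line per failure, non-zero if any failed.
# Usage: preinstall_check CERT KEY WEBROOT
preinstall_check() {
    rc=0
    key_is_private "$2" || { echo "FAIL: $2 is accessible to group/others"; rc=1; }
    outside_webroot "$2" "$3" || { echo "FAIL: $2 is inside web root $3"; rc=1; }
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 does not match $2"; rc=1; }
    return $rc
}
```

After sourcing the file, run `preinstall_check signed.crt domain.key public_html` from the home directory; if the permission check fails, `chmod 600 domain.key user.key` fixes it.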

[1] Based on instructions from https://github.com/diafygi/letsencrypt-nosudo.