Saulo Silva

How to add a Let's Encrypt SSL certificate to your site on shared hosting


These are the instructions I documented for a shared hosting account, when root access is not available.

Update: if you are renewing an existing Let’s Encrypt certificate, just follow steps 5 to 8.

  1. SSH into your account.

  2. Generate a user account key for Let’s Encrypt.

    $ openssl genrsa 4096 > user.key
    $ openssl rsa -in user.key -pubout > user.pub
    
  3. Generate the domain key and a certificate request. Replace “example.com” with your domain.

    $ openssl genrsa 4096 > domain.key
    $ openssl req -new -sha256 -key domain.key \
       -subj "/CN=example.com" > domain.csr
    
  4. Get the script from diafygi/letsencrypt-nosudo.

    $ git clone https://github.com/diafygi/letsencrypt-nosudo
    
  5. Sign the certificate by running sign_csr.py.

    $ python2 letsencrypt-nosudo/sign_csr.py --file-based \
       --public-key user.pub domain.csr > signed.crt
    

    Follow the instructions output by the script. At one point, you will be asked to run commands in a separate session.

    In the last step, you will have to make a file publicly accessible under /.well-known/acme-challenge/. Its name and contents are randomly generated, so substitute the values the script gives you. For example, if the script outputs the following:

    STEP 4: Please update your server to serve the following file at this URL:
    
    --------------
    URL: http://saulosilva.com/.well-known/acme-challenge/file-name
    File contents: "file-contents"
    --------------
    ...
    
    Press Enter when you've got the file hosted on your server...
    

    Here is how you would create the file:

    $ mkdir -p public_html/.well-known/acme-challenge/
    $ echo "file-contents" > public_html/.well-known/acme-challenge/file-name
    

    Once you hit Enter, the script will try to access that file on your server. (If you have a WordPress blog, you may have to temporarily disable redirects in .htaccess.) If it is successful, you should see the following message:

    Press Enter when you've got the file hosted on your server...
    Requesting verification for example.com...
    Waiting for example.com challenge to pass...
    Passed example.com challenge!
    Requesting signature...
    Certificate signed!
    You can remove the acme-challenge file from your webserver now.
    
  6. Optionally, delete the .well-known directory.

    $ rm -rf public_html/.well-known/
    
  7. Go to cPanel.

    1. Under the Security section, select SSL/TLS. Click on Manage SSL sites.
    2. Select the domain.
    3. Paste the contents of signed.crt into the Certificate: (CRT) field.
    4. Paste the contents of domain.key into the Private Key (KEY) field.
    5. Click on Install Certificate.
  8. Redirect HTTP to HTTPS in .htaccess:

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
    </IfModule>
    

    Make sure the RewriteCond and RewriteRule directives are the first ones after RewriteEngine.

Voilà! Your site is now HTTPS-capable!
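
Checks worth running after step 5 and before pasting anything into cPanel in step 7. This is an added example, not part of the original instructions or of letsencrypt-nosudo. It confirms that signed.crt belongs to domain.key and covers your domain, and that the key, which steps 2 and 3 create with your default umask, is not readable by other accounts on the shared host. The function names are made up for this example; the file names follow the steps above.

```shell
#!/bin/sh
# Added example: pre-install checks for the files produced in steps 3 and 5.
# Function names are illustrative; only standard openssl/find options are used.

# True when the certificate carries the public key derived from the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate is valid for the given host name.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# True when the certificate is still valid N days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# True when neither group nor others have read permission on the key file.
key_is_private() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# usage: preinstall_check signed.crt domain.key example.com
preinstall_check() {
    rc=0
    cert_matches_key "$1" "$2"  || { echo "FAIL: $1 does not match $2"; rc=1; }
    cert_covers_host "$1" "$3"  || { echo "FAIL: $1 does not cover $3"; rc=1; }
    cert_valid_for_days "$1" 30 || echo "WARN: $1 expires within 30 days, repeat steps 5 to 8"
    key_is_private "$2"         || { echo "FAIL: $2 is readable by others, run chmod 600 $2"; rc=1; }
    return $rc
}

# Run the checks only when called with the three arguments.
if [ "$#" -eq 3 ]; then preinstall_check "$@"; fi
```

Save it as a script and run it with `signed.crt domain.key example.com` as arguments; a non-zero exit status means at least one FAIL line was printed.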

(Based on instructions from https://github.com/diafygi/letsencrypt-nosudo)

