Saulo Silva

How to add a Let's Encrypt SSL certificate to your site on shared hosting


These are the instructions I documented for a shared hosting account, when root access is not available.

  1. SSH into your account.

  2. Generate a user account key for Let’s Encrypt.

    $ openssl genrsa 4096 > user.key
    $ openssl rsa -in user.key -pubout > user.pub
    
  3. Generate the domain key and a certificate request. Replace “example.com” with your domain.

    $ openssl genrsa 4096 > domain.key
    $ openssl req -new -sha256 -key domain.key \
       -subj "/CN=example.com" > domain.csr
    
  4. Get the script from diafygi/letsencrypt-nosudo.

    $ git clone https://github.com/diafygi/letsencrypt-nosudo
    
  5. Sign the certificate by running sign_csr.py.

    $ python2 letsencrypt-nosudo/sign_csr.py --file-based \
       --public-key user.pub domain.csr > signed.crt
    

    You will be asked to run commands in a separate session. In the last step, you will have to create a file under public_html/.well-known/acme-challenge/. Its name and contents are randomly generated, so replace file-name and file-contents in the commands below with the values the script gives you.

    $ mkdir -p public_html/.well-known/acme-challenge/
    $ echo "file-contents" > public_html/.well-known/acme-challenge/file-name
    

    Once you hit Enter, the script will try to access that file on your server. (If you have a WordPress blog, you may have to temporarily disable redirects in .htaccess.) If it is successful, you should see the following message:

    Press Enter when you've got the file hosted on your server...
    Requesting verification for example.com...
    Waiting for example.com challenge to pass...
    Passed example.com challenge!
    Requesting signature...
    Certificate signed!
    You can remove the acme-challenge file from your webserver now.
    
  6. Optionally, delete the .well-known directory.

    $ rm -rf public_html/.well-known/
    
  7. Go to cPanel.

    1. Under the Security section, select SSL/TLS. Click on Manage SSL sites.
    2. Select the domain.
    3. Paste the contents of ~/signed.crt into the Certificate: (CRT) field.
    4. Paste the contents of ~/domain.key into the Private Key (KEY) field.
    5. Click on Install Certificate.
  8. Redirect HTTP to HTTPS in .htaccess:

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
    </IfModule>
    

    Make sure the RewriteCond and RewriteRule directives are the first ones after RewriteEngine.

Voilà! Your site is now HTTPS-capable!

(Based on instructions from https://github.com/diafygi/letsencrypt-nosudo)
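
A pre-install check for the files produced in steps 3 and 5, meant to be run before pasting them into cPanel in step 7. This is an added example, not part of the original post or of letsencrypt-nosudo; the function name check_cert_pair and the 30-day default expiry margin are assumptions.

```shell
#!/bin/sh
# Added example. Usage: check_cert_pair KEY CRT DOMAIN [MIN_DAYS]
#   e.g. check_cert_pair domain.key signed.crt example.com
# MIN_DAYS (default 30) is an assumed safety margin, not a value from the post.
check_cert_pair() {
    key=$1 crt=$2 domain=$3 min_days=${4:-30}
    rc=0

    # 1. On shared hosting other accounts live on the same machine, so the
    #    private key must not be readable by group or others.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "FAIL: $key is readable by group/others; run: chmod 600 $key" >&2
        rc=1
    fi

    # 2. The certificate must contain the public half of this private key,
    #    otherwise the pair cannot be installed together.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: $crt was not issued for $key" >&2
        rc=1
    fi

    # 3. The certificate must be valid for the domain being installed.
    if ! openssl x509 -in "$crt" -noout -checkhost "$domain" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "FAIL: $crt does not cover $domain" >&2
        rc=1
    fi

    # 4. The certificate must not expire within MIN_DAYS days; this manual
    #    procedure has to be repeated before it does.
    if ! openssl x509 -in "$crt" -noout \
            -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $crt expires within $min_days days" >&2
        rc=1
    fi

    return $rc
}
```

The function returns 0 only when all four checks pass and prints one FAIL line per problem on stderr.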

