Saulo Silva

How to add a Let's Encrypt SSL certificate to your site on shared hosting

These are the instructions I documented for a shared hosting account, when root access is not available.

Update: if you followed these instructions previously and just want to renew the certificate, follow steps 5 through 7.

  1. SSH into your account.

  2. Generate a user account key for Let’s Encrypt.

    $ openssl genrsa 4096 > user.key
    $ openssl rsa -in user.key -pubout >
  3. Generate the domain key and a certificate request. Replace “” with your domain.

    $ openssl genrsa 4096 > domain.key
    $ openssl req -new -sha256 -key domain.key \
       -subj "/" > domain.csr
  4. Get the script from diafygi/letsencrypt-nosudo.

    $ git clone
  5. Sign the certificate by running

    $ python2 letsencrypt-nosudo/ --file-based \
       --public-key domain.csr > signed.crt

    Follow the instructions output by the script. At one point, you will be asked to run commands in a separate session.

    In the last step, you will have to make a file publicly accessible under /.well-known/acme-challenge/. Its name and contents are randomly generated, so make sure to change them accordingly. For example, if the script outputs the following:

    STEP 4: Please update your server to serve the following file at this URL:
    File contents: "file-contents"
    Press Enter when you've got the file hosted on your server...

    Here is how you would create the file:

    $ mkdir -p public_html/.well-known/acme-challenge/
    $ echo "file-contents" > public_html/.well-known/acme-challenge/file-name

    Once you hit Enter, the script will try to access that file on your server. (If you have a WordPress blog, you may have to temporarily disable redirects in .htaccess.) If it is successful, you should see the following message:

    Press Enter when you've got the file hosted on your server...
    Requesting verification for
    Waiting for challenge to pass...
    Passed challenge!
    Requesting signature...
    Certificate signed!
    You can remove the acme-challenge file from your webserver now.
  6. Optionally, delete the .well-known directory.

    $ rm -rf public_html/.well-known/
  7. Go to cPanel.

    1. Under the Security section, select SSL/TLS. Click on Manage SSL sites.
    2. Select the domain.
    3. Paste the contents of signed.crt into the Certificate: (CRT) field.
    4. Paste the contents of domain.key into the Private Key (KEY) field.
    5. Click on Install Certificate.
  8. Redirect HTTP to HTTPS in .htaccess:

    <IfModule mod_rewrite.c>
        RewriteEngine On
        # Redirect only requests that arrived over plain HTTP
        RewriteCond %{HTTPS} off
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
    </IfModule>

    Make sure the RewriteCond and RewriteRule directives are the first ones after RewriteEngine.
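
Before pasting signed.crt and domain.key into cPanel in step 7, it is worth checking that the certificate was issued for that key, that the key is not readable by other accounts on the shared host, and that the certificate is not about to expire. The script below is an added example, not part of the original instructions; its function names are hypothetical and it assumes the same `openssl` command-line tool used in the steps above.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# domain.key and signed.crt are the file names used in the steps above.

# Print the SHA-256 of the public key held in a private key or a certificate.
pub_hash() {  # $1 = key|cert, $2 = PEM file
    case "$1" in
        key)  ph_pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        cert) ph_pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 1 ;;
    esac
    [ -n "$ph_pem" ] || return 1      # unreadable or unparsable input
    printf '%s\n' "$ph_pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 if the pair is fit to install; 1 = key missing or readable by
# others, 2 = certificate does not match key, 3 = certificate expires too soon.
check_install_pair() {
    cip_key=$1 cip_crt=$2 cip_days=${3:-7}
    # On shared hosting other accounts share the filesystem, so the private
    # key must carry no group/other permission bits (expect -rw-------).
    if [ "$(ls -ldL "$cip_key" 2>/dev/null | cut -c5-10)" != "------" ]; then
        echo "FAIL: $cip_key is missing or accessible to group/other (chmod 600)" >&2
        return 1
    fi
    # Same public key on both sides means the certificate belongs to this key.
    cip_k=$(pub_hash key "$cip_key") && cip_c=$(pub_hash cert "$cip_crt") &&
        [ "$cip_k" = "$cip_c" ] || {
        echo "FAIL: $cip_crt was not issued for the key in $cip_key" >&2
        return 2
    }
    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cip_crt" -noout -checkend "$((cip_days * 86400))" >/dev/null || {
        echo "FAIL: $cip_crt expires within $cip_days days; repeat steps 5 through 7" >&2
        return 3
    }
    echo "OK: $cip_crt matches $cip_key and is valid for more than $cip_days days"
}

# Usage: sh check-pair.sh domain.key signed.crt [min_days]
if [ "$#" -ge 2 ]; then check_install_pair "$@"; fi
```

Files written with shell redirection, as in steps 2 and 3, get their mode from the current umask, so running `chmod 600 user.key domain.key` right after generating them keeps the first check passing.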

Voilà! Your site is now HTTPS-capable!

(Based on instructions from
