Let’s Install a Let’s Encrypt SSL

Let’s Encrypt is a service provider that provides SSLs for your website for free. This allows you to get a valid SSL certificate for use on your site. SSLs provide secure site connections and have lots of uses. This write-up will show how to get, setup, and maintain an updated SSL.

Shared Servers

Please note that these commands are designed to run in a series, and during the same SSH session.

  1. First, be sure to find the document root for your domain
  2. Then login to your server via SSH
  3. Run the command
    curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > getssl ; chmod 700 getssl

    This will download the Bash script we will be using to obtain our Let’s Encrypt SSL.

  4. Next, run the command
    sed -i 's/curl -k/curl -Aagent -k/' ./getssl

    This adds a user-agent to the script which helps it to complete one of its tests.

  5. Create base configuration files for your domain by running
    domain=yourdomaingoeshere.com; ./getssl -c $domain

    Be sure to replace yourdomaingoeshere.com with your actual domain.

  6. These commands will setup your configuration file. Enter these one-by-one, in the following order
    configFile=.getssl/$domain/getssl.cfg; sed -i 's/SANS/#SANS/' $configFile
    echo 'CA="https://acme-v01.api.letsencrypt.org"' >> $configFile
    echo "ACL=('/your/document/root/goes/here/.well-known/acme-challenge')" >> $configFile
  7. Obtain the Let’s Encrypt SSL by running
    ./getssl $domain
  8. To install the SSL certificate you will need to login to your cPanel and go to your file manager, Inside your home directory, you will go to the .getssl folder and then the folder for the domain name you are working with. Download the yourdomain.crt yourdomain.key and chain.crt. Once you have them downloaded go back to your cPanel and you will go to the “SSL/TLS manager” and click “Manage SSL sites”. Once in here select the domain you want to install the certificate on from the drop down. Open the files you downloaded earlier in notepad or your preferred text editor and and paste them into the fields on the screen, The yourdomain.crt will go into the “Certificate (CRT)” field, yourdomain.key will go into the “Private Key (KEY)” field and lastly the chain.crt will go into the “Certificate Authority Bundle: (CABUNDLE)” field. Ensure you copy the entire contents of each file into these fields. Once these have been pasted in click the “Install Certificate” Button at the bottom of the page. Your SSL is now installed.
  9. Let’s Encyrpt SSL certificates only last 90 days, To renew the certificate simply SSH back into your account and run the command below.
    ./getssl yourdomain

    After Running the command repeat step 8 to install the updated certificate.

Awesome! Now you’ve got a Let’s Encrypt SSL all setup on your shared server.

VPS and Dedicated Servers with cPanel

  1. First login to your server via SSH as root If you do not have root access you can request it by following the directions here
  2. Once logged in you will want to run the command below to enable lets encrypt for AutoSSL.
    /scripts/install_lets_encrypt_autossl_provider
  3. Now that we have enabled lets encrypt we need to set your AutoSSL to use it, login to your WHM as root and go to the “Manage AutoSSL” menu, You can find this by searching for SSL in the searchbox in the upper left hand side.
  4. On the Manage Auto SSL page you will have a list of providers for AutoSSL and you will now have the option for Let’s Encrypt. Select the radio button next to Let’s Encrypt and then click save below.
  5. On the Manage Auto SSL page select “Manage Users”, From here you can enable or disable AutoSSL on a per cPanel account basis, It will be enabled for all by default, AutoSSL will check all domains every 24Hrs for certificates, You can force it to check and provision one now by clicking the “Check ‘cpuser'” button on the Manage Users page.

You now have Let’s Encrypt setup on your server.

Thoughts on “Let’s Install a Let’s Encrypt SSL

  • wow, such a turn down. Seems that inmotion don’t like to put things easy. I was specting a cpanel option like siteground has, everything automatic.

  • Lets encrypt supports wildcard domains since March. How much longer before we can access this option?
    I see users asking since then, support still suggests it is not possbile or they are not aware that lets encrypt is capable of wildcard support/
    Help please 

  • Hello,

    I want to install Let’s Encrypt certiticate through Cpanel. Is this the  same feature offeed under the Free SSL option in the CPanel ?

    Many thanks,

    Teresa Cuervo

    • The SSL from cPanel would be Comodo. If you have a VPS plan, you can choose between Comodo and Let’s Encrypt in WHM.

    • For Step 3 of the section: “Shared Servers” you can simply copy and paste that into the SSH command prompt.

  • I spent over an hour walking through these steps for my shared hosting account and it resulted in a self-signed certificate which is completely useless except for development purposes (I am new to SSL so didn’t realize that until I went through the steps on this page). No where does it say in the tutorial that it is a self signed certificate.

    Maybe I did something wrong but that is what I ended up with. So no https in Chrome.

    • This tutorial is to get a signed SSL from LetsEncrypt, During the provisioning process lets encrypt will generate a self signed certificate which will later be signed by the LetsEncrypt, Generally this only takes a few minutes but their documentation says it could take up to 48Hrs. If you wanted a simpler way to get a free signed SSL you can do so via your AMP which will provide a free signed one from Comodo Via cPanels AutoSSL.

  • Doesn’t Inmotion have the LetsEncrypt Cpanel feature that does all of this plus renewals automatically? Wow, that’s pretty inconsiderate of Inmotioin.

    • cPanel does have this feature but it is not installed by default, By default it will use the cPanel supported AutoSSL via Comodo, Its recommended by cPanel to use their AutoSSL instead as its directly supported by them and will be more reliable, If you have a VPS you can enable the LetsEncrypt feature as detailed in the second part of this tutorial. The first part of this tutorial is showing users how to use a lets encrypt SSL on a shared hosting plan in the event they prefer LetsEncrypt for their CA as the shared servers use cPanel’s AutoSSL because that is what we know will always be supported by them.

  • I receive the error below when I run ./getssl $domain
    getssl: new-authz error: {
      "type": "urn:acme:error:unauthorized",
      "detail": "Must agree to subscriber agreement before any further actions",
      "status": 403
    }
    

    Has anyone seen this before and know how to fix it?

    • Apologies for the issue with the error when you’re trying to use Let’s encrypt. This appears to be an issue that has been an issue with the Let’s Encrypt. You should post the issue in their community support section for assistance. I would recommend using the built-in Free SSL options provided with our hosting solutions if you are using an InMotion Hosting account.

  • Un fortunately did not work for me on shared hsoting

    After step 4 The getssl file contained 400: Invalid request only so the step 5 gave a result of command not found

    • Check to make sure that the GETSSL command is there. It will give you that error if it’s not executable as well. If you continue to have the problem, please contact our live technical support team as they have access to make changes on a shared server.

  • How to use this for multiple domains at once? and Can this be automated without needing to fill cert fields every 3 months

    • You would need to have a plugin for cPanel depending upon your account type – this would only be available on a VPS or dedicated server account. As this is a third party plugin we could only provide limited support for it. You may find more information from the vendor providing it. The automation you’re asking about is part of the AutoSSL option provided with cPanel. Using this option requires root access to the server. This is not available on shared servers.

  • The ACL path is wrong. Edit the file .getssl/yourdomain.com/getssl.cfg that was creaetd and remove the first forward slash in the path.  You can do this in your terminal.  Make sure you are in your home directory by entering cd ~

    Then open the file to edit:

    nano .getssl/yourdomain.com/getssl.cfg

    At the end of the file, look for:

    ACL=(‘/public_html/yourdomain.com/.well-known/acme-challenge’)

    and change it to:

    ACL=(‘public_html/yourdomain.com/.well-known/acme-challenge’)

    Ctrl-x followed by ‘y’ then enter to save.

    Then enter ./getssl $domain as you did before and this time it should not have the error.

  • Is there any way to automate Step 8?

     

    With the 90 day life on the cert, i’ve got a cron job running to run ./getssl – but I’d like to avoid manually having to cut and paste the certificate details into the SSL manager, if possible….

  • Let’s Encrypt now support wildcards…  Can you update this? Or setup another one explaining how to get a wildcard from them???

    • Thanks for your comment and recommendation. We will definitely consider improving our Support Center with your suggestion!

  • im have a issue here is what im getting 

    “getssl: for some reason could not reach http://mysite.com/.well-known/acme-challenge/5i-gxsSBYq5WwJX0CXMsuUXBPSRVk1cg5NGztfGit0Q – please check it manually

    [mysite@myserver ~]$ curl –silent –location “mysite.com/.well-known/acme-challenge/5i-gxsSBYq5WwJX0CXMsuUXBPSRVk1cg5NGztfGit0Q”

    <html><head><title>Error 406 – Not Acceptable</title><head><body><h1>Error 406 – Not Acceptable</h1><p>Generally a 406 error is caused because a request has been blocked by Mod Security. If you believe that your request has been blocked by mistake please contact the web site owner.</p></body></html>”.

    the config file looks good called and talk with support and was told to just use comodo..

    Any otheir ideas?

  • in the getssl.cfg, add this before generating the keys:

     

    SANS=”www.yourDomain.com”

    USE_SINGLE_ACL=”true”

     

    This will let you use the same certificate for both your root domain and the www alternative.

    With what I understand of how Inmotion Hosting works with SSL, this is what you have to do because you can’t upload seperate certficates for these two addresses. 

  • I keep getting 

    copying challenge token to /public_html/test/.well-known/acme-challenge/9Ns0GfwvF2tt2-8GZ6Mdy0yEHIwIdX4ayHdF4gkrweI

    mkdir: cannot create directory `/public_html’: Permission denied

    getssl: cannot create ACL directory 9Ns0GfwvF2tt2-8GZ6Mdy0yEHIwIdX4ayHdF4gkrweI

    And, with a reseller account, I can’t get root access.

    Is it my error, or can’t get there from here?

     

    • I would check the user that you are running the commend with. You’ll want to SSH and run these commands as the user that owns the domain. If you are using the correct user, it is possible the permissions may need to be reviewed to ensure the user can write to that directory.

    • I just changed to https. Then I went to Whynopadlock.com and got the following error message about the ONE image I uploaded to my site.;

      An image with an insecure url of “http://zayantecreekpress.com/wp-content/uploads/2017/12/DSC00010.jpg” was loaded via the javascript file: https://zayantecreekpress.com/wp-content/themes/zerif-lite/js/parallax.js?ver=v1 on line 192. The insecure URL may not be directly contained in the script file and may exist elsewhere.
      You may need to contact your web hosting provider for assistance. This URL will need to be updated to use a secure URL for your padlock to return.

    • From what the error is indicating, it seems that the script for the theme you are using is loading a non-https version of the image. Either the script needs to be updated or the image should be re-uploaded. I would recommend first trying to re-upload the image. It may just be something simple like that to complete the conversion to https. Also, using a plugin like Velvet Blues, may help to update all your images/references within your website. However, you may need to reach out to the developer of the theme to ask for an update that will load that particular resource/image over https rather than http. I hope this helps!

  • I had to create the folders manually starting from well known and so forth… is ther any way to just make it copy the files there… it tries to create the folders and still no go (no permissions)

    • Unfortunately I am unsure as to the reason why that is not a function of Let’s Encrypt. However, I did find by reviewing the Let’s Encrypt forums that you can create the Certificate to include both, by generating the CSR with the non-www and www versions of the domain included.

Leave a Reply to Harshvardhan Malpani Cancel reply