Let’s Encrypt is a service provider that provides SSLs for your website for free. This allows you to get a valid SSL certificate for use on your site. SSLs provide secure site connections and have lots of uses. This write-up will show how to get, setup, and maintain an updated SSL.
Let’s Encrypt SSL on Shared Servers
Please note that these commands are designed to run in a series, and during the same SSH session.
- First, be sure to find the document root for your domain
- Then login to your server via SSH
- Run the command
curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > getssl ; chmod 700 getssl
This will download the Bash script we will be using to obtain our Let’s Encrypt SSL.
- Next, run the command
sed -i 's/curl -k/curl -Aagent -k/' ./getssl
This adds a user-agent to the script which helps it to complete one of its tests.
- Create base configuration files for your domain by running
domain=yourdomaingoeshere.com; ./getssl -c $domain
Be sure to replace yourdomaingoeshere.com with your actual domain.
- These commands will setup your configuration file. Enter these one-by-one, in the following order
configFile=.getssl/$domain/getssl.cfg; sed -i 's/SANS/#SANS/' $configFile
echo 'CA="https://acme-v01.api.letsencrypt.org"' >> $configFile
echo "ACL=('/your/document/root/goes/here/.well-known/acme-challenge')" >> $configFile - Obtain the Let’s Encrypt SSL by running
./getssl $domain
- To install the SSL certificate you will need to login to your cPanel and go to your file manager, Inside your home directory, you will go to the .getssl folder and then the folder for the domain name you are working with. Download the yourdomain.crt yourdomain.key and chain.crt. Once you have them downloaded go back to your cPanel and you will go to the “SSL/TLS manager” and click “Manage SSL sites”. Once in here select the domain you want to install the certificate on from the drop down. Open the files you downloaded earlier in notepad or your preferred text editor and and paste them into the fields on the screen, The yourdomain.crt will go into the “Certificate (CRT)” field, yourdomain.key will go into the “Private Key (KEY)” field and lastly the chain.crt will go into the “Certificate Authority Bundle: (CABUNDLE)” field. Ensure you copy the entire contents of each file into these fields. Once these have been pasted in click the “Install Certificate” Button at the bottom of the page. Your SSL is now installed.
- Let’s Encrypt SSL certificates only last 90 days, To renew the certificate simply SSH back into your account and run the command below.
./getssl yourdomain
After Running the command repeat step 8 to install the updated certificate.
Awesome! Now you’ve got a Let’s Encrypt SSL all setup on your shared server.
Let’s Encrypt SSL on VPS and Dedicated Servers with cPanel
- First login to your server via SSH as root If you do not have root access you can request it by following the directions here
- Once logged in you will want to run the command below to enable lets encrypt for AutoSSL.
/scripts/install_lets_encrypt_autossl_provider
- Now that we have enabled lets encrypt we need to set your AutoSSL to use it, login to your WHM as root and go to the “Manage AutoSSL” menu, You can find this by searching for SSL in the searchbox in the upper left hand side.
- On the Manage Auto SSL page you will have a list of providers for AutoSSL and you will now have the option for Let’s Encrypt. Select the radio button next to Let’s Encrypt and then click save below.
- On the Manage Auto SSL page select “Manage Users”, From here you can enable or disable AutoSSL on a per cPanel account basis, It will be enabled for all by default, AutoSSL will check all domains every 24Hrs for certificates, You can force it to check and provision one now by clicking the “Check ‘cpuser'” button on the Manage Users page.
You now have a Let’s Encrypt SSL certificate set up on your server.
Since the IdentTrust DST Root CA X3 certificate expiring in September, 2021, my website is receiving a “not secure” warning in Chrome (Windows 7). Considering that 12% of windows users are still using win7, does Inmotion have any advice on how to remove such warnings. I have read that rebooting the server OS might resolve the issue.
Hello, and sorry to hear that you were having trouble with your Let’s Encrypt SSLs. We recently implemented some updates that should solve the issues with Let’s Encrypt SSLs, but unfortunately Windows 7 is out of the scope of our support. From my research, it seems that you can resolve it by manually downloading certain components of the SSL to your Windows 7 Third Party Root Certification Authorities directory on your device. That should remove the warning on your installation of Chrome. Hope that helps!
It did not generate the chain.crt
Hi, Suzanne, sorry to hear that you ran into trouble. Did it generate the other files in the right location? This is one situation where I’d advise contacting our Live Support team directly, as they can log into your server and watch logs while the process runs, helping you narrow down the issue.
I know right! And then it sounds like we have to renew manually every 90 days? Really?
If you use the free SSL provided by InMotion Hosting, you don’t need to renew it manually.
Well none of my sites were auto-renewed by 10/09/2019 resulting in them all being unavailable and clients receiving google warning for 14 hours. No telling how many of my clients I will lose. Would like to know why it happened and how IMH will make sure this sort of thing never happens again.
Hello and I’m sorry for your situation. Unfortunately, I cannot access your account to better understand why this happened. Therefore, I recommend you check our article on renewing your subscriptions and contact our Live Support for further investigation. I hope this helps.
wow, such a turn down. Seems that inmotion don’t like to put things easy. I was specting a cpanel option like siteground has, everything automatic.
We do have a button for free SSL activation. This article is about installing a Let’s Encrypt SSL on the command line, which is a different procedure.
Getting following error: “getssl: for some reason could not reach https://mysite.com/.well-known/acme-challenge/5i-gxsSBYq5WwJX0CXMsuUXBPSRVk1cg5NGztfGit0Q – please check it manually
Already disabled ModSecurity but still no luck
I recommend checking error logs using cPanel Errors or SSH. Alternatively, you can contact our live support for additional assistance with this.
Lets encrypt supports wildcard domains since March. How much longer before we can access this option?
I see users asking since then, support still suggests it is not possbile or they are not aware that lets encrypt is capable of wildcard support/
Help please
You should be able to install this just like any 3rd party wildcard certificate, but I unfortunately could not find a good guide in the Let’s Encrypt documentation for Wildcard Certificates. There is a cPanel plugin you can install on your VPS or Dedicated server if you have “root” access. If you are on a shared server, this plugin is not currently available. You can provide manager feedback suggesting they add this feature.
Thank you,
John-Paul
Hello,
I want to install Let’s Encrypt certiticate through Cpanel. Is this the same feature offeed under the Free SSL option in the CPanel ?
Many thanks,
Teresa Cuervo
The SSL from cPanel would be Comodo. If you have a VPS plan, you can choose between Comodo and Let’s Encrypt in WHM.
How to run cmd on step 3
For Step 3 of the section: “Shared Servers” you can simply copy and paste that into the SSH command prompt.
I think it would be useful to mention another steps for this, like enable the ssh access for the account and how to use putty, which you have tutorials for.
https://www.inmotionhosting.com/support/website/ssh/shared-reseller-ssh
https://www.inmotionhosting.com/support/website/file-management/how-to-enable-ssh-through-whm
Ps. this is for reseller hosting plan
I spent over an hour walking through these steps for my shared hosting account and it resulted in a self-signed certificate which is completely useless except for development purposes (I am new to SSL so didn’t realize that until I went through the steps on this page). No where does it say in the tutorial that it is a self signed certificate.
Maybe I did something wrong but that is what I ended up with. So no https in Chrome.
This tutorial is to get a signed SSL from LetsEncrypt, During the provisioning process lets encrypt will generate a self signed certificate which will later be signed by the LetsEncrypt, Generally this only takes a few minutes but their documentation says it could take up to 48Hrs. If you wanted a simpler way to get a free signed SSL you can do so via your AMP which will provide a free signed one from Comodo Via cPanels AutoSSL.
Doesn’t Inmotion have the LetsEncrypt Cpanel feature that does all of this plus renewals automatically? Wow, that’s pretty inconsiderate of Inmotioin.
cPanel does have this feature but it is not installed by default, By default it will use the cPanel supported AutoSSL via Comodo, Its recommended by cPanel to use their AutoSSL instead as its directly supported by them and will be more reliable, If you have a VPS you can enable the LetsEncrypt feature as detailed in the second part of this tutorial. The first part of this tutorial is showing users how to use a lets encrypt SSL on a shared hosting plan in the event they prefer LetsEncrypt for their CA as the shared servers use cPanel’s AutoSSL because that is what we know will always be supported by them.
getssl: new-authz error: { "type": "urn:acme:error:unauthorized", "detail": "Must agree to subscriber agreement before any further actions", "status": 403 }Has anyone seen this before and know how to fix it?
Apologies for the issue with the error when you’re trying to use Let’s encrypt. This appears to be an issue that has been an issue with the Let’s Encrypt. You should post the issue in their community support section for assistance. I would recommend using the built-in Free SSL options provided with our hosting solutions if you are using an InMotion Hosting account.
Un fortunately did not work for me on shared hsoting
After step 4 The getssl file contained 400: Invalid request only so the step 5 gave a result of command not found
Check to make sure that the GETSSL command is there. It will give you that error if it’s not executable as well. If you continue to have the problem, please contact our live technical support team as they have access to make changes on a shared server.
How to use this for multiple domains at once? and Can this be automated without needing to fill cert fields every 3 months
You would need to have a plugin for cPanel depending upon your account type – this would only be available on a VPS or dedicated server account. As this is a third party plugin we could only provide limited support for it. You may find more information from the vendor providing it. The automation you’re asking about is part of the AutoSSL option provided with cPanel. Using this option requires root access to the server. This is not available on shared servers.
The ACL path is wrong. Edit the file .getssl/yourdomain.com/getssl.cfg that was creaetd and remove the first forward slash in the path. You can do this in your terminal. Make sure you are in your home directory by entering cd ~
Then open the file to edit:
nano .getssl/yourdomain.com/getssl.cfg
At the end of the file, look for:
ACL=(‘/public_html/yourdomain.com/.well-known/acme-challenge’)
and change it to:
ACL=(‘public_html/yourdomain.com/.well-known/acme-challenge’)
Ctrl-x followed by ‘y’ then enter to save.
Then enter ./getssl $domain as you did before and this time it should not have the error.
Is there any way to automate Step 8?
With the 90 day life on the cert, i’ve got a cron job running to run ./getssl – but I’d like to avoid manually having to cut and paste the certificate details into the SSL manager, if possible….
Unfortunately, that step appears to be necessary. Have you checked out the cPanel AutoSSL feature? This automates the renewal process.
Let’s Encrypt now support wildcards… Can you update this? Or setup another one explaining how to get a wildcard from them???
Thanks for your comment and recommendation. We will definitely consider improving our Support Center with your suggestion!
im have a issue here is what im getting
“getssl: for some reason could not reach https://mysite.com/.well-known/acme-challenge/5i-gxsSBYq5WwJX0CXMsuUXBPSRVk1cg5NGztfGit0Q – please check it manually
[mysite@myserver ~]$ curl –silent –location “mysite.com/.well-known/acme-challenge/5i-gxsSBYq5WwJX0CXMsuUXBPSRVk1cg5NGztfGit0Q”
<html><head><title>Error 406 – Not Acceptable</title><head><body><h1>Error 406 – Not Acceptable</h1><p>Generally a 406 error is caused because a request has been blocked by Mod Security. If you believe that your request has been blocked by mistake please contact the web site owner.</p></body></html>”.
the config file looks good called and talk with support and was told to just use comodo..
Any otheir ideas?
The error 406 indicates that ModSecurity is blocking the request you are making. Disabling ModSecurity should allow the command to run.
in the getssl.cfg, add this before generating the keys:
SANS=”www.yourDomain.com”
USE_SINGLE_ACL=”true”
This will let you use the same certificate for both your root domain and the www alternative.
With what I understand of how Inmotion Hosting works with SSL, this is what you have to do because you can’t upload seperate certficates for these two addresses.
I keep getting
copying challenge token to /public_html/test/.well-known/acme-challenge/9Ns0GfwvF2tt2-8GZ6Mdy0yEHIwIdX4ayHdF4gkrweI
mkdir: cannot create directory `/public_html’: Permission denied
getssl: cannot create ACL directory 9Ns0GfwvF2tt2-8GZ6Mdy0yEHIwIdX4ayHdF4gkrweI
And, with a reseller account, I can’t get root access.
Is it my error, or can’t get there from here?
I would check the user that you are running the commend with. You’ll want to SSH and run these commands as the user that owns the domain. If you are using the correct user, it is possible the permissions may need to be reviewed to ensure the user can write to that directory.
You should also change it on the last line – for ACL
I just changed to https. Then I went to Whynopadlock.com and got the following error message about the ONE image I uploaded to my site.;
An image with an insecure url of “https://zayantecreekpress.com/wp-content/uploads/2017/12/DSC00010.jpg” was loaded via the javascript file: https://zayantecreekpress.com/wp-content/themes/zerif-lite/js/parallax.js?ver=v1 on line 192. The insecure URL may not be directly contained in the script file and may exist elsewhere.
You may need to contact your web hosting provider for assistance. This URL will need to be updated to use a secure URL for your padlock to return.
From what the error is indicating, it seems that the script for the theme you are using is loading a non-https version of the image. Either the script needs to be updated or the image should be re-uploaded. I would recommend first trying to re-upload the image. It may just be something simple like that to complete the conversion to https. Also, using a plugin like Velvet Blues, may help to update all your images/references within your website. However, you may need to reach out to the developer of the theme to ask for an update that will load that particular resource/image over https rather than http. I hope this helps!
I had to create the folders manually starting from well known and so forth… is ther any way to just make it copy the files there… it tries to create the folders and still no go (no permissions)
You will need sudo or root level privileges.
Hi, in your instructions, why can we not add other domain versions eg. domain.com and www.domain.com by default like how it is done with the Auto SSL? Without having to force HTTPS on www.domain.com?
Unfortunately I am unsure as to the reason why that is not a function of Let’s Encrypt. However, I did find by reviewing the Let’s Encrypt forums that you can create the Certificate to include both, by generating the CSR with the non-www and www versions of the domain included.
mistake: last part of step 6 for Shared Servers – $configfile needs to be $configFile
Thanks!