Using Certbot to Get a Let's Encrypt SSL Certificate for a Shared Hosting Environment
Working with not-for-profit organizations with extremely small budgets can be a challenge. It is usually preferable to spend volunteer time than actual dollars.
Until recently, getting a free Let’s Encrypt certificate has been relatively trivial. All that was required was to go to www.sslforfree.org and follow their GUI procedure. Even if the automatic update did not validate, the manual update normally did, and the fall back DNS validation could be invoked if needed.
As an aside, I spoke to GoDaddy about their certificates for a domain that currently does not have any redirects other than the www and non-www versions. The rep tried to sell me an upgraded certificate for nearly 3 times as much. I went back to a free certificate for the domain.
Another question to GoDaddy regarding a domain where I have both *.org and *.com versions resulted in a rep telling me that I needed to get the *.net and *.info versions (he missed *.biz and *.us). This is ridiculous. Trying to capture your site with all possible extensions can get really expensive, defeats the purpose of the new extensions, and may not even be possible.
Directly using Certbot requires root access, which is obviously not available on a shared hosting account. Thus, Certbot must be run in “manual” mode and the certificates must be downloaded to a local computer.
I had difficulty finding instructions for using Certbot, but after installing it on a local machine, running Certbot help in an elevated command prompt will show all of the commands available with Certbot. The best clue that I could find to running Certbot locally was at this link:
Using Certbot on a shared hosting server that does not support ACME Challege involves:
- Installing Certbot on your local machine.
- Obtaining challenge files
- Installing challenge files
- Validating challenge files.
- Installing the certificate in cPanel.
Each of these items requires that some steps be completed.
I am installing on a windows machine so the steps are:
- Download the Certbot installer from https://dl.eff.org/certbot-beta-installer-win32.exe.
- Run the installer.
Detailed instructions can be found here:
The installer will install a shortcut on The Windows Start menu, but the best way to launch is with a batch file, but don’t use it. Instead:
- Create a Batch file with the command:
Certbot>certbot certonly --manual -d <mydomain1> -d <mydomain2> -d > -d
Where mydomain1 is the primary domain and mydomain2 is a redirect. You should be able to add as many redirects as you need, and you need the -d switch for each domain entered.
Don’t forget to add both the www and non-www versions to the list as separate domains.
- Since this command will have to be run every 90 days, it Save the batch file.
- Tip: Save the batch file in a folder in the root of C: to make it easy to find and execute.
- Open an elevated command prompt.
- In the elevated command prompt:
- Enter your email address if prompted to do so.
- Agree to the terms and conditons
- Answer Y to allow your IP address to be logged. Note that this is the IP address of the local machine and that Certbot won’t run if you answer N.
- As instructed create a text file with the content:
<Long random number 1>.<long random number 2>
- Save the file with the filename <long random number 1>
- Press Enter to continue.
Note that you will have to repeat this for each domain that you entered in step 1. Do Not press enter after the last entry.
- Copy the files that you just created to the webroot on your website’s host in a folder named “.well-known/acme-challenge”.
- The folders can be created in cPanel or in an SSH session.
- Now back on the local computer press enter to run the validation check.
- Once the validation check successfully completes, your certificate will be saved to “C:\Certbot\Live\<mydomain1>\fullchain.pem”.
- Open the file with a text editor such as Notepad++. Word will not work, and I have been advised that Notepad is not a good idea.
- Copy the contents of the file as far as the first “End of Certificate” (there are 2 of them) to your clip board.
- As far as I can tell you can generate the second item in cPanel.
- Log into your webhost and open cPanel.
- On the main screen in the Security Group Click SSL/TLS
- On the screen that opens, click Update certificate in the row associated with the domain in question.
- You will be redirected to the box below and your domain will be selected.
- Paste the certificate into the box labeled Certificate (CRT).
- Click the “Autofill by Domain” button.
- This is where the second part of the “fillchain.pem” file is regenerated.
- Go back to your local computer and open the file “C:\Certbot\live\privkey.pem”.
- Copy the contents of the file.
- Paste the contents into the box in cPanel labeled “Private Key (Key)”.
- Test your main domain and redirects to be sure that the certificate has taken effect.