Install Let's Encrypt free SSL to your Elgg website on shared hosting (without root access)

Another Big Milestone – Let's Encrypt is now offering Free HTTPS certificates to everyone.

Let's Encrypt has opened to the public, allowing anyone to obtain free SSL/TLS (Secure Sockets Layer / Transport Layer Security) certificates for their web servers and to set up HTTPS websites in a few simple steps (described below).

Let's Encrypt – an initiative run by the Internet Security Research Group (ISRG) – is a new, free, and open certificate authority recognized by all major browsers, including Google's Chrome, Mozilla's Firefox and Microsoft's Internet Explorer.

The free SSL certificate authority is now in public beta after a trial among a select group of volunteers.

Why Let's Encrypt?

Let's Encrypt promised to offer a certificate authority (CA) which is:

  • Free – no charge for HTTPS certs.
  • Automatic – installation, configuration and renewal of the certificates do not require any administrator action.
  • Open – the automatic issuance and renewal procedures will be published as an open standard.
  • Transparent – the records of all certificate issuances and revocations will be publicly available.
  • Secure – the team is committed to being a model of best practice in their own operations.
  • Cooperative – Let's Encrypt is managed by a multi-stakeholder organization and exists to benefit the community, not any of the consortium members.

How to Install Let's Encrypt Free SSL Certificate

First of all, let's say you want to get a certificate for example.com. To run the installation using the official Let's Encrypt method, you must have root access to your example.com web server. Unfortunately, many of us are on a shared hosting plan (I use the "PersonalClass" plan on Arvixe) and don't have root access to the server. What about us? Can't we enjoy the benefit of free SSL? Well, the answer is "Yes, you can". Below is a tutorial with which an admin on shared hosting without root access can also install the free SSL certificate.

So, let's begin...

First, let me introduce you to https://gethttpsforfree.com/, which is a web-based client for Let's Encrypt. Admins who do not have root access to their server can obtain the SSL certificate from this website.

Step 1: Go to https://gethttpsforfree.com/

Step 2: Follow the instructions on the website for Account Info, Certificate Signing Request and Sign API Requests. (Use PuTTY or any other SSH client to run the commands.)

Step 3: Now there is a small problem with the step "Verify Ownership": the current Elgg .htaccess file forbids browser access to any file or folder whose name starts with a dot (.), so it generates a 403 Forbidden error for the validation path ".well-known/acme-challenge/" on your server. (Detailed discussion here). Until there is a permanent fix for this (view ticket here), validating your account needs a small modification to your .htaccess file. Comment out the line "RewriteRule (^\.|/\.) - [F]" by inserting "#" at the beginning of the line to make the .well-known folder accessible during the validation process. Once validated, remove the # symbol again and your .htaccess file is back in its original form.
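A narrower alternative to commenting out the whole rule, added here as an example and not part of the original post or of Elgg's shipped .htaccess: keep Elgg's dot-file block in place and exempt only the ACME validation path, so that the .htaccess file itself and any other dot-files stay forbidden while validation runs. Only the order of the two rules matters; the exemption has to come before Elgg's rule.

```apache
# Added example (not Elgg's shipped .htaccess): exempt only the ACME HTTP-01
# validation path instead of commenting out the dot-file block.
RewriteEngine On

# Let requests for the Let's Encrypt challenge files through untouched and
# stop rewriting here, so the [F] rule below never sees them.
RewriteRule ^\.well-known/acme-challenge/ - [L]

# Elgg's original rule, unchanged: forbid any path that starts with a dot
# or contains a "/." component.
RewriteRule (^\.|/\.) - [F]
```

A quick check once the file is in place: a request for http://example.com/.well-known/acme-challenge/test-file should return that file's content, while http://example.com/.htaccess should still return 403.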

Step 4: Once validated, you will get your certificate and PEM file. Save the cert and PEM file with the content provided on gethttpsforfree to your local system.

Step 5: Log in to your cPanel and click on "SSL/TLS Manager". Upload the private key obtained in step 1 in the "Private Keys (KEY)" section and the certificate file obtained in step 4 in the "Certificates (CRT)" section of the SSL/TLS Manager page.

Step 6: After successfully uploading the files, visit "Manage SSL sites" and install the uploaded certificate.

Congratulations, you have successfully installed an SSL certificate for your example.com domain.

How to Renew Let's Encrypt Free SSL Certificate

It is important to note that the beta version of Let's Encrypt issues certificates that expire after 90 days. So, to renew your SSL certificate, you need to go through the entire process again after expiration.

FREE HTTPS Certificates for Everyone!

So, now it's time for the Internet to take a significant step forward in terms of security and privacy. With Let's Encrypt, the team wants HTTPS to become the default, and to make that possible for everyone it has built Let's Encrypt in such a way that certificates are easy to obtain and manage.

Let's Encrypt signed its first free HTTPS certificate in September, and its client software emerged in early November. Since then the team has been finding flaws in its systems before going public.

If you want to see how the SSL setup looks, or want to inspect the certificate, feel free to visit my site www.campuskarma.in

  • Hi Rohit.. thanks for sharing this. I checked it out on your website and it's working great. However, I am trying to install it on my site but am having difficulty in step 2 under Certificate Signing Request. It looks like the instructions given there for the command line are only for Linux, because I am trying it on Windows and the commands are not working for me. Do you know any other way out, or more precisely, how can I run the command for the CSR using PuTTY on Windows??

  • You need a Linux platform for Step 2 - Certificate Signing Request and, more importantly, for Step 3 - Sign API Requests. You cannot complete step 3 without a Linux server.

    What you can do is connect to your Linux server using PuTTY. Open PuTTY, type in your server address and click Connect. Log in using your cPanel username/password. Once logged in, run your command in PuTTY.

    For more details on how to use PuTTY, refer to this article: https://mediatemple.net/community/products/dv/204404604/using-ssh-in-putty-

  • Thanks Rohit.... I have actually connected to my Linux server using PuTTY. I am trying to run this command from the instructions in step 2 to generate a CSR, but it isn't working:

    # Change "/etc/ssl/openssl.cnf" as needed:
    #   Debian: /etc/ssl/openssl.cnf
    #   RHEL and CentOS: /etc/pki/tls/openssl.cnf
    #   Mac OSX: /System/Library/OpenSSL/openssl.cnf
    
    openssl req -new -sha256 -key domain.key -subj "/" \
      -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
      <(printf "[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))

    I think I am running something in this command wrongly; could you tell me exactly what command you used here? Thank you.

  • openssl req -new -sha256 -key domain.key -subj "/" \
      -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
      <(printf "[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))

    • Change "/etc/ssl/openssl.cnf" as needed:
      * Debian: /etc/ssl/openssl.cnf
      * RHEL and CentOS: /etc/pki/tls/openssl.cnf
      * Mac OSX: /System/Library/OpenSSL/openssl.cnf
    • Change foo.com to your domain.com
  • I keep getting this when I enter the command:

    cat: /etc/ssl/openssl.cnf: No such file or directory
    cat:  /dev/fd/63: No such file or directory

    unknown option  -reqexts
    req [options] <infile >outfile
    where options  are
     -inform arg    input format - DER or PEM
     -outform arg   output format - DER or PEM
     -in arg        input file
     -out arg       output file
     -text          text form of request
     -pubkey        output public key
     -noout         do not output REQ
     -verify        verify signature on REQ
     -modulus       RSA modulus
     -nodes         don't encrypt the output key
     -engine e      use engine e, possibly a hardware device
     -subject       output the request's subject
     -passin        private key password source
     -key file      use the private key contained in file
     -keyform arg   key file format
     -keyout arg    file to send the key to
     -rand file:file:...
                    load the file (or the files in the directory) into
                    the random number generator
     -newkey rsa:bits generate a new RSA key of 'bits' in size
     -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
     -newkey ec:file generate a new EC key, parameters taken from CA in 'file'
     -[digest]      Digest to sign with (see openssl dgst -h for list)
     -config file   request template file.
     -subj arg      set or modify request subject
     -multivalue-rdn enable support for multivalued RDNs
     -new           new request.
     -batch         do not ask anything during request generation
     -x509          output a x509 structure instead of a cert. req.
     -days          number of days a certificate generated by -x509 is valid for.
     -set_serial    serial number to use for a certificate generated by -x509.
     -newhdr        output "NEW" in the header lines
     -asn1-kludge   Output the 'request' in a format that is wrong but some CA's
                    have been reported as requiring
     -extensions .. specify certificate extension section (override value in config file)
     -reqexts ..    specify request extension section (override value in config file)
     -utf8          input characters are UTF8 (default ASCII)
     -nameopt arg    - various certificate name options
     -reqopt arg    - various request text options

  • Which server are you using? Debian, RHEL, CentOS or Mac OSX?

  • I am not sure of the path of openssl.cnf on CloudLinux; you can contact your hosting provider for the correct path.

  • For me it was /etc/pki/tls/openssl.cnf