Does activating SSL over Certbot require a permanent server side process?


#1

Hi,
I got SSH access to my hosting server (shared host) for running CertBot on it. The hosting provider set the following rules. Does setting up SSL for my website using SSH and CertBot violate any of these rules? Which one?

  • Do not leave your home directory.
  • Do not attempt to run permanent server-side processors.
  • Do not attempt to gain extended user privileges on the server.
  • Do not start server processes.

Thanks


#2

There are essentially two steps to think about, both of which you need to ensure happen every 2-3 months because Let’s Encrypt certificates expire after 90 days.

  1. Obtaining a certificate from Let’s Encrypt, which requires validating control over the names to appear on the certificate

  2. Installing each certificate in the web server so that it will present this to visitors as proof of its identity

For step 1, this should be possible without breaking any of the rules from the hosting provider, but Certbot can’t obey all these rules easily so you might want to either use Certbot in “manual mode” running on your own computer (unless it’s a Windows PC) or look at other ACME clients

For step 2, most shared hosts don’t provide any practical way for Certbot or similar to do this without breaking several of the rules. So it would probably be done manually. You would usually log into some kind of web control panel and install the resulting certificates there every 60-90 days. In most cases you’ll need two files, the private key, named privkey.pem by Certbot, and a certificate chain, named fullchain.pem by Certbot. The private key must remain private, the server needs it, but you shouldn’t share it or reveal it except to people you’re trusting to administrate the web server.

So, overall using Let’s Encrypt is almost certainly possible in your scenario, but automating it so it’s not a recurring annoyance may not be possible this way. If your shared host has common control panel software like Cpanel or Plesk, the shared host might be able to upgrade or configure this to have a “one button” Let’s Encrypt feature instead of needing the manual steps.


#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.