Hosting service won't cooperate?

My hosting service (Hostway.com) may not be willing to use certbot and the ACME protocol. They may insist that I provide them with a valid certificate along with the private key, which they will then install. Is there a way to provide this to them using Let's Encrypt?

There are basically two types of hosting:

  1. "Shared hosting", where you upload files through their control panel and they handle everything. You just get what they give you, and if you don't like it then you don't really have options beyond switching to a different plan (if they have one) or switching to another hosting provider.
  2. "Give you a VPS" where you have the responsibility to administrate the server. You can install what you want, and configure however you want, but it's up to you to do so.

The second is what systems like certbot are for. For the first kind of hosting, they should just be handling https automatically (but for some reason not all do).

If you have control over DNS or are able to upload a file to the web server, then it is possible to run something like certbot in "manual mode", get the key & certificates, and send them to your provider. You'd need to do it manually every couple months, and it's the most complicated, error-prone, and insecure way to do it (if you're sending the key around to somebody). But it's not the way I would do it.

With some shared hosting setups, you can get away with CertSage which is a PHP script that can try to integrate with the control panel. You still need to do it manually every couple months, but it's at least keeping the keys on the system and you might not need to involve their support each time.

5 Likes

Peter,

Thanks for your detailed response!

Normally, Hostway uses the "Shared hosting" approach you describe.

In my case, however, I am using WordPress (.org) which is also available. That gives me a lot more design freedom, and a certain control over directory structure, etc., but I am guessing it does not give me the privileges needed to install certificates or run certbot. Does that constitute a VPS?

Please be patient with my ignorance....

Thanks,

George

1 Like

If you don't have a login to a Linux shell with the ability to install your own software, then it's probably not a VPS. You're probably limited to whatever support your hosting provider can give you, though some people have used things like CertSage (and there may be WordPress plugins too) to integrate well enough. But ideally your hosting provider would do it for you, or at least walk you through the process to have it work automatically.

5 Likes

Most ACME tools can also use DNS validation instead of HTTP validation; that way you can acquire your certificate on any machine and then upload it to your service.

I concur that nowadays this should really just be built in (for free) to whatever your host provides, and if they don't, it's worth moving host to one that will make it their problem, not yours; you are, after all, paying for their service, and https is quite a basic feature in terms of hosting provision.

If not, you can do things like use Cloudflare (their free service) for your DNS and they will automatically proxy your site and enable https etc.

2 Likes
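Both the manual-mode reply and the DNS-validation reply above end with a certificate and private key being handed to the provider for installation. The following is an added example, not part of the original thread: a shell pre-check, assuming the `openssl` command-line tool is installed, that the key belongs to the certificate, that the certificate has at least 30 days left, and that it covers the site's hostname. The function names, file names and the 30-day threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity checks on a certificate and private key before they
# are handed to a hosting provider for installation.

# Succeeds only if the private key in $2 belongs to the certificate in $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate in $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if the certificate in $1 covers hostname $2.
cert_covers_host() {
    openssl x509 -in "$1" -checkhost "$2" 2>/dev/null | grep -q 'does match certificate'
}

# Runs all checks, prints one line per failure, returns non-zero on any failure.
precheck() {
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
    valid_for_days "$1" 30 || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    cert_covers_host "$1" "$3" || { echo "FAIL: certificate does not cover $3"; rc=1; }
    return "$rc"
}

# Constructed sample input: a throwaway self-signed pair for example.com,
# written to directory $1 as cert.pem and key.pem. Not a Let's Encrypt certificate.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=example.com" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Usage: sh precheck.sh cert.pem privkey.pem www.example.com
if [ "$#" -eq 3 ]; then
    precheck "$1" "$2" "$3" && echo "OK: key, expiry and hostname checks passed"
fi
```

Run it on the machine where the certificate was obtained, so a mismatched or nearly expired pair is caught before the private key leaves that machine.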

Just remember that Cloudflare isn't magic. You still need either a Cloudflare Origin CA certificate or a publicly trusted certificate, such as the ones issued by Let's Encrypt, on your origin server behind Cloudflare. Without one, data will only be secure between your visitors and the Cloudflare proxy, which will in turn transmit all of that previously encrypted data between the Cloudflare proxy and your origin server in the clear.

5 Likes
