How to get a gratis SSL certificate when hosting on a shared hosting plan?

I host three Drupal websites and one MediaWiki website on a shared hosting plan (Stellar Business) at Namecheap.

If I understand correctly, Namecheap don't give me any gratis (free of charge) SSL certificate as part of that plan.

I am actually quite confused on what SSL certificates they give me at all.
I have already paid them for this product:

PositiveSSL Multi-Domain (3 SANs) purchased for 5 years

For some reason that I don't understand, this product expiers for different domains different times:

  • Domain 1 --- Drupal website --- SSL certificate will expire in 1,398 days

  • Domain 2 --- Drupal website --- SSL certificate will expire in 279 days

  • Domain 3 --- Drupal website --- SSL certificate will expire in 54 days

  • Domain 4 --- MediaWiki website --- SSL certificate already expired

I am in a loss about why all don't have 1,398 days left or why at least the first three domains don't have 1,398 days left, but anyway, I think I shouldn't pay for SSL certificates at all because years ago I used Certbot to install SSL certificates in a DigitalOcean droplet gratisly and everyone were satisfied and now I seek a gratis approach on shared hosting as well.


I have tried to install CertSage but the PHP installation wizard was unclear to me; I was asked to suffice a password for something but I misunderstood for what --- when I used CertBot on a DigitalOcean droplet I don't recall being asked to input a password. I also didn't understand other parts of the installation wizard so I have decided that at least for the time being, I won't use CertSage.
I am well aware that the developer of CertSage is a very respected and beloved member of this community and I respect him myself and don’t think he is after any password of any user and may have even prevented himself of having accees any such password somehow but I just seek a simpler tool more intuitive to someone like me which isn’t a PHP programmer and which isn’t an Information Security specialist.


That said,

I can SSH to my shared hosting partition with Putty and can run a decent number of commands there, but with a non-root user account only.

I wonder if besides CertSage there is any technology left for me to try to use to get a gratis SSL certificate for any website I host there.

How to get a gratis SSL certificate when hosting on a shared hosting plan?

Please feel free to edit this post if I wrote anything misleading and thanks anyway.

1 Like

If you can run through the process manually, you might be able to script it.
This is not a simple task but it might be possible.

It would be much simpler to find a HSP that has already figured out how to integrate free certs into their plans.

6 Likes

is not a valid term for a globally recognized certificate. If you examine that long-lived certificate, I expect that you will find it is either self-signed or issued by a private CA.

This article describes how to use Let's Encrypt work Namecheap shared hosting using ssh and acme.sh.

6 Likes

Probably not better, except for changing hosting provider.

If you already purchased a commercial certificate from Namecheap, I'd suggest to take your issues with that purchased certificate up with Namecheap.

3 Likes

What do you suggest that I'll script?

For example, to script using Certbot I did something like that, at the time:

apt install certbot python3-certbot-apache

read domain_1 &&
read domain_2 &&
if [ "$domain_1" == "$domain_2" ]; then
echo $domain_2
else
   echo Mismatch.
fi

certbot --apache -d "$domain_2" -d www."$domain_2"

About the first article, I would suggest these companies to just make it one year valid or 365 days valid and be done with it, after all these changes from nearly 1000 days to 398 :slight_smile:

I should take the time to carefully read the second article, although I first need to understand what is ACME.SH I guess. Then, I could try to make a well commented Bash script out of this.
I noted it's from June 2020, more than 3 years ago, hopefully it's still relevant and Namecheap didn't block that option.

2 Likes

Hi :slightly_smiling_face:

Author of CertSage here. Thank you for your kind words of praise. To clarify, the password for which CertSage is asking for both certificate acquisition and installation is simply the contents of the password.txt file created in the CertSage directory by CertSage itself when certsage.php is loaded in a browser. By default, the password is just some random characters generated by CertSage and not any password created by the user.

7 Likes

Hi griffin !

Is there any plan to make a CLUI version of CertSage? Is there something experimental, an alpha, a beta, I could try before becoming a pseudo-scholar on ACME.SH :joy: ?

I am curious to know why it was chosen to make it GUI for starters :slight_smile: I mean to ask, with the right curls and wgets and heredocuments and read prompts and text processing etc. the data could have been exchanged by a shared hosting non root user account as well, couldn't it?

I just imagine that a CLUI CertSage might have been longer to operate then Certbot, but still give verbose yet clear, perhaps even didactic black and white charm explanations on each execution stage.

And also see Baseline Requirements for TLS Server Certificates – CAB Forum this document
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.1.pdf in the section
6.3.2 Certificate operational periods and key pair usage periods states
"Subscriber Certificates issued on or after 1 September 2020 SOHULD NOT have a Validity Period
greater than 397 days and MUST NOT have a Validity Period greater than 398 days.
For the purpose of calculations, a day is measured as 86,400 seconds. Any amount of time greater
than this, including fractional seconds and/or leap seconds, shall represent an additional day. For
this reason, Subscriber Certificates SHOULD NOT be issued for the maximum permissible time by
default, in order to account for such adjustments."

2 Likes

The UI format is much more user-friendly, faster to use, and conducive to fulfilling the needs of users who don't have or/nor want command line experience. Needing to SSH or otherwise into a command line adds an entire extra, unnecessary step and process to certificate acquisition and installation. For my own websites, I can renew a certificate in under 30 seconds right from my phone's browser. It would take at least that long and be far more error-prone to even access a command line, nonetheless acquire and install a certificate with it. :slightly_smiling_face:

6 Likes

Admittedly though, I have considered making CertSage supply a quasi-API experience to be scriptable, which would support CL interaction.

6 Likes

I suppose I could increase the verbosity of the process. :thinking: Just hadn't had a need yet.

4 Likes

I wonder why I find the GUI wizard of CertSage hard. Maybe I am just not familiar with much background terminology there.

I don't understand around 75% of the usage directions there, if not more.
I'd humbly suggest adding some more explanation leftly or rightly to the wrapper as well, instead only or primarily on top of a wrapper item or in it, and also, adding or checking if there is need to improve explanations like:

  • What kind of data should be inputted in the particular input field.
  • From where to get or collect any such data.

If all of that is done GUIwise then maybe there won't be any need in a CLUI parallel of CertSage.

1 Like

Perhaps indeed. My comment right above suggest a possible how :slight_smile:

Out of curiosity, which of the five input boxes (with one being a domain name list, one being an email address list, and three being the contents password.txt) have you found difficulty understanding? Are any of the buttons unclear? I'm always up for trying to make CertSage simpler and more clear, but I need to understand the concerns. Which of the directions here are unclear?

6 Likes

And I'll be more than happy and respected to share my thoughts on this, something I'll do as a hubmle web accessibility consultant :slight_smile:

Box 1

CertSage is an ACME client

I thought that ACME is a protocol, not a client, but maybe Let's Encrypt is the protocol and ACME is just one of the clients for creating Let’s Encrypt standardized SSL certificates, similar to how Certbot is one such clients.

that acquires free DV TLS/SSL certificates from Let's Encrypt

Personally I'd phrase this as A software client which gets DV TLS/SSL certificates from Let's Encrypt”.

I think that this would have been a clearer text for people like me that English or any other Germanic language for that matter is not their first language and are also far from being information security experts.

Also I find the text DV TLS/SSL graphically inaccessible and it might be good to change it to one of these:

  • DV — TLS/SSL: emdash instead hyphen

  • DV || TLS/SSL

  • DV and/or TLS/SSL

I have no idea what DV is, currently, by the way.

by satisfying an HTTP-01 challenge

I am in a total loss here :slight_smile:

Please use the staging environment for testing to avoid hitting the rate limits.

I think that "staging environment" here means "code testing environment" and that rate limits here do something with brute force attacks but on what?
Again I am far from being an information security expert and therefore I came out very confused.


That said, Box 1 is “densly” filled with links, which make reading it even less accessible and possibly more confusing to general audience.

Box 2

Acquire Certificate

One domain name per line

No wildcards (*) allowed

So, if I give one domain I get a single-site SSL certificate and if I give two or more domains I get a multi-site SSL certificate?

I suggest to clarify what is the case exactly.

Why wildcards are suddenly mentioned? :slight_smile:

Box 3

Password

Contents of ../CertSage/password.txt

The only file I have downloaded in that context is certsage.txt changed to certsage.php so where do I get this aforementioned password file and a password for what would it be?

Wouldn't it be better to unite all password input-fields to one and also suggesting users to save this password in some password sheet?

Acquire Staging Certificate

I just don't have a clue what that means.

Acquire Production Certificate

And again :frowning_face:

Box 4

Install Certificate into cPanel

Password

Contents of ../CertSage/password.txt

Install Certificate into cPanel

Again the password I find mysterious :slight_smile:

What is installing a certificate into cPanel? Shouldn't it be in the web server configuration files or in the content management system files?

Receive Certificate Expiration Notifications

One email address per line

Leave blank to unsubscribe

So putting my personal email address of some major email provider like yahoo.com or mail.com or gmail.com or yandex.com is what I am suggested to do? Sounds fair !

That being said, I think people shouldn't be suggested to unsubscribe from it because renewing a certificate is extremely important and in my honest opinion not less important then “privacy policy” changes.

Password Contents of ../CertSage/password.txt

This password is very intriguing.


Now then, to the end,

I personally felt “pressured” when I saw that I must fill-in data, and save, each and everyone of the input fields alone.

I would have preferred to just fill in data in all four boxes and their-sub input-fields and only then just hit a single “Save” button.

ACME is an (IETF) protocol. acme.sh, Certbot and others are ACME clients. Let's Encrypt runs boulder an ACME server.

7 Likes

I'm game. Let's begin. :slightly_smiling_face:

You do realize that every single question/confusion you've had so far is thoroughly explained by clicking on those links and doing some reading, right? :wink: I'm not going to repeat fundamental information, thus blowing out CertSage's intro into a treatise, to save people a few clicks.

Essentially, yes, if you want to complicate things with terminology. Again, clicking the links above and/or doing a basic Google search will quickly and simply explain wildcards in certificates. This is a free piece of software, not a definitive textbook on certificate terminology.


Did you read the CertSage usage instructions to which I linked above or any of my previous posts at all?

Presenting:

The multiple password boxes were to technologically simplify the architecture of the PHP/HTML code. There are technically 3 separate forms on that page. Admittedly, I didn't want to repeat the password box, but the page was much more confusing and fragmented without.


Again, please click the provided links in the intro and do some basic reading. Free software. Not a textbook.


How can you possibly ask this question and not understand what a staging and production system are? cPanel is one of the most popular hosting management systems in the history of the internet. There are thousands of providers that use it and copious amounts of information about it. CertSage was primarily designed for hosting situations where admin access is not available and users don't have a clue/desire to manage systems at the web server or CMS level.

Some people don't need the email. They have that option.

Because it appears you haven't read anything about using CertSage or the repetition of such information I provided to you directly above.

Huh? Saved how? There are 3 forms: one with two fields, one with one field, and one with two fields. You can only push one button at a time, so why would you ever fill out more that one form at once? Following the usage instructions, which I don't think you've read yet, makes this very clear.

That isn't possible here because not everyone uses cPanel and people need to be able to manage the email address(es) used for their reminders without needing to acquire a certificate.


Regardless, thank you for your suggestions. I'll see what I might adjust based on them.

9 Likes

Thanks for detailing and please allow me to clarify a few of my sayings in my previous reply that may explain some of the surprise you had when reading it.

  1. My personal philosophy as an accessibility consultant is that passages shouldn’t have three or more links because I believe that one link near the middle and another link near the end are the best maximum for a passage on a webpage, if not on an entire webpage (if there’s a need in link/s at all), but the particular passage currently has ten links, which philsophically biased me personally from opening them.

  2. I personally think that expanding a bit more about usage details won't necessarily make a free software including CertSage a "textbook". In regards to CertSage, a few more words on a few different places (maybe text examples in gray inside the input fields) would be nice.
    By the way, I think FOSS textbooks are often great; we all like manuals like man tree or man zip or man find for example.

  3. In the context of computing, I personally know what is "local development", "production development", “deployment”, “integration” and “delivery”, solely or primarily in the subcontext of Bash-HTML-JavaScript-CSS-CMSs, but I do not know it at all in the subcontext of SSL certification.
    If "staging" is not “local development” then I have no idea what that is and would need a subcontext to understand it.

  4. I didn't open the links, in part, due to what I have described in clause 1 but also in part because of my interpretation of a few other comments you have gracefully made in other threads that I have created from which I interpreted two things:
    One is that using CertSage would be solely Cpanel-focused and another, that using CertSage will be very very intuitive to use, almost with no learning curve at all (pretty much how Certbot was for me at the time).
    These interpretations were wrong and I now figure that I am left with two choices probably --- becoming much more learned about SSL certification from all the aforementioned links, or just pay some 15 USD per month to Namecheap.

There's at least one more you should consider: move to a less user-hostile hosting provider.

7 Likes