How to install Let's Encrypt via webhost


#1

Hello,

I just downloaded the Let’s Encrypt client (https://github.com/letsencrypt/letsencrypt).

I moved it to my webhost and the folder appears as letsencrypt-master.

The folder is under the home directory on my web host/server.

I just tried this: https://letsencrypt.readthedocs.org/en/latest/intro.html
code: ./letsencrypt-auto certonly --standalone --email admin@thing.com -d thing.com -d www.thing.com -d otherthing.net (I replaced everything with our site).

and I am getting this error:
updating letsencrypt and virtual environment dependencies…Command “python setup.py egg_info” failed with error code 1 in /tmp/pip-build-Tqwq7A/cffi

Thanks.
-Sky


#2

What version of python are you using ?


#3

Hello,

Thanks for the quick reply.

Where can I find the version of python that I am using? I do not see that option anywhere in cPanel.

I see Perl: 5.10.1

Thanks!
-Sky


#4

Normally I’d just say run “python --version”; however, if you don’t have ssh access that will be tricky.

If you are using cpanel, there isn’t yet (I don’t think) a really easy way to automate things. I’m assuming you are also on a shared hosting system, so you don’t have root access?

There are a number of topics discussing cpanel however most need server side access.

Can you say a little more about your configuration?
Is it your server (and access to WHM) or do you just have a cpanel account on a server hosted by someone?
What version of cpanel are you using?


#5

Hi Serverco,

Thanks for responding so quickly again!

I did not know the python --version trick. It worked! So here it is: Python 2.6.6

I used putty for the previous attempts so I am not using cPanel at all. I just thought I could find that information for the server through cPanel. I did not know about the commands. I am a newbie. :confused:

We do not have a dedicated server - we are on a shared host because it is so much cheaper.

Cpanel version: cPanel Version 11.52.2 (build 1)

Do you think I can still do this? If so, I would really need help. Thanks.

Thanks!


#6

The easiest for now (on a shared cpanel server) is probably a manual method. You would ideally need to upgrade python to 1.7 on your server to do things automatically. I don’t think it will be long before there is an automatic method, but not there yet.

I’d suggest using the web version at https://gethttpsforfree.com/

You can either generate the private key and CSR using putty (there are details of how to on https://gethttpsforfree.com/) or you can generate them in cpanel in the SSL/TLS Manager section.

You will be asked to create a file, with given contents, on your website to prove ownership, and then a certificate is provided.

You can install the certificate in cpanel in the SSL/TLS Manager section.


#7

Hi Serverco,

Thanks so much for that information!

I was able to do step 1 on the website that you provided.

However, I am having issues with step 2.

I was able to do the command: openssl genrsa 4096 > domain.key but I do not know what to do after that because there is no explanation on how to change foo to my site. Also, I tried looking for the file account.key in my list of files on the server- but I do not see it anywhere. I looked in etc and ssl.

Thanks!


#8

In putty, you ran the command

openssl genrsa 4096 > account.key

which would have generated a private account key for you. If you then run (again in putty, in the same folder):

openssl rsa -in account.key -pubout

it will print out the account key for you, which you can then paste into the box on the website (https://gethttpsforfree.com/).

Did the first command give any errors or anything? If not, it should have created the file “account.key” for you. It should be in the folder where you ran the first command.


#9

Hello,

I got step one done easy peasy.

However, I am having issues with the following:

Generate a CSR for your the domains you want certs for:
(replace "foo.com" with your domain)
Linux:
#change "/etc/ssl/openssl.cnf" as needed:
#  Debian: /etc/ssl/openssl.cnf
#  RHEL and CentOS: /etc/pki/tls/openssl.cnf
#  Mac OSX: /System/Library/OpenSSL/openssl.cnf
openssl req -new -sha256 -key domain.key -subj "/" \
  -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
  <(printf "[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))
Copy and paste the CSR into the box below.

This does not make any sense to me. I open the domain.key and I see what I see in account.key but it is different text.

Also, I tried via cPanel and since I created it, it will bring up a page asking if you want to continue, so I do not want to do the cPanel method. :neutral_face:


#10

OK, so you have created an “account key” and a “domain key”

Just replace “foo.com” with your domain name in the command:

openssl req -new -sha256 -key domain.key -subj "/" \
  -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
  <(printf "[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))

So if your domain was “ilovemusic.net” then the command is:

openssl req -new -sha256 -key domain.key -subj "/" \
  -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
  <(printf "[SAN]\nsubjectAltName=DNS:ilovemusic.net,DNS:www.ilovemusic.net"))

This should give you the CSR. If you want the certificate to be for more than “yourdomain.com” and “www.yourdomain.com” then let me know.


#11

Hi Serverco,

Thank you! I did that (along with DNS:ilovemusic.org,DNS:www.ilovemusic.org). We have .org and .com.

Did I do something wrong?


#12

That sounds right. That should give you the CSR to upload.


#13

Hello again,

I tried that and I got this error:
cat: /etc/ssl/openssl.cnf: No such file or directory
unable to find ‘distinguished_name’ in config
problems making Certificate Request
xxxxxxxxxxxxxxx:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=req name=distinguished_name

Thank you.


#14

What were you doing / where did you get this message?

Did you obtain a certificate and then get this error when installing? Or was this at one of the steps before, when you were trying to obtain the certificate? If so, which step? What have you completed and what was the exact command you were using that got the certificate?

Ahh, OK, it was at the step of doing the command:

openssl req -new -sha256 -key domain.key -subj "/" \
  -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
  <(printf "[SAN]\nsubjectAltName=DNS:ilovemusic.net,DNS:www.ilovemusic.net,DNS:ilovemusic.org,DNS:www.ilovemusic.org"))

Is that correct?


#15

Hi serverco,

That is correct. I got that message after I typed:

openssl req -new -sha256 -key domain.key -subj "/" \
  -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
  <(printf "[SAN]\nsubjectAltName=DNS:ilovemusic.net,DNS:www.ilovemusic.net,DNS:ilovemusic.org,DNS:www.ilovemusic.org"))

So basically, this is what I did:
openssl genrsa 4096 > domain.key
then:
openssl req -new -sha256 -key domain.key -subj "/" \
  -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
  <(printf "[SAN]\nsubjectAltName=DNS:ilovemusic.net,DNS:www.ilovemusic.net,DNS:ilovemusic.org,DNS:www.ilovemusic.org"))

then got the error.

I am not sure what to do.

Thanks.


#16

Do you have an openssl.cnf file on your system, in a different directory? Perhaps /etc/pki/tls/openssl.cnf that you can use instead?


#17

I searched for it via cPanel and found one in the following directory:

letsencrypt/examples

I opened and saw this:
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ san ]
subjectAltName=${ENV::SAN}

:confused:


#18

I’d suggest trying to use that one then, or copy it to /etc/ssl/ and then use the command as before.


#19

I tried that and it did not work. :confused:
This is so difficult… it should not be. I even created the file and tried and no luck. :confused:


#20

The challenges are because you don’t have real full access to the server.

You can create the files you need in SSL/TLS Manager in cpanel though.
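
Added example, not part of the thread or of any project mentioned in it: in the output in #13, `cat` could not find /etc/ssl/openssl.cnf, so the config handed to `openssl req` held only the `[SAN]` section and no `distinguished_name`. The script below writes a complete minimal config itself, so no system openssl.cnf is needed, and lists the names in the resulting CSR. The function names and the example.net/example.org domains are assumptions, and the CSR carries the first name as CN instead of the empty subject from `-subj "/"`.

```shell
#!/usr/bin/env bash
# Added example. Domain names are constructed placeholders.
set -eu

# Write a minimal request config. [req] must point at a distinguished_name
# section, or "openssl req" stops with "unable to find 'distinguished_name'".
write_csr_config() {   # usage: write_csr_config OUT_FILE NAME [NAME...]
    out=$1; shift
    san=""
    for name in "$@"; do
        san="${san:+$san,}DNS:$name"
    done
    cat > "$out" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = SAN
prompt = no
[req_distinguished_name]
CN = $1
[SAN]
subjectAltName = $san
EOF
}

# Create a CSR for an existing key; no system openssl.cnf is read.
make_csr() {           # usage: make_csr KEY_FILE CSR_FILE NAME [NAME...]
    key=$1; csr=$2; shift 2
    cfg=$(mktemp)
    write_csr_config "$cfg" "$@"
    openssl req -new -sha256 -key "$key" -config "$cfg" -out "$csr"
    rm -f "$cfg"
}

# Print the DNS names a CSR asks for, one per line, to check before submitting.
csr_dns_names() {      # usage: csr_dns_names CSR_FILE
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Demo: run as "bash csr.sh demo". umask 077 keeps the private key readable
# only by its owner, which matters in a home directory on a shared host.
if [ "${1:-}" = "demo" ]; then
    umask 077
    work=$(mktemp -d)
    openssl genrsa -out "$work/domain.key" 4096 2>/dev/null
    make_csr "$work/domain.key" "$work/domain.csr" \
        example.net www.example.net example.org www.example.org
    csr_dns_names "$work/domain.csr"
    echo "CSR written to $work/domain.csr"
fi
```

Only the CSR is pasted into the web form; domain.key stays on the server.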