How to install lets encrypt via webhost

Hello,

I just downloaded the let’s encrypt client (https://github.com/letsencrypt/letsencrypt).

I moved it to my webhost and the folder appears as letsencrypt-master.

The folder is under the home directory on my web host/server.

I just tried this: https://letsencrypt.readthedocs.org/en/latest/intro.html
code: ./letsencrypt-auto certonly --standalone --email admin@thing.com -d thing.com -d www.thing.com -d otherthing.net (I replaced everything with our site).

and I am getting this error:
updating letsencrypt and virtual environment dependencies…Command “python setup.py egg_info” failed with error code 1 in /tmp/pip-build-Tqwq7A/cffi

Thanks.
-Sky

What version of python are you using ?

Hello,

Thanks for the quick reply.

Where can I find the version of python that I am using? I do not see that option anywhere in cPanel.

I see Perl: 5.10.1

Thanks!
-Sky

normally I’d just say run “python --version” however if you don’t have ssh access that will be tricky.

If you are using cpanel, there isn’t yet ( I don’t think ) a really easy way to automate thing. I’m assuming you are also on a shared hosting system, so you don’t have root access ?

There are a number of topics discussing cpanel however most need server side access.

Can you say a little more about your configuration ?
is it your server ( and access to WHM ) or do you just have a cpanel account on a server hosted by someone ?
What version of cpanel are you using ?

Hi Serverco,

Thanks for responding so quickly again!

I did not know the python --version trick. It worked! So here it is: Python 2.6.6

I used putty for the previous attempts so I am not using cPanel at all. I just thought I could find that information for the sever through cPanel. I did not know about the commands. I am a newbie.

We do not have a dedicated server - we are on a shared host because it is so much cheaper.

Cpanel version: cPanel Version 11.52.2 (build 1)

Do you think I can still do this? If so, I would really need help. Thanks.

Thanks!

The easiest for now ( on a shared cpanel server) is probably a manual method. You would ideally need to upgrade python to 1.7 on your server to do things automatically. I don’t think it will be long before there is an automatic method, but not there yet.

I’d suggest using the web version at https://gethttpsforfree.com/

You can either generate the private key and CSR using putty ( there are details of how to on https://gethttpsforfree.com/ ) or you can generate them in cpanel in the SSL/TLS Manager section.

You will be asked to create a file, with given contents, on your website to prove ownserhip, and then a certificate provided.

You can install the certificate in cpanel in the SSL/TLS Manager section.

Hi Serverco,

Thanks so much for that information!

I was able to do step 1 on the website that you provided.

However, I am having issues with step 2.

I was able to do the command: openssl genrsa 4096 > domain.key but I do not know what to do after that because there is no explanation on how to change foo to my site. Also, I tried looking for the file account.key in my list of files on the server- but I do not see it anywhere. I looked in etc and ssl.

Thanks!

in putty, you ran the command

openssl genrsa 4096 > account.key

which would have generated a private account key for you. If you then run (again in putty, in the same folder);

openssl rsa -in account.key -pubout

it will print out the account key for you - that you can then paste into the box on the website ( https://gethttpsforfree.com/ )

Did the first command give any errors or anything ? if not it should have created the file "account.key" for you. It should be in the folder where you ran the first command.

Hello,

I got step one done easy, peesy.

However, I am having issues with the following:

Generate a CSR for your the domains you want certs for:
(replace "foo.com" with your domain)
Linux:
#change "/etc/ssl/openssl.cnf" as needed:
#  Debian: /etc/ssl/openssl.cnf
#  RHEL and CentOS: /etc/pki/tls/openssl.cnf
#  Mac OSX: /System/Library/OpenSSL/openssl.cnf
openssl req -new -sha256 -key domain.key -subj "/" \
  -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \
  <(printf "[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))
Copy and paste the CSR into the box below.

This does not make any sense to me. I open the domain.key and I see what I see in account.key but it is different text.

Also, I tried via cPanel and since I created it, it will bring up a page asking if you want to continue, so I do not want to do the cPanel method.

OK, so you have created an "account key" and a "domain key"

just replace "foo.com" with your domain name in the command;

openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf
<(printf "[SAN]\nsubjectAltName=DNS:foo.com,DNS:www.foo.com"))

so if your domin was "ilovemusic.net" then the command is;

openssl req -new -sha256 -key domain.key -subj "/"
-reqexts SAN -config <(cat /etc/ssl/openssl.cnf
<(printf "[SAN]\nsubjectAltName=DNS:ilovemusic.net,DNS:www.ilovemusic.net"))

This should give you the CSR. If you want the certificate to be for more than "yourdomain.com" and "www.yourdomain.com" then let me know.

Hi Severco,

Thank you! I did that (along with DNS:ilovemusic.org,DNS:www.ilovemusic.org). We have .org and .com.

Did I do something wrong?

That sounds right. That should give you the CSR to upload.

Hello again,

I tried that and I got this error:
cat: /etc/ssl/openssl.cnf: No such file or directory
unable to find ‘distinguished_name’ in config
problems making Certificate Request
xxxxxxxxxxxxxxx:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=req name=distinguished_name

Thank you.

What were you doing / where did you get this message ?

Did you obtain a certificate and then got this error when installing ? or was this at one of the steps before when you were trying to obtain the certificate? if so, which step ? what have you completed and what was the exact command you were using that got the certificate ?

Ahh, OK, it was at the step of doing the command;

openssl req -new -sha256 -key domain.key -subj "/"
-reqexts SAN -config <(cat /etc/ssl/openssl.cnf
<(printf "[SAN]\nsubjectAltName=DNS:ilovemusic.net,DNS:www.ilovemusic.net,DNS:ilovemusic.org,DNS:www.ilovemusic.org"))

is that correct ?

Hi serverco,

that is correct. I got that message after I typed: openssl req -new -sha256 -key domain.key -subj "/" \ -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \ <(printf "[SAN]\nsubjectAltName=DNS:ilovemusic.net,DNS:www.ilovemusic.net,DNS:ilovemusic.org,DNS:www.ilovemusic.org"))

So basically, this is what I did:
openssl genrsa 4096 > domain.key
then:
openssl req -new -sha256 -key domain.key -subj "/" \ -reqexts SAN -config <(cat /etc/ssl/openssl.cnf \ <(printf "[SAN]\nsubjectAltName=DNS:ilovemusic.net,DNS:www.ilovemusic.net,DNS:ilovemusic.org,DNS:www.ilovemusic.org"))

then got the error.

I am not sure what to do.

Thanks.

Do you have an openssl.cnf file on your system, in a different directory ? perhaps /etc/pki/tls/openssl.cnf that you can use instead ?

I searched for it via cPanel and found one in the following directory:

letsencrypt/examples

I opened and saw this:
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ san ]
subjectAltName=${ENV::SAN}

I’d suggest trying to use that one then, or copy it to /etc/ssl/ and then use the command as before

I tried that and it did not work.
This is so difficult… it should not be. I even created the file and tried and no luck.

The challenges are because you don’t have real full access to the server.

You can create the files you need in SSL/TLS Manager in cpanel though.