I can't use the clients with HostGator but not sure if the fix I found is safe


#1

Hello all, I can't run the clients; I am on a shared hosting plan and do not have root access. I found a website, https://www.sslforfree.com, that is supposed to be an interface for LetsEncrypt.org. It's supposed to do it for you, but I was unsure of how safe this was.

Is this site safe for me to use to get SSL cert for my domain?

Edit: Never mind, I guess this website also handles the private key, which I am not comfortable with. I found another site, https://gethttpsforfree.com/, which should work. I might wait because I am not entirely sure what I am doing.


#2

There is currently a suggestion for one hosted on letsencrypt.org, e.g. certs.letsencrypt.org, due to obvious security reasons. I personally don’t trust any other site to generate my certs; I would suggest, for 100% security, booting Linux Mint 17.2 in VirtualBox and generating the certs there.

Also if you could kindly ask your hosting via support to add LE to their hosting. My business just moved from HostGator due to slow response times (literally weeks) for tickets from support but hopefully you don’t have that issue.

There are plenty of other hosts that have support for LE; I manage a list: https://github.com/letsencrypt/letsencrypt/wiki/Web-Hosting-Supporting-LE


#3

Don’t they use WebCrypto to generate a public key? Wouldn’t you have to manually audit to make sure a leak was not happening? Wouldn’t https://gethttpsforfree.com/ be a safer route?

I have had tons of trouble with HostGator, especially with cPanel login issues. I have been testing DigitalOcean, but I have very little experience with having to set up a backend. I have become super reliant on cPanel, unfortunately.


#4

This is a good option. The site only sees your CSR, which doesn’t include your private key. Feel free to do some research on the suggested openssl commands used to generate the CSR to make sure they’re not malicious. You could also host your own copy of the site since it’s an open source project.

The CSR basically includes your public key and the domain(s), which is public information anyway (Let’s Encrypt pushes all certificates they issue to Certificate Transparency log servers). Note that you will have to repeat this process manually at least once every 90 days (probably more regularly to avoid getting too close to the expiration date). That’s unavoidable on shared hosting plans unless your provider has some programmatic way of deploying new certificates, or supports Let’s Encrypt directly.

With sslforfree.com, you would have to audit the entire client-side code to make sure the code doesn’t expose your private key to a third party anywhere.
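The local step post #4 describes, as an added example that is not part of the original thread or of either site's instructions: generate the key and CSR with openssl on your own machine, then confirm before pasting that the CSR verifies, carries only the public half of your key, and contains no private key block. The domain `example.com`, the file names and the 2048-bit key size are assumptions.

```shell
#!/bin/sh
# Added example. DOMAIN, the file names and the key size are assumptions.
DOMAIN="example.com"   # constructed sample value

# Create the private key and CSR locally. Only domain.csr is ever pasted
# into a website; domain.key stays on this machine.
make_csr() {
    dir="$1"
    ( umask 077 && openssl genrsa -out "$dir/domain.key" 2048 2>/dev/null ) &&
    openssl req -new -sha256 -key "$dir/domain.key" \
        -subj "/CN=$DOMAIN" -out "$dir/domain.csr"
}

# Print the subject (the domain) the CSR asks a certificate for.
csr_names() {
    openssl req -in "$1" -noout -subject
}

# Succeed only if the file is a CSR that is safe to hand to a third party.
csr_is_safe_to_share() {
    key="$1"; csr="$2"
    # 1. Its self-signature verifies. Match on the message text, because
    #    older openssl releases exit 0 even when verification fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    # 2. It carries exactly the public half of our own key.
    [ "$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] || return 1
    # 3. No private key block was concatenated into the file by mistake.
    ! grep -q "PRIVATE KEY" "$csr"
}

# Demo in a scratch directory.
work=$(mktemp -d)
if make_csr "$work" && csr_is_safe_to_share "$work/domain.key" "$work/domain.csr"; then
    echo "OK to paste $work/domain.csr: $(csr_names "$work/domain.csr")"
else
    echo "Do not paste: CSR check failed" >&2
fi
```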


#5

Oh, alright, thank you. I will use https://gethttpsforfree.com/. I don’t feel like I am qualified to audit the client-side code adequately. Thank you for the explanation.