I run a hosting company and my users want Let’sEncrypt Certificates and many of them posted this link in support. But I’m not able to find anything out there for hosting companies. I want to know if there is any guides for getting started.
Thanks!
2 Likes
What type of hosting platform do you offer your customers? Do you use something like cPanel, Plesk, Directadmin? This will be the main thing that informs what you should do next.
There is a general integration guide here: https://letsencrypt.org/docs/integration-guide/
But specific advice comes down to your specific situation.
2 Likes
My hosting company is based on cPanel/VistaPanel. Mine is a free hosting.
2 Likes
Well, cPanel installations these days have AutoSSL enabled by default, which automatically generates certificates from Sectigo/Comodo, for all user domains. You can switch AutoSSL to Let’s Encrypt (https://documentation.cpanel.net/display/CKB/The+Let’s+Encrypt+Plugin), but generally, it’s not necessary to.
For Vista Panel, I’m not sure what the situation is. But you would be wanting to look for some kind of Let’s Encrypt plugin that is compatible with it.
2 Likes
Actually I will not be able to customize the cPanel any way my user to manually set this from the client area of my site?
1 Like
Ummm, it sort of depends. Users can enable or disable AutoSSL for domains from the client interface, but they can’t issue the actual certificates themselves. That happens automatically in the WHM background service.
(I offer a paid plugin for cPanel which gives the users full control, which works differently to AutoSSL.)
But generally, AutoSSL works very well, and cPanel users are very used to it all happening automatically. I recommend adopting it.
3 Likes
Companies like this offer let’s encrypt certificates from their client area. So, the user should follow some procedures to do the same.
1 Like
I’m not really following.
Doing things manually is worse than doing things automatically.
Infinityfree don’t let you issue Let’s Encrypt certificates unless you upgrade to their premium hosting.
Otherwise, you have to manually create one using external tools, and then install it via the client area every 90 days.
And you can already do that with cPanel and Vesta - manually upload whatever certificate you want. But it’s completely manual and hostile to users.
2 Likes
Ok then is there a way I can issue certificates to cutomers without the cPanel like just do as how infinityfree does the manual installation and I renew it every 90 days with a script or so?
1 Like
Are you using cPanel, or no? If you want specific advice about how to automate renewals, then it’s crucial to know what your hosting environment actually is, and whether you are the web host or a user of another web host.
1 Like
I am a reseller of iFastnet and they provide all features of cPanel and they control that.
But the client area is fully custom built by me with the help of api they provide for communication with the server. The client area has all account related info for the specific user and the users all hosting account. And they can also login to cPanel through that.
1 Like
@_az even if it’s manual method please let me know. As my clients have no problem with manual method.
1 Like
OK. So with the cPanel accounts created via your WHM Reseller plan, do your clients see this icon in their user interfaces? http://kb.ifastnet.com/index.php?/article/AA-00426/13/Premium-Hosting/cPanel-FAQ/How-do-I-issue-a-free-SSL-certificate.html
1 Like
No they don’t see that icon in the cPanel.
But they have the option to upload SSL certs.
1 Like
SSL is usually managed on the shared hosting server itself. In your case, ifastnet seems to only enable that functionality on “premium” plans. So it’s not an option for you.
I think it’s probably unlikely that you are going to find an existing turnkey solution for this. Managing SSL from the client area doesn’t really make sense except for some circumstances (like your reseller restriction).
Hypothetically, you could just build a Let’s Encrypt client into your custom client area. Grab a PHP (or whatever language) ACME library, and automatically create a certificate order, get the challenges, use UAPI Fileman::upload_files to upload the challenge response, complete the order, download the certificate, and deploy it using UAPI SSL::install_ssl. And you can make that automatically renewing. All using cPanel HTTP API and you have the cPanel credentials already in your client area. But it’s a lot of work to develop. Perhaps you can simplify it by scripting an existing ACME client (like Certbot or acme.sh) and adding your own custom hooks to do the actual challenge and deployment steps.
TBH I would consider getting a WHM reseller plan somewhere that doesn’t disable AutoSSL. There are a lot of them out there. Why does your blood have to be shed for the greediness of your host? :\
2 Likes
If you want a turn-key solution with integrated letsencrypt support (not to mention, a lot cheaper than cPanel) you should switch to ISPConfig – hire me and we can learn how it works together.
3 Likes
Your users should never even see their private keys.
(I don't think I've seen mine, it's a cat away, but it's always pointless random data the only important characteristic of which is to be secret.)
4 Likes
It’s interesting to note that some Amazon TLS products (and I think maybe some of Google’s) follow your advice to the extent of not allowing customers to see their own keys. This might be because of hardware or software that deliberately doesn’t implement a private key export feature.
5 Likes
Well, it’s kinda like smartcards, supposed to hold private keys in write-only mode, and perform signing on the card secure chip itself. 
4 Likes
I think I know exactly one person (a PGP developer) who has benefited from the ability to directly view his own private key data in a software application, and I know several people who have been harmed by it (by accidentally sharing their private keys instead of their public keys).
Even the ability to copy, export, or back up the private key is often useful only as a workaround to some other missing functionality or option (in TLS, often that’s the inability to easily issue a desired number of certificates, in the desired environment where they will be used, at no marginal cost). (For a smartcard, it might be the problem that a relying party won’t authorize the desired number or type of devices to perform some kind of authentication.)
3 Likes