Installing Lets Encrypt on godaddy cPanel Shared Hosting

I am trying install and automate the renewal of Let's Encrypt on my domains bought on Godaddy and hosted in Godaddy Host (cPanel Shared Hosting).

Here are the specs I have:

Linux version 2.6.32-673.26.1.lve1.4.20.el6.x86_64 (mockbuild@build.cloudlinux.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC) )
Apache/2.4.25
cURL 7.36.0
MySQL 5.6.33
PHP 5.4 (native/default) (5.4.45)
5.5 (5.5.38)
5.6 (5.6.30)
PEAR 1.9.4
Perl 5.10.1
phpMyAdmin 4.0.10.14
Python 2.6.6
Zend 2.6.0

First I cloned the repos :
git clone https://github.com/certbot/certbot.git
cd certbot/
./letsencrypt-auto certonly --manual

I get this error:

"sudo" is not available, will use "su" for installation steps...
Sorry, I don't know how to bootstrap Certbot on your operating system!

You will need to install OS dependencies, configure virtualenv, and run pip install manually.
Please see Contributing — letsencrypt latest documentation
for more info.

How can automatically generate and renew the certificates in this condition as described?

hi @Tomus

You haven't installed certbot so not able to use certbot

have you tried this method? The Let’s Encrypt project — letsencrypt latest documentation

pip freeze

And paste the results here

Andrei

more reading Whats the AMI EC2 workflow to install Certbot

Andrei

1 Like

Python version is:
Python 2.6.6

and when I run pip freeze, i get this:
-bash: pip: command not found

I also did the following :
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto --help

and I get the following:

"sudo" is not available, will use "su" for installation steps...
Usage: certbot-auto [OPTIONS]
A self-updating wrapper script for the Certbot ACME client. When run, updates
to both this script and certbot will be downloaded and installed. After
ensuring you have the latest versions installed, certbot will be invoked with
all arguments you have provided.

Help for certbot itself cannot be provided until it is installed.

--debug attempt experimental installation
-h, --help print this help
-n, --non-interactive, --noninteractive run without asking for user input
--no-bootstrap do not install OS dependencies
--no-self-upgrade do not download updates
--os-packages-only install OS dependencies and exit
-v, --verbose provide more output
-q, --quiet provide only update/error output;
implies --non-interactive

All arguments are accepted and forwarded to the Certbot client when run.

Hi @Tomus

I am thinking that most likely the python path won’t work for you either

I am not sure what version of Linux Cloud Linux is built on but try the instructions below

https://packaging.python.org/install_requirements_linux/#centos-rhel

If this doesn’t work then i suggest you look at an alternative BASH based client

https://letsencrypt.org/docs/client-options/

ACME.sh is quite popular

You will still need to work out how to get the certs installed on cPANEL as ACME.sh (nor certbot) will do that for you

Andrei

by the way, more details on my python version:

Python 2.6.6 (r266:84292, Aug 18 2016, 15:13:37)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-17)] on linux2

ah ok

so you should be able to get python pip working

whats your thoughts on what you want to try next?

Andrei

I tried to install pip using python:
first download:
wget https://bootstrap.pypa.io/get-pip.py
and then:
python get-pip.py

DEPRECATION: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of pip will drop support for Python 2.6
Collecting pip
/tmp/tmpyVGsl1/pip.zip/pip/vendor/requests/packages/urllib3/util/ssl.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see Advanced Usage - urllib3 2.1.0 documentation.
/tmp/tmpyVGsl1/pip.zip/pip/vendor/requests/packages/urllib3/util/ssl.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see Advanced Usage - urllib3 2.1.0 documentation.
Downloading pip-9.0.1-py2.py3-none-any.whl (1.3MB)
100% |################################| 1.3MB 867kB/s
Collecting wheel
Downloading wheel-0.29.0-py2.py3-none-any.whl (66kB)
100% |################################| 71kB 9.8MB/s
Collecting argparse; python_version == "2.6" (from wheel)
Downloading argparse-1.4.0-py2.py3-none-any.whl
Installing collected packages: pip, argparse, wheel
Exception:
Traceback (most recent call last):
File "/tmp/tmpyVGsl1/pip.zip/pip/basecommand.py", line 215, in main
status = self.run(options, args)
File "/tmp/tmpyVGsl1/pip.zip/pip/commands/install.py", line 342, in run
prefix=options.prefix_path,
File "/tmp/tmpyVGsl1/pip.zip/pip/req/req_set.py", line 784, in install
**kwargs
File "/tmp/tmpyVGsl1/pip.zip/pip/req/req_install.py", line 851, in install
self.move_wheel_files(self.source_dir, root=root, prefix=prefix)
File "/tmp/tmpyVGsl1/pip.zip/pip/req/req_install.py", line 1064, in move_wheel_files
isolated=self.isolated,
File "/tmp/tmpyVGsl1/pip.zip/pip/wheel.py", line 345, in move_wheel_files
clobber(source, lib_dir, True)
File "/tmp/tmpyVGsl1/pip.zip/pip/wheel.py", line 316, in clobber
ensure_dir(destdir)
File "/tmp/tmpyVGsl1/pip.zip/pip/utils/init.py", line 83, in ensure_dir
os.makedirs(path)
File "/usr/lib64/python2.6/os.py", line 157, in makedirs
mkdir(name, mode)
OSError: [Errno 30] Read-only file system: '/usr/lib/python2.6/site-packages/pip-9.0.1.dist-info'

I also tried:
curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > getssl ; chmod 70 0 getssl

and then
./getssl -c mydomain.com
and I get this error:
getssl: this script requires one of: nslookup drill dig host

what other solutions are there?

acme.sh :smiley: would be the next thing to try

generally I don’t like messing with python on shared hosting as there are lots of limitations imposed by the host provider

I would also check if there is python 3 available but it’s a long shot

Andrei

I followed the link here : GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol
So in my $HOME directory, i did:
git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install

and then:

acme.sh --issue -d example.com -w /home/username/public_html/mydir/example.com

the certificates are issued successfully.

  • what should I do now so that the domain shows the ssl?

  • Shouldn't i have followed step 3 in the above link?

  1. Install the issued cert to Apache/Nginx etc.

How can I cron job the renew?
simply by adding this:
acme.sh --renew -d example.com --force
?

You're in a shared hosting environment. Most likely you don't have root access to Apache or nginx. So "manually" getting a certificate through certbot certonly or using acme.sh won't do you any good: you have a certificate now (jeej), but you can't install it into Apache or nginx! Because that requires root.

BUT!

You say you have cPanel access. cPanel has a few options for TLS/SSL: some providers provide the AutoSSL Let's Encrypt plugin. This should do everything for you, including the issuing.
But if the Let's Encrypt plugin isn't installed (ASK YOUR SERVICE PROVIDER FOR IT!), you might be able to install the certificate you got issued just now with acme.sh through other cPanel TLS interface sections.

Forcing something is almost never the right option! This may end up issuing a new certificate every day! How to renew with acme.sh is explained on the acme.sh README.. In step 1.2 to be exact. It renews automatically when you re-run the application.

1 Like

so basically, I have to include this line in my cron job list on Godaddy CPanel:
0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null
so that the renewing will be done automatically. right?

Regarding the installation of the certs, I think I should do them manually.
There is a tuto on this here:
https://www.redpacketsecurity.com/use-lets-encrypt-go-daddys-shared-hosting-platform/
the Part 2 explains how to upload the cert to the ssl manager.
Once I upload it and install it, will the renewal be automatic, given that the cron job is configured as well?
I mean, I am afraid, manually adding the cert to the ssl manager, and creating .well-known/… directory in the domain directory will not smoothly follow the automatic recognition and renewal? or maybe i am totally wrong.
Could you please confirm if it is correct if i do so?
thanks

if following the above method, where can I find the acme challenge?
so that I can put it in .well-known\acme-challenge,
when I ran the ./acme.sh --install, i got this:
[Sun May 14 04:57:10 MST 2017] Registering account
[Sun May 14 04:57:12 MST 2017] Registered
[Sun May 14 04:57:13 MST 2017] Update success.
[Sun May 14 04:57:13 MST 2017] ACCOUNT_THUMBPRINT=‘m8hYX5sdLKvlyPKgPbrRMJrzGTssUhMe6Og5P05POME’
[Sun May 14 04:57:13 MST 2017] Creating domain key
[Sun May 14 04:57:13 MST 2017] Single domain=‘example.com
[Sun May 14 04:57:13 MST 2017] Getting domain auth token for each domain
[Sun May 14 04:57:13 MST 2017] Getting webroot for domain=‘example.com
[Sun May 14 04:57:13 MST 2017] Getting new-authz for domain=‘example.com
[Sun May 14 04:57:14 MST 2017] The new-authz request is ok.
[Sun May 14 04:57:14 MST 2017] Verifying:example.com
[Sun May 14 04:57:18 MST 2017] Pending
[Sun May 14 04:57:20 MST 2017] Success
[Sun May 14 04:57:20 MST 2017] Verify finished, start to sign.
[Sun May 14 04:57:21 MST 2017] Cert success.

where is the acme challenge?
is it the ACCOUNT_THUMBPRINT?

You don’t need the acme challenge.
After the log “[Sun May 14 04:57:21 MST 2017] Cert success.”, you can see the cert and the key file location.

That are the files you need.

Here is a guide for you: https://tryingtobeawesome.com/encryptdaddy/

And you can also find many other useful guides: https://github.com/Neilpang/acme.sh/wiki/Blogs-and-tutorials

1 Like

thanks @Neilpang ! awesome! working like a charm!

Although renewal with regard to the issuing of the cert with acme.sh might be fully automatic, the installation of the certificate, which you have done manually won't be automatic.

That's why specific plugins of cPanel are most of the time a "better" method: the plugin will issue and install the certificate automatically.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.