Hi, I’m just a regular person with a wordpress site on shared hosting who wants to secure his website with SSL. I’m passionate about free software but have very little technical knowledge beyond basic shell commands in debian. I phoned my UK based webhost to ask about letsencrypt and after a bit of confusion , one of their sysadmins came back and said that there was no way they could support this on their cloud platform or on cpanel sites as the root permissions required were too great and presented a security risk to their infrastructure.
So a few questions:
Is there anyway anyone here can convince them that it is OK? i.e respond to this so I can email them the link.
If not, can anyone recommend a UK based shared hosting company using linux that will allow letsencrypt client installation? so that I can migrate if need be.
Thanks in advance.
If they allow you configure a certificate manually, for example via cPanel, and if they allow you to put files into your document root, you can run a LE client locally in manual mode and upload the generated certificates.
The downside to that is that you have to repeat it every 60-90 days.
Unless you feel confident of managing a linux install on your own, right now, I don’t think the official letsencrypt client is right for you. As the person on the other end of the phone said, root level authority means that you have full control over the system in question, and in any sort of shared hosting environment, that’s going to be a no go for the sysadmin.
Optionally, you could look here: https://github.com/diafygi/letsencrypt-nosudo. It requires more work on your part, but should get you a certificate.
And that’s a big downside of the low certificate lifetime.
I guess that the most websites, we can find on the web, are hosted on some kind of “shared hosting”. Only very few websites are hosted on “root servers”.
So if the goal of the whole “letsencrypt” project is really to encrypt the whole web, then you have to allow longer lifetimes optionally. If someone can run the client, then 90 days should be OK, but on my hosting, everything, I have, are two text boxes to paste the content of the key files. I can do this as often as I want, but manually generating a key every few weeks and uploading it via web GUI would just suck. This way, I’ll prefer to not even start with HTTPS.
You’re in the wrong thread, you meant to comment on Pros and cons of 90-day certificate lifetimes
Maybe you can use an PHP/JAVA etc library that is listed under the client topic here.
Thanks for the replies. I had a look at the no- sudo script and I think I’m going to have to give https a miss for now.
If this is going to help encrypt the web then an idiots guide to SSL and certificates would be useful along with some text to manage peoples expectations and advise if this is a solution for them or not.
Good luck with the project.
You need access a Linux machine for the key generation ( use a VM in VirtualBox; but do extract your keys from there since you’ll need them in 3 months ) and you need access on you host but not root, just file access to be able to create 2 folders and 1 file ( for the verification part ).
Tip: press (how do I generate this?) at each step for the run down.
Just for the records, there is no need to use a Linux VM or another Unix machine to generate the key, csr, etc., you could also use openssl in Windows using pre-compiled binaries https://wiki.openssl.org/index.php/Binaries
I guess you are right. Althought having 2 third party options there does not feel as right as a full curated distro.
Maybe something like the integrated https://babun.github.io would be better, not sure how cmd handles those long command lines, while the included zsh will be fine…
@filbert, we’re hoping that hosting providers will routinely integrate Let’s Encrypt into their own infrastructure so that you can get the certificate automatically without having to run additional software. There are already people working on this kind of integration for cPanel, for example, so once that’s available it ought to be a readily-accessible feature for cPanel users on shared hosting.
Although there are already a lot of software options for getting the certificate, we’re still going to be reliant on shared-hosting providers (or the people who make their tools) to do some integration work to make it more convenient for their users to take advantage of. And I think that will happen over time.
Thanks @schoen. I will email tsohost.co.uk with a link to this thread and see what they say. Good luck with the project.
Hi, I think you’re approaching the problem from the wrong angle
“I’m just a regular person with a wordpress site on shared hosting who wants to secure his website with SSL”
moving from a VPS to a dedicated would not solve your problem as it is quite intensive on the tech side, I think you want to add SSL to make things more secure without having to understand all this advanced tech
staying on your current VPS and forcing LE to works there is not the solution either, they obviously do not support LE and I think it will create more trouble than solve problems forcing it on them.
imho you have 2 solutions
Even experienced / advanced sysadmin on dedicated server could struggle with SSL, Certs, etc.
So yeah LE is free but it does not mean it is simple, in my opinion you fall in the case where you want the host (VPS or other) to support it for you.
Since you can run the whole generating process on another machine (VM or bare metal) I don’t find it such a tragedy.
doing so every 60-90 days can become old real quick
when you re the sysadmin and can automate the process on your server it’s great
but when you’re just a user it seems a lot of trouble
my point is not discouraging a user to use SSL, but still I would say “go with a host that support LE for you”, the same the user do not install WP or the DB or the backup process etc. they probably do not want to use the command line to generate certs, they just want to use it.
and ultimately it could make things less secure with ppl dealing with sysadmin task they don’t fully understand
Yes, but not many VPS services providers let you set up stuff to run periodically, and come on it’s 5 minutes of work every 3 months.
Unless you have 100 domains there and yeah, maybe it’s a good idea to search some other hosting.
As partially mentioned in the above replies you can install LE on a local linux machine/VM
Then you can use ‘letsencrypt certonly --manual -d www.example.com’
This will prompt you to place a file onto http://www.example.com/.well-known/acme-challenge/asdfasdfasdfasdf with a specific content.
Then you press Enter, it verifies that the content is correct and places the relevant keys into /etc/letsencrypt/live/www.example.com/*
You can then upload the certificate/key to your hosting cPanel/etc
Yes a downside of this is that it is manual, but you are not limited by providers.
So 4 times a year is a bit of a pain???
@filbert I used this on shared hosting by generating it on my mac OSX, just boot a live cd and follow: Tutorial for OS X local certificates and Shared Hosting
As long as you have ssl/tls access in your cpanel should be good to go. Also let me know your webhost so I can put them on the naughty list here: Web Hosting who support Lets Encrypt