Shared hosting / Bluehost

Then I can’t see the problem; if your hosting allows you to upload the cert and the intermediate cert, there should be no problem at all. You don’t need to upload a chained cert.

@sahsanu

I’m lost as well. All I can see is that https://www.ssllabs.com/ssltest/analyze.html?d=nvexx.nl still shows the chain is broken. Bluehost has installed the crt for me now, but looking at the FTP it’s the same setup; the only difference is that the SSL/TLS manager produced the following files for me:

  • Let_s_Encrypt_Authority_X1_9cd30_dc393_1603146816_dbd6c5e7d438293887768a3bfb168259.crt
  • www_nvexx_nl_e0bc3_8b1a1_1458561060_f40541d48ba16c37430c625c77b0e52d.crt

After bluehost “installed the crt” it looked like:

  • Let_s_Encrypt_Authority_X1_9cd30_dc393_1603146816_dbd6c5e7d438293887768a3bfb168259.crt
  • www.nvexx.nl.crt

In the SSL folder. I have to wait a bit to “propagate”, but I doubt it will change/work.

It seems that the random part of the file name disappears because your hosting included it in your Apache conf, so they didn’t process the intermediate cert yet.

In Apache 2.2 and Apache 2.4 (up to version 2.4.8) they should use these directives to configure your certs:

SSLCertificateFile    /path/to/domain.crt
SSLCertificateKeyFile /path/to/private.key
SSLCertificateChainFile /path/to/intermediate.crt

From Apache 2.4.8 on, the SSLCertificateChainFile directive is deprecated (you can still use it if you want, but it will disappear in future versions), so you need to put the cert and the intermediate cert concatenated in the same cert using the directive SSLCertificateFile:

SSLCertificateFile    /path/to/domain+intermediate.crt
SSLCertificateKeyFile /path/to/private.key

Since you have no control over this config, the only thing you can do is wait for your hosting support’s answer, because they are the only ones who can configure your site properly.

Good luck :wink:
sahsanu

It’s finally working now.

  • www.nvexx.nl.crt
  • www.nvexx.nl.cabundle

is the naming setup they use. Just spent another 45 minutes on live chat with them and they managed to fix it. Green locker on mobile / desktop and no more broken chain.

Thanks for taking the time to explain. I gave them a link to your page/answer; maybe it helped in making things clearer for them while I was chatting with support.

Glad you got it working ;). Now I can see that your site gets an A in the SSL Labs test, which is pretty fine.

Merry Christmas
sahsanu

@sahsanu

Merry Christmas to you as well. I could try to get A+ but don’t know where to start. I’ll start to read up on how to get the best out of it all.

For now I’m glad it’s working and running fine on desktop and mobile.

To get A+ you need to add the HSTS header in Apache, something like this:

Header always set Strict-Transport-Security "max-age=17280000"

But as I said, this is something that should be configured in Apache, and I don’t know if you can do that without the support of Bluehost. By the way, keep in mind that after setting this header, once a browser reaches your https site for the first time, next time it will try to connect directly to the https:// version, even if the browser’s address bar specifies http://, so maybe it is something that you don’t like.

Take a look at this link

Cheers,
sahsanu

Hi,

I already have it enabled (just now) via the .htaccess with

<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"
</IfModule>

For HSTS preloading to work, I have to get added to the list maintained by Chrome? The way I have set up the websites, also for clients, everything will be https://www.*domain

Using https:// is the future and most secure, so I won’t be going back to http:// at all.

Only other thing I can think of is the “Cipher Strength”, as when I click on the green locker on my website/domain it tells me an old/deprecated cipher is used?

@KillerSneak Great work getting this done. I’ve got bluehost too and was just going to tackle this.

Any chance you could do a quick brain dump on the steps to getting this working with Bluehost? I’m sure a lot of us would be very appreciative!

@burhop

I was planning on a short how-to, but this is a great start: https://gethttpsforfree.com/ <- I used this setup/generator to get the certificates.

In essence it comes down to renaming the domain.crt and intermediate.pem to
www.*yourdomain.com.crt <- domain.crt
www.*yourdomain.com.cabundle <- intermediate.pem

And putting them in the /ssl/certs folder via FTP

In the Bluehost cPanel you can use the SSL/TLS Manager for

  • Private Keys (KEY) Generate, view, upload, or delete your private keys.

  • Certificate Signing Requests (CSR) Generate, view, or delete SSL certificate signing requests.

Just don’t use the 3rd one to set the CRT/upload your certificates -> use FTP to upload them to the /ssl/certs folder.

I know this is a bit quick as I’m in the middle of putting my daughter to sleep.

I hope in the next few days I can write up a better how-to, as I need to get more websites updated to Let’s Encrypt SSL.

This is good. Thanks for the quick reply. I’ve been down this path before, so even this short answer is good for me :slight_smile: I’m typing in the info for https://gethttpsforfree.com/ now.

I signed my own certificate a while back (I’m cheap) so I’m looking forward to swapping it out for one that doesn’t give scary messages to my visitors :slight_smile:

Keep in mind that to get A+ the max-age should be at least 180 days (15552000); you used 10886400 (120 days), so you won't get A+.

Yes, you should add it to the list, but check carefully the requirements.

KillerSneak wrote:
> Only other thing I can think of is the "Cipher Strength" as when I click on the green locker on my website/domain it tells me an old/deprecated Cipher is used?

I see that your site still has SSL2 activated but doesn't offer any cipher for it, which is strange. Anyway, you should modify the cipher list offered by Apache; on this page you will get conf examples for different web servers, versions and the type of cipher suite you want (modern, intermediate & old).

Also, take a look at this page for more info.

Cheers,
sahsanu
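
An added check for the two HSTS header values posted in this thread (example code, not from the thread or from Bluehost): it extracts max-age from a Strict-Transport-Security value, rejects a missing, non-numeric or repeated max-age (browsers ignore the whole header in that case), and compares it with the 15552000-second (180-day) threshold that sahsanu cites for A+. Only sh, sed, tr and grep are assumed.

```shell
#!/bin/sh
# Added example: grade a Strict-Transport-Security header value against the
# 180-day max-age threshold named above. Not code from the thread.

# hsts_directives <header-value>: one lowercased, trimmed directive per line.
hsts_directives() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sed '/^$/d'
}

# hsts_max_age <header-value>: print max-age in seconds. Prints nothing and
# fails when max-age is missing, non-numeric or given more than once, because
# a browser then discards the whole header (RFC 6797, sections 6.1 and 8.1).
hsts_max_age() {
    age=$(hsts_directives "$1" \
        | sed -n 's/^max-age="\{0,1\}\([0-9][0-9]*\)"\{0,1\}$/\1/p')
    count=$(hsts_directives "$1" | grep -c '^max-age' || true)
    [ "$count" -eq 1 ] && [ -n "$age" ] || return 1
    printf '%s\n' "$age"
}

# hsts_has <header-value> <directive>: succeed if a flag directive
# (includeSubDomains, preload) is present; case-insensitive.
hsts_has() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    hsts_directives "$1" | grep -qxF "$want"
}

# hsts_verdict <header-value>: prints "invalid", "a-plus <days>" when max-age
# reaches the 180-day bar, or "short <days>" when it is valid but too short.
hsts_verdict() {
    age=$(hsts_max_age "$1") || { echo invalid; return 0; }
    days=$((age / 86400))
    if [ "$age" -ge 15552000 ]; then
        echo "a-plus $days"
    else
        echo "short $days"
    fi
}

# The two header values posted in this thread.
hsts_verdict 'max-age=17280000'
hsts_verdict 'max-age=10886400; includeSubDomains; preload'
```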

Hi, I am also a Bluehost user and am attempting to set up SSL on my site. How did you get the public key? I cannot find it in cPanel and it gives me an error via SSH.

OpenSSL> rsa -in account.key -pubout
Error opening Private Key account.key
140100725749576:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('account.key','r')
140100725749576:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load Private Key
error in rsa

Any help would be much appreciated…

Update:
I reached out to BlueHost and they said that they do not provide a Public key, but https://gethttpsforfree.com/ does now allow you to proceed with only a Certificate Signing Request. How did you bypass this?

Hi @lankanmon, I replied to this in the other thread that you created just now.

In case anyone needs to know how to get the subject public key from a CSR, you can do it by running

openssl req -in mycsr.pem -pubkey -noout

However, as I explain in the other thread, the public key that you're looking for on the gethttpsforfree site is not the subject public key; it's a different public key that you generate yourself on your own computer as part of the process of making a keypair to use as the Let's Encrypt account key. So, don't use this command with the gethttpsforfree site in particular, because it won't give you what you're looking for there!

Thank you for clarifying that. I have replied to the other thread as well…

You have to log into the server. You can use PuTTY for that. Once you are connected with PuTTY (use your Bluehost login credentials / the login you use to access your cPanel), run
openssl genrsa 4096 > account.key
Rename account.key to whateveryoulike.key. Then to get the public key use
openssl rsa -in account.key -pubout
This will show you the output you need to copy & paste into the first box at https://gethttpsforfree.com/

EDIT:
The next thing should be to try and get automatic renewal working, although I think it’s not possible because of the way we have to use it on Bluehost. We are stuck with manual renewal.

Thanks for that. I ended up using another linux install because I kept getting an error on mine. It is all fine now.
Let me know if you find a solution for getting it to auto renew.

Thanks for the tip on https://gethttpsforfree.com/ ! I was using it to generate my certs, but when I get to the point of proving ownership with the file on the site I keep getting:

Error: Domain challenge failed. Please start back at Step 1. 405 Not Allowed

405 Not Allowed

every time. I've gone through the steps again but it happens every time.

Anyone have any idea what the deal with this is?

Hi there. I just went through a week of trying to put our free Let’s Encrypt certificate on our Bluehost account and I want to share my experience.

I learned that our particular Bluehost account server is running CentOS 6. Since we are paying for a dedicated IP we have SSH access, but not root (admin) privileges. Bluehost uses cPanel, and cPanel is currently in an experimental phase of providing Let’s Encrypt SSL certificates. I found this link, but couldn’t implement the steps, because it requires root (admin) privileges: https://forums.cpanel.net/threads/how-to-installing-ssl-from-lets-encrypt.513621/

Next, I found that https://letsencrypt.org/docs/client-options/ mentioned https://gethttpsforfree.com as a non-SSH way to generate a Let’s Encrypt SSL certificate. I went through the steps and successfully generated a Let’s Encrypt SSL certificate, and later learned that it mimics the same steps as the command-line certbot tool. However, I made a grave mistake, which cost me several days to fix: I generated a 4096 byte private key: Bluehost seems to work only with 2048 byte private keys! All the websites I visited to learn about SSL certificates pointed out that they recommend a 2048 byte key, but I thought I might as well go for a key that is twice as secure - and totally useless! When I called Bluehost tech support and told them I was ready to install my shiny Let’s Encrypt SSL certificate generated with a 4096 byte private key, they told me: “Your private key doesn’t match your certificate.” What? How could that possibly happen? I believe I actually confused the account key with the private key. I later found on https://www.sslshopper.com/certificate-key-matcher.html that the MD5 hash from the private key, the Certificate Signing Request and the certificate itself has to match. Once you successfully generate an SSL certificate, you can run the following commands to check whether the components’ MD5 hashes match. For example, when I run these commands, this is what I get:

$ openssl x509 -noout -modulus -in cert.pem | openssl md5
(stdin)= 16f96a4606acd0ac4ff094497a61ea62

$ openssl x509 -noout -modulus -in fullchain.pem | openssl md5
(stdin)= 16f96a4606acd0ac4ff094497a61ea62

$ openssl rsa -noout -modulus -in privkey.pem | openssl md5
(stdin)= 16f96a4606acd0ac4ff094497a61ea62

$ openssl req -noout -modulus -in bluehost_csr.asc | openssl md5
(stdin)= 16f96a4606acd0ac4ff094497a61ea62

However, the 4096 byte account key and the subsequent certificate I generated produced MD5 hashes which didn’t match. The only option I had was to revoke the certificate generated with the 4096 byte private key, because I didn’t have the private key, only the account key. I used a computer with Ubuntu 16.04 LTS (Xenial), installed certbot on it using the steps outlined on https://certbot.eff.org/#ubuntuxenial-other and revoked the certificate using the following command:

$ sudo letsencrypt revoke -d mydomain.com -d www.mydomain.com --cert-path signed.cert --key-path account.key

Next, I checked the status of my old certificate using https://certificate.revocationcheck.com - it took one day for my old certificate to become revoked. I had shot myself in the foot with the 4096 byte private key.

Great. So, how to do it right? Here are the steps that worked for me:

  1. Use a Linux machine where you have root (admin) privileges and install certbot. In my case, I had an Ubuntu 16.04 LTS (Xenial) machine and ran the following commands:
    $ sudo apt-get install letsencrypt

  2. Generate a Let’s Encrypt SSL certificate with the default 2048 byte private key. Since we are generating the certificate on one machine and will be using it on another, we cannot use the automatic web server (for example Apache) configuration that certbot offers; instead we will have to use the manual option, since we will manually configure our web server. Actually, Bluehost tech support will configure the web server for us. Also, it’s always a good idea to test whether you will successfully generate the certificate by doing a dry run, like so:
    $ sudo letsencrypt --dry-run --manual certonly

  3. Next, certbot will ask you: “Please enter in your domain name(s) (comma and/or space separated)”. Enter something similar to this: mydomain.com,www.mydomain.com and select OK using the down arrow button and press Enter.

  4. Next, certbot will ask you: “NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you’re running letsencrypt in manual mode on a machine that is not your server, please ensure you’re okay with that. Are you OK with your IP being logged?” Select Yes and press Enter.

  5. Next, certbot will say something similar to this: "Make sure your web server displays the following content at http://mydomain.com/.well-known/acme-challenge/mQrV3E4d5vIUrrmhs41ppa8drh66F409ZvE6QtAadJk"
    mQrV3E4d5vIUrrmhs41ppa8drh66F409ZvE6QtAadJk.FblC_wtJqZv9yb8fLvTD4p8z1ilpeBUZ0E-ligwgsR8
    Now you have to switch from your Linux machine to your Bluehost file system. Don’t touch anything on your Linux machine; you must first generate the random web page requested by certbot before pressing Enter on the Linux machine. Use SFTP or SSH to access your Bluehost account file system and go to the directory where the particular web site is hosted. In my case it was something like this: /home3/username/public_html/mydomain
    Here you have to create the directory .well-known and please make sure it begins with a period, because that’s very important. Go inside .well-known and here create the directory acme-challenge. Go inside acme-challenge and create a file with the filename as per certbot, in my case the filename was mQrV3E4d5vIUrrmhs41ppa8drh66F409ZvE6QtAadJk and next open the file and enter the one line as per certbot, which in my case was mQrV3E4d5vIUrrmhs41ppa8drh66F409ZvE6QtAadJk.FblC_wtJqZv9yb8fLvTD4p8z1ilpeBUZ0E-ligwgsR8
    Now open up your browser and make sure you can go to the web page as per certbot, which in my case was http://mydomain.com/.well-known/acme-challenge/mQrV3E4d5vIUrrmhs41ppa8drh66F409ZvE6QtAadJk
    If that worked, switch to your Linux machine where certbot is waiting for you to create the web page to prove ownership of the domain and hosting, before it generates a certificate for you. You are now ready to press Enter to continue. Note that certbot will ask you to generate a random web page for each domain you enter; since I entered mydomain.com and www.mydomain.com it asked me to generate two random web pages.
    If certbot could access your newly created web page(s), it will say that the dry-run was successful and you can now successfully generate your Let’s Encrypt SSL certificate by repeating steps 2-5 without using the --dry-run switch on the command line, like so:
    $ sudo letsencrypt --manual certonly
    Your new certificate will reside at the /etc/letsencrypt/live/mydomain.com directory on your Linux machine. You can also check whether the components’ MD5 hashes match by using the commands at the beginning of my post.
    Otherwise, if certbot couldn’t access your newly created web page, it will report an error, and you have to repeat the process again from step 2.

  6. Copy the files in /etc/letsencrypt/live/mydomain.com from your Linux machine to your Bluehost account via SFTP or SSH - no root (admin) privileges needed, just remember the path where you copied these files, for example /home3/username/letsencrypt/live/mydomain.com. You should find the following files in /etc/letsencrypt/live/mydomain.com on your Linux machine: the generated private key privkey.pem, the certificate cert.pem and the CA bundle fullchain.pem.

  7. Also, upload the private key privkey.pem, the certificate cert.pem and the CA bundle fullchain.pem to your Bluehost account’s SSL/TLS Manager, and fill out the Certificate Signing Request using the uploaded Let’s Encrypt private key. First, the private key privkey.pem should be uploaded in the “Private Keys (KEY)” section of your Bluehost account’s SSL/TLS Manager web page; give it a meaningful name, such as “mydomain.com Let’s Encrypt private key generated on my Linux machine”. Second, go to the “Certificate Signing Requests (CSR)” section of your Bluehost account’s SSL/TLS Manager web page and generate a new Certificate Signing Request using the Let’s Encrypt private key you just uploaded, called “mydomain.com Let’s Encrypt private key generated on my Linux machine”. You only have to fill in the required fields on the Certificate Signing Request, but it is strongly recommended to enter an important email address. Press Generate and go back to the main SSL/TLS Manager web page. Third, the certificate cert.pem and the CA bundle fullchain.pem should be uploaded in the “Certificates (CRT)” section of your Bluehost account’s SSL/TLS Manager web page.

  8. Call Bluehost tech support and tell them you have generated a 3rd party SSL certificate and uploaded it to both your account’s file system at, let’s say, /home3/username/letsencrypt/live/mydomain.com and uploaded it to your account’s SSL/TLS Manager web page. They should be able to help you out.

Here’s a much easier way:
Go to https://zerossl.com click on Online Tools and click Start on the “FREE SSL Certificate Wizard” section. Now there are three major steps:

  1. Details: Enter your email in the Email field, enter the domain(s) in the Domains field (for example: mydomain.com,www.mydomain.com), check the “Accept ZeroSSL TOS” checkbox and the “Accept Let’s Encrypt SA (pdf)” checkbox, leave the radio button on the default option “HTTP verification” and click Next. Copy the generated CSR locally, for example, call it csr.txt, and click Next. Copy the account key locally, for example, call it accountkey.txt, and click Next.
  2. Verification: Create the directory path .well-known/acme-challenge/ on your Bluehost account as explained in step 5 in the above example, and create the file with filename as per the File field, and contents as per the Text field. You can click on the link in the File field to verify that you have successfully generated the random web page. Once you have verified that, click Next.
  3. Certificate: Write down your account ID generated by zerossl.com, as they provide a service to restore a lost account key. Download or copy your domain certificate, in this case a bundle of several certificates, by clicking the down arrow icon above the text in the top box; its filename is domain-crt.txt, equivalent to the fullchain.pem generated by certbot. Download or copy your domain key by clicking the down arrow icon above the text in the bottom box; its filename is domain-key.txt, equivalent to the privkey.pem generated by certbot. Note down the instructions on the Certificate page; they are very useful.

I hope this helps.

Best regards,
Denis

P.S.: Today I learned that SiteGround have a 1-CLICK procedure to get a Let’s Encrypt SSL certificate, because their cPanel has that option built-in!

Hi @denal05, thanks for writing up the steps you went through.

One thing I wanted to point out is that the openssl md5 commands you used are superfluous. You were told:

denal05 wrote:
> that the MD5 hash from the private key, the Certificate Signing Request and the certificate itself has to match

However, the entire modulus itself has to match (not just the MD5 checksum of the modulus). Therefore, if you leave off the | openssl md5 part and just look at the moduli themselves, they should also match, assuming all of these resources correctly refer to the same public key as expected.

I would also add that you should avoid using FTP to transfer private key material, because classic FTP is unencrypted and will expose your private key to your ISP and anyone else who’s in a position to tap the connection between you and Bluehost. The SSH methods (including scp and sftp) are relatively safer.

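
An added example (not code from the thread, Bluehost or cPanel) that covers both sahsanu's Apache chain configuration earlier in the thread and the key/CSR/certificate modulus check discussed in the last two posts: it builds a throwaway CA as a stand-in for the Let's Encrypt intermediate, compares the whole moduli of key, CSR and certificate (and shows an unrelated key failing, the "private key doesn't match" case), and assembles the domain+intermediate file that SSLCertificateFile expects on Apache 2.4.8 and later. It assumes only the openssl CLI; the CA name, host name and every file are constructed in a temp directory.

```shell
#!/bin/sh
# Added example, not from the thread. A demo CA plays the Let's Encrypt
# intermediate; domain.key/domain.csr/domain.crt are what cPanel's SSL/TLS
# Manager would hold. On Apache 2.2 / 2.4 before 2.4.8 you would point
# SSLCertificateChainFile at intermediate.crt instead of concatenating.
WORK=$(mktemp -d) || exit 1
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Constructed demo PKI: issuer, server key + CSR, cert signed by the issuer.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Intermediate CA" \
    -keyout intermediate.key -out intermediate.crt >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout domain.key -out domain.csr >/dev/null 2>&1
openssl x509 -req -in domain.csr -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -days 2 -out domain.crt >/dev/null 2>&1
openssl genrsa -out wrong.key 2048 >/dev/null 2>&1   # unrelated key for the mismatch case

# modulus <key|csr|cert> <file>: print "Modulus=<hex>" for that object,
# i.e. the posted commands without the "| openssl md5" step.
modulus() {
    case "$1" in
        key)  openssl rsa  -noout -modulus -in "$2" 2>/dev/null ;;
        csr)  openssl req  -noout -modulus -in "$2" 2>/dev/null ;;
        cert) openssl x509 -noout -modulus -in "$2" 2>/dev/null ;;
        *)    return 1 ;;
    esac
}

# keys_match <key> <csr> <cert>: succeed only if all three carry one modulus.
keys_match() {
    k=$(modulus key "$1"); c=$(modulus csr "$2"); x=$(modulus cert "$3")
    [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

# build_fullchain <leaf> <intermediate> <out>: server cert first, issuer after
# it, which is the order a concatenated SSLCertificateFile needs.
build_fullchain() {
    cat "$1" "$2" > "$3"
}

# chain_ok <fullchain> <trust-anchor>: the first cert in the file must be the
# server cert (Apache serves the first one as the leaf) and it must verify
# against the anchor, with the rest of the file offered as untrusted chain.
chain_ok() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null | grep -q 'www.example.test' || return 1
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

keys_match domain.key domain.csr domain.crt && echo "domain.key, domain.csr and domain.crt share one modulus"
keys_match wrong.key domain.csr domain.crt || echo "wrong.key does not match domain.crt (the 'key doesn't match' case)"
build_fullchain domain.crt intermediate.crt fullchain.crt
chain_ok fullchain.crt intermediate.crt && echo "fullchain.crt verifies with the server cert first"
```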