Shared hosting: Use Let's Encrypt without SSH access


#1

This topic is a mix of some other topics (see “related” at the bottom) and I just want to create a new topic, because this is something which may be a big question asked by many people.
So let’s imagine a scenario:

  • Your website is hosted by a share-hoster.
  • You only have FTP(S) access to your webspace.
  • You can receive mails sent to your domain name.
  • You can execute CGI/Python scripts in your webspace (often only under a special path like /cgi-bin)
  • At a special website of the share-hoster you can input your certificate credentials, which will be applied to your site.

You have no:

  • SSH or any other console access
  • direct access to the configuration files of your webserver

The last requirement is necessary, because otherwise you have of course no chance to use your own certificate. But in this example certificates from StartSSL (StartCom) are currently possible, because StartSSL only requires mail validation.
However LE does it another way and there are already a few different authentication methods available. But most of them require SSH access as you have to execute the LE client and let it configure your webserver. Obviously, because of the restrictions listed above this is not possible.

So what way would be possible to get a LE certificate (manually)? After you got it you can just copy & paste it into the web interface of your hosting provider.

(Possibly) related topics: Shared hosting?, Raspberry Pi compatibility, Web-based issuance

The following-up question of this would be Can you use the automatic (cron) certificate update while using manual mode first time?.


#2

So one way:

  • change your dns entry and temporarily redirect your traffic to a server where you have SSH access

This would of course be possible in some cases but is not really a solution for the problem - it’s more a kind of workaround.


#3

I think I read this right; so all we would need to do is copy-paste the hashes into our SSL Installer through cPanel?


#4

If you somehow got a LE certificate (with a method I’m trying to find out in this thread) you can copy and paste the whole certificate (not only the file hashes) in your web interface for managing this.
Just note that there is a separate thread tracking direct cPanel integration:

Because one thing is still missing in this approach: You have to renew the certs, so either you have to do this step every 90 days or you can automate it e.g. by using another method.


#5

Just to confirm (if you found out) temporarily changing your DNS to another server and copy-pasting the certificate will work?


#6

You don’t need to touch your DNS… Simply install LE on your local machine, and use the manual mode to generate the required verification data locally, and then copy it onto your web server. LE can then authenticate those files, and it will generate your certificate. Then manually install it. Easy :smile:

No need to touch DNS or anything else like that.


#7

Hi valorin, I tried the following command:

    ./letsencrypt-auto --manual --agree-dev-preview -d miapike.me -d www.miapike.me -d mpike.me -d www.mpike.me --server <production-url> auth

And got the following error:

    Failed authorization procedure. www.mpike.me (dvsni): unauthorized :: The client lacks sufficient authorization :: Correct zName not found for TLS SNI challenge, miapike.me (simpleHttp): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://miapike.me/.well-known/acme-challenge/dDXC1Sd48FemfgGHEh8mSfG2mygdOvor03uqXhWsqWg [104.28.21.181]: 404, mpike.me (simpleHttp): unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mpike.me/.well-known/acme-challenge/6atlFt6a99NpVPpItCqUSkI4QoYyU9B-KovqbteuVxg [198.91.83.64]: 404, www.miapike.me (dvsni): tls :: The server experienced a TLS error during DV :: Failed to connect to host for DVSNI challenge

IMPORTANT NOTES:
 - The following 'tls' errors were reported by the server:

   Domains: www.miapike.me
   Error: The server experienced a TLS error during DV

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain contains
   the right IP address. Additionally, please check that you have an
   up to date TLS configuration that allows the server to communicate
   with the Let's Encrypt client.
 - The following 'unauthorized' errors were reported by the server:

   Domains: miapike.me, mpike.me, www.mpike.me
   Error: The client lacks sufficient authorization

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain contains
   the right IP address.

Putting manual on the end (rather than auth) results in an unknown option. Any ideas?


#8

Correct command:

./letsencrypt-auto -a manual --agree-dev-preview -d example.org --server <production-url> auth

New problem:
I don’t know how to set the Content-Type header, and I get the following error despite the content being displayed at the address:

Self-verify of challenge failed, authorization abandoned.

Any idea on how to set that header type (the Content-Type header MUST be set to application/jose+json), keeping in mind it’s shared hosting?


#9

Well I got the application/jose+json to work:



However the authorization is still failing:


My .htaccess file contains:

(Selecting only files without an extension returned text/plain but * works and is only the acme-challenge folder)


Any help is greatly appreciated :innocent:


#10

Viewing the error log shows it fails to load the challenge because it receives a Forbidden error, despite the file being accessible in a web browser. I’ve made a post about it here


#11

Sorry, I can’t really help with that stuff - I had no idea it was so picky about content type! :frowning:
I use the webroot authentication method that creates the files manually in the right location.

Hopefully someone can help you! :smile:


#12

Well, I just did the stuff, and the instructions for manual say type as text/plain, and well, it worked nicely for me.


#13

Nice!

Did you install it via the cpanel interface?


#14

Well, I didn’t install the cert yet, but I got it on my raspi.
In short it went like this:

run ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly -a manual
push agree to an agreement, then enter the domains I need, and for each domain the following:

agree to the logging of the Client IP
make a text file url123 which is accessible at example.org/.well-known/acme-challenge/url123
with the content
textabc
and the header set to text/plain, which can be done using the following .htaccess code:

    <Files *>
    ForceType text/plain
    </Files>

After you have pasted the data at the URL specified and verified you can access it, you press enter for the verification and go on to the next domain (if any).

I don’t see any problems with manual auth, pretty straight-forward process.
For the certs themselves, I actually have access to the config of my “server”, my Windows PC to be exact, and I will try pushing the cert into it later. But the certs and keys are stored in /etc/letsencrypt/live/ - attention, you need root to access this.
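As an added example (not from this thread and not part of the Let's Encrypt client), a small Python pre-flight check for the manual step above: it fetches the challenge URL the way the CA's validator does (plain HTTP, no redirects) and reports the failure modes that came up in this thread, namely 404, Forbidden, a wrong Content-Type and content that does not match. The domain, token and content on the command line are the constructed example values from the post (example.org, url123, textabc); the script is hypothetical and assumes the validator fetches over plain HTTP on port 80.

```python
# Added pre-flight check for a manually placed http-01 challenge file (hypothetical helper).
import sys
import urllib.error
import urllib.request

CHALLENGE_DIR = "/.well-known/acme-challenge/"

def challenge_url(domain, token):
    """URL the validator fetches for the challenge (plain HTTP, port 80)."""
    return "http://" + domain + CHALLENGE_DIR + token

def evaluate_response(status, content_type, body, expected_body,
                      expected_type="text/plain"):
    """Problems with the served challenge file; an empty list means it looks right."""
    problems = []
    if status == 404:
        problems.append("404: nothing served at the challenge path (check .well-known and the file name)")
    elif status == 403:
        problems.append("403: Forbidden (hosting rules or .htaccess block the path)")
    elif 300 <= status < 400:
        problems.append("%d: redirect; the validator would fetch a different URL" % status)
    elif status != 200:
        problems.append("HTTP %d instead of 200" % status)
    media = (content_type or "").split(";")[0].strip().lower()  # drop charset parameter
    if media != expected_type:
        problems.append("Content-Type is %r, expected %s" % (content_type, expected_type))
    if body != expected_body:
        if body.strip() == expected_body.strip():  # editors often add a trailing newline
            problems.append("body differs only by surrounding whitespace or newline")
        else:
            problems.append("body does not match the challenge content")
    return problems

def fetch(url, timeout=10):
    """Fetch without following redirects; return (status, content_type, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError for 3xx instead of following
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as r:
            return r.status, r.headers.get("Content-Type"), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx responses land here
        return e.code, e.headers.get("Content-Type"), e.read().decode("utf-8", "replace")

if __name__ == "__main__":
    # Constructed example values from the post: python check.py example.org url123 textabc
    domain, token, content = sys.argv[1:4]
    url = challenge_url(domain, token)
    found = evaluate_response(*fetch(url), expected_body=content)
    print(url, "OK" if not found else "\n  ".join(["PROBLEMS:"] + found))
```

Pass expected_type="application/jose+json" to evaluate_response if your client version insists on that media type instead of text/plain.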