Will certs provided by Let’s Encrypt work on a shared web host? Can users with cPanel get a cert themselves or will the hosting company have to set it up?
Hi @carstorm,
There's another thread here where we're talking about cPanel compatibility, which was at
In general Let's Encrypt will often require some level of support from a shared hosting provider, and we hope to talk to many of the hosting providers to make sure that they take whatever steps are necessary to achieve that support. There may be some configurations in which hosting providers already allow users to deploy certs without the providers' intervention; in those configurations it may be possible for a shared hosting user to get a Let's Encrypt cert and install it manually.
It will almost always require the provider's assistance to allow the process to be automated on the provider's infrastructure (for example, installing the cert automatically or renewing the cert automatically).
Ok, thank you for the quick response. Among the hosting providers be sure to include hosting24.
I’m going to be going to some hosting industry events to try to drum up interest and contacts, but in general I think we need the hosting providers to contact us rather than the other way around. If anyone here is a customer or employee of a hosting provider that might be interested in Let’s Encrypt integration but hasn’t figured out what to do, please encourage the provider to get in touch with us!
Hi Schoen!
What’s the preferred point of contact for any hosting companies to reach out to Let’s Encrypt for integration?
–…Archer
I’m happy for people to contact me via my username here at eff.org. That’s one option. You can also post a request for contact on this support forum, or e-mail the general Let’s Encrypt inquiries e-mail address on the Let’s Encrypt web site.
I’m on shared hosting as well. I will totally reach out to my provider, share the http://letsencrypt.org link with them and ask them to contact you. But what exactly should I be asking for them to do? Thank you.
It depends on what you want from them; different people have different expectations of their hosting providers.
Some people would like to see the Let’s Encrypt client preinstalled in hosting provider OS images or installs, some people would like to see it integrate with different kinds of management UI, some people would like to see the hosting provider go out and automatically obtain the certificates for the users. I think a lot depends on the kind of hosting and the kind of service that the customers are receiving.
I reached out to several web hosts I, or clients, have websites on. Have you heard from a decent number of web hosts who plan to support letting their shared hosting customers make use of Let’s Encrypt?
Yes, there seems to be quite a bit of interest in that.
Hi,
I would be more than happy to provide free SSL certs at scale for Online.net shared hosting customers.
How can we work toward that goal?
Please include Dreamhost too!!!
I’m wondering if this will work when the website is on a shared hosting provider with multiple domains pointing to the same IP address? Or will I need a private IP address? Either way, if it can work, I’ll start bugging them, trying to get them to contact you.
I don’t have access to the server environment nor any root access. So I couldn’t run the client script. I have access to the web site (of course), so I can put files there, but that’s about it.
Is there a page that describes the prerequisites for this to work for a given web site?
Hi @lew, you don’t need an individual IP address because of Subject Alternative Names (SAN), which let a single certificate be valid for many different domains, and likely also because of Server Name Indication (SNI), which lets a client indicate which domain name it’s trying to connect to when beginning the TLS session. Each of these has some limitations: there’s a maximum number of SAN names per certificate, SANs reveal in an obvious way exactly which sites may be hosted on the same server, and SNI isn’t supported by some old client software.
If you don’t have access to the server environment, the hosting provider would need to complete the domain validation process on your behalf. We are trying to make it practical for all hosting providers to make use of our services, so the answer for whether we can work with a given provider should in principle almost always be yes, but they may need to do some engineering work to integrate with us.
Saw this fly by on Twitter from DreamHost:
Hello,
We, at PulseHeberg.com, are also interested in making free Let's Encrypt SSL certificates available to our shared hosting customers.
I'm also interested in discussing any integration of Let's Encrypt with an LE staff member.
If I correctly understood your point, you're saying that a single certificate can be used by multiple domains on a single host. But what about different domains, each one having a different LE SSL certificate on a single host (with a single IP address)? Is it possible with Let's Encrypt, or does it require a private IP address for each domain?
Best regards,
Thomas Cardonne.
That sounds like it should be easier, not harder, to do.
Though to save on the storage space, you may want to consider using multi-domain certificates for your lower-paying customers.
Thanks for the explanations. I did some reading. It seems to me that SANs are not relevant in my context as the list of hosts on the IP address is constantly changing (as sites get added and removed). And it feels strange to have one certificate for a bunch of unrelated sites.
But SNI seems to be what I am looking for. I’ll see what my current web hosting provider has to say… The provider’s web server needs to support SNI and they need to have something in place to install your certificates.
Also interested in this (as a hosting provider). The goal here would be to provide certificates for all customer web pages BUT also for all services like smtp, imap, pop3, ftp and sql subdomains (the thread about non-web usage is here: "Use on non-web servers?").
Validation via DNS would be easiest to implement (but Let’s Encrypt won’t support it initially), so the other solution is to globally DNAT (at the edge of our network) all traffic coming from Let’s Encrypt IP addresses to our single server that would provide all required files/data on port 80. That should be easy to implement and wouldn’t disrupt normal customer usage, wouldn’t require putting any files into customer web files folders etc. Not sure if this will work though… need to read ACME docs first.
@arek, it’s not clear in the long run that Let’s Encrypt validation IP address will be disclosed (or constant over time), because the CA might use probing from randomized or gradually changing locations to decrease the chance that an attacker who controls a portion of the Internet can trick the validation. I think your IP-address-related method could work right now but wouldn’t be guaranteed to work in the future.