I’m happy for people to contact me via my username here at eff.org. That’s one option. You can also post a request for contact on this support forum, or e-mail the general Let’s Encrypt inquiries e-mail address on the Let’s Encrypt web site.
I’m on shared hosting as well. I will totally reach out to my provider, share the http://letsencrypt.org link with them and ask them to contact you. But what exactly should I be asking for them to do? Thank you.
It depends on what you want from them; different people have different expectations of their hosting providers.
Some people would like to see the Let’s Encrypt client preinstalled in hosting provider OS images or installs, some people would like to see it integrate with different kinds of management UI, some people would like to see the hosting provider go out and automatically obtain the certificates for the users. I think a lot depends on the kind of hosting and the kind of service that the customers are receiving.
I reached out to several web hosts I, or clients, have websites on. Have you heard from a decent number of web hosts who plan to support letting their shared hosting customers make use of Let’s Encrypt?
Yes, there seems to be quite a bit of interest in that.
I would be more than happy to provide free SSL certs at scale for Online.net shared hosting customers.
How can we work toward that goal?
Please include Dreamhost too!!!
I’m wondering if this will work when the website is on a shared hosting provider with multiple domains pointing to the same IP address? Or will I need a private IP address? Either way, if it can work, I’ll start bugging them, trying to get them to contact you.
I don’t have access to the server environment nor any root access. So I couldn’t run the client script. I have access to the web site (of course), so I can put files there, but that’s about it.
Is there a page that describes the prerequisites for this to work for a given web site?
Hi @lew, you don’t need an individual IP address because of Subject Alternative Names (SAN), which let a single certificate be valid for many different domains, and likely also because of Server Name Indication (SNI), which lets a client indicate which domain name it’s trying to connect to when beginning the TLS session. Each of these has some limitations: there’s a maximum number of SAN names per certificate, SANs reveal in an obvious way exactly which sites may be hosted on the same server, and SNI isn’t supported by some old client software.
If you don’t have access to the server environment, the hosting provider would need to complete the domain validation process on your behalf. We are trying to make it practical for all hosting providers to make use of our services, so the answer for whether we can work with a given provider should in principle almost always be yes, but they may need to do some engineering work to integrate with us.
Saw this fly by on Twitter from DreamHost:
We, at PulseHeberg.com, are also interested in making free Let’s Encrypt SSL certificates available to our shared hosting customers.
I’m also interested in discussing any integration of Let’s Encrypt with an LE staff member.
If I correctly understood your point, you’re saying that a single certificate can be used by multiple domains on a single host. But what about different domains, each one having a different LE SSL certificate on a single host (with a single IP address)? Is this possible with Let’s Encrypt, or does it require a private IP address for each domain?
That sounds like it should be easier, not harder, to do.
Though to save on the storage space, you may want to consider using multi-domain certificates for your lower-paying customers.
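As an added illustration of the "one IP, one certificate per domain" setup asked about above (example configuration written for this page, not from any poster or from Let’s Encrypt): two name-based TLS virtual hosts in Apache httpd 2.4, each presenting its own certificate, selected by the SNI name the client sends. Domain names and file paths are placeholders.

```apache
# Added example, not from the thread: two customer sites on one IP address,
# each with its own certificate, told apart by SNI.
# Hostnames and certificate paths below are placeholders.
Listen 443

# The first *:443 virtual host is also what a client that sends no SNI
# receives, so its certificate is the one such clients will see and reject
# with a name mismatch for any other site.
<VirtualHost *:443>
    ServerName one.example
    DocumentRoot /var/www/one.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/one.example/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/one.example/privkey.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName two.example
    DocumentRoot /var/www/two.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/two.example/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/two.example/privkey.pem
</VirtualHost>

# Optional: refuse clients that do not send SNI instead of silently handing
# them the first site's certificate. Place in the first (default) *:443 vhost.
# SSLStrictSNIVHostCheck on
```

No extra IP address is needed: the server reads the hostname from the TLS ClientHello and picks the matching block before the certificate is sent. The one operational caveat is the fallback behaviour for clients without SNI (the "old client software" mentioned above), which is why the choice of first virtual host, or the strict check, matters.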
Thanks for the explanations. I did some reading. It seems to me that SANs are not relevant in my context as the list of hosts on the IP address is constantly changing (as sites get added and removed). And it feels strange to have one certificate for a bunch of unrelated sites.
But SNI seems to be what I am looking for. I’ll see what my current web hosting provider has to say… The provider’s web server needs to support SNI and they need to have something in place to install your certificates.
Also interested in this (as a hosting provider). The goal here would be to provide certificates for all customer web pages BUT also for all services like smtp, imap, pop3, ftp and sql subdomains (thread about non-web usage is here: Use on non-web servers?).
Validation via DNS would be easiest to implement (but letsencrypt won’t support it initially), so the other solution is to globally DNAT (at the edge of our network) all traffic coming from letsencrypt IP addresses to our single server that would provide all required files/data on port 80. That should be easy to implement and wouldn’t disrupt normal customer usage, wouldn’t require putting any files into customer web file folders, etc. Not sure if this will work though… need to read the ACME docs first.
@arek, it’s not clear in the long run that Let’s Encrypt’s validation IP addresses will be disclosed (or constant over time), because the CA might use probing from randomized or gradually changing locations to decrease the chance that an attacker who controls a portion of the Internet can trick the validation. I think your IP-address-related method could work right now but wouldn’t be guaranteed to work in the future.
Just a heads up that we have written a plugin for Let’s Encrypt for use by cPanel end users (https://letsencrypt-for-cpanel.com/).
Looking forward to seeing what the Dreamhost offering is - most control panels should have fairly simple integrations, having implemented this now.
The only complication seems to be sites that inadvertently block off access to the “.well-known” URL path, mostly through rewrite rules (blocking dotfiles such as .git). But, I think that over time, improved plugin UX can help the user deal with this problem in a pain-free way.
@arek the DNAT idea, I would dread having to deploy that, haha!
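The ".well-known" problem described above, shown concretely as an added example (written for this page, not taken from the cPanel plugin or any poster): a typical .htaccess rule that hides dotfiles, which also swallows the ACME HTTP challenge path, beside the ordering that lets the challenge through. The challenge path is the standard ACME location; everything else is a constructed site document root.

```apache
# Added example, not from the thread or the plugin.
# Goes in the .htaccess at the site's document root (AllowOverride FileInfo).

RewriteEngine On

# Problem (left commented out so it does not fire): a rule meant to hide
# .git, .env and similar dotfiles. The pattern matches a dot at the start of
# the path or after any slash, so /.well-known/acme-challenge/<token> is also
# answered with 403 Forbidden and the CA's validation request fails.
#
#   RewriteRule "(^|/)\." - [F]

# Fix: terminate rewriting for the challenge directory before the dotfile
# rule is evaluated, then keep blocking every other dotfile as before.
RewriteRule "^\.well-known/acme-challenge/" - [L]
RewriteRule "(^|/)\." - [F]
```

Only the order changed: the [L] rule stops processing for the challenge prefix, so the [F] rule below it still denies .git, .htpasswd and the rest. The same effect can be had with a RewriteCond on %{REQUEST_URI} excluding /.well-known/acme-challenge/ in front of the blocking rule. A quick check before requesting a certificate is to fetch a non-existent token under that path over plain HTTP and confirm the server answers 404 rather than 403; a 403 means some rule higher up (this .htaccess, a parent directory's, or the vhost itself) is still in the way.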
Does that cPanel plugin work on any host? I’ve got multiple domains on a shared server running Apache. I have SSH access.
Only if the host is using cPanel; if it’s using Plesk, ISPConfig or another control panel then you will need the appropriate plugin.
@carstorm Yes, it works! Here is a tutorial for OS X and a shared host (non-root SSH access). All you need is the option to upload SSL certs in your administration panel at your host. Actually you don’t even need SSH access. You could do the domain verification via FTP too.
Looks like my webhost hasn’t updated cPanel. Still on 11.48.4.