Saw this fly by on Twitter from DreamHost:
We, at PulseHeberg.com, are also interested in making free Let’s Encrypt SSL certificates available to our shared hosting customers.
I’m also interested in discussing any integration of Let’s Encrypt with an LE staff member.
If I correctly understood your point, you’re saying that a single certificate can be used by multiple domains on a single host. But what about different domains, each one having a different LE SSL certificate on a single host (with a single IP address)? Is it possible with Let’s Encrypt, or does it require a private IP address for each domain?
That sounds like it should be easier, not harder, to do.
Though to save on the storage space, you may want to consider using multi-domain certificates for your lower-paying customers.
Thanks for the explanations. I did some reading. It seems to me that SANs are not relevant in my context as the list of hosts on the IP address is constantly changing (as sites get added and removed). And it feels strange to have one certificate for a bunch of unrelated sites.
But SNI seems to be what I am looking for. I’ll see what my current web hosting provider has to say… The provider’s web server needs to support SNI and they need to have something in place to install your certificates.
Also interested in this (as a hosting provider). The goal here would be to provide certificates for all customer web pages BUT also for all services like SMTP, IMAP, POP3, FTP and SQL subdomains (the thread about non-web usage is here: “Use on non-web servers?”).
Validation via DNS would be easiest to implement (but Let’s Encrypt won’t support it initially), so the other solution is to globally DNAT (at the edge of our network) all traffic coming from Let’s Encrypt IP addresses to our single server that would provide all required files/data on port 80. That should be easy to implement and wouldn’t disrupt normal customer usage, wouldn’t require putting any files into customer web files folders etc. Not sure if this will work though… need to read ACME docs first.
@arek, it’s not clear in the long run that Let’s Encrypt validation IP address will be disclosed (or constant over time), because the CA might use probing from randomized or gradually changing locations to decrease the chance that an attacker who controls a portion of the Internet can trick the validation. I think your IP-address-related method could work right now but wouldn’t be guaranteed to work in the future.
Just a heads up that we have written a plugin for Let’s Encrypt for use by cPanel end users (https://letsencrypt-for-cpanel.com/).
Looking forward to seeing what the DreamHost offering is - most control panels should have fairly simple integrations, having implemented this now.
The only complication seems to be sites that inadvertently block off access to the “.well-known” URL path, mostly through rewrite rules (blocking dotfiles such as .git). But, I think that over time, improved plugin UX can help the user deal with this problem in a pain-free way.
@arek the DNAT idea, I would dread having to deploy that, haha!
Does that cPanel plugin work on any host? I’ve got multiple domains on a shared server running Apache. I have SSH access.
Only if the host is using cPanel; if it’s using Plesk, ISPConfig or another control panel, then you will need the appropriate plugin.
@carstorm Yes it works! Here is a tutorial for OS X and a shared host (non-root SSH access). All you need is the option to upload SSL certs in your administration panel at your host. Actually you don’t even need SSH access. You could do the domain verification via FTP too.
Looks like my webhost hasn’t updated cPanel. Still on 11.48.4.
I should ask Feralhosting. Will do when I get around to it, or if someone else can do this?
Please include Namecheap.
I don’t think that LE can do anything about the hosters. If Namecheap doesn’t or doesn’t want to do it then you are out of luck.
Note that there is an open GIT project for cPanel linking
Written by this guy~ Using Let's Encrypt with cPanel
Please include HostDime!
I work for a small hosting company that would like to allow Let’s Encrypt for all its customers. I’m happy to hear you may be able to help us understand how to make that possible. But, I’m not sure how to contact you other than by replying to your posts… I signed up to this forum today specifically to contact you. Any help would be greatly appreciated.
What is preventing you from using Let’s Encrypt at the moment?
Hey, it’s possible to install Let’s Encrypt on shared hosting (Hostinger) using an ACME client written in PHP and Composer. We tested and it works just fine: http://www.hostinger.com/tutorials/ssl/how-to-install-free-ssl-from-lets-encypt-on-shared-hosting
I know this is sort of a late reply and a bump, but I created a little PHP script to install on shared cPanel hosts.
Just upload and run; you may have to run it from SSH / bash.
ie: php shared-lets-encrypt.php
Eventually I plan on automating the installation with the cPanel API but for now this is what I have.
Hopefully this helps someone.
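The “.well-known” complication raised earlier in the thread (rewrite rules meant to hide dotfiles such as .git also denying the ACME challenge path) can be checked before requesting a certificate; the following is an added example, not code from any poster or from the plugins mentioned. It is a simplified model of per-directory mod_rewrite that only understands RewriteCond on %{REQUEST_URI} and deny/pass-through RewriteRule lines; the .htaccess samples and the token are constructed.

```python
import re

# Constructed request path; real tokens are issued by the CA per challenge.
CHALLENGE = "/.well-known/acme-challenge/constructed-token"
DENY = {"F", "FORBIDDEN", "G", "GONE"}

def _matches(pattern, subject):
    """mod_rewrite-style match: a leading '!' negates the regex."""
    negate = pattern.startswith("!")
    hit = re.search(pattern[1:] if negate else pattern, subject) is not None
    return hit != negate

def _cond_ok(test, pattern, uri):
    if test.upper() != "%{REQUEST_URI}":
        return True  # variable not modelled here: assume the condition holds
    return _matches(pattern, uri)

def blocking_rule(htaccess, uri=CHALLENGE):
    """Return the first RewriteRule that denies `uri`, or None if none does."""
    path = uri.lstrip("/")  # per-directory patterns see no leading slash
    conds = []
    for raw in htaccess.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()
        if name == "rewritecond" and len(parts) >= 3:
            conds.append((parts[1], parts[2].strip('"')))
        elif name == "rewriterule" and len(parts) >= 3:
            rule_conds, conds = conds, []  # conditions bind to this rule only
            flags = set(parts[3].strip("[]").upper().split(",")) if len(parts) > 3 else set()
            if not _matches(parts[1].strip('"'), path):
                continue
            if not all(_cond_ok(t, p, uri) for t, p in rule_conds):
                continue
            if flags & DENY:
                return raw.strip()
            if parts[2] == "-" and flags & {"L", "END"}:
                return None  # explicit pass-through: later rules never run
    return None

# Constructed .htaccess samples: the dotfile block, then the same with an exemption.
BLOCKED = r"""RewriteEngine On
RewriteRule (^|/)\. - [F]
"""
FIXED = r"""RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule (^|/)\. - [F]
"""
```

With the exemption in place the challenge path is served while other dotfile paths such as /.git/config stay denied.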