Tutorial for OS X local certificates and Shared Hosting

I’ve found a quick and rather easy way to generate Let’s Encrypt certificates on my local OS X machine and implementing them on my (non-root) shared hosting account.

This is what you need:

• Shared hosting account with the ability to upload manual SSL certificates
• SSH access to your hosting account (root access not required)

Begin with installing Let’s Encrypt via Terminal:

git clone https://github.com/letsencrypt/letsencrypt

after installation:

cd letsencrypt

Now you begin with creating the certificates locally by defining key size and the domains:

./letsencrypt-auto certonly -a manual --rsa-key-size 4096 -d yourdomain.com -d www.yourdomain.com

In the next stept Let’s Encrypt wants to verify, if you have really access to your domains. This looks like this:

Make sure your web server displays the following content at http://www.yourdomain.com/.well-known/acme-challenge/weoEFKS-aasksdSKCKEIFIXCNKSKQwa3d35ds30_sDKIS before continuing: weoEFKS-aasksdSKCKEIFIXCNKSKQwa3d35ds30_sDKIS.Rso39djaklj3sdlkjckxmsne3a Content-Type header MUST be set to text/plain.

Open a second Terminal window in order to log into your SSH account of your webhost and create the folders into the main directory of your domain:

mkdir -p .well-known/acme-challenge

cd .well-known/acme-challenge/

Create the file by copy and paste the parts of the Let’s Encrypt domain verification (verification code exemplary only - you need your output from the first Terminal window). This would look like this:

echo -n "weoEFKS-aasksdSKCKEIFIXCNKSKQwa3d35ds30_sDKIS.Rso39djaklj3sdlkjckxmsne3a" > weoEFKS-aasksdSKCKEIFIXCNKSKQwa3d35ds30_sDKIS

Switch to your other Terminal window to continue the verfication process with the Let’s Enrcypt client. If you defined the domain with “yourdomain.com” and “www.yourdomain.com” (you should), Let’s Encrypt will ask for a second verification. Just repeat the step above with the second verification code. Now you can close your SSH Terminal window with: exit

Get your certificates (.pem files):

sudo ls -la /etc/letsencrypt/live/www.yourdomain.com

Switch to OS X root mode:

sudo su Enter your admin password of your local account

Type:

cd /private/etc/letsencrypt/archive/www.yourdomain.com/

ls

There it is! Your certificates Now you can open then to copy/paste the content into the SSL configuration of your webhost!

CRT is cert1.pem
Private Key or PrivKey is privkey1.pem
CA is chain1.pem

Sources (all in German)

• https://netzklad.de/2015/12/lets-encrypt-im-shared-hosting/
• https://thomas-leister.de/internet/lets-encrypt-zertifikate-im-manual-mode-abholen/

after first step I get:
grep: /etc/os-release: No such file or directory

Running El Capitan.

Update: had to add --debug for it to start working.

Issue fixed via https://github.com/letsencrypt/letsencrypt/issues/1888

Thanks for the heads up! I’m glad it’s fixed now! I had Xcode preinstalled, so it didn’t happened to me.

OK, I did all the above on Mac OS 10.9, but when I tried to login to my web host to install the acme challenge, I can no longer connect with sftp, getting the error message: “EOF while reading packet. Please contact your web hosting service provider for assistance.” Now what do I do? I have lost access to me website

Is there a way to undo whatever the above did to my system?

If you are stuck at the acme-challenge, you didn’t even touched your hosting. It starts with creating the folders and files for the acme challenge.

What you did before that, was installing the letsencrypt client on your Mac.

Are you using CyberDuck as FTP client? If yes, try another FTP client. Seems like an client specific error to me.

Reference: https://forums.cpanel.net/threads/connecting-with-sftp.429342/

Right. I could not access my website via sftp (using my web hosts shared ssl) after getting to the point of the acme challenge. Then I accessed my website using plain ftp. I setup the acme challenge as instructed, but it then failed claiming that a Different challenge was not met. I tried this 3 times. Each time it wanted a different challenge then complained that a still different one (I had never seen before) was not met. At this point I have no sftp access to my site. I just want to undo everything and get as far away from this garbage as I can.

I still don’t get how this process could break your hosting service technically. Have you tried another FTP client to access your files?

If you want to get rid of letsencrypt, go ahead and delete the local (on your Mac) copy of letsencrypt and the folders on your webspace: .well-known/acme-challenge/ , once you’ve gained access again.

Great question! I tried another client and it fails as well, but both clients succeed with a different hosting account I have for a different website. I deleted the letsencrypt folder and .well-known (using ftp), but still sftp does not work. My guess is that something else outside that folder was changed on my Mac. I appreciate your help.

If your hosting doesn’t support SSH then you wont have sftp, you will have explicit ftp with ssl but in general ftps.

So first off stop trying sftp.

Second, there are 2 files that need to be present for the acme challenge, you cant rename the first one to the second one, both files need to exist on your hosting.

That is a helpful clarification abut 2 files being needed, but that is not what it says above. Using sftp with my web hosts shared ssl has worked for years until I followed the instructions above.

If all you changed was adding 2 files and a folder via whatever ftp method, and you HAVEN’T installed any certs via cpanel, then the issue is your hosting.

Let me clarify, it could be that your default SSL cert for your hosting on your computer was somehow overrided, which doesnt make sense, but a fix would be backup and rename your .ssh folder in your Mac home folder. This will all you to connect via sftp, and show the pop for confirmation that you want to allow access to this web host.

It’s a hidden file, so either enable hidden files or you could run a command via terminal to rename it

I renamed it via the terminal. Tried again…it was recreated…but it still fails.

Odd. I found this but doesnt help, just said changed a setting on the host fixed the issue: https://stackoverflow.com/questions/25677169/eof-while-reading-packet-connection-failed

Could you contact your support telling them EOF issue? It just doesn’t make any sense. I remember having this issue before myself on my vps, and I dont remember the fix.

I have asked my web host (arvixe)…I will see what they say. I am now remembering that the --debug mode I needed (per above) may have changed some permissions on my system…I just do not remember what it did since it scrolled by so fast.

This command fails for me on Yosemite. I have Xcode.
It says Failed building wheel for cffi
Command "/Users/me/.local/share/letsencrypt/bin/python2.7 -c "import setuptools........ failed with error code 1 in /private/var/folders/5r/77hy8f_14y1_c9vkzkj5k2i40000gn/T/pip-build-6UUdnc/cffi

It's possible that libffi is missing. It can be installed manually. But before you go ahead, ask the #letsencrypt IRC channel here: https://webchat.freenode.net

Yep. Doing “brew install libffi” fixed it. Now the curses based UI runs.
However shared hosting remains a problem.
I installed the files on the server that the curses UI says to, in .well-known/acme-challenge, but after that it crashes.
I’m analyzing the Javascript option now i.e. this: gethttpsforfree

Hi guys. I was able to generate the certificate for my domain using this tutorial. However, when importing it to my hosting provider (mediatemple), it says, “Error: the key is invalid.”

I copy/pasted the key as-is from privkey1.pem

I even recreated the certificate to get a new key, cert, and chain, but I’m still getting the invalid key error when trying to import the certificate. What am I doing wrong? Please help!

are you doing a file import ? or pasting it into the hosts control panel ?

is pasting make sure you include the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines, but no additional blank lines ( although I have seen one control panel that needed a single blank line at the end )