Using Let's Encrypt on 3rd Party Hosting Service


#1

Hi, I have a few queries. I am using a 3rd party hosting service and I don’t have root access to it. I am planning to generate the certificate and key file on my local system and will be sharing the same with my hosting provider so that they can implement the same.

  1. Is it possible to generate the file locally and use it on my server?
  2. It says that the certificate expires after 90 days and I need to run the letsencrypt-auto file again. Do I need to update the certificate and key file again on the server, or will the same file that was configured before work?
  3. Is there any way that the certificate will be auto-renewed (without using cron)?

#2

Not knowing the details of your “3rd party hosting system” it’s difficult to give a definitive answer here.

  1. You can certainly generate the private key and CSR locally. At some point in the process you need to provide proof of ownership of the domain, and if using HTTP for proof you will need to upload a file to a specific location on the server. If you are using DNS as proof of ownership, you can do it all remotely.

  2. You will need to upload the new certificate to the server every 90 days (or have a script do it for you automatically). Depending on whether you have access to automate this task, it can be trivial or something that is a hassle every 80 days or so.

  3. You need some way of having a task / script run. Typically this would be via a cron, but you can use whatever method you like for re-running the script.


#3

Thanks, that answered all my questions.

Just a quick confirmation on the command

  • For generating the cert and key file for the first time:
    ./letsencrypt-auto

  • For renewing (using cron)
    ./letsencrypt-auto certonly --email me@domain.com --agree-tos --webroot --renew-by-default -d www.domain.com

Additionally, how do I check when my cert is going to expire?


#4

Do you have root access on your 3rd party hosting service? And does this have some sort of control panel which manages the apache / nginx configuration?

If it’s a standard server running apache and you have root access (i.e. permission to modify the apache/nginx configuration), then yes, you can run letsencrypt-auto. If it has, say, a control panel such as cpanel, plesk or ispconfig, then you can’t just run that command (hence why I said it’s difficult to give a definitive answer without that info).

For checking when your certificate expires: if you use linux, I use a script (checkssl), but you could just manually check the certificate in your browser (click on the lock, and go to certificate information).


#5

--webroot mode is unlikely to work on shared hosting unless you somehow managed to mount the webroot of your site on the system where you’re running the client. You’re probably looking for manual mode. You won’t be able to automate certificate issuance or renewal on a shared hosting plan unless they offer a way to programmatically deploy new certificates (via some kind of API).

Certificates issued by Let’s Encrypt always expire after 3 months. Once you have deployed your certificates, this information is visible if you click on the lock icon in your browser and look at the certificate (“Certificate Information” in Chrome, “More Information” > “View Certificate” in Firefox).

You might also want to look into Web Hosts that support Let’s Encrypt. Web Hosts are generally in a position to manage and automate certificate management for you, and some have already done that.
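
Added example, not from any poster or from the Let’s Encrypt client: the local key and CSR generation described in #2 and the expiry check asked about in #3, done with the openssl command line. The domain example.test, the file names and the self-signed 90-day certificate standing in for an issued one are constructed for illustration.

```shell
#!/bin/sh
# Added example. example.test and all file names are placeholders.
set -eu

# Create a private key (mode 600) and a CSR for domain $1 in directory $2.
# The CSR carries only the public key, so it is the only file that has to
# be submitted for signing.
make_key_and_csr() {
    ( umask 077; openssl genrsa -out "$2/$1.key" 2048 2>/dev/null )
    openssl req -new -key "$2/$1.key" -subj "/CN=$1" -out "$2/$1.csr"
}

# Succeeds if the public key in file $2 ($1 = req for a CSR, x509 for a
# certificate) belongs to private key $3. Run before uploading a pair.
matches_key() {
    [ "$(openssl "$1" -in "$2" -noout -pubkey)" = \
      "$(openssl pkey -in "$3" -pubout)" ]
}

# Print the notAfter date of PEM certificate $1.
cert_expiry() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Succeeds if certificate $1 expires within $2 days.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend "$(($2 * 86400))" >/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_key_and_csr example.test "$dir"
    # Constructed stand-in for the issued certificate: self-signed, 90 days.
    openssl req -x509 -key "$dir/example.test.key" -subj "/CN=example.test" \
        -days 90 -out "$dir/example.test.crt"
    matches_key req "$dir/example.test.csr" "$dir/example.test.key" &&
        echo "CSR matches key"
    echo "expires: $(cert_expiry "$dir/example.test.crt")"
    if expires_within_days "$dir/example.test.crt" 10; then
        echo "renew now"
    else
        echo "more than 10 days left"
    fi
    rm -rf "$dir"
}
demo
```

On a manual renewal schedule, running `expires_within_days` against the deployed certificate with a 10-day threshold corresponds to the "every 80 days or so" reminder mentioned in #2.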


#6

No, I don’t have root access to the server.
I am using Arvixe for hosting my website.
My website is on shared hosting.
I am using cpanel to manage my website.


#7

OK, with cpanel, there are a number of scripts coming out that integrate with cpanel - you would need to persuade your hosting provider to incorporate it though (I suspect given time cpanel themselves will incorporate it; they don’t yet though).

You can’t use the official LetsEncrypt client on cpanel sites.

You are probably best using a service like https://gethttpsforfree.com/ (which is a web based client for LetsEncrypt) and copying / pasting the certificate details between the two. If you go into cpanel, in the SSL section, you can generate the private key and CSR there, copy those into gethttpsforfree.com … and follow the instructions for getting a certificate. It’s a manual method that would need to be repeated every 80-90 days at the moment, until a client is integrated into cpanel.


#8

Hi,

For example, I bought a domain and simple hosting on OVH. I don’t have access to root, apache or other config stuff. I don’t have any SSL options in the default panel. I can buy SSL from OVH, but for some money.

Is it possible for me to use Let’s Encrypt in my case?


#9

It’s possible; however, you probably need to get your hosting provider to install the certificate for you - and they will probably charge for that, which defeats the point of getting a free cert.

There is a list of hosting companies which support Letsencrypt if you wanted to go down the route of moving to somewhere that does support it directly.


#10

Can I modify the cert and key output path?
The 3rd party hosting provider does not give access to the etc folder, but if we can somehow modify the output path to our public/www folder then I guess we can achieve something.


#11

The challenges (for HTTP) need to be completed via your web root (so your public_html/www folder … well, actually a .well-known/acme-challenge within there). You will still need to upload the resulting certificate manually into cpanel though (at the current time).


#12

I was talking about the letsencrypt-auto output files. Can we change the path of the files to a custom location?


#13

You can install a proxy that redirects all requests to your challenge server (i.e. the standard standalone client).
After that you can provide the key and certificate to your ISP.


#14

I was trying gethttpsforfree.com but I am having a problem with domain verification.

I tried setting up all the files with the content but when I visit the URL it’s showing a 403 forbidden error.

There was a step stating “Add the static folder to your webserver’s config (if you haven’t already)”. As I am using a 3rd party hosting provider, I don’t have access to edit the webserver’s config file. Is there any alternative to do this via a .htaccess file on an apache server?


#15

I think you want this post:


#16

Done. Thanks for everyone’s help.

Tips: Anyone hosting their website on Arvixe (shared hosting) can install the cert and key file from their cpanel. The cert and key can be obtained from gethttpsforfree.com.


#17

Yes, indeed it was a .htaccess problem.

I am using elgg and its htaccess file was blocking any file/folder starting with a dot (.).


#18

serverco speculates that hosting companies would charge money to install LE. This might happen at first, but after LE becomes accepted and standard it is very unlikely to happen anywhere. Hosting companies would compete by offering free certificates (supported by LE). Once this competition starts, it would become standard for hosting companies to install LE for any new customer. Market pressures almost always support progress.


#19

Several people mention CPanel. I feel certain that CPanel will decide to be an early adopter of LE, and may even write their own scripts. I think that CPanel is available by default on most hosting company accounts, so obviously LE itself (and perhaps CPanel) will create CPanel-compatible agents. I would be surprised if just a year from now CPanel doesn’t come with LE built in. I see nothing technical to interfere with the success of the LE vision of an entire World Wide Web made secure through LE-secured TLS.


#20

Use “lescript”, easy configuration and it will do everything for you using PHP curl. Your certs will be saved to your hosting directory. I use it and everything works as expected!