Let's Encrypt on shared hosting with cPanel

If you've stumbled upon this page, then you're probably trying to figure out how to install your own free SSL certificate from Let's Encrypt.

By now you might have discovered that your hosting provider doesn't give you root access, which is required by most of the easy methods of issuing and installing your certificate.

I had this problem too, but luckily I made notes!

Getting started

There are many ACME clients to choose from, but a lot of them require root access to the server or other commands (like sudo) that are not usually available if you are using shared hosting. I found acme.sh the easiest no-sudo client to use, so we will use it for this guide.

Firstly, head over to acme.sh and follow the installation steps, then pop back here to continue.

Issue a certificate

To issue a certificate you will need to type a command into your SSH console. Even if you are not using www in your website address, it doesn't hurt to include it in the certificate. The command I used looked a bit like this:

acme.sh --issue -d beeurd.uk -d www.beeurd.uk -w /home/username/public_html

If everything goes well, which may take a moment, you should get a result like this:

[Fri Jan 27 20:37:26 CET 2017] Multi domain='DNS:www.beeurd.uk'
[Fri Jan 27 20:37:26 CET 2017] Getting domain auth token for each domain
[Fri Jan 27 20:37:26 CET 2017] Getting webroot for domain='beeurd.uk'
[Fri Jan 27 20:37:26 CET 2017] _w='/home/username/beeurd.uk'
[Fri Jan 27 20:37:26 CET 2017] Getting new-authz for domain='beeurd.uk'
[Fri Jan 27 20:37:28 CET 2017] The new-authz request is ok.
[Fri Jan 27 20:37:28 CET 2017] Getting webroot for domain='www.beeurd.uk'
[Fri Jan 27 20:37:28 CET 2017] _w='/home/username/beeurd.uk'
[Fri Jan 27 20:37:28 CET 2017] Getting new-authz for domain='www.beeurd.uk'
[Fri Jan 27 20:37:29 CET 2017] The new-authz request is ok.
[Fri Jan 27 20:37:29 CET 2017] Verifying:beeurd.uk
[Fri Jan 27 20:37:32 CET 2017] Success
[Fri Jan 27 20:37:32 CET 2017] Verifying:www.beeurd.uk
[Fri Jan 27 20:37:35 CET 2017] Success
[Fri Jan 27 20:37:35 CET 2017] Verify finished, start to sign.
[Fri Jan 27 20:37:36 CET 2017] Cert success.
-----BEGIN CERTIFICATE-----
[there was a long block of text here which I have snipped out for security]
-----END CERTIFICATE-----
[Fri Jan 27 20:37:36 CET 2017] Your cert is in  /home/username/.acme.sh/beeurd.uk/beeurd.uk.cer
[Fri Jan 27 20:37:36 CET 2017] Your cert key is in  /home/username/.acme.sh/beeurd.uk/beeurd.uk.key
[Fri Jan 27 20:37:37 CET 2017] The intermediate CA cert is in  /home/username/.acme.sh/beeurd.uk/ca.cer
[Fri Jan 27 20:37:37 CET 2017] And the full chain certs is there:  /home/username/.acme.sh/beeurd.uk/fullchain.cer
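
Before pasting these files into cPanel, it is worth confirming that the key really belongs to the certificate, that both hostnames are covered, and that the key file is not readable by other accounts on the shared server. The script below is an added example, not part of the original notes or of acme.sh; the function name check_cert_pair, its exit codes and the file name check_cert.sh are made up for illustration, it assumes the openssl command is available in your SSH session, and it matches hostnames exactly (no wildcard handling).

```shell
#!/bin/sh
# Added example (not from acme.sh): check a cert/key pair before uploading it.
# Usage: check_cert_pair CERT KEY MIN_DAYS NAME [NAME...]
# Returns 0 if every check passes, otherwise a distinct code per failed check.
check_cert_pair() {
  cert=$1 key=$2 min_days=$3
  shift 3

  # 1. On shared hosting the key must be readable by your own account only.
  case $(ls -ld "$key" 2>/dev/null) in
    -r[w-]-------*) ;;
    *) echo "FAIL: $key is missing or readable by group/others (chmod 600)"; return 1 ;;
  esac

  # 2. Both files must parse, and must carry the same public key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
    { echo "FAIL: cannot read certificate $cert"; return 2; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
    { echo "FAIL: cannot read private key $key"; return 2; }
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: private key does not belong to this certificate"; return 3; }

  # 3. Every hostname passed with -d must appear as a DNS subjectAltName.
  sans=$(openssl x509 -in "$cert" -noout -text | tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -qxF "DNS:$name" ||
      { echo "FAIL: certificate does not cover $name"; return 4; }
  done

  # 4. -checkend exits non-zero if the cert expires within the given seconds.
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
    { echo "FAIL: certificate expires within $min_days days"; return 5; }

  echo "OK: key matches, names covered, valid for more than $min_days days"
}

# Run directly, e.g. with the paths from the output above:
#   sh check_cert.sh /home/username/.acme.sh/beeurd.uk/beeurd.uk.cer \
#      /home/username/.acme.sh/beeurd.uk/beeurd.uk.key 30 beeurd.uk www.beeurd.uk
if [ "$#" -ge 4 ]; then check_cert_pair "$@"; fi
```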

Troubleshooting

I might expand this section later, but if for some reason you got errors and it didn't work, then you're on your own at the moment, sorry. :(

There are some friendly folk over at Let's Encrypt Community Support that might be able to point you in the right direction, though.

Installing your Certificate

Save the Certificate

In your SSH window you should have seen the block of text between the lines marked BEGIN CERTIFICATE and END CERTIFICATE. This is your certificate; copy it including the beginning and ending lines and the dashes.

Then, in cPanel, navigate to: SSL/TLS > Certificates (CRT)

  1. Find the section "Upload a New Certificate"
  2. Paste your certificate in the box
  3. Click the "Save Certificate" button

Save the Private Key

In the cPanel File Manager, navigate to the "cert key" location shown in the output above (the "Your cert key is in" line) and copy the contents of this file.

Then, in cPanel, navigate to: SSL/TLS > Private Keys (KEY)

  1. Find the section "Upload a New Private Key"
  2. Paste your private key in the box
  3. Click the "Save" button

Install the Certificate

In cPanel, navigate to: SSL/TLS > Install and Manage SSL for your site (HTTPS)

In the section "Install an SSL Website"

  1. Select your domain from the drop-down list
  2. Press the "Autofill by Domain" button
  3. Click the "Install Certificate" button

Redirecting traffic to HTTPS

You can update your website scripts to use the https protocol instead of http. How you do this will depend on the script you're using, so if you are using a third-party script such as WordPress then you may need to refer to their support documentation.

You'll also want to make sure that when you visit your site it shows up as secure. If it doesn't then make sure the URL has been redirected to https. If it does show https but you are still not showing as secure then you may be getting "mixed content warnings".

Mixed Content basically means that some of the elements on your page (usually images) are still trying to load using http. The best way to resolve this is to update all the internal links to https, but this can be a nightmare if you have a large site.

A quick and dirty way is to add the lines below to your .htaccess file to automatically upgrade all http requests to https. This will break any external images that don't have an https equivalent, but you'll preserve your secure status.

<IfModule mod_headers.c>
  Header set Content-Security-Policy "upgrade-insecure-requests" env=HTTPS
</IfModule>
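
To see what that header will actually affect, the added example below (not from the original post) lists the hosts your pages load over plain http through src= attributes and CSS url() references: internal entries are the links to rewrite, external entries are the ones that break if the host has no https version. The function name, its arguments and the file name mixed_hosts.sh are assumptions for illustration, and it relies on GNU grep's -r, -o and --include options.

```shell
#!/bin/sh
# Added example: summarise subresources that are still requested over http://.
# Usage: http_subresource_hosts WEBROOT OWN_DOMAIN
# Prints "<internal|external> <host> <count>", one host per line.
http_subresource_hosts() {
  root=$1 own=$2
  # Stage 1: keep only src=... attributes and CSS url(...) values that start
  # with http://. Plain <a href> links are navigation, not mixed content, so
  # they are skipped.
  # Stage 2: isolate the URL, take the host part, count references per host.
  grep -rhoiE --include='*.html' --include='*.htm' --include='*.php' --include='*.css' \
    "(src=|url\()[\"' ]*http://[^\"') >]+" "$root" |
    grep -oiE "http://[^\"') >]+" | cut -d/ -f3 | sort | uniq -c |
    while read -r count host; do
      case $host in
        "$own" | *."$own") echo "internal $host $count" ;;
        *) echo "external $host $count" ;;
      esac
    done
}

# Run directly:  sh mixed_hosts.sh /home/username/public_html beeurd.uk
if [ "$#" -eq 2 ]; then http_subresource_hosts "$@"; fi
```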

Automatically renew your certificate

The certificate will expire in three months, but you can set up a cron job to renew it automatically. In cPanel navigate to the "Cron Jobs" section and add this:

0 0 * * * "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh" > /dev/null

Every day the cron will check if any of your certificates need renewing, and if they do, it'll renew them for you... sweet!