Deploying Let’s Encrypt SSL to a GoDaddy shared cPanel hosting account

[Updated 11/17 to reflect deprecation of Let’s Encrypt Mac OSX client.]

Thanks to Let’s Encrypt, free, reliable SSL certificates are now widely available. And while some hosting companies (like Dreamhost) have made the process of installing and renewing Let’s Encrypt certificates point-and-click simple, others <cough>GoDaddy</cough> aren’t quite so forward-thinking, so one has to get one’s hands dirty.

(In fairness, one can install the Let’s Encrypt client on a GoDaddy VPS or cloud server, if that’s what you have. If instead you have the ever-popular shared cPanel hosting, this post’s for you.)

Need to renew your Let’s Encrypt SSL?

Before you begin, you’ll need:

Generating the certificate

  1. Initiate certbot:
    sudo certbot certonly --manual
  2. Enter the root password when prompted.
  3. Enter the domain(s) when prompted:
    Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c' to cancel):

    If the site has an .htaccess redirect from www to non-www (or vice versa), include only the domain that is not redirected. If, for example, the site redirects www to non-www, enter only the non-www version of the domain.

    Generating the certificate with both the www and non-www names when only one of them is actually served (the other being redirected to it) will cause the certificate request to fail validation.

  4. When prompted, type Y to accept having your IP address logged with the certificate request. (Assuming you are. If you aren’t, fire up your VPN and Tor and restart the process.)
  5. Certbot will return a block of text like this (specific data replaced with [description]):
    -------------------------------------------------------------------------------
    Create a file containing just this data:
    
    [filename].[key]
    
    And make it available on your web server at this URL:
    
    http://[domain]/.well-known/acme-challenge/[filename]
    
    -------------------------------------------------------------------------------
    Press Enter to Continue
  6. In a second Terminal window, SSH to the remote host and navigate to the root web directory for this domain. If the domain being secured is the primary domain being hosted, this would be ~/public_html.
  7. Create the necessary directories:
    mkdir -p .well-known/acme-challenge
  8. Create the challenge file and write the data to it (printf "%s" writes no trailing newline, so the file holds exactly the string certbot gave you):
    printf "%s" "[filename].[key]" > .well-known/acme-challenge/[filename]
  9. Set permissions so the web server can traverse the directories and read the file (directories need the execute bit, so don’t apply 0644 recursively):
    chmod 0755 .well-known .well-known/acme-challenge
    chmod 0644 .well-known/acme-challenge/[filename]
  10. Back in the first Terminal window, press ENTER. You should receive a success message:
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at
       /etc/letsencrypt/live/[domain]/fullchain.pem.

    If you don’t, see Troubleshooting below.
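Steps 7 to 9 above, as an added shell script that is not part of the original post: it stages the challenge file under the web root with modes the web server can use, checks the file byte-for-byte against the key authorization certbot printed, and (with network access) fetches the challenge URL and compares the body, which the plain wget check in Troubleshooting does not do. It assumes POSIX sh, GNU coreutils for stat -c, and curl; the token and key values it uses are constructed placeholders, not real certbot output.

```shell
#!/bin/sh
# Added example, not from the original post: stage the HTTP-01 challenge file
# that "certbot certonly --manual" asks for (steps 7 to 9) with modes the
# web server can actually use, then confirm what is served matches.
# Assumptions: POSIX sh, GNU coreutils (stat -c), curl for the remote check.
# EXAMPLE_TOKEN / EXAMPLE_KEY below are constructed placeholders; use the
# values certbot prints.

# stage_challenge WEBROOT TOKEN KEYAUTH
#   TOKEN   is the [filename] certbot prints
#   KEYAUTH is the "[filename].[key]" line certbot asks you to serve
# Prints the path of the staged file.
stage_challenge() {
  webroot=$1; token=$2; keyauth=$3
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir"
  # A directory needs the execute bit before anyone can open files inside it,
  # so 0755 here, never a recursive 0644 over the whole tree.
  chmod 0755 "$webroot/.well-known" "$dir"
  # %s with no newline: the served body must be exactly the key authorization.
  printf '%s' "$keyauth" > "$dir/$token"
  chmod 0644 "$dir/$token"
  printf '%s\n' "$dir/$token"
}

# mode_of PATH: octal permission bits, e.g. 755 (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# local_check WEBROOT TOKEN KEYAUTH
#   0 ok, 1 file missing, 2 content differs (typo or trailing newline),
#   3 file not readable by others
local_check() {
  f="$1/.well-known/acme-challenge/$2"
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  printf '%s' "$3" | cmp -s - "$f" \
    || { echo "content differs from the expected key authorization: $f" >&2; return 2; }
  case "$(mode_of "$f")" in
    *[4567]) ;;
    *) echo "not world-readable (mode $(mode_of "$f")): $f" >&2; return 3 ;;
  esac
  return 0
}

# remote_check DOMAIN TOKEN KEYAUTH
#   Fetch the challenge URL over plain HTTP and byte-compare the body; -w
#   appends the status code so a 404 page is reported as such. Needs network
#   access, so it is not exercised offline.
remote_check() {
  url="http://$1/.well-known/acme-challenge/$2"
  body=$(mktemp) || return 1
  status=$(curl -sS -o "$body" -w '%{http_code}' "$url") || true
  if printf '%s' "$3" | cmp -s - "$body"; then
    echo "OK: $url served the expected key authorization (HTTP $status)"
    rm -f "$body"; return 0
  fi
  echo "MISMATCH: $url returned HTTP $status; first bytes of body:" >&2
  head -c 200 "$body" >&2; echo >&2
  rm -f "$body"; return 1
}

# Demo against a temporary web root with the constructed placeholder values.
demo_root=$(mktemp -d)
demo_path=$(stage_challenge "$demo_root" "EXAMPLE_TOKEN" "EXAMPLE_TOKEN.EXAMPLE_KEY")
local_check "$demo_root" "EXAMPLE_TOKEN" "EXAMPLE_TOKEN.EXAMPLE_KEY" \
  && echo "staged and verified locally: $demo_path"
rm -rf "$demo_root"
```

On the hosting account, run stage_challenge with ~/public_html, the [filename] and the [filename].[key] line from certbot, then remote_check with your domain before pressing Enter in the certbot window.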

Installing the certificate

Now that the certificate has been successfully generated, it’s time to install it.

  1. In the first Terminal window, open fullchain.pem in an editor:
    sudo vi /etc/letsencrypt/live/[domain]/fullchain.pem
  2. The file will contain 2 certificates (your site’s certificate first, then the intermediate that signed it), each starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----. Copy the entirety of the first certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags, then exit the editor.
  3. Log into your GoDaddy account, then click through to the cPanel (click the + next to Web Hosting, then click the green MANAGE button for the domain you’re securing).
  4. Scroll down to “Security” and click “SSL/TLS”.
  5. Under “Install and Manage SSL for your site (HTTPS)” click the “Manage SSL sites.” link.
  6. Under “Install an SSL Website”, select the (sub)domain you are securing, then paste the certificate text into the “Certificate: (CRT)” textarea. Look for the green checkmark to the right of the textarea.
  7. In the first Terminal window, open privkey.pem in an editor:
    sudo vi /etc/letsencrypt/live/[domain]/privkey.pem
  8. Copy the entire contents of the file, then exit the editor.
  9. Paste the key text into the “Private Key (KEY)” textarea. Look for the green checkmark to the right of the textarea.
  10. Click the green “Install Certificate” button. All going well you should see a success message.
  11. If this is the primary domain, click the “Make Primary” link in the right column of the “Manage Installed SSL Websites” for the domain.
  12. Test the SSL to confirm everything’s properly set up.
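Step 2 of the installation, as an added shell script that is not part of the original post: it splits fullchain.pem into one file per certificate so the leaf (the text that goes into the “Certificate: (CRT)” box) can be printed or copied whole instead of being selected by hand in vi, and it handles chains of any length, not only the two-certificate case described above. It assumes POSIX sh and awk; the sample fullchain it writes is a constructed placeholder with fake bodies, not a real certificate chain.

```shell
#!/bin/sh
# Added example, not from the original post: split fullchain.pem into its
# individual certificates. Assumes POSIX sh and awk. The sample file built by
# make_sample_fullchain is constructed and contains no real certificate data.

# split_pem FULLCHAIN OUTDIR
#   Writes OUTDIR/cert-1.pem, OUTDIR/cert-2.pem, ... (cert-1 is the leaf, the
#   rest is the chain/CA bundle) and prints how many certificates were found.
split_pem() {
  mkdir -p "$2" || return 1
  awk -v out="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; file = out "/cert-" n ".pem"; inside = 1 }
    inside { print > file }
    /-----END CERTIFICATE-----/   { inside = 0; close(file) }
    END { print n + 0 }
  ' "$1"
}

# leaf_cert OUTDIR: print the first certificate (what goes in the CRT box).
leaf_cert() { cat "$1/cert-1.pem"; }

# ca_bundle OUTDIR: print every certificate after the first (the CA bundle,
# if the panel asks for one).
ca_bundle() {
  n=2
  while [ -f "$1/cert-$n.pem" ]; do
    cat "$1/cert-$n.pem"
    n=$((n + 1))
  done
}

# make_sample_fullchain PATH: a constructed two-certificate file that mimics
# the layout of /etc/letsencrypt/live/[domain]/fullchain.pem.
make_sample_fullchain() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
CONSTRUCTED-LEAF-CERTIFICATE-BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CONSTRUCTED-INTERMEDIATE-CERTIFICATE-BODY
-----END CERTIFICATE-----
EOF
}

# Demo. On a real host, replace the sample with a copy of the live file:
#   sudo cp /etc/letsencrypt/live/[domain]/fullchain.pem "$work/fullchain.pem"
work=$(mktemp -d)
make_sample_fullchain "$work/fullchain.pem"
count=$(split_pem "$work/fullchain.pem" "$work/parts")
echo "found $count certificate(s); leaf certificate:"
leaf_cert "$work/parts"
rm -rf "$work"
```

The private key in privkey.pem is a single block and needs no splitting; copying it with sudo cat avoids accidentally modifying it in an editor.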

Once you’ve confirmed the certificate, check the site for hardcoded “http” elements such as images or scripts (Why No Padlock? is a good resource) and consider adding an HTTP-to-HTTPS redirect.

Important Note

Let’s Encrypt certificates are only valid for 90 days. You’ll receive an automated reminder to renew the certificates 2 weeks, 1 week, and 1 day from the expiration date.

Troubleshooting

Try loading the test URL in a browser window, as provided in the initial output:

Make sure your web server displays the following content at
http://[domain]/.well-known/acme-challenge/[filename] before continuing

Another way of testing for this file is by using wget from the command-line, in a terminal window:

wget http://[domain]/.well-known/acme-challenge/[filename]

I prefer this method as you can view the actual response from the server, instead of merely being shown your site’s 404 error page.

Assuming you’ve received a 404 error, here are some possible causes:

  1. The file isn’t there
    Confirm this by navigating to ~/public_html/.well-known/acme-challenge/ and looking for the appropriately-named file. If not found, run the printf command again.
  2. The file or containing directory has been created with excessively-restrictive permissions
    Reset permissions via the command-line, keeping the execute bit on the directories (a recursive chmod 0644 would strip it and make the file unreachable): chmod 0755 ~/public_html/.well-known ~/public_html/.well-known/acme-challenge && chmod 0644 ~/public_html/.well-known/acme-challenge/[filename]
  3. Interference from rewrite rules
    If you have rewrite rules in your .htaccess file that redirect HTTP to HTTPS or restrict direct access to files and folders starting with a dot, either (or both) of these will result in a 404 error. Comment out the rules you think might be causing a problem one-by-one, running the wget command after each. Don’t forget to uncomment any rules after you’ve verified the file and generated your keys.
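The three causes above, as an added diagnostic script that is not part of the original post. Run on the hosting account, it checks them in the order they can actually be told apart (a directory without the execute bit hides whether the file inside exists), and for cause 3 it lists the .htaccess rules that forward to https:// or match a literal dot, skipping ones that already mention .well-known, so you know which lines to comment out first. It assumes POSIX sh, GNU coreutils for stat -c, and a web server running as a different user than you, so the “others” permission bits are what matter; the .htaccess line in the demo is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check the three 404 causes from
# the Troubleshooting section. Assumptions: POSIX sh, GNU coreutils (stat -c),
# web server running as another user. EXAMPLE_TOKEN and the demo .htaccess
# rule are constructed.

# diagnose_challenge WEBROOT TOKEN
#   exit status: 0 no local cause found, 1 directory or file missing,
#   2 permissions block the web server, 3 an .htaccess rule may apply
diagnose_challenge() {
  webroot=$1; token=$2
  dir="$webroot/.well-known/acme-challenge"
  f="$dir/$token"

  # Cause 2a: directories need the execute bit for others (odd last octal digit).
  for d in "$webroot/.well-known" "$dir"; do
    [ -d "$d" ] || { echo "cause 1: directory $d missing; run mkdir -p" >&2; return 1; }
    case "$(stat -c '%a' "$d")" in
      *[1357]) ;;
      *) echo "cause 2: $d is mode $(stat -c '%a' "$d"); fix with: chmod 0755 '$d'" >&2; return 2 ;;
    esac
  done

  # Cause 1: the challenge file itself.
  [ -f "$f" ] || { echo "cause 1: $f does not exist; re-run the printf step" >&2; return 1; }

  # Cause 2b: the file must be readable by others (last octal digit 4..7).
  case "$(stat -c '%a' "$f")" in
    *[4567]) ;;
    *) echo "cause 2: $f is mode $(stat -c '%a' "$f"); fix with: chmod 0644 '$f'" >&2; return 2 ;;
  esac

  # Cause 3: rewrite/redirect rules that forward to https:// or match a
  # literal dot (\.), the usual dot-file block. Lines that already name
  # .well-known are taken to be the exception rather than the problem.
  ht="$webroot/.htaccess"
  if [ -f "$ht" ]; then
    hits=$(grep -nEi '^[[:space:]]*(RewriteRule|RewriteCond|RedirectMatch|Redirect|FilesMatch)' "$ht" \
             | grep -E 'https://|\\\.' | grep -Ev 'well-known' || true)
    if [ -n "$hits" ]; then
      echo "cause 3: these .htaccess lines may apply to $f (comment out one at a time and re-run wget):" >&2
      echo "$hits" >&2
      return 3
    fi
  fi
  echo "no local cause found for $f; test the URL from outside the host" >&2
  return 0
}

# Demo with a constructed web root: file and modes are correct, but the
# .htaccess blocks dot-directories, so the scan reports cause 3.
demo=$(mktemp -d)
mkdir -p "$demo/.well-known/acme-challenge"
chmod 0755 "$demo/.well-known" "$demo/.well-known/acme-challenge"
printf '%s' 'EXAMPLE_TOKEN.EXAMPLE_KEY' > "$demo/.well-known/acme-challenge/EXAMPLE_TOKEN"
chmod 0644 "$demo/.well-known/acme-challenge/EXAMPLE_TOKEN"
printf '%s\n' 'RedirectMatch 404 /\..*$' > "$demo/.htaccess"
diagnose_challenge "$demo" EXAMPLE_TOKEN || echo "diagnosis exit status: $?"
rm -rf "$demo"
```

Call it as diagnose_challenge ~/public_html [filename] on the account; an exit status of 0 means the remaining suspects are outside the account (DNS, a proxy, or a redirect configured in cPanel rather than .htaccess).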