Let's Encrypt + Shared Hosting + Tutorial


GHRake
06-09-2017, 11:11 PM
This is a little tutorial and review of my experience on installing a free LetsEncrypt SSL certificate. I am not an expert on the topic but I believe this is a pretty solid tutorial.

CERTBOT (https://certbot.eff.org/) is developed by the good folks over at the Electronic Frontier Foundation (https://www.eff.org/). For people like us that grew up on the internet, the EFF is essential in protecting the freedom we enjoy and I urge you to check them out and support if you can.

I'm sure others may find themselves with the same circumstances:
Shared Hosting, don't have root access and am a Windows user

Certbot requires root access so you have to create it locally on your own computer and then install the certificate manually.
Linux Subsystem for Windows can create the certificate for you but for some reason renewing wouldn't work so I had to fire up an Ubuntu VM.

Download Ubuntu (https://www.ubuntu.com/download/desktop)

Download VMWare Workstation (https://www.vmware.com/products/player/playerpro-evaluation.html)

Create New VM
Select your Ubuntu ISO
I like to use 2 Cores and 2GB RAM

After install:
CTRL + ALT + T -> Pulls up the terminal

Update apps and upgrade OS:
sudo apt-get update && sudo apt-get upgrade

Install net-tools dependency for certbot:
sudo apt install net-tools

Make sure your VM connects through your VPN/proxy if privacy is important because LetsEncrypt logs your IP. They aren't published yet but will be in the future.

Install Certbot:
sudo apt-get install certbot

If you use CloudFlare or other CDN, set it to bypass the CDN temporarily or it will fail verification.

Generate certificate on local machine:
sudo certbot certonly --manual -d guidedhacking.com

Follow the prompt

Use webroot verification, it will prompt you to create a file which you will put in:
public_html\.well-known\acme-challenge\

The filename will be a hash and then inside the file you need to paste another hash. I used Notepad++ and just uploaded it over FTP rather than doing it over SSH because I'm a Linux noob.

After verification open cPanel go to SSL module->Install Certificate
Open your first cert file, paste in the first certificate including the ---CERT BEGIN--- and ---CERT ENDS---
Open the privatekey cert file and paste it into the private key text box

You must renew every 90 days by opening your Ubuntu VM and running:
certbot-auto renew

LetsEncrypt will email you 2-3 times before it expires to remind you. There are methods to do automatic renewal on shared hosting using third party projects and cronjobs but I don't mind renewing manually vs reviewing/learning how to use a bunch of potentially time wasting third party scripts.

Make sure to set up https redirect in .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Alternatively in CloudFlare you can set up "Automatic HTTPS Rewrites" on the Crypto page

If you use CloudFlare be sure to play with the settings on the Crypto page and note that the certificate your visitors will see will be a CloudFlare cert. The connection between the visitor and CloudFlare will use the CloudFlare cert and the connection between CloudFlare and your server will use your cert. If you want the end user to see YOUR certificate and use CloudFlare, you can get a certificate through CloudFlare and it's $5/month, not a bad price but free is better.

Back up your database and do some SQL REPLACE magic. Be aware this may cause some issues, so use it with care and double check afterwards for problems. If you're not experienced with SQL, just skip this because you can do damage! Here is a sample query:
UPDATE table_name_here SET column_name_here = REPLACE(column_name_here, 'http://', 'https://');

I did this table by table and then tested it so I didn't blow up the entire database at once. 99% of the replacements I did were quite simple using SQL queries.

In AdminCP make sure your Site URL etc. all say https://guidedhacking.com instead of http://

Now fire up HTTPS Everywhere (https://www.eff.org/https-everywhere), open the Chrome developer's console and audit your site for HTTP/HTTPS issues.
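
A scoped version of the http-to-https replacement described in the post above, as an added example that is not part of the original post: it rewrites only links to the site's own host, counts the matching rows in a dry run first, and applies the change in a single transaction. It uses Python's sqlite3 with an in-memory database as a stand-in for the forum's database; the `post` table and `pagetext` column are hypothetical names and the rows are constructed.

```python
import sqlite3

OWN_HOST = "guidedhacking.com"  # the site's own host, taken from the post


def rewrite_own_links(conn, table, column, host=OWN_HOST, dry_run=True):
    """Rewrite http://<host>/ to https://<host>/ in one column; return rows matched."""
    # Identifiers cannot be bound as parameters, so check them against the schema.
    tables = {r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    if table not in tables:
        raise ValueError(f"unknown table: {table!r}")
    columns = {r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')}
    if column not in columns:
        raise ValueError(f"unknown column: {column!r}")

    old, new = f"http://{host}/", f"https://{host}/"
    # instr() is a literal substring test, so there are no LIKE wildcards to escape.
    where = f'instr("{column}", ?) > 0'
    matched = conn.execute(
        f'SELECT COUNT(*) FROM "{table}" WHERE {where}', (old,)
    ).fetchone()[0]
    if dry_run or matched == 0:
        return matched
    with conn:  # one transaction: commit on success, roll back on any error
        conn.execute(
            f'UPDATE "{table}" SET "{column}" = REPLACE("{column}", ?, ?) WHERE {where}',
            (old, new, old),
        )
    return matched


def build_demo_db():
    """Constructed sample data; table and column names are hypothetical."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE post (id INTEGER PRIMARY KEY, pagetext TEXT)")
    conn.executemany("INSERT INTO post (pagetext) VALUES (?)", [
        ("See http://guidedhacking.com/forum/ for the thread",),
        ("Mirror at http://example.org/file.zip",),
        ("http://guidedhacking.com/a and http://example.org/b",),
        ("no links here",),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("would change:", rewrite_own_links(db, "post", "pagetext"))
    print("changed:", rewrite_own_links(db, "post", "pagetext", dry_run=False))
    for row in db.execute("SELECT pagetext FROM post"):
        print(row[0])
```

Links to other hosts stay on http:// because those servers may not serve HTTPS, and own-host links written without a trailing slash are left untouched for manual review.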

webmastersun
05-05-2018, 01:30 PM
It is pretty difficult to set up SSL as in your guide. If you are using cPanel or Plesk on your shared hosting then you only need a few clicks to enable SSL for your websites.

If you are using the DirectAdmin hosting control panel then it can require extra steps to set up SSL, but it is also easy to do.