Let's Encrypt - Free SSL for your website

Nov 21, 2016 ssl letsencrypt encryption https security
Yes, my website is now encrypted! Recently released was an open source encryption service that offers free HTTPS for your website. It garnered increased attention in early December 2015, and it’s great news for everyone looking for excellent security for their e-commerce store. As you will notice, this site now has an SSL certificate installed!

Some of us, like myself, are on cheap shared hosting, where it’s a little difficult to get around the permissions, and some modules, libraries, plugins or whatever it may be in your environment may not be available. This post is just to reveal what issues I came across when installing the certificate. So if you’re on shared hosting and don’t have root access, read on.

First you’ll need to have SSH access to your shared hosting. Next, someone wrote this neat script; clone the repository –

git clone https://github.com/diafygi/letsencrypt-nosudo

Follow the openssl commands listed, and remember to replace “user” or “domain” and “example.com” with your own.

openssl genrsa 4096 > user.key
openssl rsa -in user.key -pubout > user.pub

#Create a CSR for example.com
openssl genrsa 4096 > domain.key
openssl req -new -sha256 -key domain.key -subj "/CN=example.com" > domain.csr

#Alternatively, if you want both example.com and www.example.com
openssl genrsa 4096 > domain.key
openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) > domain.csr


An important note: use the --file-based option, and prepend your domain with “www.”.

“By default the script will ask you to start a webserver on port 80. If you already have one, use the --file-based option instead.”

Run the Python script located in the repository you cloned; note the domain and user files.

python sign_csr.py --public-key user.pub domain.csr > signed.crt

You’ll enter an email address, which will be verified, and the script will give you a series of commands you’ll need to enter. It has instructions, but remember to open a separate new window to input the commands.

The second time I tried to run this python script, I was missing a python module argparse.py. If you get an error regarding that then you’ll want to download the file and place it in the same directory as the python script and it should run.

In the 4th step you’ll have to create a new folder in your root directory (public_html) with the structure

.well-known/acme-challenge/{file with long string}

Create it, and put the second string into the file on a single line only!
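A way to do the challenge-file step above without typos, as an added example (not part of the original post or of letsencrypt-nosudo). The function names are hypothetical, and it assumes the two strings follow the ACME http-01 form, where the file content is the file name, a dot, and a base64url thumbprint:

```shell
#!/bin/sh
# Added example; write_acme_challenge / check_acme_challenge are hypothetical names.
LC_ALL=C; export LC_ALL

# Succeeds only if $1 is non-empty and made of base64url characters.
is_b64url() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# write_acme_challenge WEBROOT TOKEN CONTENT
write_acme_challenge() {
    webroot=$1 token=$2 keyauth=$3
    # The token becomes a file name: reject "/", ".." and anything else odd.
    is_b64url "$token" || { echo "bad file name" >&2; return 2; }
    # Assumed http-01 form: "<token>.<thumbprint>", no spaces or newlines.
    case "$keyauth" in
        "$token".*) is_b64url "${keyauth#$token.}" || { echo "bad content" >&2; return 3; } ;;
        *) echo "content does not start with the file name" >&2; return 3 ;;
    esac
    [ -d "$webroot" ] || { echo "no such web root" >&2; return 4; }
    dir=$webroot/.well-known/acme-challenge
    mkdir -p "$dir" || return 5
    # printf without \n writes exactly one line and no trailing newline.
    printf '%s' "$keyauth" > "$dir/$token" || return 5
    chmod 644 "$dir/$token"   # the web server has to be able to read it
}

# check_acme_challenge WEBROOT TOKEN CONTENT
# Confirms the file on disk is byte-for-byte the expected single line.
check_acme_challenge() {
    f=$1/.well-known/acme-challenge/$2
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # $(cat) drops trailing newlines, so compare the byte count as well.
    [ "$(wc -c < "$f" | tr -d ' ')" -eq "${#3}" ] || return 1
    [ "$(cat "$f")" = "$3" ]
}
```

On shared hosting the call would look like write_acme_challenge ~/public_html followed by the two strings the script printed, then check_acme_challenge with the same arguments before continuing in the script's window.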

A note here for Laravel users: you may need to modify your routes a little, but the following route helped for me.

//For the SSL Encryption
Route::get('/.well-known/acme-challenge/{filename}', function ($filename)
{
    // Serve the challenge file that was created under the web root
    $path = '.well-known/acme-challenge/' . $filename;

    $file = File::get($path);
    $type = File::mimeType($path);

    $response = Response::make($file, 200);
    $response->header("Content-Type", $type);

    return $response;
})->where('filename', '[A-Za-z0-9_-]+'); // only accept challenge-token characters


Finally run the next commands to grab the .cab key

user@hostname:~$ wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
user@hostname:~$ cat signed.crt lets-encrypt-x3-cross-signed.pem > chained.pem

The chained.pem contains the domain.csr and .cab keys. You’ll need three keys to successfully install your certificate, with the final key being the one you created at the beginning – domain.key.

Head over to cPanel and install the keys. You may need to change your .htaccess file as well to redirect all your links to https. I’m not very good with .htaccess but I found this and it may work for you too

Options +FollowSymLinks
RewriteEngine On
# Redirect every request that did not arrive over HTTPS to the https:// URL
RewriteCond %{HTTPS} !^on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Anything that is not an existing directory or file goes to index.php
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]


There was a list on the Let’s Encrypt forum showing companies that have decided to support the program, but it seems my web hosting was a little slow. Hopefully we won’t need this anymore and it'll be an easier process.

It can only get easier from here.

Also don't forget to check your website security over at https://www.ssllabs.com and ensure everything is in order.
