Please Note: The following tutorial is how I used my VPS and installed Let’s Encrypt on all of my sites. This is also for Apache. nginx is not too different, but you’ll have to deviate from this tutorial slightly.
First thing to note is there are lots of less manual ways to handle this… Sites with newer versions of CPanel have a Let’s Encrypt feature, so you should use that. Also, if you are hosting yourself, or using a box ‘you own’, as in you have full admin privileges (such as Digital Ocean), then there are much better ways to do this… However, I purchased a 2 year plan with my VPS, and wanted to do it this way to see how difficult it really is (it really isn’t that bad – lots of copying/pasting).
So here you go…
- You will need to have the following 3 windows open (however you choose)…
  - an SSH session into your hosted space (I just used Terminal and ssh’d into firstname.lastname@example.org and entered my password. I know I should set up an SSH Key so I don’t worry about the password, and I’ll probably do that once I reformat my computer). I’ll refer to this as ssh when I’m talking about this window below.
  - a web browser open to your cpanel, which I’ll refer to as cpanel
  - and a web browser open to Let’s Encrypt’s free HTTP Site, which I’ll refer to as encrypt
- In cpanel, go to your SSL/TLS Manager and select Private Keys. In there, you will generate 2 private keys (I used 4096 bit). I labeled 1 Account for musicalcoder and the other was domain for musicalcoder. This will make it simpler later on.
- In ssh, you should see where your keys were created (~/ssl/keys). You’ll then create a symbolic link to the account key (named account.key). This will be useful in future steps.
- In ssh, enter the following command, which generates your public key for your private account key. You’ll then copy that into the clipboard.
    openssl rsa -in account.key -pubout
- In encrypt, Enter your account admin email address (for me it was email@example.com), and then paste that public key into the box. You’ll then click the Validate Account Info button.
- In cpanel, go to your SSL Manager, and then go to CSRs. Here you will want to generate a CSR with your DOMAIN key for your site (which we generated earlier, remember?). Fill out all the pertinent information it wants, and then click generate. (NOTE: If you want multiple entries, such as yoursite.com and www.yoursite.com, you must enter them both in the domain window, on separate lines.) Once that’s done, you’ll see your ‘Encoded CSR’. You will copy this to your clipboard.
- In encrypt, paste your CSR information in step 2, then click Validate CSR
- At this point, you should be at Step 3 in encrypt! Here there are 4 boxes that you will want to copy, one at a time. You’ll notice that it references account.key – because we made a symbolic link before, this will be as simple as copy and paste. Without it, you’ll have to edit the command to reference your account key.
- Paste the command into your ssh session, and you’ll get a huge set of hexadecimal values. You’ll copy the entire output (including the (stdin) bit) into your clipboard, and then paste it in the corresponding text box in encrypt. Repeat this for each of the 4 entries.
- Once you’ve done all 4, click the Validate Signatures button. This should take you to step 4.
- In step 4, you’ll copy and paste another entry similar to step 3. Once you’ve pasted the result, you’ll then click on Option 2 – file based and then how do I do this?. In the section that appears, copy step 4 (the echo command) and paste it in ssh. It will error (as expected) because it’s using a /path/to/www reference, which you will have to change to your actual www reference. Once you’ve fixed that, run the command.
- Click the I’m now serving this file on [yourdomain.tld] button. If you entered multiple domains in step 6 (when generating the CSR), you’ll have multiple files to create. For each one, you just repeat the last 2 steps for encrypt step 4.
- Once that is done, you’ll be on encrypt step 5, and will generate your certificate. Copy the certificate code.
- In cpanel, go to SSL Manager, and then Certificates, and paste that code into the textbox provided. Then click Generate.
- When that’s finished, you should then have an entry at the top for your domain. Click Install.
- When that’s finished, go back to encrypt, and test your installation.
- Before closing ssh, you can delete the directory .well-known and its subdirectories and files.
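
The steps above rely on two separate private keys (account and domain) and on a CSR built from the domain key that lists every host name you want covered. The following checks for the ssh window are an added example, not part of the original tutorial or of the Let’s Encrypt site; the function names are made up for this sketch and the file names and host names are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run in the ssh window
# before pasting a public key or CSR into the browser. All paths are arguments.

# Public half of an RSA private key, using the same command as the tutorial.
key_pub() { openssl rsa -in "$1" -pubout 2>/dev/null; }

# Public key embedded in a CSR, re-encoded the same way for comparison.
csr_pub() {
  openssl req -in "$1" -noout -pubkey 2>/dev/null |
    openssl rsa -pubin -pubout 2>/dev/null
}

# True only when the two files hold different key pairs (2 = unreadable key).
keys_differ() {
  a=$(key_pub "$1") && b=$(key_pub "$2") || return 2
  [ "$a" != "$b" ]
}

# True only when the CSR was generated from the given private key.
csr_uses_key() {
  c=$(csr_pub "$1") && k=$(key_pub "$2") || return 2
  [ "$c" = "$k" ]
}

# Every host name the CSR asks for: subject CN plus subjectAltName entries.
csr_names() {
  {
    openssl req -in "$1" -noout -subject 2>/dev/null |
      sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
    openssl req -in "$1" -noout -text 2>/dev/null |
      grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
  } | sort -u
}

# preflight ACCOUNT_KEY DOMAIN_KEY CSR NAME...
preflight() {
  acct=$1; dom=$2; csr=$3; shift 3
  keys_differ "$acct" "$dom" ||
    { echo "FAIL: account and domain key are identical or unreadable"; return 1; }
  csr_uses_key "$csr" "$dom" ||
    { echo "FAIL: CSR was not generated with the domain key"; return 1; }
  for name in "$@"; do
    csr_names "$csr" | grep -qxF "$name" ||
      { echo "FAIL: CSR does not list $name"; return 1; }
  done
  echo "OK"
}
```

Source the file and call `preflight` with the account key (or its account.key symlink), the domain key, the saved CSR, and each host name you entered in the CSR form; only the public key, the CSR and the signature output ever need to leave the server.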
I did that for each of my domains… it took about a half hour, although the last site took only a minute or two as I was used to it.
I hope this proves useful to you!