@Shourai
Created October 21, 2017 12:49
Letsencrypt SSL certificate with namecheap hosting

source: https://savedlog.com/uncategorized/letsencrypt-ssl-certificate-namecheap-hosting/

The “Positive SSL” certificate I bought along with my domain is not valid for any of my subdomains and cannot be used with wildcards. One annoying thing is that Namecheap doesn’t offer automatic installation of free Let’s Encrypt certificates, even though they say: “Namecheap is dedicated to data security and privacy for all internet users. We believe the movement to encrypt nearly all web traffic is a positive direction. As more sites embrace HTTPS and use of security products, providers of free SSL are beginning to come online.”

Let me show you what needs to be done in order to “encrypt nearly all web traffic”.

First, although it is not required, it helps to enable SSH access. It is not enabled by default on the base hosting plans; just start a live chat and request SSH access.

Letsencrypt nosudo

SSH to your hosting server, visit diafygi/letsencrypt-nosudo and “git clone” the project. You can also follow the tutorial on the project site.

mkdir tools && cd tools
git clone https://github.com/diafygi/letsencrypt-nosudo.git 
cd letsencrypt-nosudo/

Generate a user account key for Let’s Encrypt.

openssl genrsa 4096 > user.key
openssl rsa -in user.key -pubout > user.pub

Generate the domain key and a certificate request. Replace “example.com” with the domain you own.

For a single name, such as subdomain.example.com, use:

openssl genrsa 4096 > domain.key
openssl req -new -sha256 -key domain.key -subj "/CN=example.com" > domain.csr

If you want the certificate to be valid for multiple subdomains, create a file named openssl-san.cfg and paste the following (replace the alt_names entries such as “mail.example.com” with the domain and subdomains you own):

[req]
default_bits = 2048
default_md   = sha256
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName          = Country Name (2 letter code)
stateOrProvinceName  = State or Province Name (full name)
localityName         = Locality Name (eg, city)
organizationName     = Organization Name (eg, company)
commonName           = Common Name (e.g. server FQDN or YOUR name)

[ req_ext ]

subjectAltName = @alt_names

[alt_names]
DNS.1        = test.example.com
DNS.2        = www.example.com
DNS.3        = mail.example.com
DNS.4        = ftp.example.com

and run:

openssl req -new -sha256 -key domain.key -subj "/O=My Company Name LTD./C=US" -config openssl-san.cfg > domain.csr

Create and install new certificate

Next, run the script with Python, passing in the path to your user account public key and the domain CSR.

python sign_csr.py -f --public-key user.pub domain.csr > signed.crt

When you run the script, it will ask you to run some manual commands. It has to ask you to do these because it doesn’t know your private key or have access to your server. Open another terminal and follow the instructions. You can edit the manual commands to fit your situation (e.g. if your sudo user is different or private key is in a different location).

At the final step the script will ask you to serve a file on each of your subdomains, and you need to create the folders and the requested file in each subdomain's root folder.

For example, if you have the subdomain test.example.com with its root folder in /home/cpanel_user/test.example.com and the script asks you to serve:

STEP 4: Please update your server to serve the following file at this URL:
--------------
URL: http://test.example.com/.well-known/acme-challenge/_bpFRhpfEVHktwEVdjmdCtVcF5MZ7qRvcn--uZwPKzM
File contents: "_bpFRhpfEVHktwEVdjmdCtVcF5MZ7qRvcn--uZwPKzM.Nh8mz3FnS03KxkGXN4_Cj9j9vcw4wXcZm0Z25CW6Ttw"
--------------

Notes:
- Do not include the quotes in the file.
- The file should be one line without any spaces.

Press Enter when you've got the file hosted on your server...

you need to create .well-known/acme-challenge/ in /home/cpanel_user/test.example.com and write the file contents to a file named _bpFRhpfEVHktwEVdjmdCtVcF5MZ7qRvcn--uZwPKzM:

mkdir -p /home/cpanel_user/test.example.com/.well-known/acme-challenge/


echo "_bpFRhpfEVHktwEVdjmdCtVcF5MZ7qRvcn--uZwPKzM.Nh8mz3FnS03KxkGXN4_Cj9j9vcw4wXcZm0Z25CW6Ttw" > /home/cpanel_user/test.example.com/.well-known/acme-challenge/_bpFRhpfEVHktwEVdjmdCtVcF5MZ7qRvcn--uZwPKzM
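
The file-placement step above as a reusable shell function (an added example, not part of the original gist or of letsencrypt-nosudo; the name place_challenge is hypothetical). It checks that the value has the TOKEN.THUMBPRINT shape before using the token as a file name, and writes it without quotes or a trailing newline.

```shell
#!/bin/sh
# Added example: write an ACME HTTP-01 challenge file safely.
# Usage: place_challenge DOCROOT KEYAUTH
#   DOCROOT  web root of the subdomain, e.g. /home/cpanel_user/test.example.com
#   KEYAUTH  the "File contents" value printed by the script, without the quotes
place_challenge() {
    local docroot="$1" keyauth="$2" token dir
    # Token and thumbprint are base64url, joined by exactly one dot. Rejecting
    # every other character (quotes, spaces, newlines, "/") also makes the
    # token safe to use as a file name below.
    case $keyauth in
        *[!A-Za-z0-9_.-]*|.*|*.|*.*.*)
            echo "refusing: value is not TOKEN.THUMBPRINT" >&2; return 1 ;;
        *.*) ;;
        *)  echo "refusing: value is not TOKEN.THUMBPRINT" >&2; return 1 ;;
    esac
    [ -d "$docroot" ] || { echo "no such web root: $docroot" >&2; return 1; }
    token=${keyauth%%.*}
    dir=$docroot/.well-known/acme-challenge
    mkdir -p "$dir" || return 1
    # printf '%s' writes the value exactly: one line, no quotes, no newline.
    printf '%s' "$keyauth" > "$dir/$token" || return 1
    chmod 644 "$dir/$token"    # the web server must be able to read it
    printf '%s\n' "$dir/$token"
}
```

Call it once per subdomain with that subdomain's root folder and the value the script printed; it prints the path of the file it wrote.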

After you have done this for all your subdomains, you can install the certificate in your Namecheap hosting cPanel. You can use this link for help.

  • Go to cpanel > Security > SSL/TLS and press on Manage SSL sites.
  • Select the domain on which you want to install the certificate, for example test.example.com
  • In Certificate: (CRT) paste the content of the recently created signed.crt
  • In Private Key (KEY) paste the content of domain.key
  • Press Autofill by Domain button, next to the domain selection drop-down.
  • Press Install certificate.
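
Because `> signed.crt` creates the file even when sign_csr.py exits with an error, it is worth checking both files before pasting them into cPanel. The checks below are an added example, not part of the original gist; the function names check_cert_pem and check_key_private are hypothetical.

```shell
#!/bin/sh
# Added example: preflight checks for signed.crt and domain.key.

# check_cert_pem FILE: succeed only if FILE holds complete PEM certificate(s).
check_cert_pem() {
    local f="$1" begins ends
    # The redirect creates the file before the script runs, so test size first.
    [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 1; }
    [ "$(head -n 1 "$f")" = "-----BEGIN CERTIFICATE-----" ] ||
        { echo "$f: does not start with a PEM certificate header" >&2; return 1; }
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    [ "$begins" -eq "$ends" ] ||
        { echo "$f: truncated ($begins BEGIN, $ends END lines)" >&2; return 1; }
    # Everything between the markers must be base64; error text or HTML is not.
    if grep -v '^-----' "$f" | grep -q '[^A-Za-z0-9+/=]'; then
        echo "$f: non-base64 data inside the certificate" >&2; return 1
    fi
}

# check_key_private FILE: succeed only if FILE is a PEM private key that
# group and other users on the shared host cannot read.
check_key_private() {
    local f="$1" mode
    [ -s "$f" ] || { echo "$f: missing or empty" >&2; return 1; }
    case "$(head -n 1 "$f")" in
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN PRIVATE KEY-----") ;;
        *) echo "$f: not a PEM private key" >&2; return 1 ;;
    esac
    mode=$(ls -ld "$f" | cut -c5-10)    # group + other permission bits
    [ "$mode" = "------" ] ||
        { echo "$f: readable beyond the owner, run: chmod 600 $f" >&2; return 1; }
}
```

A key created with `openssl genrsa 4096 > domain.key` takes its mode from your umask, so check_key_private will usually ask for `chmod 600` on the first run.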

Congrats, you are now using a free Let’s Encrypt certificate on a Namecheap basic hosting server.

@FranRDev

FranRDev commented Feb 14, 2018

Great, everything has come out. But after installing the certificate, it keeps saying it is not valid, maybe it takes a while to update the change?

EDIT: signed.crt is empty.

@cccaballero

Hi, I am not used to working with CPanel. Would it be possible to run a cron script to auto-renew the Let's Encrypt certificates, replacing them in the file system in some way? Because if you have a lot of subdomains (like me) it is really problematic to update the certs one by one from CPanel.

@mutac

mutac commented Apr 17, 2018

Yes, you can do this from a cron job running on your host. As part of your job, the uapi tool can be used to install the updated certificates.

# As described above, generate requests, and run the ACME/letsencrypt stuff
# ...

# Install certificates and keys
crt=`cat mydomain.crt | python urlencode.py`
key=`cat my.signing.key | python urlencode.py`
uapi SSL install_ssl domain=mydomain.tld cert="$crt" key="$key"

crt=`cat myotherdomain.crt | python urlencode.py`
key=`cat my.signing.key | python urlencode.py`
uapi SSL install_ssl domain=myotherdomain.tld cert="$crt" key="$key"

uapi expects the key and cert to be url encoded, so you could use something like this to do that:

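import sys
try:
    from urllib.parse import quote_plus  # Python 3
except ImportError:
    from urllib import quote_plus  # Python 2

for line in sys.stdin:  # URL-encode stdin line by line for uapi
    sys.stdout.write(quote_plus(line))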

@cccaballero

Thanks @mutac, I will give it a try. I hope that uapi is exposed to the shell.

@amr3li

amr3li commented Sep 13, 2018

This is working, Thank you

@panfass

panfass commented Sep 27, 2018

That works for me too!
Hooray 👍 🥇

@katchy3132

@mutac . thanks! works perfectly

@katchy3132

@anandumdas

Now there is an easy way to configure a Let's Encrypt free SSL/TLS certificate with your WordPress blog hosted on Namecheap shared hosting. The procedure is the same for any other hosting plan which uses CPanel as the hosting dashboard.

This is achieved by a plugin named OSE Free SSL. The steps are as follows.

  1. Install OSE Free SSL plugin on your blog.
  2. Go to OSE Free SSL plugin, type your email address and generate the Certificate.
  3. The keys and crt ca bundle will be mailed to you. Download it to your machine.
  4. Log in to CPanel and go to SSL under security category.
  5. Click on manage sites
  6. Copy paste the contents of Private key, Public Key and ca bundle.
  7. Click Install certificate

You are done!

Watch the video for more details.
https://youtu.be/TFM8hECnIPY

@nirus

nirus commented Mar 25, 2019

A perfect solution to namecheap or any other hosting solution with SSH access ! - CloudLinux shell

It works flawlessly!

@cyraid

cyraid commented Oct 3, 2019

another option: acme.sh has a cPanel hook.
https://github.com/Neilpang/acme.sh/wiki/Simple-guide-to-add-TLS-cert-to-cpanel

Thank you @katchy3132 ! Other than a umask issue (because I have a specific umask), this worked pretty smoothly. Have a certificate now auto-renewing all using a very very simple process.

@titoleru

Hi everyone,

I am struggling with creating the certificate. In step 2, when following the console commands and opening a new terminal window, I keep getting these errors:

  • register_0Y25wv.json: No such file or directory
  • domain_mMOvO6.json: No such file or directory
  • ...

What am I missing? :(

@subRobots

subRobots commented Feb 9, 2020

Is this still a valid method to install let's encrypt on namecheap? Safe to try?

@nk9

nk9 commented May 8, 2020

another option: acme.sh has a cPanel hook.
https://github.com/Neilpang/acme.sh/wiki/Simple-guide-to-add-TLS-cert-to-cpanel

Thank you @katchy3132 ! Other than a umask issue (because I have a specific umask), this worked pretty smoothly. Have a certificate now auto-renewing all using a very very simple process.

I have just gone through the acme.sh process as recommended by @cyraid and @katchy3132. This is on a Namecheap Stellar shared hosting. It was super easy, just a few simple commands. Much simpler than the instructions in this gist. The only (minor) issue was that Chrome kept claiming the site was insecure, even though the certificate was good. I used these steps to fix that.

@WarpMee

WarpMee commented Dec 8, 2020

error on line -1 of openssl-san.cfg
140565004556104:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('openssl-san.cfg','rb')
140565004556104:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:
140565004556104:error:0E078072:configuration file routines:DEF_LOAD:no such file:conf_def.c:197:

@SDenny

SDenny commented Feb 10, 2021

another option: acme.sh has a cPanel hook.
https://github.com/Neilpang/acme.sh/wiki/Simple-guide-to-add-TLS-cert-to-cpanel

This worked great and saved a lot of time. Great option if you have CPanel and want to set up certs in a few minutes.

@nomaam

nomaam commented Sep 5, 2021

@Steve132

Now there is an easy way to configure Lets Encrypt free SSL/TLS certificate with your WordPress blog hosted on namecheap shared hosting. The procedure is same for any other hosting plan which uses CPanel as the hosting dashboard.

This is achieved by a plugin names OSE Free SSL. The steps are as follows.

1. Install OSE Free SSL plugin on your blog.

2. Go to OSE Free SSL plugin, type your email address and generate the Certificate.

3. The keys and crt ca bundle will be mailed to you. Download it to your machine.

4. Login to CPanel and goto SSL under security category.

5. Click on manage sites

6. Copy paste the contents of Private key, Public Key and ca bundle.

7. Click Install certificate

You are done!

Watch the video for more details. https://youtu.be/TFM8hECnIPY

So, "Let me email you your keys and install a strange plugin" is literally a scam..

@chrishac-git

Not sure this works anymore, I have attempted to use this and got a list of errors:

$ python sign_csr.py -f --public-key user.pub domain.csr > signed.crt
Traceback (most recent call last):
  File "sign_csr.py", line 450, in <module>
    signed_crt = sign_csr(args.public_key, args.csr_path, email=args.email, file_based=args.file_based)
  File "sign_csr.py", line 29, in sign_csr
    DIRECTORY = json.loads(urlopen(CA + "/directory").read().decode('utf8'))
  File "/usr/lib64/python2.6/urllib2.py", line 126, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib64/python2.6/urllib2.py", line 391, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.6/urllib2.py", line 409, in _open
    '_open', req)
  File "/usr/lib64/python2.6/urllib2.py", line 369, in _call_chain
    result = func(*args)
  File "/usr/lib64/python2.6/urllib2.py", line 1205, in https_open
    return self.do_open(httplib.HTTPSConnection, req)
  File "/usr/lib64/python2.6/urllib2.py", line 1172, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [Errno -2] Name or service not known>
[onebkxtt@server266 letsencrypt-nosudo]$

not sure if anyone can help with this error.

thanks

@brian-k

brian-k commented Sep 6, 2022

@chrishac-git I'm having the same problem

@GithubOllie

I get this error

    signed_crt = sign_csr(args.public_key, args.csr_path, email=args.email, file_based=args.file_based)
  File "sign_csr.py", line 29, in sign_csr
    DIRECTORY = json.loads(urlopen(CA + "/directory").read().decode('utf8'))
  File "/usr/lib64/python2.6/urllib2.py", line 126, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib64/python2.6/urllib2.py", line 391, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.6/urllib2.py", line 409, in _open
    '_open', req)
  File "/usr/lib64/python2.6/urllib2.py", line 369, in _call_chain
    result = func(*args)
  File "/usr/lib64/python2.6/urllib2.py", line 1205, in https_open
    return self.do_open(httplib.HTTPSConnection, req)
  File "/usr/lib64/python2.6/urllib2.py", line 1172, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [Errno -2] Name or service not known>

@nk9

nk9 commented May 2, 2023

The sign_csr.py script is using version 1 of the Let's Encrypt ACME API:

    CA = "https://acme-v01.api.letsencrypt.org"

As of June 2021, this version of the API has been turned off, which is why it's no longer working. You can find other client options for ACME v2 on the Let's Encrypt site.

I want to again recommend that people use acme.sh instead of the sign_csr approach. It's discussed in this thread as a simpler alternative, and it's officially supported by Let's Encrypt so it won't just stop working.

@Acr515

Acr515 commented Jun 30, 2023

Also seconding the acme.sh method, as this worked perfectly for me without hitches as I installed my certificate onto a Namecheap shared hosting site through Stellar. Nothing else has seemed to work for me until now, and no more paying for Namecheap certs!
