Letsencrypt SSL certificate with namecheap hosting

source: https://savedlog.com/uncategorized/letsencrypt-ssl-certificate-namecheap-hosting/

The “Positive SSL” certificate I bought along with my domain is invalid with any of my subdomains and cannot be used with wildcards. One annoying thing is that Namecheap doesn’t offer automatic installation of free Let’s Encrypt certificates, even though they say: “Namecheap is dedicated to data security and privacy for all internet users. We believe the movement to encrypt nearly all web traffic is a positive direction. As more sites embrace HTTPS and use of security products, providers of free SSL are beginning to come online.”

Let me show you what needs to be done in order to “encrypt nearly all web traffic”.

First, it is not required but it is helpful to enable SSH access. It is not enabled by default on the base hosting plans; just start a live chat and request SSH access.

Letsencrypt nosudo

SSH to your hosting server, visit diafygi/letsencrypt-nosudo and “git clone” the project. You can also follow the tutorial on the project site.

mkdir tools && cd tools
git clone https://github.com/diafygi/letsencrypt-nosudo.git 
cd letsencrypt-nosudo/

Generate a user account key for Let’s Encrypt.

openssl genrsa 4096 > user.key
openssl rsa -in user.key -pubout > user.pub

Generate the domain key and a certificate request. Replace “example.com” with the domain you own.

For a single name such as subdomain.example.com, use:

openssl genrsa 4096 > domain.key
openssl req -new -sha256 -key domain.key -subj "/CN=example.com" > domain.csr

If you want the certificate to be valid for multiple subdomains, create a file named openssl-san.cfg and paste the following (replace the alt_names entries such as “mail.example.com” with the domain and subdomains you own):

[req]
default_bits = 2048
default_md   = sha256
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName          = Country Name (2 letter code)
stateOrProvinceName  = State or Province Name (full name)
localityName         = Locality Name (eg, city)
organizationName     = Organization Name (eg, company)
commonName           = Common Name (e.g. server FQDN or YOUR name)

[ req_ext ]

subjectAltName = @alt_names

[alt_names]
DNS.1        = test.example.com
DNS.2        = www.example.com
DNS.3        = mail.example.com
DNS.4        = ftp.example.com

and run:

openssl req -new -sha256 -key domain.key -subj "/O=My Company Name LTD./C=US" -config openssl-san.cfg > domain.csr

Create and install new certificate

Next, run the script with Python, passing in the path to your user account public key and the domain CSR.

python sign_csr.py -f --public-key user.pub domain.csr > signed.crt

When you run the script, it will ask you to run some manual commands. It has to ask you to do these because it doesn’t know your private key or have access to your server. You can edit the manual commands to fit your situation (e.g. if your sudo user is different or private key is in a different location). Open another terminal and follow the instructions.

At the final step the script will ask you to serve a file on each of your subdomains, and you need to create the folders and the requested file in the subdomain root folder.

For example, if you have the subdomain test.example.com with its root folder in /home/cpanel_user/test.example.com and the script asks you to serve, for example:

STEP 4: Please update your server to serve the following file at this URL:
--------------
URL: http://test.example.com/.well-known/acme-challenge/_bpFRhpfEVHktwEVdjmdCtVcF5MZ7qRvcn--uZwPKzM
File contents: "_bpFRhpfEVHktwEVdjmdCtVcF5MZ7qRvcn--uZwPKzM.Nh8mz3FnS03KxkGXN4_Cj9j9vcw4wXcZm0Z25CW6Ttw"
--------------

Notes:
- Do not include the quotes in the file.
- The file should be one line without any spaces.

Press Enter when you've got the file hosted on your server...

you need to create .well-known/acme-challenge/ in /home/cpanel_user/test.example.com and paste the file contents into a file named _bpFRhpfEVHktwEVdjmdCtVcF5MZ7qRvcn--uZwPKzM:

mkdir -p /home/cpanel_user/test.example.com/.well-known/acme-challenge/


echo "_bpFRhpfEVHktwEVdjmdCtVcF5MZ7qRvcn--uZwPKzM.Nh8mz3FnS03KxkGXN4_Cj9j9vcw4wXcZm0Z25CW6Ttw" > /home/cpanel_user/test.example.com/.well-known/acme-challenge/_bpFRhpfEVHktwEVdjmdCtVcF5MZ7qRvcn--uZwPKzM

After you have done this for all your subdomains, you can install the certificate in your Namecheap hosting cPanel. You can use this link for help.

  • Go to cpanel > Security > SSL/TLS and press on Manage SSL sites.
  • Select the domain on which you want to install the certificate, for example test.example.com
  • In Certificate: (CRT) paste the content of the recently created signed.crt
  • In Private Key (KEY) paste the content of domain.key
  • Press Autofill by Domain button, next to the domain selection drop-down.
  • Press Install certificate.

Congrats, you are now using a free Let’s Encrypt certificate on a Namecheap basic hosting server.
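
An added example, not part of the original gist or of letsencrypt-nosudo: a helper for the STEP 4 prompt that checks the pasted URL and file contents before writing the challenge file, then makes the file readable by the web server. The name `place_challenge` and the `$base/<hostname>` document-root layout are assumptions based on the paths used above.

```shell
#!/bin/sh
# Added example, not part of the gist or of letsencrypt-nosudo.
# place_challenge is a hypothetical helper; it assumes each host's document
# root is "$base/<hostname>", as in /home/cpanel_user/test.example.com.
place_challenge() {
    base=$1 url=$2 contents=$3

    # Split "http://host/.well-known/acme-challenge/token" into host and token.
    rest=${url#http://}
    host=${rest%%/*}
    token=${rest##*/}
    [ "$rest" = "$host/.well-known/acme-challenge/$token" ] ||
        { echo "unexpected URL: $url" >&2; return 1; }

    # Host and token become path components, so allow only safe characters.
    # This rejects "..", slashes and stray quotes from a bad paste.
    case $host in ''|.*|*[!A-Za-z0-9.-]*) echo "bad host" >&2; return 1 ;; esac
    case $token in ''|*[!A-Za-z0-9_-]*) echo "bad token" >&2; return 1 ;; esac

    # Contents must be "<token>.<thumbprint>": one line, no quotes, no spaces.
    thumb=${contents#"$token".}
    [ "$thumb" != "$contents" ] ||
        { echo "contents do not start with the token" >&2; return 1; }
    case $thumb in ''|*[!A-Za-z0-9_-]*) echo "bad contents" >&2; return 1 ;; esac

    [ -d "$base/$host" ] || { echo "no docroot: $base/$host" >&2; return 1; }
    dir=$base/$host/.well-known/acme-challenge
    mkdir -p "$dir" || return 1
    printf '%s\n' "$contents" > "$dir/$token" || return 1

    # With a restrictive umask the web server could not read the file.
    chmod 755 "$base/$host/.well-known" "$dir" || return 1
    chmod 644 "$dir/$token" || return 1

    # Read the file back, then print its path on success.
    [ "$(cat "$dir/$token")" = "$contents" ] && printf '%s\n' "$dir/$token"
}

# Usage, once per STEP 4 prompt (values are the sample ones shown above):
# place_challenge /home/cpanel_user \
#   "http://test.example.com/.well-known/acme-challenge/<token>" "<file contents>"
```

The function prints the path it wrote and returns non-zero without touching the file system when the pasted values do not have the expected shape.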

KerosenoDev commented Feb 14, 2018

Great, everything has come out. But after installing the certificate, it keeps saying it is not valid, maybe it takes a while to update the change?

EDIT: signed.crt is empty.

cccaballero commented Apr 11, 2018

Hi, I am not used to working with CPanel. Would it be possible to run a cron script to auto-renew the Let's Encrypt certificates, replacing them in the file system in some way? Because if you have a lot of subdomains (like me) it is really problematic to update the certs one by one from CPanel.

mutac commented Apr 17, 2018

Yes, you can do this from a cron job running on your host. As part of your job, the uapi tool can be used to install the updated certificates.

# As described above, generate requests, and run the ACME/letsencrypt stuff
# ...

# Install certificates and keys
crt=`cat mydomain.crt | python urlencode.py`
key=`cat my.signing.key | python urlencode.py`
uapi SSL install_ssl domain=mydomain.tld cert="$crt" key="$key"

crt=`cat myotherdomain.crt | python urlencode.py`
key=`cat my.signing.key | python urlencode.py`
uapi SSL install_ssl domain=myotherdomain.tld cert="$crt" key="$key"

uapi expects the key and cert to be url encoded, so you could use something like this to do that:

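import sys
try:
    from urllib.parse import quote_plus  # Python 3
except ImportError:
    from urllib import quote_plus  # Python 2

for line in sys.stdin:  # URL-encode the PEM read from stdin, line by line
    sys.stdout.write(quote_plus(line))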

cccaballero commented May 11, 2018

Thanks @mutac, I will give it a try. I hope that uapi is exposed to the shell.

amr3li commented Sep 13, 2018

This is working, Thank you

panfass commented Sep 27, 2018

That works for me too!
Hooray 👍 🥇

katchy3132 commented Nov 1, 2018

@mutac . thanks! works perfectly

katchy3132 commented Nov 1, 2018

anandumdas commented Dec 20, 2018

Now there is an easy way to configure a Let's Encrypt free SSL/TLS certificate with your WordPress blog hosted on Namecheap shared hosting. The procedure is the same for any other hosting plan which uses CPanel as the hosting dashboard.

This is achieved by a plugin named OSE Free SSL. The steps are as follows.

  1. Install OSE Free SSL plugin on your blog.
  2. Go to OSE Free SSL plugin, type your email address and generate the Certificate.
  3. The keys and crt ca bundle will be mailed to you. Download it to your machine.
  4. Log in to CPanel and go to SSL under the security category.
  5. Click on manage sites
  6. Copy paste the contents of Private key, Public Key and ca bundle.
  7. Click Install certificate

You are done!

Watch the video for more details.
https://youtu.be/TFM8hECnIPY

nirus commented Mar 25, 2019

A perfect solution to namecheap or any other hosting solution with SSH access ! - CloudLinux shell

It works flawlessly!

cyraid commented Oct 3, 2019

another option: acme.sh has a cPanel hook.
https://github.com/Neilpang/acme.sh/wiki/Simple-guide-to-add-TLS-cert-to-cpanel

Thank you @katchy3132 ! Other than a umask issue (because I have a specific umask), this worked pretty smoothly. Have a certificate now auto-renewing all using a very very simple process.

titoleru commented Dec 21, 2019

Hi everyone,

I am struggling with creating the certificate. In step 2, when following the console commands and opening a new terminal window, I keep getting these errors:

  • register_0Y25wv.json: No such file or directory
  • domain_mMOvO6.json: No such file or directory
  • ...

What am I missing? :(

subRobots commented Feb 9, 2020

Is this still a valid method to install let's encrypt on namecheap? Safe to try?
