Installing free Let’s Encrypt SSL certificates on webfaction in 3 easy steps

WARNING: High levels of NERD ahead.

I started using CloudFlare’s free tier on this blog, before Let’s Encrypt burst onto the scene, mostly for their universal SSL. However, as joepie91 recently pointed out, this means that by design, CloudFlare has to decrypt all SSL traffic, and then re-encrypt it to send it to your original site with its self-signed or generic certificate (in my case). Apart from this, CloudFlare is a bit of overkill for this low-traffic site.


Because I don’t need much of an excuse to try out something new, I used this as my excuse to try out Let’s Encrypt, a fantastic new(ish) service which issues free 90 day certificates to anyone who can verify their domains.

I was shocked with how easy this was on the webfaction shared (non root) hosting I’ve been using for years, and so I had to share.


Step 1: Install

These two steps are to be performed whilst SSH’d in to your web host.

First we install the wonderful by following the one-liner on its website:

curl | sh

At this junction, as they say, it’s best to log out and in again, so that the alias and environment variable can be set up.

Step 2: Issue shiny new SSL certificate

We then get to verify the website using the webroot method, and to request a certificate for the two domains and

--issue -d -d -w ~/webapps/wp

The argument following -w is the directory exposed by the website. Note that this is still http; Let’s Encrypt queries a special file left there by to confirm that you actually manage the specified domain.

After a few seconds of progress output, I was left with a shiny certificate (as well as the CSR, key, and so forth) in ~/

Step 3: Install shiny new SSL certificate

On Webfaction, one has to file a support ticket for this. My request was formulated thusly, and was correctly acted upon in about 5 minutes:

Could you please install the following SSL certificate for the website cpbotha_SSL – reachable at

  • cert is in /home/cpbotha/
  • key is in /home/cpbotha/
  • intermediate CA cert is in /home/cpbotha/
  • full chain certs is there: /home/cpbotha/


Update on 2016-10-25

It is now possible to install the new certs all by yourself using the webfaction panel or the API! Read the announcement blog post for more information.

Bonus level: In 90 – k days, simply re-run

At any point, you can request certificates for any other domains that you may be hosting on your webfaction.

At regular intervals, or in slightly fewer than 90 days, simply run: --renewAll

To have renew any of your certificates that are up for renewal. Just remember to create a new support ticket to have the renewed certificates installed for the relevant domains.

cronjob

Unbeknownst to me (I should have read the docs) had cleverly installed a user cronjob to check for renewals. When I attempted to renew two of my certs, I saw that it had already done so automatically, so I only had to install the updated versions.

Boss level: htaccess-based redirect from HTTP to HTTPS

Now that I have my SSL setup, I would prefer for users who go to the HTTP site to be 301 forwarded to the HTTPS version. On Webfaction, I can do that with the following addition to the site .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
# we're behind nginx ssl proxy, hence the non-standard check for no-SSL:
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

Important: webfaction is using nginx as their SSL frontend, so we check for the X-Forwarded-SSL header.
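
A variant of the rule above that exempts the webroot challenge path from the redirect, so the validation file written under the -w directory stays reachable over plain HTTP. This is an added example, not part of the original post; it assumes the same X-Forwarded-SSL setup and uses the /.well-known/acme-challenge/ path that a reader comment below reports returning a 404 with the redirect in place.

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
# Leave the ACME HTTP-01 challenge path on plain HTTP, so that the CA can
# fetch the token file the webroot method places in the -w directory.
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
# Behind the nginx SSL proxy: redirect only requests that did not arrive over SSL.
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
```

After deploying it, a test file placed under .well-known/acme-challenge/ should be served directly over HTTP, while every other HTTP URL should still answer with the 301.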

20 thoughts on “Installing free Let’s Encrypt SSL certificates on webfaction in 3 easy steps”

  1. Cool,
    but it’s recommended to use the “--installcert” command to install the certs to your apache server.

    So that, when the cert is renewed automatically, the apache server can be reloaded.

    1. Thank you very much for stopping by, and thank you the most for making!

      On webfaction shared hosting we can’t use installcert, because we don’t have access to the apache or the nginx config (which webfaction uses as frontend). SSL certificate installation can only be done by webfaction admins, and hence has to be requested via support.

      1. I’m not familiar with webfaction at all.
        But, if there is an api in webfaction, by which you can install cert to your web hosting, it will be good to use that api, and write it as a `` script, then use `--installcert --reloadcmd “./” `

        When the cert is renewed, the cert can be installed automatically. Otherwise, you will need to manually install it every 90 days. Which would be annoying.

        On the other hand, to get rid of the 90 days annoying problem, you can use my another project:, which can issue free certificate from startcom, each cert has 1 year time.

        You just need to install the cert every 1 year.

        1. Thank you for all the tips!

          I just checked again, it still looks like webfaction does not yet support any other means of installing the new certificate, other than opening a support ticket.

          makes it so easy to renew, I’m happy to set a reminder in my todoist for when I need to do that. :)

    1. The second sentence of this blog post is “However, as joepie91 recently pointed out…” with a link to that post.

      I’ll let this one slide, because you’re on vacation. :P

      1. Oops. Who reads introductions? :)

        Siteground allows installing letsencrypt from their Web backend. I tried it, was 2 simple button clicks, this explains why. In the end switched to their 1 year free ssl option on (for Lisette) just because I’m Dutch and I felt like I did pay for it somewhere (nothing is -just- free). Next year will definitely be LetsEncrypt again.

  2. Thanks for the handy guide!

    Question: if I need to revoke the SSL certificate when moving a site to a different host/server, how do I do that?… or, should I not worry and simply install a new certificate on the new host/server?

      1. So, I googled a bit. It seems like leaving the old certificate in the old server shouldn’t be a problem:

        And simply removing the certificate-related files and folders will prevent auto-renewal.

        There’s also an indication that a new certificate can be generated on the new server without revoking or deleting the certificate in the old server…

  3. I got this problem.

    Any help? Or anybody willing to do this for me for a fee – I am trying to move away from shopify to wordpress, but getting an ssl up to use with woocommerce is proving to be a lot more difficult than I thought!

    curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    More details here:

    curl performs SSL certificate verification by default, using a “bundle”
    of Certificate Authority (CA) public keys (CA certs). The default
    bundle is named curl-ca-bundle.crt; you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
    If you’d like to turn off curl’s verification of the certificate, use
    the -k (or --insecure) option.

    1. It’s a neat Python script he posts that will replace the cron job that runs to check for renewal. His replacement script runs, and if there is a new certificate automatically installs it via the webfaction API.

      However, this only happens for one specific site.

      My advice would be to log a webfaction ticket to ask them if they have any mechanisms for the automatic installation of multiple certificates. If they don’t, you could try to modify (or get someone else to do so) the Python script to loop through all of your sites as itself already does during renewal.

  4. Webfaction’s support for Let’s Encrypt is messy and time consuming, which is why I’m seriously considering moving away from them. Instead of automating certs via the Webfaction CP to the point where we just have to click a few buttons, we’re spending lots of time maintaining cert deployment by hand. Also, the damn thing is so fragile too. Like how the cronjob doesn’t update the certs (discovered when Chrome puked up a cert warning and prevented users from reaching the site).

    If I can install WordPress with the click of a button, why can’t I do the same with certs? Why do I have to spend so much time on menial crap like this when I got real work to do.

    1. YES! Amen brother. WebFaction needs to step up their game and make auto renewal of Let’s Encrypt a transparent process. I don’t even want to think about pushing buttons. Just do it for me. (smh)

  5. I deeply appreciate this tutorial, but I would also strongly recommend you move the “UPDATE” bits to the top of the post for those of us who are coming back here every 90 days, step through the beginning, and then realize we’ve mucked the whole thing up when we could have just renewed them with one command.

  6. Thanks so much for the wonderful tutorial.

    I realized in my most recent cycle that failed to automatically issue new certificates. I was also unable to issue new certificates manually. I traced the error to the .htaccess redirect rule you provided: removing the .htaccess file fixed the problem. Similarly, I created a test file in the acme-challenge folder, simply named “test,” and tried to access http://mydomain/.well-known/acme-challenge/test before and after removing .htaccess. This resulted in a 404 error before removing .htaccess, but success after removing .htaccess.

    So, my question is: how do I keep the .htaccess file? I’m not sure why this problem has suddenly occurred, because I’ve gone through several update cycles without the problem occurring. I can’t recall changing anything to my WebFaction setup in the meantime.
