Installing free Let’s Encrypt SSL certificates on webfaction in 3 easy steps

WARNING: High levels of NERD ahead.

I started using CloudFlare’s free tier on this blog, before Let’s Encrypt burst onto the scene, mostly for their universal SSL. However, as joepie91 recently pointed out, this means that by design, CloudFlare has to decrypt all SSL traffic, and then re-encrypt it to send it to your original site with its self-signed or generic certificate (in my case). Apart from this, CloudFlare is a bit of overkill for this low-traffic site.


Because I don’t need much of an excuse to try out something new, I used this as my excuse to try out Let’s Encrypt, a fantastic new(ish) service which issues free 90 day certificates to anyone who can verify their domains.

I was shocked with how easy this was on the webfaction shared (non root) hosting I’ve been using for years, and so I had to share.

WITNESS THE GREAT EASINESS:

Step 1: Install acme.sh

Steps 1 and 2 are to be performed whilst SSH’d in to your web host.

First we install the wonderful acme.sh by following the one-liner on its website:

curl https://get.acme.sh | sh

At this juncture, as they say, it’s best to log out and in again, so that the acme.sh alias and environment variable can be set up.

Step 2: Issue shiny new SSL certificate

We then get acme.sh to verify the website using the webroot method, and to request a certificate for the two domains cpbotha.net and www.cpbotha.net:

acme.sh --issue -d cpbotha.net -d www.cpbotha.net -w ~/webapps/wp

The argument following -w is the directory exposed by the website http://cpbotha.net/. Note that this is still http; Let’s Encrypt queries a special file left there by acme.sh to confirm that you actually manage the specified domain.

After a few seconds of progress output, I was left with a shiny certificate (as well as the CSR, key, and so forth) in ~/.acme.sh/cpbotha.net/.
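The "special file" in step 2 is the HTTP-01 key authorization: the challenge token joined with a "." to the RFC 7638 thumbprint of your ACME account key. The Python below is an added example of what a webroot client drops under the -w directory and what the CA checks when it fetches it; it is not acme.sh’s code or the original post’s, and the JWK, token and webroot are constructed placeholders, not real values.

```python
import base64
import hashlib
import json
import os
import tempfile

SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}  # constructed, not a real key
SAMPLE_TOKEN = "constructed-token-AbC123"  # constructed, not a real ACME token

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required JWK members only, sorted, as unpadded base64url."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects to fetch from http://<domain>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def challenge_path(webroot: str, token: str) -> str:
    return os.path.join(webroot, ".well-known", "acme-challenge", token)

def write_challenge(webroot: str, token: str, jwk: dict) -> str:
    """What the client does with -w <webroot>: drop the key authorization into the webroot."""
    path = challenge_path(webroot, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as f:
        f.write(key_authorization(token, jwk))
    return path

def verify_challenge(webroot: str, token: str, jwk: dict) -> bool:
    """CA-side check: the body must equal the key authorization; only trailing whitespace is tolerated."""
    try:
        with open(challenge_path(webroot, token), encoding="ascii") as f:
            body = f.read()
    except (OSError, UnicodeDecodeError):
        return False
    return body.rstrip() == key_authorization(token, jwk)

def demo() -> tuple:
    """Round trip in a throwaway webroot; returns (valid, wrong_token, tampered)."""
    with tempfile.TemporaryDirectory() as webroot:
        path = write_challenge(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        valid = verify_challenge(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
        wrong_token = verify_challenge(webroot, "another-token", SAMPLE_JWK)
        with open(path, "a", encoding="ascii") as f:
            f.write("<!-- injected by a misbehaving rewrite -->")  # corrupt the body
        tampered = verify_challenge(webroot, SAMPLE_TOKEN, SAMPLE_JWK)
    return valid, wrong_token, tampered
```

The tampered case is the failure you get when something between the webroot and the CA (a CMS catch-all rule, a caching proxy) alters the response body: the CA compares the content, not merely whether the file exists.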

Step 3: Install shiny new SSL certificate

On Webfaction, one has to file a support ticket for this. My request was formulated thusly, and was correctly acted upon in about 5 minutes:

Could you please install the following SSL certificate for the website cpbotha_SSL – reachable at https://cpbotha.net/:

  • cert is in /home/cpbotha/.acme.sh/cpbotha.net/cpbotha.net.cer
  • key is in /home/cpbotha/.acme.sh/cpbotha.net/cpbotha.net.key
  • intermediate CA cert is in /home/cpbotha/.acme.sh/cpbotha.net/ca.cer
  • full chain cert is there: /home/cpbotha/.acme.sh/cpbotha.net/fullchain.cer

Thanks!

Update on 2016-10-25

It is now possible to install the new certs all by yourself using the webfaction panel or the API! Read the announcement blog post for more information.

Bonus level: In 90 – k days, simply re-run acme.sh

At any point, you can request certificates for any other domains that you may be hosting on your webfaction.

At regular intervals, or in slightly fewer than 90 days, simply run:

acme.sh --renewAll

to have acme.sh renew any of your certificates that are up for renewal. Just remember to create a new support ticket to have the renewed certificates installed for the relevant domains.

acme.sh cronjob

Unbeknownst to me (I should have read the docs), acme.sh had cleverly installed a user cronjob to check for renewals. When I attempted to renew two of my certs, I saw that it had already done so automatically, so I only had to install the updated versions.

Boss level: htaccess-based redirect from HTTP to HTTPS

Now that I have my SSL set up, I would prefer users who go to the HTTP site to be 301-redirected to the HTTPS version. On Webfaction, I can do that with the following addition to the site .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
# we're behind nginx ssl proxy, hence the non-standard check for no-SSL:
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

Important: webfaction is using nginx as their SSL frontend, so we check for the X-Forwarded-SSL header.

16 thoughts on “Installing free Let’s Encrypt SSL certificates on webfaction in 3 easy steps”

  1. Cool,
    but it’s recommended to use the “acme.sh --installcert” command to install the certs to your apache server.

    So that, when the cert is renewed automatically, the apache server can be reloaded.

    1. Thank you very much for stopping by, and thank you the most for making acme.sh!

      On webfaction shared hosting we can’t use installcert, because we don’t have access to the apache or the nginx config (which webfaction uses as frontend). SSL certificate installation can only be done by webfaction admins, and hence has to be requested via support.

      1. I’m not familiar with webfaction at all.
        But, if there is an api in webfaction by which you can install a cert to your web hosting, it will be good to use that api: write it as a `reload.sh` script, then use `--installcert --reloadcmd "./reload.sh"`.

        When the cert is renewed, the cert can be installed automatically. Otherwise, you will need to manually install it every 90 days, which would be annoying.

        On the other hand, to get rid of the annoying 90 days problem, you can use another project of mine:
        https://startapi.sh, which can issue free certificates from StartCom; each cert is valid for 1 year.

        You just need to install the cert every 1 year.

        1. Thank you for all the tips!

          I just checked again, it still looks like webfaction does not yet support any other means of installing the new certificate, other than opening a support ticket.

          acme.sh makes it so easy to renew, I’m happy to set a reminder in my todoist for when I need to do that. :)

    1. The second sentence of this blog post is “However, as joepie91 recently pointed out…” with a link to that post.

      I’ll let this one slide, because you’re on vacation. :P

      1. Oops. Who reads introductions? :)

        Siteground allows installing letsencrypt from their Web backend. I tried it; it was 2 simple button clicks, and this explains why. In the end I switched to their 1 year free ssl option on foxandflamingo.nl (for Lisette) just because I’m Dutch and I felt like I did pay for it somewhere (nothing is -just- free). Next year will definitely be LetsEncrypt again.

  2. Thanks for the handy guide!

    Question: if I need to revoke the SSL certificate when moving a site to a different host/server, how do I do that?… or, should I not worry and simply install a new certificate on the new host/server?

      1. So, I googled a bit. It seems like leaving the old certificate in the old server shouldn’t be a problem:

        https://community.letsencrypt.org/t/server-migration-no-ftp-access-do-i-revoke-the-certificate/19283/17

        http://www.jeffgeerling.com/blog/2016/remove-single-certbot-letsencrypt-certificate-server

        And simply removing the certificate-related files and folders will prevent auto-renewal.

        There’s also an indication that a new certificate can be generated on the new server without revoking or deleting the certificate in the old server…

  3. I got this problem.

    Any help? Or anybody willing to do this for me for a fee – I am trying to move away from shopify to wordpress, but getting an ssl up to use with woocommerce is proving to be a lot more difficult than i thought!

    curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a “bundle”
    of Certificate Authority (CA) public keys (CA certs). The default
    bundle is named curl-ca-bundle.crt; you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
    If you’d like to turn off curl’s verification of the certificate, use
    the -k (or --insecure) option.

    1. It’s a neat Python script he posts that will replace the acme.sh cron job that runs to check for renewal. His replacement script runs acme.sh, and if there is a new certificate automatically installs it via the webfaction API.

      However, this only happens for one specific site.

      My advice would be to log a webfaction ticket to ask them if they have any mechanisms for the automatic installation of multiple certificates. If they don’t, you could try to modify (or get someone else to do so) the Python script to loop through all of your sites as acme.sh itself already does during renewal.
