Difference between revisions of "Let's Encrypt"

From HE FAQ
(New page)
 
(How can I tell if the installation was successful?)
 
(9 intermediate revisions by 2 users not shown)
Line 8: Line 8:
 
== How can I set up a Let's Encrypt certificate on my Hurricane Electric webhosting account? ==
 
== How can I set up a Let's Encrypt certificate on my Hurricane Electric webhosting account? ==
  
=== Step 1: Save your Certificate Signing Request ===
+
=== Part 1: Save your Certificate Signing Request ===
  
# Log in to https://admin.he.net
+
# Log in to your account at https://admin.he.net
# Under "Commands" at the bottom, click on "Manage Secure Certificates."  If this option is not there, your account is probably on a version 1 or version 2 server, which do not support certificates.  In this case, click on "Upgrade to New System" instead to read about moving the account to a version 3 server.
+
# Under "Commands" at the bottom, click on "Manage Secure Certificates."  If this option is not present, your account is probably on a version 1 or version 2 server, which does not support certificates.  In this case, click on "Upgrade to New System" instead for information about moving your account to a version 3 server.
 
# If the bottom of the "Manage Secure Certificates" page says "No generated CSR on file," click on the green "Generate" button to generate one.
 
# If the bottom of the "Manage Secure Certificates" page says "No generated CSR on file," click on the green "Generate" button to generate one.
# At the bottom of the screen, you should see a block of text between lines that read "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----".  Copy this entire block of text, including the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines.
+
# At the bottom of the screen, you should see a block of text between lines that read <code>-----BEGIN CERTIFICATE REQUEST-----</code> and <code>-----END CERTIFICATE REQUEST-----</code>.  Copy this entire block of text, including the <code>-----BEGIN CERTIFICATE REQUEST-----</code> and <code>-----END CERTIFICATE REQUEST-----</code> lines.
# Paste that text into a text editor (normally Notepad in Windows or TextEdit in OSX).  Save this as "www.example.com.csr" where "example.com" should be replaced by your actual domain name.  If your account's primary domain is a subdomain (e.g. "secure.example.com"), use that subdomain instead of "www" (e.g. "secure.example.com.csr").
+
# Paste that text into a text editor (ex: Notepad in Windows or TextEdit in macOS).  Save this as "www.example.com.csr" where "example.com" should be replaced by your actual domain name.  If your account's primary domain is a subdomain (e.g. "secure.example.com"), use that subdomain instead of "www" (e.g. "secure.example.com.csr").  The filename should always include either "www" or a subdomain.
# Using the general instructions for [[Uploading & Downloading Files]], create a folder in the root directory of your account named ".certs" (e.g. "/home/username/.certs").  Because this folder name starts with a dot, it may be hidden by default in your FTP client.  In this case, you will have to find an option named something like "View System/Hidden Files" and turn it on.
+
# Using the general instructions for [[Uploading & Downloading Files]], create a folder in the root directory of your account named <code>.certs</code> (e.g. <code>/home/username/.certs</code>).  Because this folder name starts with a dot, it may be hidden by default in your FTP client.  If so, you will have to find an option named similar to "View System/Hidden Files" and turn it on.
 
# Copy the CSR file into this new folder.
 
# Copy the CSR file into this new folder.
  
=== Step 2: Ensure a certificate is already installed on your account ===
+
=== Part 2: Make sure Let's Encrypt will be able to find the file it needs to validate your domain ===
  
If you already use an SSL/TLS certificate, great!  This step is done.  After you finish the rest of these instructions, your Let's Encrypt certificate will be installed automatically about a week before existing one is due to expireIf your certificate is already expired, your Let's Encrypt certificate will be installed the following morning, when the web server reloads.
+
In the certificate creation process, Let's Encrypt will connect to your website to view a temporary "challenge" file it needs to validate that your request was initiated by the actual account ownerThis file will be located in the <code>/.well-known/acme-challenge</code> directory on your site (e.g. "<nowiki>http://www.example.com/.well-known/acme-challenge/filename</nowiki>").
  
If not, click on "Step 2: Install Self Signed Certificate" on the Manage Secure Certificates page.  Click on the green "Install Now!" button.  After you finish the rest of these instructions, your Let's Encrypt certificate will be installed the following morning, when the web server reloads.
+
====No existing<code>.htaccess</code> files====
  
=== Step 3: Make sure Let's Encrypt will be able to find the file it needs to validate your domain ===
+
If you do not have any <code>.htaccess</code> files, you can move on to Part 3.
  
In the certificate creation process, Let's Encrypt will connect to your website to view a temporary "challenge" file it needs to validate that your request was initiated by the actual account owner.  This file will be located in the "/.well-known/acme-challenge" directory on your site (e.g. "<nowiki>http://www.example.com/.well-known/acme-challenge/filename</nowiki>").
+
====Existing<code>.htaccess</code> files====
  
If you have a directive in an .htaccess file that would cause requests to that location to be redirected, you'll need to write an exception.  Whoever created your .htaccess file should know how to do this, but if you try to install the Let's Encrypt certificate and it fails, please contact us for assistance.
+
If you do have a directive in an existing <code>.htaccess</code> file that would cause requests to that location to be prevented or redirected, you'll need to write an exception.  Edit the file <code>public_html/.htaccess</code> and include this line before any other <code>RewriteRule</code>:
 +
 
 +
RewriteRule ^.well-known/ - [L,NC]
 +
 
 +
If you have other complex rewrites, you may need to make other modifications.  If you try to install the Let's Encrypt certificate and it fails, please contact us for further assistance.
 +
 
 +
=== Part 3: Ensure a certificate is already installed on your account ===
 +
 
 +
If you are already using an SSL/TLS certificate, great!  This step is complete.  After finishing the rest of these instructions, your Let's Encrypt certificate will be installed automatically about a week before existing one is due to expire.  If your certificate is already expired, your Let's Encrypt certificate will be installed the following morning, when the web server reloads.
 +
 
 +
If you are not currently using a SSL/TLS certificate, click on "Step 2: Install Self Signed Certificate" on the Manage Secure Certificates page.  Click on the green "Install Now!" button.  After finishing the rest of these instructions, your Let's Encrypt certificate will be installed the following morning, when the web server reloads.
 +
 
 +
: '''Note:''' You will not be using the tab labeled "Step 3: Install SSL Certificate".  This is for certificates purchased from a certificate authority other than Let's Encrypt.
  
 
== What subdomains are the Let's Encrypt certificates good for? ==
 
== What subdomains are the Let's Encrypt certificates good for? ==
  
A Let's Encrypt certificate created by this system will be good for your main ("apex") domain and the "www" and "mail" subdomains, e.g. "example.com", "www.example.com", and "mail.example.com".
+
A Let's Encrypt certificate created by this system will be good for your main ("apex") domain and the "www" and "mail" subdomains, e.g. "example.com", "www.example.com", and "mail.example.com", as well as any subdomains which you have added as additional domains in admin.he.net.
 +
 
 +
== What if I have additional domains on this account? ==
 +
 
 +
This procedure will work for all of them, as long as DNS for the domain points to the IP address of the account.  You may need to check the <code>.htaccess</code> files in the folders of the additional domains, as per Part 2 above.
  
 
== How can I tell if the installation was successful? ==
 
== How can I tell if the installation was successful? ==
  
Visit your website using https:// instead of <nowiki>http://</nowiki>.  Depending on your web browser, you should see a green lock icon in the top left.  Clicking on this should give you an option to see the certificate details.  The "Issued By" section should show "Let's Encrypt."
+
Visit your website using https:// instead of <nowiki>http://</nowiki>.  Depending on your web browser, you may see a lock icon in the top left, or next to the site name in the location box.  Clicking on the lock icon should give you an option to see the certificate details.  The "Issued By" section should show "Let's Encrypt."
 +
 
 +
Please note that when you visit your site using <nowiki>https://</nowiki>, the files that will be served are the ones from the <code>secure_html</code> folder for your account, not the <code>public_html</code> folder.
  
Please note that when you visit your site using <nowiki>https://</nowiki>, the files that will be served are the ones saved in the secure_html folder in your account, not the public_html folder.
+
The file you uploaded will be renamed. "Installed" and a timestamp will be appended to the filename.  If the file is not renamed, or if it renamed to include something other than "Installed," please review the installation instructions and contact Hurricane Electric Support if necessary.
  
 
[[Category:Webhosting]]
 
[[Category:Webhosting]]
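
Review bot: In the added Part 2 text, the pattern in "RewriteRule ^.well-known/ - [L,NC]" leaves the leading dot unescaped, so it matches any character in that position rather than only a literal dot; write it as "^\.well-known/". In the same part, the new headings "====No existing<code>.htaccess</code> files====" and "====Existing<code>.htaccess</code> files====" have no space before <code>, so they render as "No existing.htaccess files" and "Existing.htaccess files". The Part 3 paragraph still reads "about a week before existing one is due to expire" (missing "the") and "a SSL/TLS certificate", and the last added paragraph reads "if it renamed" where "if it is renamed" is meant.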

Latest revision as of 10:00, 17 March 2019

This information only pertains to Hurricane Electric's Shared Web Hosting package. There may be different information in our other categories.


What is Let's Encrypt?

Let's Encrypt is a free certificate authority managed by the non-profit Internet Security Research Group. Website owners can use certificates created with Let's Encrypt to enable SSL/TLS for their websites and email at no additional cost.

How can I set up a Let's Encrypt certificate on my Hurricane Electric webhosting account?

Part 1: Save your Certificate Signing Request

  1. Log in to your account at https://admin.he.net
  2. Under "Commands" at the bottom, click on "Manage Secure Certificates." If this option is not present, your account is probably on a version 1 or version 2 server, which does not support certificates. In this case, click on "Upgrade to New System" instead for information about moving your account to a version 3 server.
  3. If the bottom of the "Manage Secure Certificates" page says "No generated CSR on file," click on the green "Generate" button to generate one.
  4. At the bottom of the screen, you should see a block of text between lines that read -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----. Copy this entire block of text, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
  5. Paste that text into a text editor (e.g. Notepad in Windows or TextEdit in macOS). Save this as "www.example.com.csr" where "example.com" should be replaced by your actual domain name. If your account's primary domain is a subdomain (e.g. "secure.example.com"), use that subdomain instead of "www" (e.g. "secure.example.com.csr"). The filename should always include either "www" or a subdomain.
  6. Using the general instructions for Uploading & Downloading Files, create a folder in the root directory of your account named .certs (e.g. /home/username/.certs). Because this folder name starts with a dot, it may be hidden by default in your FTP client. If so, you will have to find an option named similar to "View System/Hidden Files" and turn it on.
  7. Copy the CSR file into this new folder.

Part 2: Make sure Let's Encrypt will be able to find the file it needs to validate your domain

In the certificate creation process, Let's Encrypt will connect to your website to view a temporary "challenge" file it needs to validate that your request was initiated by the actual account owner. This file will be located in the /.well-known/acme-challenge directory on your site (e.g. "http://www.example.com/.well-known/acme-challenge/filename").

No existing .htaccess files

If you do not have any .htaccess files, you can move on to Part 3.

Existing .htaccess files

If you do have a directive in an existing .htaccess file that would cause requests to that location to be prevented or redirected, you'll need to write an exception. Edit the file public_html/.htaccess and include this line before any other RewriteRule:

RewriteRule ^.well-known/ - [L,NC]

If you have other complex rewrites, you may need to make other modifications. If you try to install the Let's Encrypt certificate and it fails, please contact us for further assistance.
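
The ordering requirement above can be checked before the certificate request runs. The following is an added example, not part of the original FAQ or Hurricane Electric's tooling: it approximates mod_rewrite with Python's re module, treats any rule preceded by a RewriteCond as only possibly applying, and uses hypothetical names (parse_rules, first_rule_hit) and constructed sample files.

```python
import re

ACME_PATH = ".well-known/acme-challenge/token"  # .htaccess patterns see no leading slash

def parse_rules(text):
    """Yield (line_no, pattern, substitution, flags, has_cond) per RewriteRule."""
    has_cond = False
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()
        if name == "rewritecond":
            has_cond = True          # conditions apply to the next RewriteRule
        elif name == "rewriterule" and len(parts) >= 3:
            flags = set(parts[3].strip("[]").upper().split(",")) if len(parts) > 3 else set()
            yield no, parts[1], parts[2], flags, has_cond
            has_cond = False

def first_rule_hit(text, path=ACME_PATH):
    """Return (verdict, line_no) for the first rule that decides the request."""
    for no, pattern, subst, flags, has_cond in parse_rules(text):
        negated = pattern.startswith("!")
        regex = re.compile(pattern[1:] if negated else pattern, re.I if "NC" in flags else 0)
        if bool(regex.search(path)) == negated:
            continue                 # pattern does not apply to this path
        maybe = "maybe-" if has_cond else ""
        if subst == "-":
            if flags & {"F", "G"}:
                return maybe + "blocked", no
            if flags & {"L", "END"} and not has_cond:
                return "exempt", no
            continue                 # pass-through; later rules still run
        return maybe + "rewritten", no
    return "untouched", None

# Constructed sample files (not from the page's author).
REDIRECT_FIRST = """RewriteEngine On
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
RewriteRule ^.well-known/ - [L,NC]
"""
EXEMPT_FIRST = """RewriteEngine On
RewriteRule ^.well-known/ - [L,NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
"""
DOTFILE_BLOCK = "RewriteRule (^|/)\\. - [F]\n"
if __name__ == "__main__":
    for sample in (REDIRECT_FIRST, EXEMPT_FIRST, DOTFILE_BLOCK):
        print(first_rule_hit(sample))
```

A verdict of "rewritten", "blocked" or a "maybe-" variant means the challenge request is decided by some other rule before the exception is reached, which is the case the paragraph above asks you to fix.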

Part 3: Ensure a certificate is already installed on your account

If you are already using an SSL/TLS certificate, great! This step is complete. After finishing the rest of these instructions, your Let's Encrypt certificate will be installed automatically about a week before the existing one is due to expire. If your certificate is already expired, your Let's Encrypt certificate will be installed the following morning, when the web server reloads.

If you are not currently using an SSL/TLS certificate, click on "Step 2: Install Self Signed Certificate" on the Manage Secure Certificates page. Click on the green "Install Now!" button. After finishing the rest of these instructions, your Let's Encrypt certificate will be installed the following morning, when the web server reloads.

Note: You will not be using the tab labeled "Step 3: Install SSL Certificate". This is for certificates purchased from a certificate authority other than Let's Encrypt.

What subdomains are the Let's Encrypt certificates good for?

A Let's Encrypt certificate created by this system will be good for your main ("apex") domain and the "www" and "mail" subdomains, e.g. "example.com", "www.example.com", and "mail.example.com", as well as any subdomains which you have added as additional domains in admin.he.net.

What if I have additional domains on this account?

This procedure will work for all of them, as long as DNS for the domain points to the IP address of the account. You may need to check the .htaccess files in the folders of the additional domains, as per Part 2 above.

How can I tell if the installation was successful?

Visit your website using https:// instead of http://. Depending on your web browser, you may see a lock icon in the top left, or next to the site name in the location box. Clicking on the lock icon should give you an option to see the certificate details. The "Issued By" section should show "Let's Encrypt."

Please note that when you visit your site using https://, the files that will be served are the ones from the secure_html folder for your account, not the public_html folder.

The file you uploaded will be renamed. "Installed" and a timestamp will be appended to the filename. If the file is not renamed, or if it is renamed to include something other than "Installed," please review the installation instructions and contact Hurricane Electric Support if necessary.
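
The browser check above, and the name coverage described under "What subdomains are the Let's Encrypt certificates good for?", can also be scripted. This is an added example, not part of the original FAQ: the function names and the sample certificate are constructed for illustration, and the certificate dict has the shape returned by Python's ssl.getpeercert().

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, timeout=10):
    """Return the validated peer certificate as an ssl.getpeercert() dict.

    Raises ssl.SSLCertVerificationError while the self-signed placeholder
    from Part 3 is still the installed certificate.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check_cert(cert, apex, now=None):
    """Compare a getpeercert() dict with what the FAQ says to expect."""
    now = time.time() if now is None else now
    issuer = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    sans = {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    expected = {apex, "www." + apex, "mail." + apex}
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "issued_by_lets_encrypt": issuer.get("organizationName") == "Let's Encrypt",
        "missing_names": sorted(expected - sans),
        "days_left": int((expires - now) // 86400),
    }

# Constructed sample certificate dict; "mail" is deliberately absent.
SAMPLE_CERT = {
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "Example Intermediate"),),
    ),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "notAfter": "Jun 24 12:00:00 2019 GMT",
}

if __name__ == "__main__":
    sample_now = ssl.cert_time_to_seconds("Jun 10 12:00:00 2019 GMT")
    print(check_cert(SAMPLE_CERT, "example.com", now=sample_now))
    # Against a live site: check_cert(fetch_cert("www.example.com"), "example.com")
```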