Let's Encrypt
This information only pertains to Hurricane Electric's Shared Web Hosting package. There may be different information in our other categories.
What is Let's Encrypt?
Let's Encrypt is a free certificate authority managed by the non-profit Internet Security Research Group. Website owners can use certificates created with Let's Encrypt to enable SSL/TLS for their websites and email at no additional cost.
How can I set up a Let's Encrypt certificate on my Hurricane Electric webhosting account?
Step 1: Save your Certificate Signing Request
- Log in to https://admin.he.net
- Under "Commands" at the bottom, click on "Manage Secure Certificates." If this option is not there, your account is probably on a version 1 or version 2 server, which do not support certificates. In this case, click on "Upgrade to New System" instead to read about moving the account to a version 3 server.
- If the bottom of the "Manage Secure Certificates" page says "No generated CSR on file," click on the green "Generate" button to generate one.
- At the bottom of the screen, you should see a block of text between lines that read "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----". Copy this entire block of text, including the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines.
- Paste that text into a text editor (normally Notepad in Windows or TextEdit in OS X). Save this as "www.example.com.csr" where "example.com" should be replaced by your actual domain name. If your account's primary domain is a subdomain (e.g. "secure.example.com"), use that subdomain instead of "www" (e.g. "secure.example.com.csr"). The filename should always include either "www" or a subdomain.
- Using the general instructions for Uploading & Downloading Files, create a folder in the root directory of your account named ".certs" (e.g. "/home/username/.certs"). Because this folder name starts with a dot, it may be hidden by default in your FTP client. In this case, you will have to find an option named something like "View System/Hidden Files" and turn it on.
- Copy the CSR file into this new folder.
Step 2: Ensure a certificate is already installed on your account
If you already use an SSL/TLS certificate, great! This step is done. After you finish the rest of these instructions, your Let's Encrypt certificate will be installed automatically about a week before the existing one is due to expire. If your certificate is already expired, your Let's Encrypt certificate will be installed the following morning, when the web server reloads.
If not, click on "Step 2: Install Self Signed Certificate" on the Manage Secure Certificates page. Click on the green "Install Now!" button. After you finish the rest of these instructions, your Let's Encrypt certificate will be installed the following morning, when the web server reloads.
Step 3: Make sure Let's Encrypt will be able to find the file it needs to validate your domain
In the certificate creation process, Let's Encrypt will connect to your website to view a temporary "challenge" file it needs to validate that your request was initiated by the actual account owner. This file will be located in the "/.well-known/acme-challenge" directory on your site (e.g. "http://www.example.com/.well-known/acme-challenge/filename").
If you have a directive in an .htaccess file that would cause requests to that location to be redirected, you'll need to write an exception. Whoever created your .htaccess file should know how to do this, but if you try to install the Let's Encrypt certificate and it fails, please contact us for assistance.
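As an added illustration (not Hurricane Electric's own configuration), here is one way such an exception can look when the redirect is a mod_rewrite "force HTTPS" rule. The redirect rule shown is an assumed example of what an existing .htaccess might contain; only the "/.well-known/acme-challenge" path comes from the instructions above.

```apache
# .htaccess in the site's document root (assumes mod_rewrite is what
# performs the redirect; the redirect rule below is a constructed example).

RewriteEngine On

# --- Exception for Let's Encrypt validation -------------------------------
# In .htaccess context the pattern is matched against the path WITHOUT the
# leading slash. "-" means "do not rewrite", and [L] stops processing so
# the redirect rules further down never see challenge requests.
# This must appear BEFORE any rule that redirects.
RewriteRule ^\.well-known/acme-challenge/ - [L]

# --- Existing redirect (assumed example) ----------------------------------
# Without the exception above, this rule would also redirect the challenge
# request that Let's Encrypt makes to the site.
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

With the exception in place, a plain-HTTP request for a nonexistent name under "/.well-known/acme-challenge/" should return 404 rather than a 301 or 302. The exception is scoped to the challenge directory only, so every other URL is still redirected.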
- Note: You will not be using the tab in admin.he.net labeled "Step 3: Install SSL Certificate". This is for a certificate purchased from a certificate authority other than Let's Encrypt.
What subdomains are the Let's Encrypt certificates good for?
A Let's Encrypt certificate created by this system will be good for your main ("apex") domain and the "www" and "mail" subdomains, e.g. "example.com", "www.example.com", and "mail.example.com".
How can I tell if the installation was successful?
Visit your website using https:// instead of http://. Depending on your web browser, you should see a green lock icon in the top left. Clicking on this should give you an option to see the certificate details. The "Issued By" section should show "Let's Encrypt."
Please note that when you visit your site using https://, the files that will be served are the ones saved in the secure_html folder in your account, not the public_html folder.
Also, the file you uploaded will be renamed. "Installed" and a timestamp will be appended to the filename. If the file is not renamed, or if it is renamed to include something other than "Installed," please review the installation instructions and contact Hurricane Electric Support if necessary.