Let's Encrypt

From HE FAQ
Revision as of 16:37, 20 November 2018 by Blarsen (Talk | contribs)


This information only pertains to Hurricane Electric's Shared Web Hosting package. There may be different information in our other categories.


What is Let's Encrypt?

Let's Encrypt is a free certificate authority managed by the non-profit Internet Security Research Group. Website owners can use certificates created with Let's Encrypt to enable SSL/TLS for their websites and email at no additional cost.

How can I set up a Let's Encrypt certificate on my Hurricane Electric webhosting account?

Part 1: Save your Certificate Signing Request

  1. Log in to https://admin.he.net
  2. Under "Commands" at the bottom, click on "Manage Secure Certificates." If this option is not there, your account is probably on a version 1 or version 2 server, which do not support certificates. In this case, click on "Upgrade to New System" instead to read about moving the account to a version 3 server.
  3. If the bottom of the "Manage Secure Certificates" page says "No generated CSR on file," click on the green "Generate" button to generate one.
  4. At the bottom of the screen, you should see a block of text between lines that read "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----". Copy this entire block of text, including the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines.
  5. Paste that text into a text editor (normally Notepad in Windows or TextEdit in OS X). Save this as "www.example.com.csr" where "example.com" should be replaced by your actual domain name. If your account's primary domain is a subdomain (e.g. "secure.example.com"), use that subdomain instead of "www" (e.g. "secure.example.com.csr"). The filename should always include either "www" or a subdomain.
  6. Using the general instructions for Uploading & Downloading Files, create a folder in the root directory of your account named ".certs" (e.g. "/home/username/.certs"). Because this folder name starts with a dot, it may be hidden by default in your FTP client. In this case, you will have to find an option named something like "View System/Hidden Files" and turn it on.
  7. Copy the CSR file into this new folder.

Part 2: Make sure Let's Encrypt will be able to find the file it needs to validate your domain

In the certificate creation process, Let's Encrypt will connect to your website to view a temporary "challenge" file it needs to validate that your request was initiated by the actual account owner. This file will be located in the "/.well-known/acme-challenge" directory on your site (e.g. "http://www.example.com/.well-known/acme-challenge/filename").

If you do not have any directives in an .htaccess file that would prevent or redirect access to the "/.well-known/acme-challenge" directory on your site, you don't need to do anything for this step. Do not create any files or folders. Our script will do that for you.

If you do have a directive in an .htaccess file that would cause requests to that location to be prevented or redirected, you'll need to write an exception. Edit the file "public_html/.htaccess" to include this line at the bottom:

 RewriteRule ^\.well-known/ - [L,NC]

This may not work if you have other complex rewrites. Whoever created your .htaccess file should know how to write an appropriate directive in this case, but if you try to install the Let's Encrypt certificate and it fails, please contact us for assistance.
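The following is an added example, not part of Hurricane Electric's tooling: a simplified model of how the rules in an .htaccess file are tried in order against the challenge path, showing why the exception can fail to take effect when another rewrite matches first. It ignores RewriteCond and the rest of mod_rewrite's behavior, and the sample rule sets and token name are constructed.

```python
import re

# Per-directory (.htaccess) patterns see the path without a leading slash.
CHALLENGE_PATH = ".well-known/acme-challenge/test-token"  # constructed token name

# Constructed sample: a site-wide redirect sits above the exception.
REDIRECT_FIRST = "\n".join([
    "RewriteEngine On",
    r"RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]",
    r"RewriteRule ^\.well-known/ - [L,NC]",
])
# Constructed sample: the same rules with the exception above the redirect.
EXCEPTION_FIRST = "\n".join([
    "RewriteEngine On",
    r"RewriteRule ^\.well-known/ - [L,NC]",
    r"RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]",
])

def parse_rewrite_rules(text):
    """Return (line_no, pattern, substitution, flags) for each RewriteRule."""
    rules = []
    for no, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "rewriterule":
            flags = set()
            if len(parts) >= 4 and parts[3].startswith("["):
                flags = {f.strip().upper() for f in parts[3].strip("[]").split(",")}
            rules.append((no, parts[1], parts[2], flags))
    return rules

def first_match(text, path=CHALLENGE_PATH):
    """Find the first rule that matches the challenge path (RewriteCond ignored,
    so a conditional rule is reported as a possible match)."""
    for no, pattern, subst, flags in parse_rewrite_rules(text):
        negate = pattern.startswith("!")
        regex = pattern[1:] if negate else pattern
        hit = re.search(regex, path, re.IGNORECASE if "NC" in flags else 0)
        if (hit is not None) != negate:
            # "-" means leave the URL alone; R, F and G redirect or refuse it.
            blocked = subst != "-" or any(
                f in ("F", "G") or f.startswith("R") for f in flags)
            return no, "rewritten-or-blocked" if blocked else "pass-through"
    return None, "pass-through"

if __name__ == "__main__":
    for name, sample in (("redirect first", REDIRECT_FIRST),
                         ("exception first", EXCEPTION_FIRST)):
        print(name, first_match(sample))
```

A result of "rewritten-or-blocked" names the line to review before requesting the certificate.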

Part 3: Ensure a certificate is already installed on your account

If you already use an SSL/TLS certificate, great! This step is done. After you finish the rest of these instructions, your Let's Encrypt certificate will be installed automatically about a week before the existing one is due to expire. If your certificate is already expired, your Let's Encrypt certificate will be installed the following morning, when the web server reloads.

If not, click on "Step 2: Install Self Signed Certificate" on the Manage Secure Certificates page. Click on the green "Install Now!" button. After you finish the rest of these instructions, your Let's Encrypt certificate will be installed the following morning, when the web server reloads.

Note: You will not be using the tab in admin.he.net labeled "Step 3: Install SSL Certificate". This is for a certificate purchased from a certificate authority other than Let's Encrypt.

What subdomains are the Let's Encrypt certificates good for?

A Let's Encrypt certificate created by this system will be good for your main ("apex") domain and the "www" and "mail" subdomains, e.g. "example.com", "www.example.com", and "mail.example.com", as well as any subdomains which you have added as additional domains in admin.he.net.

What if I have additional domains on this account?

This procedure will work for all of them, as long as DNS for the domain points to the IP address of the account. You may need to check the .htaccess files in the folders of the additional domains, as per Part 2 above.

How can I tell if the installation was successful?

Visit your website using https:// instead of http://. Depending on your web browser, you should see a green lock icon in the top left. Clicking on this should give you an option to see the certificate details. The "Issued By" section should show "Let's Encrypt."

Please note that when you visit your site using https://, the files that will be served are the ones saved in the secure_html folder in your account, not the public_html folder.

Also, the file you uploaded will be renamed. "Installed" and a timestamp will be appended to the filename. If the file is not renamed, or if it is renamed to include something other than "Installed," please review the installation instructions and contact Hurricane Electric Support if necessary.
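The browser check above can also be scripted. This added example (not Hurricane Electric's code) inspects a certificate in the dictionary form returned by Python's `ssl` module and reports whether the issuer is Let's Encrypt and whether the apex, "www" and "mail" names are covered. The two sample certificates are constructed, and the contents of the self-signed placeholder from Part 3 are an assumption.

```python
import socket
import ssl

def fetch_cert(host, port=443):
    """Fetch the live certificate (needs network access). A self-signed
    certificate fails validation here with ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def issuer_org(cert):
    """Return the issuer's organizationName, or None if it has none."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def check_cert(cert, domain, extra=()):
    """List problems; `extra` holds subdomains added as additional domains."""
    problems = []
    org = issuer_org(cert)
    if org != "Let's Encrypt":
        problems.append(f"issuer is {org!r}, not Let's Encrypt")
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    for name in (domain, "www." + domain, "mail." + domain, *extra):
        if name.lower() not in sans:
            problems.append(f"{name} missing from certificate")
    return problems

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
LE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com"),
                       ("DNS", "mail.example.com")),
}
SELF_SIGNED = {  # assumed shape of a self-signed placeholder certificate
    "issuer": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}

if __name__ == "__main__":
    print(check_cert(LE_CERT, "example.com"))
    print(check_cert(SELF_SIGNED, "example.com"))
```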