Enabling free SSL on Hostinger shared hosting

28 July 2016

When there is a will, there is a way!

Free SSL certificates, issued by Let’s Encrypt, have been around for quite a while. Enabling them on shared hosting is a problem, though, since users cannot run arbitrary executables there (or can run only a very limited set of commands).

I’ve been using the premium shared hosting service from IDHostinger for a few years now to host my personal website (kenrick95.org). From its name, I assume IDHostinger is affiliated with Hostinger, and I also assume other Hostinger services provide similar functionality. Here are the steps required to enable Let’s Encrypt SSL on IDHostinger shared hosting.

Requirements

  • SSH (full access; not web console)
  • “SSL” on Hostinger’s Control Panel

From what I know, on IDhostinger, one can use full access SSH by being subscribed to the premium or business-class shared hosting.

Generate SSL Certificate

So the first step is to generate an SSL certificate. To do so, one must connect to one’s server using SSH. Since I am on Windows, I used PuTTY.

After setting up SSH and authenticating, one is logged in to a remote terminal. We can run any Unix command, like ls (directory listing), mv (move file), mkdir (make directory), even nano (open the ‘nano’ editor). One thing that we can’t do: execute arbitrary executables.

After a few experiments, here are the steps required to generate an SSL certificate.

  1. Install acme-client + composer
    1. git clone https://github.com/kelunik/acme-client && cd acme-client
    2. php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
      php composer-setup.php
      php -r "unlink('composer-setup.php');"
    3. php composer.phar install
  2. Setup. The purpose of this command is for Let’s Encrypt to email you when your SSL certificate is about to expire.
    php bin/acme setup --server letsencrypt --email [your email]
  3. Request issuance of the certificate. Note that wildcard subdomains are not supported by Let’s Encrypt, so one should explicitly list all subdomains on which one wants to enable SSL.
    php bin/acme issue --domains [colon-separated domain names] --path [colon-separated full path to domain root]

    Example for enabling it on kenrick95.org, www.kenrick95.org, and blog.kenrick95.org:

    php bin/acme issue --domains kenrick95.org:www.kenrick95.org:blog.kenrick95.org --path /path/to/kenrick95.org:/path/to/www.kenrick95.org/:/path/to/plan.kenrick95.org

    One might see the following errors when running the script; if so, just re-run the script.

    1. exception 'Kelunik\Acme\AcmeException' with message 'Couldn't resolve the following domains to an IPv4 record: xxxxxxx, xxxxxx' in /home/xxxxxxxxxx/acme-client/src/Commands/Issue.php:197
    2. Challenge marked as invalid!
      exception 'Kelunik\Acme\AcmeException' with message 'Issuance failed, not all challenges could be solved.' in /home/xxxxxxxxxx/acme-client/src/Commands/Issue.php:104
    3. Could not obtain directory.
      exception 'Kelunik\Acme\AcmeException' with message 'Issuance failed, not all challenges could be solved.' in /home/xxxxxxxxxx/acme-client/src/Commands/Issue.php:104
  4. On successful issuance, there will be 4 files (3 certificate files and 1 private key file) generated in the folder specified in the output; navigate to that folder:
    cd [path to certificate output folder]
  5. Probably this step can be improved to be more secure, but basically this step is just downloading the certificate file and private key file
    1. cat fullchain.pem
    2. Select content (from the first “-----BEGIN CERTIFICATE-----” till the second “-----END CERTIFICATE-----”; inclusive of these words, note that there are two blocks of “begin certificate” and “end certificate”)
    3. Open a text editor (notepad), paste content, save as cert.txt
    4. cat key.pem
    5. Select content (from “-----BEGIN PRIVATE KEY-----” till “-----END PRIVATE KEY-----”)
    6. Open another notepad, paste content, save as key.txt; keep this key private!
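
A check for step 5 and the CRT/KEY paste that follows, as an added example that is not part of the original post: it confirms that the saved text holds both certificate blocks from fullchain.pem and one complete private key block, which is the mistake behind the “chain issues incomplete” report in the comments. The function names and the sample files (placeholder bodies, constructed for the demo) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check the saved text
# before it goes into the control panel's CRT and KEY fields.

# Count lines that are exactly the PEM boundary "-----<marker>-----".
count_marker() {    # $1 = file, $2 = marker such as "BEGIN CERTIFICATE"
    # tr drops the CRs that Windows editors such as Notepad add
    tr -d '\r' < "$1" | grep -c -x -F -e "-----$2-----" || true
}

# CRT field: both certificate blocks of fullchain.pem must be present.
# Returns 0 ok, 1 chain incomplete, 2 block cut off, 3 key pasted in.
check_crt() {
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "CRT: private key found in certificate file"; return 3
    fi
    begin=$(count_marker "$1" 'BEGIN CERTIFICATE')
    end=$(count_marker "$1" 'END CERTIFICATE')
    if [ "$begin" -ne "$end" ]; then
        echo "CRT: $begin BEGIN vs $end END lines, a block is cut off"; return 2
    fi
    if [ "$begin" -lt 2 ]; then
        echo "CRT: $begin certificate block(s), chain is incomplete"; return 1
    fi
    echo "CRT: ok, $begin certificate blocks"
}

# KEY field: exactly one complete private key block.
check_key() {
    begin=$(count_marker "$1" 'BEGIN PRIVATE KEY')
    end=$(count_marker "$1" 'END PRIVATE KEY')
    if [ "$begin" -ne 1 ] || [ "$end" -ne 1 ]; then
        echo "KEY: expected one complete private key block"; return 1
    fi
    echo "KEY: ok"
}

# Constructed sample input: placeholder bodies, not real certificates.
pem_block() { printf '%s\n' "-----BEGIN $1-----" 'CONSTRUCTED' "-----END $1-----"; }
demo=$(mktemp -d)
{ pem_block CERTIFICATE; pem_block CERTIFICATE; } > "$demo/cert.txt"
pem_block CERTIFICATE > "$demo/leaf-only.txt"   # only the first block copied
pem_block 'PRIVATE KEY' > "$demo/key.txt"
check_crt "$demo/cert.txt"
check_crt "$demo/leaf-only.txt" || true
check_key "$demo/key.txt"
```

On the server the same functions can be run against fullchain.pem and key.pem directly, since they only need grep and tr.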

Installing Certificates

Now that the certificates have been issued, let’s go to Hostinger’s cpanel to set up SSL. One should see an “SSL” option here to successfully install SSL.

  1. Select domain/subdomain to install SSL on
  2. At “CRT” field, paste content of cert.txt
  3. At “KEY” field, paste content of key.txt
  4. Leave “CABUNDLE” field blank
  5. Save

Repeat steps 1-5 for each domain/subdomain you set during the SSH session.

Update (2017-06-30): This process could be tedious, since you need to repeat for each domain/subdomain, so I wrote a userscript to automate this process: Read more here.

Please note that a Let’s Encrypt SSL certificate is only valid for 90 days, to ensure people renew their certificates often and to mitigate the impact of a stolen private key.

17 thoughts on “Enabling free SSL on Hostinger shared hosting”

  1. Ok ! Well !
    I should do this at the last command :
    php bin/acme issue --server letsencrypt --domains mydomain.me --path /home/u00000000/public_html
    Thanks !

  2. Awesome, thank you very much, after looking at several pages, this is the only method that worked for me, please leave it online, I will recommend it a lot, THANK YOU!!!

  3. Thank you very much, it helped me a lot, now my domain is https://myweb.com . The problem now is when I try to test my web through gtmetrix, it gives me this error: “Analysis Error

    The SSL certificate for this site is not trusted in all web browsers

    You may have an incorrectly installed SSL certificate. Check your SSL certificate at SSLShopper”

    Following the link it says: “The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate.”

    How could we solve this problem?

    Thank you very much!

  4. Hello! I am getting those error messages. Can you help me?
    selfVerify failed, please check http://domainname.com/.well-known/acme-challenge/d5nXc5EiZ4OL1md7E4CBwrHJnyquTgZ1fQwm84sF7y4.
    selfVerify failed, please check http://www.domainname.com/.well-known/acme-challenge/wx_7OBK7qSwA4uEZ_Gf_J3KlnGhXB4oOZENayUVN7R4.
    exception ‘Kelunik\Acme\AcmeException’ with message ‘Issuance failed, not all challenges could be solved.’ in /home/username/acme-client/src/Commands/Issue.php:106

    1. Hi there, failing this step means that you failed to prove that “domainname.com” is yours. The way to prove that “domainname.com” is yours is by the tool creating a text file in a certain folder “.well-known/acme-challenge” and Let’s Encrypt will try to read the content of the file through the Internet. In my experience, this step usually failed because of intermittent connectivity (so I will just retry the issuance command again). Other times, it could be that you have set up a “.htaccess” file in the “public_html” folder that redirects every attempt to read the specified file inside that “.well-known/acme-challenge” folder.

  5. Hello, when I generated using this method I got the error “chain issues incomplete” when testing using ssllabs. I saw other sites that also use letsencrypt on hostinger don’t have this problem. Do you know what I might have missed? I use it static [dot] zharasonline [dot] com. As a result the pictures I stored in the subdomain cannot be viewed on certain browsers.

    thanks!

    1. When you fill in the “CRT” field at Hostinger’s control panel, make sure you use the full content of the fullchain.pem file on your server (there are two occurrences of each BEGIN CERTIFICATE and END CERTIFICATE; I think if you copy-pasted only one of them, it will cause this issue). Let me know if it works. Thanks
