28 July 2016
When there is a will, there is a way!
Free SSL certificates issued by Let’s Encrypt have been around for quite a while. Enabling them on shared hosting is a problem, since users cannot run executables there (or can run only a very limited set of commands).
I’ve been using the premium shared hosting service from IDHostinger for a few years now to host my personal website (kenrick95.org). From its name, I assume IDHostinger is affiliated with Hostinger, and I also assume other Hostinger services provide similar functionality. Here are the steps required to enable Let’s Encrypt SSL on IDHostinger shared hosting.
- SSH (full access; not web console)
- “SSL” on Hostinger’s Control Panel
From what I know, on IDHostinger, one gets full-access SSH by subscribing to the premium or business-class shared hosting.
Generate SSL Certificate
So the first step is to generate an SSL certificate. To do so, one must connect to one’s server using SSH. Since I am on Windows, I used PuTTY.
After setting up SSH and authenticating, one is logged in to a remote terminal. We can run any Unix command, like ls (directory listing), mv (move file), mkdir (make directory), even nano (open the ‘nano’ editor). One thing that we can’t do: execute arbitrary executables.
After a few experiments, here are the steps required to generate an SSL certificate.
- Install acme-client + composer
git clone https://github.com/kelunik/acme-client && cd acme-client
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php composer-setup.php
php -r "unlink('composer-setup.php');"
php composer.phar install
- Setup. The purpose of this command is for Let’s Encrypt to email you when your SSL certificate is about to expire.
php bin/acme setup --server letsencrypt --email [your email]
- Request issuance of the certificate. Note that wildcard subdomains are not supported by Let’s Encrypt, so one should explicitly list every subdomain that one wants to enable SSL on.
php bin/acme issue --domains [colon-separated domain names] --path [colon-separated full path to domain root]
Example for enabling it on kenrick95.org, www.kenrick95.org, and blog.kenrick95.org:
php bin/acme issue --domains kenrick95.org:www.kenrick95.org:blog.kenrick95.org --path /path/to/kenrick95.org:/path/to/www.kenrick95.org/:/path/to/plan.kenrick95.org
One might see the following errors when running the script. If so, just re-run the script.
exception 'Kelunik\Acme\AcmeException' with message 'Couldn't resolve the following domains to an IPv4 record: xxxxxxx, xxxxxx' in /home/xxxxxxxxxx/acme-client/src/Commands/Issue.php:197
Challenge marked as invalid! exception 'Kelunik\Acme\AcmeException' with message 'Issuance failed, not all challenges could be solved.' in /home/xxxxxxxxxx/acme-client/src/Commands/Issue.php:104
Could not obtain directory. exception 'Kelunik\Acme\AcmeException' with message 'Issuance failed, not all challenges could be solved.' in /home/xxxxxxxxxx/acme-client/src/Commands/Issue.php:104
- On successful issuance, there will be 4 files (3 certificate files and 1 private key file) generated in the folder specified in the output; navigate to that folder
cd [path to certificate output folder]
- Probably this step can be improved to be more secure, but basically this step is just downloading the certificate file and private key file
- Select content (from the first “-----BEGIN CERTIFICATE-----” to the second “-----END CERTIFICATE-----”, inclusive of these markers; note that there are two blocks of “begin certificate” and “end certificate”)
- Open a text editor (notepad), paste content, save as cert.txt
- Select content (from “-----BEGIN PRIVATE KEY-----” to “-----END PRIVATE KEY-----”)
- Open another notepad, paste content, save as key.txt; keep this key private!
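Copying PEM text through a terminal window and Notepad can silently drop a line or turn the five hyphens into typographic dashes, so it is worth checking cert.txt and key.txt structurally before pasting them into the control panel. The following is an added example, not part of the original post or of acme-client; the function names are this example's own, and the sample blocks are constructed placeholders rather than real certificates or keys.

```python
import base64
import re

# One PEM block with ASCII five-dash armor and the same label at both ends.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
CRT_FIELD = ["CERTIFICATE", "CERTIFICATE"]   # cert.txt: two blocks, per the steps above
KEY_FIELD = ["PRIVATE KEY"]                  # key.txt: exactly one block

def der_is_sequence(der):
    """True if der is a single ASN.1 SEQUENCE whose length field covers all of it."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                        # short-form length
        return 2 + der[1] == len(der)
    n = der[1] & 0x7F                        # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def check_paste(text, expected):
    """Return a list of problems in text destined for the CRT or KEY field."""
    problems = []
    if "\u2014" in text or "\u2013" in text:
        problems.append("typographic dashes found; PEM armor needs five ASCII hyphens")
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    if labels != expected:
        problems.append("expected blocks %s, found %s" % (expected, labels))
    for label, body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(label + ": body is not valid base64")
            continue
        if not der_is_sequence(der):
            problems.append(label + ": truncated or damaged DER data")
    return problems

def fake_pem(label, payload_len):
    """Constructed sample: a DER SEQUENCE of zero bytes, not a real certificate or key."""
    der = b"\x30\x82" + payload_len.to_bytes(2, "big") + bytes(payload_len)
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

if __name__ == "__main__":
    cert_txt = fake_pem("CERTIFICATE", 300) + fake_pem("CERTIFICATE", 280)
    key_txt = fake_pem("PRIVATE KEY", 320)
    print(check_paste(cert_txt, CRT_FIELD))  # clean paste
    print(check_paste(key_txt, CRT_FIELD))   # private key pasted into the wrong field
```

An empty list only means the files are structurally intact; it does not show that the key belongs to the certificate or that the certificate covers the intended domains.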
Now that the certificates have been issued, let’s go to Hostinger’s cPanel to set up SSL. One should see an “SSL” option there, which is needed to install the certificate.
- Select domain/subdomain to install SSL on
- At “CRT” field, paste content of cert.txt
- At “KEY” field, paste content of key.txt
- Leave “CABUNDLE” field blank
Repeat steps 1-5 for every domain/subdomain you listed in the SSH console.
Update (2017-06-30): This process could be tedious, since you need to repeat for each domain/subdomain, so I wrote a userscript to automate this process: Read more here.
Please note that a Let’s Encrypt SSL certificate is only valid for 90 days, to ensure people renew their certificates often and also to mitigate the impact of a stolen private key.