Enabling free SSL on Hostinger shared hosting

Update 2023-09: It seems like Hostinger has rolled out free Let’s Encrypt SSL for all customers, even for the most basic hosting plan. This post was originally written in 2016 and kept as archive.

28 July 2016

When there is a will, there is a way!

Free SSL certificates, issued by Let’s Encrypt, have been around for quite a while. Enabling it on a shared hosting is an issue, since users cannot execute any executables (or very limited set of commands) on it.

I’ve been using premium shared hosting service from Hostinger Indonesia for few years now to host my personal website (kenrick95.org). Here are the steps required to enable Let’s Encrypt SSL on Hostinger shared hosting.

Requirements

  • SSH (full access; not web console)Capture-ssh.PNG
  • “SSL” on Hostinger’s Control PanelCapture-ssl.PNG

As per time of writing, one can only use this SSH access by being subscribed to the premium or business-class shared hosting.

Generate SSL Certificate

So the first step is to generate an SSL certificate. Doing so, one must connect to one’s server using SSH. Since I am on Windows, I utilized PUTTY.

After setting up SSH and done doing authentication, one is logged in to a remote terminal. We can do any Unix command, like ls (directory listing), mv (move file), mkdir (make director), even nano (open ‘nano’ editor). One thing that we can’t do: execute arbitrary executables.

After few experimentations, here are the steps required to generate a SSL certificate.

1. Install acme-client and composer

Install acme-client + composer.
Make sure you are outside public_html folder

git clone https://github.com/kelunik/acme-client
cd acme-client

php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php composer-setup.php
php -r "unlink('composer-setup.php');"

php composer.phar install

2. Setup

The purpose of this command is for Let’s Encrypt to email you when your SSL certificate is about to expire.

php bin/acme setup --server letsencrypt --agree-terms --email [your email]

3. Issue Certificate

Wildcard subdomains are supported by Let’s Encrypt but I’m not sure how to do so with this tool. So, I recommend to list down all the domain & subdomain names.

php bin/acme issue --domains [colon-separated domain names] --path [colon-separated full path to domain root]

For example, if I want to enable for kenrick95.org, www.kenrick95.org, and blog.kenrick95.org:

php bin/acme issue --domains kenrick95.org:www.kenrick95.org:blog.kenrick95.org --path /path/to/kenrick95.org:/path/to/www.kenrick95.org/:/path/to/plan.kenrick95

You may see a few errors when you run the script. If it’s related to “couldn’t resolve the following domains”, “challenge marked as invalid”, or “not all challenges could be solved”, just re-run the script.

When the issuance are successful, there would be 4 files generated at the folder shown in the output.

4. Download the Certificates

When you navigate to that folder, you can download the certificate file & private key file. Probably there are other more secure ways of doing this 😅

cd [path to certificate output folder]
Capture-success.PNG
cat fullchain.pem

Select content (from the first “—–BEGIN CERTIFICATE—–” till the second “—–END CERTIFICATE—–“; inclusive of these words, note that there are two block of “begin certificate” and “end certificate”)

Open a text editor (notepad), paste content, save as cert.txt

cat key.pem

Select content (from “—–BEGIN PRIVATE KEY—–” till “—–END PRIVATE KEY—–“)

Open another notepad, paste content, save as key.txt; keep this key private!

Installing Certificates

Now that the certificates have been issued, let’s go to Hostinger’s cpanel to setup SSL. You must have the “SSL” module here to successfully install SSL.

Capture-ssl fields.PNG
  1. Select domain/subdomain to install SSL on
  2. At “CRT” field, paste content of cert.txt
  3. At “KEY” field, paste content of key.txt
  4. Leave “CABUNDLE” field blank
  5. Save

Do this step 1-5 again for all domains/subdomains you set during the SSH console.

Please take note that Let’s Encrypt SSL certificate is only valid for 90 days to encourage people to renew their certificates frequently and also to mitigate impact of stolen private key.

22 thoughts on “Enabling free SSL on Hostinger shared hosting”

  1. Ok ! Well !
    I should do this at the last command :
    php bin/acme issue –server letsencrypt –domains mydomain.me –path /home/u00000000/public_html
    Thanks !

  2. Awesome, thank you very much after looking at several pages, this is the only method that worked for me, please leave it online, i will recomend it a lot, THANK YOU!!!

  3. Thank you very much, it helped me a lot, now my domain is https://myweb.com . The problem now is when I try to test my web throug gtmetrix, it gives me this error: “Analysis Error

    The SSL certificate for this site is not trusted in all web browsers

    You may have an incorrectly installed SSL certificate. Check your SSL certificate at SSLShopper”

    Following the link it says: “The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. “

    How could we solve this problem?

    Thank you very much!

  4. Alexander Benjamine

    Hello! I am getting those error messages. Can you help me?
    selfVerify failed, please check http://domainname.com/.well-known/acme-challenge/d5nXc5EiZ4OL1md7E4CBwrHJnyquTgZ1fQwm84sF7y4.
    selfVerify failed, please check http://www.domainname.com/.well-known/acme-challenge/wx_7OBK7qSwA4uEZ_Gf_J3KlnGhXB4oOZENayUVN7R4.
    exception ‘Kelunik\Acme\AcmeException’ with message ‘Issuance failed, not all challenges could be solved.’ in /home/username/acme-client/src/Commands/Issue.php:106

    1. Hi there, failing this step means that you failed to prove that “domainname.com” is yours. The way to prove that “domainname.com” is yours is by the tool creating a textfile a certain folder “.well-known/acme-challenge” and Let’s Encrypt will try to read the content of the file through Internet. In my experience, this step usually failed because of intermittent connectivity (so I will just retry the issuance command again). Other times, it could be that you have setup a “.htaccess” filed in the “public_html” folder that redirects every attempt to read the specified file inside that “.well-known/acme-challenge” folder.

  5. hello, when I generated using this method I got error “chain issues incomplete” when testing using ssllabs. I saw other site who also use letsencrypt on hostinger doesn’t have this problem. Do you know what I might have missed? I use it static [dot] zharasonline [dot] com. As a result the pictures I stored in the subdomain cannot be viewed on certain browser.

    thanks!

    1. When you fill in the “CRT” field at Hostinger’s control panel, make sure you use the full content of fullchain.pem file on your server (there are two occurrences of each BEGIN CERTIFICATE and END CERTIFICATE; I think if you only copy-pasted only one of them, it will cause this issue). Let me know if it works. Thanks

  6. Mohammed Emad Iqbal Ali

    Thank you so much, man! Hostinger should link their guide to install SSL to yours. I spent there so much time until I find you. You pretty much explained so clearly. Keep writing such tutorials.
    Cheers!

    1. You’re welcome! I’m grateful that it still works!

      They actually wrote their tutorial based on this one without linking back nor giving credit to me on their page.

  7. Hi. Thanks for your article. I was getting the incomplete certificate chain from SSL Labs similar to one of the commenters above but was able to resolve the issue by reinstalling the Let’s Encrypt certificate by pasting the entire fullchain.pem file into the CRT field, the private key to its field and leaving the CABUNDLE field blank according to your article. I had previously been using the CABUNDLE field according to some other directions.

    One note to others having this problem. I had to wait a bit after reinstalling the certificate for SSL Labs to report no problems. Seems like it takes a while for things to properly propogate.

  8. Hi,

    Thanks for the procedure!
    However 2 comments:

    1/ You need to update this line:
    “php bin/acme setup –server letsencrypt –email [your email]”

    You now need to add “–agree-terms” for the line to work.

    2/ I have a problem right after this step.
    Everything if working fine until Step 3.
    This command…
    “php bin/acme issue –domains mydomain.com:www.mydomain.com –path /home/u000000093/domains/mydomain.com/public_html:/home/u000000093/domains/mydomain.com/public_html –server letsencrypt”

    …generates this error message:
    “Amp\Parallel\Worker\TaskFailureException: Uncaught Amp\File\FilesystemException in worker with message “Failed to change owner for ‘/home/u000000093/acme-client/data/certs/acme-v02.api.letsencrypt.org.directory/mydomain.com/key.pem’: chown(): Operation not permitted” and code “0”; use Amp\Parallel\Worker\TaskFailure Exception::getOriginalTrace() for the stack trace in the worker in /home/u000000093/acme-client/vendor/amphp/parallel/lib/Worker/Internal/TaskFailure.php:63

    Next Amp\File\FilesystemException: The file operation failed in /home/u000000093/acme-client/vendor/amphp/file/src/Driver/ParallelDriver.php:132

    Next Kelunik\AcmeClient\Stores\KeyStoreException: Could not save key: The file operation failed in /home/u000000093/acme-client/src/Stores/KeyStore.php:54″

    It seems to be related to “Failed to change owner” for the ‘key.pem’ file. “Operation not permitted”.
    Of course, as I’m on a shared hosting, I can’t log on the “root” account.
    But I don’t think it is required as this procedure is supposed to work fine without.

    At last FYI, in the command processing log, before the error message we can see 2 times 3 certificates and at least a first “key.perm” file is generated. But the certificate it contains is none of the 3 we can see in the log.

    Any idea? :-/

    Thanks!

    1. Hi, I actually haven’t been using this method for some time. I’ll try it some time out soon and see if I could find workaround for this.

      Edit: I tried again, but couldn’t reproduce your issue. Hmm

  9. I tried this method, but Hostinger wrote: “SSL certificate and/or key is invalid for [domain name]”
    Then, instead of using ‘fullchain.pem’ like you say in the instructions, I tried to use ‘cert.pem’. This file worked!

Leave a Reply to KenrickCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.