Install a Let's Encrypt SSL


  • Applies to: Grid
    • Difficulty: Medium
    • Time Needed: 20
    • Tools Required: SSH access and AccountCenter access
  • Applies to: DV
    • Difficulty: Easy
    • Time Needed: 15
    • Tools Required: Admin/Root Access

Overview

This article shows you how to install and configure a Let's Encrypt SSL certificate on your Media Temple Grid. Let's Encrypt is an open SSL Certificate Authority (CA) that's maintained by the Internet Security Research Group (ISRG). One of their goals is to make the internet more secure by increasing the availability of SSL certificates. While a Let's Encrypt SSL is only valid for 90 days and requires much more effort than an (mt) SSL to install, Let's Encrypt SSLs are completely free and as secure as any other SSL certificate. For more information, visit Let's Encrypt's Web site.

This information is provided as a courtesy. Media Temple does not support 3rd party products and services in any capacity beyond what is written here. Please see our statement of support for more info.

Interested in automated Let's Encrypt SSLs?
Add your site to (mt) Security and get automated renewal AND install for Let's Encrypt. For information on that service, feel free to check out our website here.

Requirements

Before you start, you should have handy or be familiar with:

Important specifics to be aware of:

  • Due to the way the Let's Encrypt client functions and the restrictions on the Grid, these steps only generate an SSL for either domain.com or www.domain.com. A much more complex method is required to generate a CSR that can be used to create an SSL for both www and non-www. That is outside the scope of this guide and will not be covered here.
  • Let's Encrypt SSLs are only valid for 90 days. They may be renewed prior to their expiration date by following the instructions in this article.
  • Wildcard SSLs are currently possible with Let's Encrypt. From Let's Encrypt's FAQ page: "Yes. Wildcard issuance must be done via ACMEv2 using the DNS-01 challenge. See this post for more technical information."
  • Because the Let's Encrypt client requires increased privileges (sudo or root) to run, it cannot be run directly on the Grid due to its shared nature. Instead, these are instructions for generating a CSR and then using a 3rd party website (https://gethttpsforfree.com/) for verification of ownership of the domain or server, as well as to contact the Let's Encrypt server to generate the SSL certificate and CA Chain.
  • This site (gethttpsforfree.com) is a PHP page that was created by a 3rd party to run the necessary Let's Encrypt service on their server. The site generates the necessary files and then connects to Let's Encrypt's server to get the SSL issued. Because the site does not ask for your Private Key, and because Let's Encrypt SSL generation must be done through Let's Encrypt's own servers, this site is safe to use.

Before Starting

  1. Generate a Certificate Signing Request (CSR).
  2. Open a web browser and go to https://gethttpsforfree.com.
  3. Connect to your server using SSH. 

Instructions

Step 1

a) Input an email address in Account Email
b) Click on "how do I generate this?" and SSH commands should appear.

c) Enter the first command on your server using SSH. The output should be similar to the following.

d) Enter the second command. The output should be your Public Key.

e) Copy/paste the Public Key into the field provided. Then click Validate Account Info to proceed to the next step.

Step 2

a) Copy/paste your CSR into the appropriate field. Then click Validate CSR to proceed to Step 3.

Step 3

a) Enter the whole command "PRIVKEY./account.key...." into your SSH terminal.

b) The output should look similar to the following.

c) Copy/paste the output starting at "(stdin)..." into the appropriate field. Then click Accept Terms.

d) Repeat similar steps for the "Update your account email" and "Create your certificate order" sections.
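
The point made under Requirements, that the site never needs your private key, can be checked against what Steps 1 and 3 produce. The script below is an added example, not code from gethttpsforfree or Media Temple; the throwaway key, the payload string and the function names are assumptions for illustration, and the exact commands the site shows may differ.

```shell
#!/bin/sh
# Added example: what leaves the server in Steps 1 and 3.
# Key location, payload and function names are constructed for illustration.

# Create the account key readable by its owner only; print its path.
make_account_key() {
    dir=$1; bits=${2:-4096}
    ( umask 077; openssl genrsa -out "$dir/account.key" "$bits" 2>/dev/null )
    echo "$dir/account.key"
}

# Public half only: the kind of text pasted into the form in Step 1.
public_key() {
    openssl rsa -in "$1" -pubout 2>/dev/null
}

# Sign a payload locally; only this hex signature is pasted back (Step 3).
sign_payload() {
    printf '%s' "$2" | openssl dgst -sha256 -hex -sign "$1"
}

# Return 0 when the text contains no private-key PEM block.
safe_to_paste() {
    ! printf '%s\n' "$1" | grep -q 'PRIVATE KEY'
}

# Check a signature using the public key alone, as the remote side must.
verifies_with_public_key() {
    key=$1; payload=$2; work=$(mktemp -d)
    public_key "$key" > "$work/pub.pem"
    printf '%s' "$payload" | openssl dgst -sha256 -sign "$key" -out "$work/sig.bin"
    printf '%s' "$payload" |
        openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/sig.bin" >/dev/null 2>&1
    rc=$?; rm -rf "$work"; return $rc
}

# Demo with a throwaway 2048-bit key (smaller only to keep the demo quick).
demo=$(mktemp -d)
demo_key=$(make_account_key "$demo" 2048)
safe_to_paste "$(public_key "$demo_key")" && echo "public key: fine to paste"
safe_to_paste "$(sign_payload "$demo_key" 'constructed-payload')" && echo "signature: fine to paste"
safe_to_paste "$(cat "$demo_key")" || echo "account.key: keep on the server"
verifies_with_public_key "$demo_key" 'constructed-payload' && echo "signature verifies"
rm -rf "$demo"
```

If anything you are about to paste into a web form fails the safe_to_paste check, stop: the account key and the domain's private key never need to leave the server.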

Step 4

a) Select "Option 2 - file based".
b) Access your domain's files using File Manager, FTP, or SSH.
c) Create the file path example.com/html/.well-known/acme-challenge/FILENAME, replacing example.com with your actual domain name and FILENAME with the unique file name given to you by gethttpsforfree.

d) Copy/paste the text from "Serve this content" into your file. In this example we used the File Manager.

e) Click on "I'm now serving this file on example.com".
f) Under "Sign challenge command" and "Finalize order and generate certificate", perform commands/actions similar to those done in Step 3.

Step 5

a) If Steps 1-4 were done correctly and promptly, you should now have a Certificate and Chain in the "Install Certificate" box.

b) The Certificate and Chain can be copied from the site and installed to your server through the Account Center. If you need help, additional instructions on installing a certificate can be found here.

Additionally, should you wish to have customers automatically pushed to the https:// version of your site, where your SSL is located, you will need to add a redirect or an .htaccess rewrite rule.

As a reminder, the SSLs issued by Let's Encrypt are only valid for 90 days by design, so they must be renewed by following these steps again before the expiration date. As always, if you have any questions or concerns, please feel free to contact our award winning 24/7 support team.

Resources

Let's Encrypt website
Connecting via SSH
Generating a CSR
Using the Grid File Manager

 

Overview

This article shows you how to install and configure a Let's Encrypt SSL certificate on your Media Temple VPS. Let's Encrypt is an open SSL Certificate Authority (CA) that's maintained by the Internet Security Research Group (ISRG). One of their goals is to make the internet more secure by increasing the availability of SSL certificates. While a Let's Encrypt SSL is only valid for 90 days and requires much more effort than a Media Temple SSL to install, Let's Encrypt SSLs are completely free and as secure as any other SSL certificate. For more information, visit Let's Encrypt's Web site.


Important specifics to be aware of:
  • Let's Encrypt SSLs are only valid for 90 days. They may be renewed prior to their expiration date by following the instructions in this article.
  • Wildcard SSLs are currently possible with Let's Encrypt. From Let's Encrypt's FAQ page: "Yes. Wildcard issuance must be done via ACMEv2 using the DNS-01 challenge. See this post for more technical information."
  • While you can secure your default .accessdomain.com (hostname) with Let's Encrypt SSLs, Let's Encrypt does enforce a limitation on the number of subdomains that can be secured. Due to this limit, we're unable to guarantee the ability to renew a Let's Encrypt SSL Certificate for your access domain. We recommend that you update your hostname to a Fully Qualified Domain Name (FQDN) that you own to secure the Plesk Panel with Let's Encrypt.

Instructions

Plesk

Plesk has native support for Let's Encrypt via a plugin found in the Plesk extension catalogue. Extensions found in the official Plesk catalogue have been vetted by Plesk and may be considered safe to use. However, Media Temple is not affiliated with the creators of these extensions and does not support them any further than the documentation included in this Community article.

The following guide was created using Plesk Obsidian (18.0.25). If you are on a different version of Plesk, some instructions may vary slightly.

1. Begin by logging into your Plesk control panel. In the left menu, look for Server Management >> Extensions.

2. While in the Extensions Catalogue, click on Let's Encrypt, or search for it in the search bar.

3. Click on Open.

4. A list of available domains will appear. Click on the domain you wish to install a Let's Encrypt SSL to.

5. Fill out the options for Let's Encrypt, then click on Install.

  • Email address: Input a valid email address.
  • Include the "www": If you wish to also secure the www URL of your domain.
  • Secure webmail on this domain: If you plan to use webmail to check your email.
  • Issue a wildcard SSL/TLS certificate: If you wish to secure all subdomains (mail.example.com, shop.example.com, blog.example.com, etc).

NOTE:
Selecting the Issue a wildcard SSL/TLS certificate option does require additional DNS verification which we will cover later on. If you do not need to secure subdomains, you can choose to skip this option and the additional DNS verification step.

6. A message should appear to indicate that your installation was successful.

Securing mail and other subdomains

1. If you wish to secure mail and other subdomains, we advise using the Issue a wildcard SSL/TLS certificate option.

2. You will be prompted to verify your domain through a DNS record.

NOTE:
Where you create this TXT record depends on your nameservers. You can look up your domain's DNS and search for the NS records to find out where to create this TXT record.

3. In this example, we went to the Edit DNS page in our Media Temple account and created the TXT.

4. Once the TXT record is created, return to Let's Encrypt and click Continue.

6. A message should appear to indicate that your installation was successful.

7. While on the SSL/TLS Certificate page, click on Advanced Settings.

8. Select the Let's Encrypt SSL. Then click Secure Mail.

9. That's it! Your Let's Encrypt SSL will now be securing your mail server!

As a reminder, the SSLs issued by Let's Encrypt are only valid for 90 days by design, so the certificate must be renewed. The Plesk Let's Encrypt extension will attempt to renew the certificate automatically, but you will want to verify that it is successful. As always, if you have any questions or concerns, please feel free to contact our award winning 24/7 support team.
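
Both renewal reminders on this page, and the Grid limitation that a certificate covers either domain.com or www.domain.com, come down to two checks on the installed certificate: when it expires and which names it covers. The script below is an added example, not Media Temple's, Plesk's or Let's Encrypt's code; it goes slightly beyond the text by checking name coverage as well as expiry, and the function names, the 30-day window and the self-signed sample certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: is renewal due, and does the certificate cover each hostname?
# The certificate used here is a constructed self-signed stand-in.

# Return 0 if the certificate in $1 expires within $2 days (renew now).
renewal_due() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Return 0 if the certificate in $1 is valid for hostname $2.
covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Print one status line per finding; return 1 if anything needs action.
audit_cert() {
    cert=$1; window=$2; shift 2; status=0
    if renewal_due "$cert" "$window"; then
        echo "RENEW: expires within $window days"; status=1
    fi
    for host in "$@"; do
        if covers_host "$cert" "$host"; then echo "OK: $host"
        else echo "MISSING: $host"; status=1; fi
    done
    return $status
}

# Constructed certificate for example.com only (no www name), valid $2 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo: a fresh 90-day certificate, audited with an assumed 30-day window.
tmp=$(mktemp -d)
make_sample_cert "$tmp/cert.pem" 90
audit_cert "$tmp/cert.pem" 30 example.com www.example.com || echo "action needed"
rm -rf "$tmp"
```

In practice, point audit_cert at the certificate file you installed and run it on a schedule well before day 90, including after an automatic renewal is supposed to have happened.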

cPanel

Before starting, in order to install the Let's Encrypt plugin, you will need to ensure your WHM version is Version 84 or above. For information on updating your WHM version, feel free to check out our guide below:

  1. Connect to your server via SSH using the root user.
  2. Run the following command:
    /usr/local/cpanel/scripts/install_lets_encrypt_autossl_provider
  3. Log into WHM.
  4. In the left menu, navigate to SSL/TLS >> Manage AutoSSL.
  5. Select Let's Encrypt, agree to the terms of service, then click Save.
  6. Click Manage Users. Ensure that Enable AutoSSL is selected for your desired site.
  7. That's it! Let's Encrypt SSL has been installed to your site!

Securing mail and other subdomains

  1. Using Let's Encrypt through AutoSSL should secure your mail server and other subdomains.
  2. This can be checked by logging into the cPanel account for your domain.
  3. Click on SSL/TLS.
  4. Click Manage SSL sites.
  5. You should see mail and a list of other subdomains secured by Let's Encrypt.
