Install a Let's Encrypt SSL


  • Applies to: Grid
    • Difficulty: Medium
    • Time Needed: 20
    • Tools Required: SSH access and AccountCenter access
  • Applies to: DV
    • Difficulty: Easy
    • Time Needed: 15
    • Tools Required: Admin/Root Access
  • Applies to: Shared Hosting
    • Difficulty: Easy
    • Time Needed: 15
    • Tools Required: SSH access, File access

Overview

This article shows you how to install and configure a Let's Encrypt SSL certificate on your Media Temple Grid. Let's Encrypt is an open SSL Certificate Authority (CA) that's maintained by the Internet Security Research Group (ISRG). One of their goals is to make the internet more secure by increasing the availability of SSL certificates. While a Let's Encrypt SSL is only valid for 90 days and requires much more effort than an (mt) SSL to install, Let's Encrypt SSLs are completely free and as secure as any other SSL certificate. For more information, visit Let's Encrypt's Web site.

This information is provided as a courtesy. Media Temple does not support 3rd party products and services in any capacity beyond what is written here. Please see our statement of support for more info.

Interested in automated Let's Encrypt SSLs?
Add your site to (mt) Security and get automated renewal AND install for Let's Encrypt. For information on that service, feel free to check out our website here.

Requirements

Before you start, you should have handy or be familiar with:

Important specifics to be aware of:

  • Due to the way the Let's Encrypt client functions and the restrictions on the Grid, these steps are only for generating an SSL for either domain.com or www.domain.com. A much more complex method is required for generating a CSR that can be used to create an SSL for both www and non-www. That is outside the scope of this guide and will not be covered here.
  • Let's Encrypt SSLs are only valid for 90 days. They may be renewed prior to their expiration date by following the instructions in this article.
  • WildCard SSLs are currently possible with Let's Encrypt. From Let's Encrypt's FAQ page: "Yes. Wildcard issuance must be done via ACMEv2 using the DNS-01 challenge. See this post for more technical information."
  • Because the Let's Encrypt client requires increased privileges (sudo or root) to run, it cannot be run directly on the Grid due to its shared nature. Instead, these are instructions for generating a CSR and then using a 3rd party website (https://gethttpsforfree.com/) for verification of ownership of the domain or server, as well as to contact the Let's Encrypt server to generate the SSL certificate and CA Chain.
  • This site (gethttpsforfree.com) is a PHP page that was created by a 3rd party to run the necessary Let's Encrypt service on their server. The site generates the necessary files and then connects to Let's Encrypt's server to get the SSL issued. Because the site does not ask for your Private Key, and because Let's Encrypt SSL generation must be done through Let's Encrypt's own servers, this site is safe to use.

Before Starting

  1. Generate a Certificate Signing Request (CSR).
  2. Open a web browser and go to https://gethttpsforfree.com.
  3. Connect to your server using SSH. 

Instructions

Step 1: Account Info

  1. Input an email address into the Account Email section.
  2. Click on "how do I generate this?" Some SSH commands should appear.
  3. Enter the first command:
    openssl genrsa 4096 > account.key
  4. The output should look similar to the following:
  5. Next, enter the second command:
    openssl rsa -in account.key -pubout
  6. The output will be your Public Key.
  7. Copy/paste the Public Key into the field provided. Then click Validate Account Info to proceed to the next step.

Step 2: Certificate Signing Request

  1. Copy/paste your CSR into the appropriate field. Then click Validate CSR to proceed to Step 3.

Step 3: Sign API Requests

  1. Copy/paste the provided command PRIVKEY./account.key.... into your SSH terminal.
  2. You should get a long output similar to the following.
  3. Copy/paste the output starting at (stdin)... into appropriate field. Then click Accept Terms.
  4. Repeat similar steps for the Update your account email and Create your certificate order sections.
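
What Steps 1 and 3 do at the command line, as an added example (not from the original article or from gethttpsforfree.com): the account key is created readable only by your user, which matters on a shared server, and each request is signed locally so that only the public key and the signature are pasted into the site. The function names and the sample payload are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example; helper names are hypothetical, not part of any tool.

# new_account_key FILE [BITS]: same command as Step 1, but run under
# umask 077 so the key file is created with mode 600 (owner only).
new_account_key() {
    ( umask 077 && openssl genrsa "${2:-4096}" > "$1" ) 2>/dev/null || return 1
    chmod 600 "$1"   # also tightens a file that already existed
}

# account_public_key FILE: the only key material pasted into the site.
account_public_key() {
    openssl rsa -in "$1" -pubout 2>/dev/null
}

# sign_payload KEY TEXT SIGFILE: sign TEXT with the private key, locally.
sign_payload() {
    printf '%s' "$2" | openssl dgst -sha256 -sign "$1" > "$3"
}

# verify_payload PUBKEY TEXT SIGFILE: what the receiving side can do with
# nothing but the public key. Returns 0 only if the signature matches TEXT.
verify_payload() {
    printf '%s' "$2" | openssl dgst -sha256 -verify "$1" -signature "$3" \
        >/dev/null 2>&1
}

# Usage (constructed payload):
#   new_account_key account.key
#   account_public_key account.key > account.pub
#   sign_payload account.key '{"constructed":"request"}' sig.bin
#   verify_payload account.pub '{"constructed":"request"}' sig.bin && echo ok
```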

Step 4: Verify Ownership

  1. Repeat the steps above: copy/paste the PRIVKEY./account.key.... command and paste the (stdin)... output. Then click Load Challenges.
  2. You can select your desired verification method. In this example, we will use Option 2 - file-based.
  3. Access your website files using File Manager, FTP, or SSH.
  4. Create a file path using the following template: example.com/html/.well-known/acme-challenge/FILENAME.
    • Replace example.com with your actual domain name. In this example, we will use mt-domain.com.
    • Replace FILENAME with the unique file name that is generated by gethttpsforfree. In this example, our filename will be ImMcrKCtzWDFNUxKY_mSAqoDveQ-q_Bh8KGiUo_8foI.
    • Make sure to create the file path within the /html folder as that is your domain's root directory.
  5. Copy the text in Serve this content and paste it into the file. Then click I'm serving this file... to continue.
    • The example below is using the Grid File Manager.
  6. Repeat the steps above, copy/pasting the PRIVKEY./account.key.... command and pasting the (stdin)... output, for the remaining sections.
  1. Repeat the steps above: copy/paste the PRIVKEY./account.key.... command and paste the (stdin)... output. Then click Load Challenges.
  2. You can select your desired verification method. In this example, we will use Option 2 - file-based.
  3. Access your website files using File Manager, FTP, or SSH.
  4. Create a file path using the following template: example.com/public_html/.well-known/acme-challenge/FILENAME.
    • Replace example.com with your actual domain name. In this example, we will use mt-domain.com.
    • Replace FILENAME with the unique file name that is generated by gethttpsforfree. In this example, our filename will be ImMcrKCtzWDFNUxKY_mSAqoDveQ-q_Bh8KGiUo_8foI.
    • Make sure to create the file path within the /public_html folder as that is your domain's root directory.
  5. Take the text in Serve this content and copy/paste it into the file. Then click I'm serving this file... to continue.
    • The example below is using the cPanel File Manager.
  6. Repeat the steps above, copy/pasting the PRIVKEY./account.key.... command and pasting the (stdin)... output, for the remaining sections.

Multiple Domains:
If you have multiple domains on your CSR, you will need to verify each one.
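
The file-based verification in Step 4, done over SSH instead of a file manager, as an added example that is not part of the original article. The helper name is hypothetical; DOCROOT stands for your domain's html or public_html folder, and the thumbprint part of the sample content is constructed. The check that the content begins with the file name followed by a dot reflects how ACME HTTP-01 content is formed.

```bash
#!/usr/bin/env bash
# Added example: place an ACME HTTP-01 challenge file under a document root.
# place_acme_challenge DOCROOT TOKEN CONTENT   (hypothetical helper name)
place_acme_challenge() {
    local docroot token content dir
    docroot=$1; token=$2; content=$3
    dir="$docroot/.well-known/acme-challenge"

    # File names are base64url text; reject anything else so a bad paste
    # (slashes, dots, spaces) can never write outside the challenge folder.
    case $token in
        ''|*[!A-Za-z0-9_-]*) echo "invalid file name" >&2; return 1 ;;
    esac

    # "Serve this content" is "<file name>.<account key thumbprint>".
    case $content in
        "$token".?*) ;;
        *) echo "content does not start with the file name" >&2; return 1 ;;
    esac

    [ -d "$docroot" ] || { echo "no such folder: $docroot" >&2; return 1; }

    mkdir -p "$dir" || return 1
    # printf '%s' writes the content exactly, with no trailing newline.
    printf '%s' "$content" > "$dir/$token" || return 1
    # The web server only needs to read the file; nothing needs to write it.
    chmod 755 "$docroot/.well-known" "$dir" && chmod 644 "$dir/$token" || return 1
    printf '%s\n' "$dir/$token"
}

# Demo on a throwaway folder standing in for mt-domain.com/html.
demo_root=$(mktemp -d)
place_acme_challenge "$demo_root" \
    "ImMcrKCtzWDFNUxKY_mSAqoDveQ-q_Bh8KGiUo_8foI" \
    "ImMcrKCtzWDFNUxKY_mSAqoDveQ-q_Bh8KGiUo_8foI.CONSTRUCTED_THUMBPRINT"
rm -rf "$demo_root"
```

Once the certificate has been issued, the challenge file is no longer needed and can be deleted.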

Step 5: Install Certificate

  1. Congratulations! You should now have an SSL Certificate and CA Chain Certificate.
    • You may notice two certificates were generated. The top one is your SSL Certificate. The bottom one is your CA Chain Certificate.
  2. Take these certificates and follow the SSL Installation guide below:
  3. When installing in cPanel, you can select Autofill by domain to generate the Private Key.
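
Two checks worth running on the certificate from Step 5, shown as an added example that is not part of the original article: that it matches the private key behind your CSR, and how close it is to the end of its 90-day lifetime, which is also a way to confirm that a renewal actually took place. The helper names, the file names cert.pem and private.key, and the 30-day threshold are assumptions.

```bash
#!/usr/bin/env bash
# Added example; helper names and file names are hypothetical.

# cert_matches_key CERT KEY: succeeds only if the certificate was issued for
# the public half of KEY (the private key your CSR was generated from).
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS: succeeds if CERT is still valid DAYS days
# from now. Let's Encrypt certificates last 90 days; 30 is an example
# threshold for "renewal is due or did not happen".
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# cert_summary CERT: subject and validity dates, for a quick visual check.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -dates
}

# Usage, with the top certificate from Step 5 saved as cert.pem and the
# private key that produced your CSR saved as private.key:
#   cert_matches_key cert.pem private.key || echo "certificate/key mismatch"
#   cert_valid_for_days cert.pem 30       || echo "renew now"
```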

Redirecting to https
If you wish to have customers automatically sent to https://, where your SSL is located, you will need to add a redirect or .htaccess rewrite rule.

Resources

 

Overview

This article shows you how to install and configure a Let's Encrypt SSL certificate on your Media Temple VPS. Let's Encrypt is an open SSL Certificate Authority (CA) that's maintained by the Internet Security Research Group (ISRG). One of their goals is to make the internet more secure by increasing the availability of SSL certificates. While a Let's Encrypt SSL is only valid for 90 days and requires much more effort than a Media Temple SSL to install, Let's Encrypt SSLs are completely free and as secure as any other SSL certificate. For more information, visit Let's Encrypt's Web site.

This information is provided as a courtesy. Media Temple does not support 3rd party products and services in any capacity beyond what is written here. Please see our statement of support for more info.

Interested in automated Let's Encrypt SSLs?
Add your site to (mt) Security and get automated renewal AND install for Let's Encrypt. For information on that service, feel free to check out our website here.

Important specifics to be aware of:
  • Let's Encrypt SSLs are only valid for 90 days. They may be renewed prior to their expiration date by following the instructions in this article.
  • WildCard SSLs are currently possible with Let's Encrypt. From Let's Encrypt's FAQ page: "Yes. Wildcard issuance must be done via ACMEv2 using the DNS-01 challenge. See this post for more technical information."
  • While you can secure your default .accessdomain.com (hostname) with Let's Encrypt SSLs, Let's Encrypt does enforce a limitation on the number of subdomains that can be secured. Due to this limit, we're unable to guarantee the ability to renew a Let's Encrypt SSL Certificate for your access domain. We recommend that you update your hostname to a Fully Qualified Domain Name (FQDN) that you own to secure the Plesk Panel with Let's Encrypt.

Instructions

Plesk

Plesk has native support for Let's Encrypt via a plugin found in the Plesk extension catalogue. Extensions found in the official Plesk catalogue have been vetted by Plesk and may be considered safe to use. However, Media Temple is not affiliated with the creators of these extensions and does not support them any further than the documentation included in this Community article.

The following guide was created using Plesk Obsidian (18.0.25). If you are on a different version of Plesk, some instructions may vary slightly.

1. Begin by logging into your Plesk control panel. On the left-menu, look for Server Management >> Extensions.

2. While in the Extensions Catalogue, click on Let's Encrypt, or search for it in the search bar.

3. Click on Open.

4. A list of available domains will appear. Click on the domain you wish to install a Let's Encrypt SSL to.

5. Fill out the options for Let's Encrypt, then click on Install.

  • Email address: Input a valid email address.
  • Include the "www": If you wish to also secure the www URL of your domain.
  • Secure webmail on this domain: If you plan to use webmail to check your email.
  • Issue a wildcard SSL/TLS certificate: If you wish to secure all subdomains (mail.example.com, shop.example.com, blog.example.com, etc).

NOTE:
Selecting the Issue a wildcard SSL/TLS certificate option does require additional DNS verification which we will cover later on. If you do not need to secure subdomains, you can choose to skip this option and the additional DNS verification step.

6. A message should appear to indicate that your installation was successful.

Securing mail and other subdomains

1. If you wish to secure mail and other subdomains, we advise using the Issue a wildcard SSL/TLS certificate option.

2. You will be prompted to verify your domain through a DNS record.

NOTE:
Where you create this TXT record depends on your nameservers. You can look up your domain's DNS and search for the NS records to find out where to create this TXT.

3. In this example, we went to the Edit DNS page in our Media Temple account and created the TXT.

4. Once the TXT record is created, return to Let's Encrypt and click Continue.

5. A message should appear to indicate that your installation was successful.

6. While on the SSL/TLS Certificate page, click on Advanced Settings.

7. Select the Let's Encrypt SSL. Then click Secure Mail.

8. That's it! Your Let's Encrypt SSL will now be securing your mail server!

As a reminder, the SSLs issued by Let's Encrypt are only valid for 90 days by design, so the certificate must be renewed. The Plesk Let's Encrypt extension will attempt to renew the certificate automatically, but you will want to verify that it is successful. As always, if you have any questions or concerns, please feel free to contact our award winning 24/7 support team.

cPanel

Before starting, in order to install the Let's Encrypt plugin, you will need to ensure your WHM version is Version 84 or above. For information on updating your WHM version, feel free to check out our guide below:

  1. Connect to your server via SSH using the root user.
  2. Run the following command:
    /usr/local/cpanel/scripts/install_lets_encrypt_autossl_provider
  3. Log into WHM.
  4. On the left-menu, navigate to SSL/TLS >> Manage AutoSSL
  5. Select Let's Encrypt, agree to the terms of service, then click Save.
  6. Click Manage Users. Ensure that Enable AutoSSL is selected for your desired site.
  7. That's it! Let's Encrypt SSL has been installed to your site!

Securing mail and other subdomains

  1. Using Let's Encrypt through AutoSSL should secure your mail server and other subdomains.
  2. This can be checked by logging into the cPanel account for your domain.
  3. Click on SSL/TLS.
  4. Click Manage SSL sites.
  5. You should see mail and a list of other subdomains secured by Let's Encrypt.

Resources