Install a Let's Encrypt SSL



  • Applies to: Grid
    • Difficulty: Medium
    • Time Needed: 20
    • Tools Required: SSH access and AccountCenter access
  • Applies to: DV
    • Difficulty: Easy
    • Time Needed: 15
    • Tools Required: Admin/Root Access

Overview

This article shows you how to install and configure a Let's Encrypt SSL certificate on your Media Temple Grid. Let's Encrypt is an open SSL Certificate Authority (CA) that's maintained by the Internet Security Research Group (ISRG). One of their goals is to make the internet more secure by increasing the availability of SSL certificates. While a Let's Encrypt SSL is only valid for 90 days and requires much more effort than an (mt) SSL to install, Let's Encrypt SSLs are completely free and as secure as any other SSL certificate. For more information, visit Let's Encrypt's Web site.

This information is provided as a courtesy. Media Temple does not support 3rd party products and services in any capacity beyond what is written here. Please see our statement of support for more info.

Requirements

Before you start, you should have handy or be familiar with:

Important specifics to be aware of:

  • Due to the way the Let's Encrypt client functions and the restrictions on the Grid, these steps are only for generating an SSL for either domain.com or www.domain.com. A much more complex method is required for generating a CSR that can be used to create an SSL for both www and non-www. That is outside the scope of this guide and will not be covered here.
  • Let's Encrypt SSLs are only valid for 90 days. They may be renewed prior to their expiration date by following the instructions in this article.
  • WildCard SSLs are currently possible with Let's Encrypt. From Let's Encrypt's FAQ page: Yes. Wildcard issuance must be done via ACMEv2 using the DNS-01 challenge. See this post for more technical information.
  • Because the Let's Encrypt client requires increased privileges (sudo or root) to run, it cannot be run directly on the Grid due to its shared nature. Instead, these are instructions for generating a CSR and then using a 3rd party website (https://gethttpsforfree.com/) for verification of ownership of the domain or server, as well as to contact the Let's Encrypt server to generate the SSL certificate and CA Chain.
  • This site (gethttpsforfree.com) is a PHP page that was created by a 3rd party to run the necessary Let's Encrypt service on their server. The site generates the necessary files and then connects to Let's Encrypt's server to get the SSL issued. Because the site does not ask for your Private Key, and because Let's Encrypt SSL generation must be done through Let's Encrypt's own servers, this site is safe to use.

Before Starting

  1. Generate a Certificate Signing Request (CSR).
  2. Open a web browser and go to https://gethttpsforfree.com.
  3. Connect to your server using SSH. 
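
The safety of this workflow rests on only public material (the account Public Key and the CSR) ever being pasted into the 3rd party site. The following is an added example, not code from Media Temple or gethttpsforfree.com: it generates the keys and a single-name CSR with owner-only permissions and checks a file before you paste it. It assumes openssl is installed; the file names, example.com and the function names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example; not Media Temple's or gethttpsforfree.com's code.
# Assumes openssl on PATH. File names and example.com are placeholders.

# Create account key, domain key, account public key and a single-name CSR.
# umask 077 makes every file owner-only from the moment it is created.
make_acme_material() {   # usage: make_acme_material DIR DOMAIN [BITS]
    dir=$1; domain=$2; bits=${3:-4096}
    ( umask 077
      mkdir -p "$dir" &&
      openssl genrsa -out "$dir/account.key" "$bits" 2>/dev/null &&
      openssl genrsa -out "$dir/domain.key" "$bits" 2>/dev/null &&
      openssl rsa -in "$dir/account.key" -pubout \
          -out "$dir/account.pub" 2>/dev/null &&
      openssl req -new -sha256 -key "$dir/domain.key" \
          -subj "/CN=$domain" -out "$dir/domain.csr" )
}

# True only for PEM public material (public key or CSR) with no private-key
# block anywhere in the file. Run this on anything you are about to paste.
safe_to_paste() {
    grep -q -e '-----BEGIN PUBLIC KEY-----' \
            -e '-----BEGIN CERTIFICATE REQUEST-----' "$1" &&
    ! grep -q 'PRIVATE KEY-----' "$1"
}

# True if the CSR parses and its subject CN is NAME (not www.NAME).
csr_is_for() {           # usage: csr_is_for CSR NAME
    openssl req -in "$1" -noout -subject 2>/dev/null |
        grep -q "CN *= *$2\$"
}

# True if group and others have no permissions on FILE.
owner_only() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}
```

Source the file, run make_acme_material with a directory outside your web root, then run safe_to_paste on account.pub and domain.csr before copying either into the browser.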

Instructions

Step 1

a) Input an email address in Account Email
b) Click on "how do I generate this?" and SSH commands should appear.

G-1.png

c) Enter the first command to your server using SSH. The output should be similar to the following.
G-1.25.png

d) Enter the second command. The output should be your Public Key.

G-1.5.png

e) Copy/paste the Public Key into the field provided. Then click Validate Account Info to proceed to the next step.

G-2.png

Step 2

a) Copy/paste your CSR into the appropriate field. Then click Validate CSR to proceed to Step 3.

G-3.png

Step 3

a) Enter the whole command "PRIVKEY./account.key...." into your SSH terminal.

G-4.png

b) The output should look similar to the following.

G-4.5.png

c) Copy/paste the output starting at "(stdin)..." into the appropriate field. Then click Accept Terms.

G-5.png

d) Repeat similar steps for the "Update your account email" and "Create your certificate order" sections.

G-7.png

Step 4

a) Select "Option 2 - file based"
b) Go to your server and create a file at the path /.well-known/acme-challenge/FILENAME, replacing FILENAME with the unique file name given to you by gethttpsforfree.

G-8.png

c) Copy/paste the text from "Serve this content" into your file. In this example we used the File Manager, but you can also use FTP or SSH.

G-8.5.png

d) Click on "I'm now serving this file on example.com"
e) Under "Sign challenge command" and "Finalize order and generate certificate", perform commands/actions similar to those done in Step 3.

G-9.png

Step 5

a) If Steps 1-4 were done correctly and promptly, you should now have a Certificate and Chain in the "Install Certificate" box.

G-10.png

b) The Certificate and Chain can be copied from the site, and installed to your server through the Account Center. If you need help, additional instructions on installing a certificate can be found here.

Additionally, should you wish to have customers automatically pushed to https://, where your SSL is located, you will need to add a redirect or .htaccess rewrite rule.

As a reminder, the SSLs issued by Let's Encrypt are only valid for 90 days by design, so they must be renewed by following these steps again before the expiration date. As always, if you have any questions or concerns, please feel free to contact our award winning 24/7 support team.
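
Before installing the copied Certificate, and later when tracking the 90-day lifetime, three checks are worth running over SSH: that the certificate pairs with your domain key, that it covers the one hostname you requested (and not the www/non-www counterpart), and how close it is to expiry. This is an added example, not code from Media Temple or Let's Encrypt. It assumes openssl is installed; cert.pem, domain.key, example.com and the 30-day renewal window are assumptions of the example, and the sample certificate it can generate is a constructed self-signed stand-in.

```shell
#!/bin/sh
# Added example; not Media Temple's or Let's Encrypt's code.
# Assumes openssl on PATH. File names and example.com are placeholders.

# Constructed stand-in for an issued certificate: self-signed, DAYS validity.
make_sample_cert() {     # usage: make_sample_cert DIR DOMAIN DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" \
        -subj "/CN=$2" -keyout "$1/domain.key" -out "$1/cert.pem" 2>/dev/null
}

# True if the certificate's public key is the one derived from the private key.
cert_matches_key() {     # usage: cert_matches_key CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate is valid for HOST.
covers_host() {          # usage: covers_host CERT HOST
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# True if the certificate will still be valid DAYS days from now.
valid_for_days() {       # usage: valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True when fewer than DAYS (default 30, an assumed window) days remain.
renewal_due() {          # usage: renewal_due CERT [DAYS]
    ! valid_for_days "$1" "${2:-30}"
}
```

A scheduled job that calls renewal_due on the installed certificate gives you a reminder to repeat the steps above before the expiration date.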

Resources

Let's Encrypt website
Connecting via SSH
Generating a CSR
Using the Grid File Manager
 

Overview

This article shows you how to install and configure a Let's Encrypt SSL certificate on your Media Temple VPS. Let's Encrypt is an open SSL Certificate Authority (CA) that's maintained by the Internet Security Research Group (ISRG). One of their goals is to make the internet more secure by increasing the availability of SSL certificates. While a Let's Encrypt SSL is only valid for 90 days and requires much more effort than a Media Temple SSL to install, Let's Encrypt SSLs are completely free and as secure as any other SSL certificate. For more information, visit Let's Encrypt's Web site.

This information is provided as a courtesy. Media Temple does not support 3rd party products and services in any capacity beyond what is written here. Please see our statement of support for more info.

Important specifics to be aware of:

  • Let's Encrypt SSLs are only valid for 90 days. They may be renewed prior to their expiration date by following the instructions in this article.
  • WildCard SSLs are currently possible with Let's Encrypt. From Let's Encrypt's FAQ page: Yes. Wildcard issuance must be done via ACMEv2 using the DNS-01 challenge. See this post for more technical information.
  • While you can secure your default .accessdomain.com (hostname) with Let's Encrypt SSLs, Let's Encrypt does enforce a limitation on the number of subdomains that can be secured. Due to this limit, we're unable to guarantee the ability to renew a Let's Encrypt SSL Certificate for your access domain. We recommend that you update your hostname to a Fully Qualified Domain Name (FQDN) that you own to secure the Plesk Panel with Let's Encrypt.

Instructions

Install on Plesk

Plesk has native support for Let's Encrypt via a plugin found in the Plesk extension catalogue. Extensions found in the official Plesk catalogue have been vetted by Plesk and may be considered safe to use. However, Media Temple is not affiliated with the creators of these extensions and does not support them any further than the documentation included in this Community article.

1. Begin by logging into your Plesk control panel. Select Extensions from the menu on the left.

LE-1.png

2. While in the Extensions Catalogue, click on Let's Encrypt, or search for it in the search bar.

LE-2.png

3. Click on Go To Extension.

LE-3.png

4. A list of available domains will appear. Click on the domain you wish to install a Let's Encrypt SSL to.

LE-4.png

5. Input a desired email address to associate to the SSL. If you'd also like to secure the 'www' subdomain, check the first box. Otherwise, the certificate will only be installed on example.com, rather than www.example.com. There is also the option to secure webmail.example.com. Once you've selected your desired options, click on Install.

LE-5.5.png

6. A message should appear to indicate that your installation was successful.

LE-6.png

As a reminder, the SSLs issued by Let's Encrypt are only valid for 90 days by design, so the certificate must be renewed. The Plesk Let's Encrypt extension will attempt to renew the certificate automatically, but you will want to verify that it is successful. As always, if you have any questions or concerns, please feel free to contact our award winning 24/7 support team.

Resources

Let's Encrypt website
Plesk Let's Encrypt extension info