SSL Certificates on Shared Hosting in Five Minutes
Posted on 10 Feb 2022 in Computing
Security... Ah, security...
There was a time when websites didn't need to have an SSL/TLS certificate (colloquially, SSL, TLS, and SSL/TLS are interchangeable). If you're hosting an e-commerce platform, or are running API calls/interactions, you're obviously going to want to have an SSL certificate bound to your traffic. No excuses! As for the rest of us with private sites not selling anything, there's still no reason not to! (I'm talking to you, person who lets their users' experience on their website be suboptimal by having to bypass an invalid / missing cert message!)
If you're like me and are still paying for shared hosting, you don't really want to pay extra for certs (minimize ALL t3h c0stz). In all reality, I should switch over to one of those sweet S3 static websites on AWS for this site, but I like NameCheap and don't mind throwing a little money their way. Plus, they use Cloud Linux and I can't not support that. swoon
Disclaimer: I've only tested this on NameCheap, but it should work fine on other shared hosting, provided you have SSH access.
The following steps make use of the ACME protocol for certificate management. You can find the GitHub project that makes it all possible (acme.sh, by acmesh-official) here.
Pull up a terminal (either SSH or via cPanel). Curl and install:
$ curl https://get.acme.sh | sh
This will create a little home for itself in a local hidden dir (~/.acme.sh/).
Next, source the environment variable shell script (this will ensure you can type acme.sh anywhere in your session):
$ source ~/.bashrc
Register your email (to stay posted on deadlines, lapses, and/or renewals with the ZeroSSL folks):
$ acme.sh --register-account --accountemail email@example.com
Issue test certificate (note the --staging flag):
$ acme.sh --issue --webroot ~/public_html -d yourdomain.com --staging
Issue actual certificate (note the --force flag):
$ acme.sh --issue --webroot ~/public_html -d yourdomain.com --force
Deploy certificate using cPanel hook:
$ acme.sh --deploy --deploy-hook cpanel_uapi --domain yourdomain.com
Update (10/02/2022): In case the cpanel_uapi hook is temperamental, you can navigate to the SSL/TLS certificates list in cPanel and see if it appears there. If not, you can use SSH to navigate to the ~/.acme.sh/
You should be good. You should always verify that the certificate has been propagated with the full certificate chain using openssl:
$ openssl s_client -connect yourdomain.com:443
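An added example (not part of the original post) that turns the openssl check above into a pass/fail verdict: it reads s_client output, counts the certificates the server actually sent, and reads the verify return code. The function name check_chain, the two sample outputs and the CA names in them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The two sample outputs are
# constructed and abbreviated; CA names in them are placeholders.
# Assumption: the leaf is issued by an intermediate CA, so a served chain with
# fewer than two certificates is incomplete even if local verification passes.

check_chain() {   # reads `openssl s_client` output on stdin, prints a verdict
    awk '
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && /^---/         { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { certs++ }
        /Verify return code:/      { sub(/^.*Verify return code: */, ""); code = $1 + 0; seen = 1 }
        END {
            if (!seen)     { print "UNKNOWN no verify result"; exit 2 }
            if (code != 0) { printf "FAIL verify=%d certs=%d\n", code, certs; exit 1 }
            if (certs < 2) { printf "WARN leaf-only certs=%d\n", certs; exit 1 }
            printf "OK certs=%d\n", certs
        }'
}

sample_full() {        # constructed: leaf and intermediate served, verify ok
    cat <<'EOF'
---
Certificate chain
 0 s:CN = yourdomain.com
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
---
    Verify return code: 0 (ok)
EOF
}

sample_leaf_only() {   # constructed: intermediate missing from served chain
    cat <<'EOF'
---
Certificate chain
 0 s:CN = yourdomain.com
   i:CN = Example Intermediate CA
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Live use (network needed):
#   openssl s_client -connect yourdomain.com:443 </dev/null 2>/dev/null | check_chain
sample_full | check_chain || true        # prints: OK certs=2
sample_leaf_only | check_chain || true   # prints: FAIL verify=21 certs=1
```

The WARN case covers a server that sends only the leaf while the checking machine happens to have the intermediate locally, which passes here but fails for clients that do not.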
You're now the proud owner of a free ZeroSSL certificate that will renew automatically! You can also ensure that the cronjob has "taken" by inspecting crontab:
$ crontab -l | grep acme.sh
If you have issues with HTTP -> HTTPS redirection, check out the second reference (shout out, dude) for more info!
References: