Installing a Let's Encrypt SSL Certificate

From HelioHost Wiki
Revision as of 05:49, 7 January 2019 by Krydos (Talk | contribs)


SSL certificates can be installed on HelioHost's servers without any need for a dedicated IP, due to support for SNI. This means certificates can be installed free of charge if issued by a free certificate authority such as Let's Encrypt. There are many ways to obtain a certificate from Let's Encrypt; however, using web-based tools is one of the most convenient. The following tutorial uses the ZeroSSL online tool to generate a certificate which can then be installed through cPanel.

Step one: Obtain Key and CSR from ZeroSSL

Head over to the ZeroSSL Certificate Wizard to get started. Enter your domain name (and any desired subdomains, space-delimited) into the domain field as below. Additionally, enter your email address if desired. Check both acceptance boxes and leave “HTTP verification” selected.

Zerossl generate.png

Click “Next” at the top right of the form and approve the addition of the www prefix. This will ensure the certificate will work for www.[yourdomain].com as well as [yourdomain].com. Wait for the CSR to be generated. (Once this is done, the domain field will be cleared automatically. Don’t panic – just leave it blank). Click “Next” again to generate your RSA private key (AKA private key) and wait for this to complete.

Important: Now copy both the RSA private key and the CSR somewhere (it doesn’t matter where, a text editor window will do) for future reference using the clipboard buttons indicated in the screenshot. Alternatively, they can be downloaded as text files using the download buttons.

Zerossl rsa csr.png

Click “Next”. At this point, the site will warn you if it suspects you haven’t saved the key and CSR – so make sure you have.

Step two: Verify site ownership

The verification step will appear. The purpose of this step is to demonstrate domain ownership by creating known files in a certain location. Typically this can be achieved using cPanel as shown in the following steps. Alternatively, FTP or similar can be used. One file is required per domain. Here there are two: one for the domain with www and one for without.

Zerossl verification.png

Note: the remainder of this step involves creating folders and files through the cPanel file manager. An alternative such as FTP or WebDisk can be used if desired.

Open cPanel at http://tommy.heliohost.org:2083, and select Files -> File Manager on the main page. The file manager should open.

Note: If you haven’t already, now is probably a good time to show hidden files and folders. Use the “Settings” button at the top right of the file manager to open the settings panel and enable this setting.

Create a new folder named “.well-known” (minus quotes but including full stop) in the public_html folder as shown in the screenshot.

Zerossl newfolder.png

Use the same process to create the “acme-challenge” folder in the public_html/.well-known directory.

In the public_html/.well-known/acme-challenge directory, create a file with the name in the “File” column from the ZeroSSL Verification page. Select and open this file with the “Edit” button.

Zerossl newfile.png

Paste the file text from the “Text” column corresponding to the file on the ZeroSSL verification page. The first section of text is typically identical to the file name. Save changes when done, then close the editor.

Zerossl editfile.png

Repeat the file creation process for all the files from the ZeroSSL Verification page. There should be one per subdomain. In this case there are two files to be created: one for the base domain and one for the www-prefixed domain.
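Before pressing “Next” in ZeroSSL, the files can be checked against the values from the Verification page. The following is an added example, not part of the original wiki page: it assumes a local copy or mount of public_html (for instance via FTP or WebDisk), and the function name and sample token values are made up for illustration.

```python
import re
from pathlib import Path

# ACME HTTP-01 file names use only the base64url alphabet (RFC 8555, section 8.3).
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")

def check_challenge_files(public_html, challenges):
    """Return a list of problems; an empty list means the files look ready.

    public_html: local copy of (or mount of) the site's public_html folder.
    challenges:  {"File" column value: "Text" column value} from the wizard.
    """
    problems = []
    challenge_dir = Path(public_html) / ".well-known" / "acme-challenge"
    for name, expected in challenges.items():
        if not TOKEN_RE.fullmatch(name):
            # Also rejects names containing "/" or "..".
            problems.append(f"{name!r}: not a valid challenge file name")
            continue
        if not expected.startswith(name + "."):
            problems.append(f"{name}: Text value does not begin with the file name")
        path = challenge_dir / name
        if not path.is_file():
            problems.append(f"{name}: missing from {challenge_dir}")
            continue
        content = path.read_bytes().decode("utf-8", errors="replace")
        # RFC 8555 says validators should ignore trailing whitespace; a BOM or
        # leading whitespace added by an editor still breaks the match.
        if content.rstrip() != expected:
            problems.append(f"{name}: content differs from the Text column")
    return problems

if __name__ == "__main__":
    import tempfile
    # Constructed sample: one correct file, one file that was never created.
    root = Path(tempfile.mkdtemp())
    (root / ".well-known" / "acme-challenge").mkdir(parents=True)
    (root / ".well-known" / "acme-challenge" / "tokA").write_text("tokA.thumb\n")
    print(check_challenge_files(root, {"tokA": "tokA.thumb", "tokB": "tokB.thumb"}))
```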

Step three: Obtain and install certificate

Back in ZeroSSL, press “Next”. If all goes well the following should appear.

Zerossl certificate.png

Use the copy or download buttons to store the certificate as before (the most convenient location would be alongside the CSR and key).

Important: Note that the certificate text you just saved is in a two-section form similar to the following:

-----BEGIN CERTIFICATE-----
[encoded text A]
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
[encoded text B]
-----END CERTIFICATE-----

The first section of text (including BEGIN and END lines) is the “certificate” (cPanel terminology) and the second section of text (including BEGIN and END lines) is the CABUNDLE. Keep this in mind for the following steps, where the certificate will be installed on the domain through cPanel.
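The split described above can be done mechanically, which also catches a private key or CSR pasted into the certificate text by mistake. This is an added example, not part of the original wiki page; the function names are made up, the sample blocks are constructed placeholder bytes rather than real certificates, and the code goes slightly beyond the two-section case by putting every section after the first into the CABUNDLE.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def split_for_cpanel(pem_text):
    """Split two-section PEM text into (certificate, cabundle) strings."""
    blocks = []
    for m in PEM_BLOCK.finditer(pem_text):
        label, body = m.group(1), m.group(2)
        if label != "CERTIFICATE":
            # e.g. a private key or CSR pasted into the wrong place
            raise ValueError(f"unexpected {label} block in certificate text")
        der = base64.b64decode("".join(body.split()), validate=True)
        # A DER-encoded certificate is an ASN.1 SEQUENCE, so it starts with 0x30.
        if der[:1] != b"\x30":
            raise ValueError("block does not decode to an ASN.1 SEQUENCE")
        blocks.append(m.group(0).replace("\r\n", "\n") + "\n")
    if len(blocks) < 2:
        raise ValueError("expected a certificate followed by a CA certificate")
    return blocks[0], "".join(blocks[1:])

def constructed_block(label, fill):
    """Build a placeholder PEM block (constructed bytes, not a real certificate)."""
    body = base64.b64encode(b"\x30\x82" + fill * 40).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    saved = (constructed_block("CERTIFICATE", b"A") + "\n"
             + constructed_block("CERTIFICATE", b"B"))
    certificate, cabundle = split_for_cpanel(saved)
    print("Certificate field:\n" + certificate)
    print("CABUNDLE field:\n" + cabundle)
```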

Open cPanel again at http://tommy.heliohost.org:2083. Select Security -> SSL/TLS on the main page. On the following screen, select "Manage SSL Sites".

Zerossl managessl.png

On the following page, scroll to the “Install an SSL website” section, where there are fields for Certificate, Private Key, and CABUNDLE. Select the appropriate domain and paste the relevant text into each field, as identified and stored in the earlier steps. The pasted text should include BEGIN and END lines. Note the CSR text is not required. “Enable SNI for Mail Services” can remain checked.

Submit the certificate information with the “Install Certificate” button at the bottom of the page.

Note: On Johnny it can take up to 2 hours for your SSL certificate to start working.

You should now have SSL up and running! HTTPS can be used on the domain/subdomains you specified.

Additional steps (optional)

Certificate expiry and renewal

Certificates issued by Let's Encrypt, such as the one(s) you just generated with ZeroSSL, expire after 90 days. Set a reminder to renew the certificate at an appropriate date.

Forced HTTPS

By default, pages can be accessed either unencrypted (HTTP) or encrypted (HTTPS). .htaccess rules can be used to force HTTPS throughout the site or on certain pages. More information can be found on this httpd wiki page.
