Letsencrypt SSL certificate with namecheap hosting
The “Positive SSL” certificate I bought along with my domain is not valid for any of my subdomains and cannot be used as a wildcard. Annoyingly, Namecheap does not offer automatic installation of free Let’s Encrypt certificates, even though they say: “Namecheap is dedicated to data security and privacy for all internet users. We believe the movement to encrypt nearly all web traffic is a positive direction. As more sites embrace HTTPS and use of security products, providers of free SSL are beginning to come online.”
Let me show you what needs to be done in order to “encrypt nearly all web traffic” on a Namecheap shared hosting account.
First, enable SSH access. It is not strictly required, but it makes everything below much easier. It is not enabled by default on the base hosting plans; start a live chat with support and request it.
Letsencrypt nosudo
SSH to your hosting server and “git clone” the diafygi/letsencrypt-nosudo project. You can also follow the tutorial on the project site. The script never needs your private keys or root access; it tells you which commands to run yourself.
```sh
mkdir tools && cd tools
git clone https://github.com/diafygi/letsencrypt-nosudo.git
cd letsencrypt-nosudo/
```
Generate a user account key for Let’s Encrypt. The script only ever sees the public half (user.pub); keep user.key private, since whoever holds it can act as your account towards the CA.
```sh
openssl genrsa 4096 > user.key
openssl rsa -in user.key -pubout > user.pub
```
Generate the domain key and a certificate signing request. Replace “example.com” with the domain you own.
For a single hostname use:
```sh
openssl genrsa 4096 > domain.key
openssl req -new -sha256 -key domain.key -subj "/CN=example.com" > domain.csr
```
If you want the certificate to be valid for multiple subdomains, create a file named openssl-san.cfg and paste the following. Replace the alt_names entries (test.example.com, www.example.com, mail.example.com, ftp.example.com) with the domain and subdomains you own. The lines under [ req_distinguished_name ] are only prompt labels; they are never used because the subject is supplied on the command line with -subj, but the section must exist. Let’s Encrypt issues domain-validated certificates, so the names in alt_names are what ends up in the certificate, and organisation or country fields in the subject are ignored. Wildcard names are not covered by this file-based flow; they require the DNS-01 challenge.
```ini
[req]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = test.example.com
DNS.2 = www.example.com
DNS.3 = mail.example.com
DNS.4 = ftp.example.com
```
and run:
```sh
openssl req -new -sha256 -key domain.key -subj "/O=My Company Name LTD./C=US" -config openssl-san.cfg > domain.csr
```
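The same CSR generation for an arbitrary list of hostnames, as an added example that is not part of this tutorial or of letsencrypt-nosudo. It writes openssl-san.cfg and domain.csr under the tutorial’s file names, shells out to the same openssl commands used above, and then reads the SANs back out of the finished CSR so that a missing name is caught before you hand the CSR to sign_csr.py. The hostnames in the usage line are placeholders, and the CN is set to the first name in the list.

```python
"""Build the SAN config and CSR for a list of hostnames.

Added example for this tutorial; it is not part of letsencrypt-nosudo.  It
shells out to openssl, which must be on PATH.  domain.key, domain.csr and
openssl-san.cfg are the tutorial's file names; the hostnames in the usage
comment at the bottom are placeholders.
"""
import re
import subprocess
import sys


def build_san_config(names):
    """Return an openssl req config whose alt_names list is `names`.

    The [req_distinguished_name] entry is only a prompt label: because the
    subject is passed with -subj it is never used, but the section must exist.
    """
    if not names:
        raise ValueError("at least one hostname is required")
    lines = [
        "[req]",
        "default_md = sha256",
        "distinguished_name = req_distinguished_name",
        "req_extensions = req_ext",
        "",
        "[ req_distinguished_name ]",
        "commonName = Common Name (e.g. server FQDN or YOUR name)",
        "",
        "[ req_ext ]",
        "subjectAltName = @alt_names",
        "",
        "[alt_names]",
    ]
    for i, name in enumerate(names, start=1):
        # Plain hostnames only: wildcards need DNS-01, which this flow does not do.
        if not re.fullmatch(r"[A-Za-z0-9.-]+", name):
            raise ValueError("not a plain hostname: " + name)
        lines.append(f"DNS.{i} = {name}")
    return "\n".join(lines) + "\n"


def csr_sans(csr_text):
    """Return the DNS names listed in 'openssl req -noout -text' output."""
    return re.findall(r"DNS:([A-Za-z0-9.*-]+)", csr_text)


def make_csr(names, key="domain.key", csr="domain.csr", cfg="openssl-san.cfg"):
    """Write the config, create the CSR (CN = first name) and return its SANs."""
    with open(cfg, "w") as fh:
        fh.write(build_san_config(names))
    subprocess.run(
        ["openssl", "req", "-new", "-sha256", "-key", key,
         "-subj", "/CN=" + names[0], "-config", cfg, "-out", csr],
        check=True,
    )
    text = subprocess.run(
        ["openssl", "req", "-in", csr, "-noout", "-text"],
        check=True, capture_output=True, text=True,
    ).stdout
    found = csr_sans(text)
    missing = [n for n in names if n not in found]
    if missing:
        raise RuntimeError("CSR is missing SANs: " + ", ".join(missing))
    return found


if __name__ == "__main__":
    # python make_csr.py test.example.com www.example.com mail.example.com
    print("\n".join(make_csr(sys.argv[1:])))
```

Run it once with every name you want in the certificate; the list it prints back is exactly what Let’s Encrypt will be asked to validate, one challenge per name.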
Create and install new certificate
Next, run the script with Python, passing the path to your user account public key and the domain CSR. The -f (--file-based) flag makes the script ask you to serve each challenge as a static file from the web root, which is what you need on shared hosting, where you cannot run the script’s default approach of a temporary web server on port 80.
```sh
python sign_csr.py -f --public-key user.pub domain.csr > signed.crt
```
When you run the script, it will ask you to execute some commands manually; open a second terminal and follow the instructions. It has to ask you because it does not know your private key and has no access to your server. You can edit the suggested commands to fit your situation (for example if your private key is in a different location).
At the final step the script asks you to serve a file for each of your subdomains; you need to create the folder and the requested file under each subdomain’s document root.
For example, if you have the subdomain test.example.com with document root /home/cpanel_user/test.example.com and the script asks you to serve:
```
STEP 4: Please update your server to serve the following file at this URL:

--------------
URL: http://test.example.com/.well-known/acme-challenge/_bpFRhpfEVHktwEVdjmdCtVcF5MZ7qRvcn--uZwPKzM
File contents: "_bpFRhpfEVHktwEVdjmdCtVcF5MZ7qRvcn--uZwPKzM.Nh8mz3FnS03KxkGXN4_Cj9j9vcw4wXcZm0Z25CW6Ttw"
--------------

Notes:
- Do not include the quotes in the file.
- The file should be one line without any spaces.

Press Enter when you've got the file hosted on your server...
```
you need to create .well-known/acme-challenge/ inside /home/cpanel_user/test.example.com and write the file contents into a file named _bpFRhpfEVHktwEVdjmdCtVcF5MZ7qRvcn--uZwPKzM:
```sh
# create the challenge directory under the subdomain's document root
mkdir -p /home/cpanel_user/test.example.com/.well-known/acme-challenge/
# the file name is the token from the URL; the contents are exactly what the script printed
echo "_bpFRhpfEVHktwEVdjmdCtVcF5MZ7qRvcn--uZwPKzM.Nh8mz3FnS03KxkGXN4_Cj9j9vcw4wXcZm0Z25CW6Ttw" > /home/cpanel_user/test.example.com/.well-known/acme-challenge/_bpFRhpfEVHktwEVdjmdCtVcF5MZ7qRvcn--uZwPKzM
```
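Doing that placement programmatically, and seeing what the file contents actually are, as an added example that is not part of this tutorial or of letsencrypt-nosudo. The contents the script prints are the ACME key authorization: the token from the URL, a dot, and the RFC 7638 thumbprint of your account key. That is why the file must be byte-exact, and why user.key must stay private. The code parses the STEP prompt, recomputes the expected contents from the output of `openssl rsa -pubin -in user.pub -noout -text` (the same text sign_csr.py itself parses), and writes the file under the right document root. The sample key text, the hostname-to-document-root mapping and the file names pubkey.txt and docroots.json are constructed for the example.

```python
"""Place an HTTP-01 challenge file from the 'STEP' prompt of sign_csr.py.

Added example for this tutorial, not part of letsencrypt-nosudo.  It assumes
you have saved the output of
    openssl rsa -pubin -in user.pub -noout -text
to a file, and that you know which document root serves each hostname.
The sample key text below is constructed (far too small to be a real key).
"""
import base64
import hashlib
import json
import os
import re
import sys


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWK require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def parse_openssl_pubkey_text(text: str):
    """Return (n, e) from 'openssl rsa -pubin -noout -text' output."""
    m = re.search(r"Modulus[^\n]*\n((?:[ \t]+[0-9a-fA-F:]+\n)+)[ \t]*Exponent:\s*(\d+)", text)
    if not m:
        raise ValueError("could not find Modulus/Exponent in openssl output")
    n = int(re.sub(r"[^0-9a-fA-F]", "", m.group(1)), 16)
    return n, int(m.group(2))


def jwk_thumbprint(n: int, e: int) -> str:
    """RFC 7638 thumbprint of an RSA public key: SHA-256 over the canonical JWK."""
    def b64int(x):
        return b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    jwk = {"e": b64int(e), "kty": "RSA", "n": b64int(n)}
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode("ascii")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, n: int, e: int) -> str:
    """The exact file contents the CA expects: <token>.<account key thumbprint>."""
    return token + "." + jwk_thumbprint(n, e)


STEP_URL = re.compile(r"URL:\s*http://([^/\s]+)/\.well-known/acme-challenge/([A-Za-z0-9_-]+)")
STEP_CONTENTS = re.compile(r'File contents:\s*"([^"\s]+)"')


def parse_step(step_text: str):
    """Extract hostname, token and file contents from the script's STEP prompt."""
    u, c = STEP_URL.search(step_text), STEP_CONTENTS.search(step_text)
    if not (u and c):
        raise ValueError("prompt does not contain a challenge URL and file contents")
    return {"host": u.group(1), "token": u.group(2), "contents": c.group(1)}


def place_challenge(step_text, docroots, n=None, e=None):
    """Write the challenge file under the right document root; return its path.

    docroots maps hostname -> document root.  If the account key (n, e) is
    given, the prompt's contents are checked against it, so a mix-up of
    user.pub files is caught before you press Enter.
    """
    step = parse_step(step_text)
    if step["host"] not in docroots:
        raise ValueError("no document root known for " + step["host"])
    if step["contents"].split(".")[0] != step["token"]:
        raise ValueError("file contents do not start with the URL token")
    if n is not None and step["contents"] != key_authorization(step["token"], n, e):
        raise ValueError("contents do not match the account key in user.pub")
    path = os.path.join(docroots[step["host"]], ".well-known", "acme-challenge", step["token"])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:  # bytes: one line, no trailing newline, no spaces
        fh.write(step["contents"].encode("ascii"))
    return path


# Constructed sample (not a real key): a real 4096-bit modulus is 512 bytes.
SAMPLE_PUBKEY_TEXT = """Public-Key: (64 bit)
Modulus:
    00:c0:ff:ee:00:12:34:56:78
Exponent: 65537 (0x10001)
"""

if __name__ == "__main__":
    # usage: python place_challenge.py pubkey.txt docroots.json < step.txt
    with open(sys.argv[1]) as fh:
        n, e = parse_openssl_pubkey_text(fh.read())
    with open(sys.argv[2]) as fh:
        roots = json.load(fh)
    print(place_challenge(sys.stdin.read(), roots, n, e))
```

Paste each STEP prompt into the script on stdin, with docroots.json holding something like {"test.example.com": "/home/cpanel_user/test.example.com"}; it writes the file and prints the path, and refuses to write anything whose contents do not match your own account key.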
After you have done this for all your subdomains, press Enter so the script can fetch the files and issue the certificate, then install it from your Namecheap hosting cPanel. You can use this link for help.
- Go to cPanel > Security > SSL/TLS and click Manage SSL sites.
- Select the domain you want to install the certificate for, for example test.example.com.
- In Certificate: (CRT) paste the content of the newly created signed.crt.
- In Private Key (KEY) paste the content of domain.key.
- Press the Autofill by Domain button next to the domain drop-down.
- Press Install Certificate.
Congratulations, you are now using a free Let’s Encrypt certificate on Namecheap basic hosting. Check from outside (with openssl s_client or your browser’s certificate viewer) that the served certificate is the new one and that every name you requested appears in its Subject Alternative Name list; if browsers report an incomplete chain, paste the Let’s Encrypt intermediate into the Certificate Authority Bundle (CABUNDLE) field. Let’s Encrypt certificates are valid for 90 days, so repeat the signing and installation steps before then.
I’m slightly confused. Do you leave these fields intact?
```
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
```
Add your own data after ‘=’
You only mention the fields after [alt_names] in the original article. Can I modify them?
And what about using wildcard domains? This looks like it’s all hardcoded to a specific domain and subdomains.
Great, everything has come out. But after installing the certificate, it keeps saying it is not valid, maybe it takes a while to update the change?
signed.crt is empty.
You might have done something wrong there..
Thanks for this tutorial.
During the script, it keeps telling me that:
register_GELGOX.json: No such file or directory.
Any idea why ?
Do we need to perform the above when the certificates are near expiring, or are they renewed automatically without user intervention?
Yes, sadly. It is possible to automate the entire thing, it is not explained in this tutorial, though.
I would love instructions for
non-ssh
specifically NameCheap easyWP (which does have a cert upload facility with key upload, but one NC refuses to help)
They will however help configure DNS Resource Records should one provide a link to instructions (for domain ownership verification)
sslforfree.com apparently *inflicts* a 90 day expiration. That’s even worse than fighting with SiriusXM every 5 months for their promos.
Hello. First of all, thank you for this guide!
I created the openssl-san.cfg file since I have multiple domains on the same root folder. I also made sure to replace the info after the “= ” as you pointed out to KerosenoDev. I then uploaded that file to letsencrypt-nosudo. However, when I run the following command `openssl req -new -sha256 -key domain.key -subj "/O=My Company Name LTD./C=US" -config openssl-san.cfg >domain.csr` (after skipping the command before since it is for a single domain) I get the following:
```
Error opening Private Key domain.key
140445975095112:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('domain.key','r')
140445975095112:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load Private Key
```
What am I doing wrong? Thanks a lot!
I’m not sure, but maybe you copied the tutorial word for word. We should look at that.
Thanks a lot for the tutorial. I was able to install my free certificates without issues on namecheap.
Regards
Glad to hear. Remember, you will have to renew every three months. We might be able to automate that, though.
Is there a reason you couldn’t just prompt the user for their user.key equivalent file-name? And then pipe that into a shell file instead of to the screen, and run that?