Date: 2018-08-12
Update: 2021-01-18
If your website doesn’t use SSL (HTTPS), then it should! Without SSL, someone on the network can see exactly what a user is doing on the site. For security, a trusted third party has to vouch for your public SSL key so that users know they are talking to your site. This page gives you easy-mode Linux commands to set up SSL with the following steps:
Prove you own $domain by putting certain files in http://$domain/.well-known/acme-challenge/.
On your webserver, create the directory to host http://$domain/.well-known/acme-challenge/.
domain=yourdomain.net
ssh "$domain"
# Shell variables do not survive the ssh hop, so set them again on the server:
domain=yourdomain.net
public_html="/srv/$domain/http"
mkdir -p "$public_html/.well-known/acme-challenge"
Did that last command need root privileges?
Let’s use sudo to create it and give our non-root user ownership so we don’t have to run dehydrated as root.
sudo mkdir -p "$public_html/.well-known/acme-challenge"
sudo chown $USER:$USER "$public_html/.well-known/acme-challenge"
Now make sure it works:
echo "hello world" > "$public_html/.well-known/acme-challenge/hello.txt"
chmod a+r "$public_html/.well-known/acme-challenge/hello.txt"
curl "$domain/.well-known/acme-challenge/hello.txt"
rm "$public_html/.well-known/acme-challenge/hello.txt"
Did “hello world” print on the terminal? If so, great! If not, please make it work before proceeding.
Next, grab the Dehydrated client. Ideally you should run this on your server, but it’s not strictly necessary.
cd $HOME/Downloads/
git clone https://github.com/dehydrated-io/dehydrated.git
cd dehydrated
Next, we need two config files to tell dehydrated which domains you own (domains.txt) and which “well-known” directory you’ll use to prove it (config.sh).
echo "$domain www.$domain" > domains.txt
echo "WELLKNOWN=$public_html/.well-known/acme-challenge" > config.sh
You’ll want to generate a new certificate every 2 months so the current one doesn’t expire (Let’s Encrypt certificates are valid for 3 months).
If on your webserver, just run:
git pull # stay up to date
./dehydrated -c -f config.sh
If running from your local machine, make $public_html accessible via sshfs first.
mkdir -p public_html
sshfs $domain:$public_html public_html
echo "WELLKNOWN='$PWD/public_html/.well-known/acme-challenge'" > config.sh
git pull # stay up to date
./dehydrated -c -f config.sh
fusermount -u public_html
# lighttpd's ssl.pemfile takes the certificate and private key in one file.
# Build it under a restrictive umask so the private key is never world-readable.
(umask 077; cat "certs/$domain/cert.pem" "certs/$domain/privkey.pem" > mynewcert.pem)
sudo install -m 640 -o root -g root mynewcert.pem "/etc/lighttpd/certs/$domain.pem"
rm mynewcert.pem
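The install step above, as an added example that is not part of the original post or of dehydrated: a bash helper that checks both inputs are the expected PEM kinds, refuses a private key that does not match the certificate (when openssl is available), assembles the combined file in a 0600 temp file and installs it with mode 640. The function names, argument layout and sample paths are assumptions.

```bash
#!/usr/bin/env bash
# Added helper (not from dehydrated or the original post): build lighttpd's
# combined cert+key PEM safely. Function names and argument order are assumptions.
set -eu

# Succeed if FILE contains a PEM block of KIND ("CERTIFICATE" or "PRIVATE KEY").
pem_has_block() {
    local file="$1" kind="$2"
    grep -qE "^-----BEGIN (RSA |EC )?${kind}-----$" "$file"
}

# Succeed if the public key in CERT is the one derived from KEY (needs openssl).
key_matches_cert() {
    local cert="$1" key="$2"
    [ "$(openssl x509 -noout -pubkey -in "$cert")" = "$(openssl pkey -pubout -in "$key")" ]
}

# build_lighttpd_pem CERT KEY DEST: concatenate CERT and KEY into DEST (mode 0640)
# without the private key ever sitting in a world-readable file. Refuses to run
# if the inputs are not the expected PEM kinds or (when openssl exists) don't match.
build_lighttpd_pem() {
    local cert="$1" key="$2" dest="$3" tmp
    pem_has_block "$cert" "CERTIFICATE" || { echo "not a certificate: $cert" >&2; return 1; }
    pem_has_block "$key" "PRIVATE KEY"  || { echo "not a private key: $key" >&2; return 1; }
    if command -v openssl >/dev/null 2>&1 && ! key_matches_cert "$cert" "$key"; then
        echo "private key does not match certificate" >&2; return 1
    fi
    tmp=$(mktemp)                      # mktemp creates the file with mode 0600
    cat "$cert" "$key" > "$tmp"
    install -m 640 "$tmp" "$dest"      # run as root, this yields root:root, 0640
    rm -f "$tmp"
}

# Example invocation matching the post's layout (run as root, e.g. via sudo):
#   build_lighttpd_pem "certs/$domain/cert.pem" "certs/$domain/privkey.pem" \
#       "/etc/lighttpd/certs/$domain.pem"
```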
I haven’t used CPanel for a while, but my process used to be:
Navigate to http://$domain/cpanel, log in, click SSL/TLS, click Install and Manage SSL, select the domain, and then copy/paste the contents of cert.pem and privkey.pem into the Certificate and Private Key fields.
The file contents can quickly be copied using the first two xsel commands.
cat "certs/$domain/cert.pem" | xsel -b
cat "certs/$domain/privkey.pem" | xsel -b
echo 'nothing to see here' | xsel -b # Clear the clipboard selection.
Those xsel commands don’t work on a webserver, but you can just as easily cat via ssh from your local machine:
ssh $domain cat "path/to/dehydrated/certs/$domain/cert.pem" | xsel -b