If your website doesn’t use SSL (HTTPS), then it should! Without SSL, someone on the network can see exactly what a user is doing on the site. For security, a trusted third party has to vouch for your public SSL key so that users know they are talking to your site. This page gives you easy-mode Linux commands to set up SSL with the following steps:
$domain by putting certain files in
On your webserver, create the directory to host
    ssh $domain
    domain=yourdomain.net
    public_html="/srv/$domain/http"
    mkdir -p "$public_html/.well-known/acme-challenge"
Did that last command need root privileges? Use sudo to create it and give our non-root user ownership so we don’t have to run dehydrated as root.
    sudo mkdir -p "$public_html/.well-known/acme-challenge"
    sudo chown $USER:$USER "$public_html/.well-known/acme-challenge"
Now make sure it works:
    echo "hello world" > "$public_html/.well-known/acme-challenge/hello.txt"
    chmod a+r "$public_html/.well-known/acme-challenge/hello.txt"
    curl "$domain/.well-known/acme-challenge/hello.txt"
    rm "$public_html/.well-known/acme-challenge/hello.txt"
Did “hello world” print on the terminal? If so, great! If not, please make it work before proceeding.
Next grab the Dehydrated client. Ideally you should run this on your server, but it’s not strictly necessary.
    cd $HOME/Downloads/
    git clone https://github.com/dehydrated-io/dehydrated.git
    cd dehydrated
Next we need 2 config files to tell dehydrated what domain you own (domains.txt) and what “well-known” directory you’ll use to prove it (config.sh):
    echo "$domain www.$domain" > domains.txt
    echo "WELLKNOWN=$public_html/.well-known/acme-challenge" > config.sh
You’ll want to regenerate a new certificate every 2 months so it doesn’t expire (after 3 months).
If on your webserver, just run:
    git pull # stay up to date
    ./dehydrated -c -f config.sh
If running from your local machine, make $public_html accessible via sshfs:
    mkdir -p public_html
    sshfs $domain:$public_html public_html
    echo "WELLKNOWN='$PWD/public_html/.well-known/acme-challenge'" > config.sh
    git pull # stay up to date
    ./dehydrated -c -f config.sh
    fusermount -u public_html
    # The combined file contains the private key, so create it unreadable to other users.
    (umask 077; cat "certs/$domain/cert.pem" "certs/$domain/privkey.pem" > mynewcert.pem)
    sudo install -m 640 -o root -g root mynewcert.pem "/etc/lighttpd/certs/$domain.pem"
    rm mynewcert.pem
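The renewal commands above write to certs/$domain/, so the combined file lighttpd reads goes stale unless the install step is repeated after every renewal. The check below is an added example, not part of the original page or of dehydrated; the function names are hypothetical, and it assumes the deployed file is the cert.pem plus privkey.pem concatenation created above.

```sh
#!/bin/sh
# Added example: audit the combined PEM that lighttpd serves against the
# certificate dehydrated last issued. Function names are hypothetical.

# Print the first CERTIFICATE block of a PEM file.
first_cert() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
        sed '/-----END CERTIFICATE-----/q'
}

# Succeed when the file is readable by "other" users.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004)" ]
}

# audit_deployed FRESH_CERT DEPLOYED_PEM
# Prints one finding per line, or "ok" (and returns 0) when there are none.
audit_deployed() {
    fresh=$1 deployed=$2 findings=0
    for f in "$fresh" "$deployed"; do
        [ -f "$f" ] || { echo "missing: $f"; return 1; }
    done
    want=$(first_cert "$fresh")
    if [ -z "$want" ] || [ "$want" != "$(first_cert "$deployed")" ]; then
        echo "stale: $deployed does not contain the certificate in $fresh"
        findings=1
    fi
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$deployed"; then
        echo "incomplete: $deployed has no private key block"
        findings=1
    fi
    if world_readable "$deployed"; then
        echo "exposed: $deployed is world-readable (expected mode 640)"
        findings=1
    fi
    [ "$findings" -eq 0 ] && echo "ok"
    return "$findings"
}

# Stand-alone use: sh audit.sh certs/$domain/cert.pem /etc/lighttpd/certs/$domain.pem
if [ "$#" -eq 2 ]; then
    audit_deployed "$1" "$2"
fi
```

The deployed file is root-owned with mode 640, so run the audit with sudo.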
I haven’t used CPanel for a while, but my process used to be:
http://$domain/cpanel, log in, click SSL/TLS, click Install and Manage SSL, select the domain, and then copy/paste the cert.pem and privkey.pem files into the Certificate and Private Key fields.
The file contents can quickly be copied using the first two
    cat "certs/$domain/cert.pem" | xsel -b
    cat "certs/$domain/privkey.pem" | xsel -b
    echo 'nothing to see here' | xsel -b # Clear the clipboard selection.
xsel commands don’t work on a webserver, but you can just as easily ssh from your local machine:
    ssh $domain cat "path/to/dehydrated/certs/$domain/cert.pem" | xsel -b