
Install a Let's Encrypt SSL

  • Applies to: Grid
    • Difficulty: Medium
    • Time Needed: 20
    • Tools Required: SSH access and AccountCenter access
  • Applies to: DV
    • Difficulty: Easy
    • Time Needed: 15
    • Tools Required: Admin/Root Access

Overview

This article shows you how to install and configure a Let's Encrypt SSL certificate on your Media Temple Grid. Let's Encrypt is an open SSL Certificate Authority (CA) that's maintained by the Internet Security Research Group (ISRG). One of their goals is to make the internet more secure by increasing the availability of SSL certificates. While a Let's Encrypt SSL is only valid for 90 days and requires much more effort than an (mt) SSL to install, Let's Encrypt SSLs are completely free and as secure as any other SSL certificate. For more information, visit Let's Encrypt's Web site.

 

This information is provided as a courtesy. Media Temple does not support 3rd party products and services in any capacity beyond what is written here. Please see our statement of support for more info. 

Requirements

Before you start, you should have handy or be familiar with:

 

Important specifics to be aware of:

  • Due to the way the Let's Encrypt client functions and the restrictions on the Grid, these steps are only for generating an SSL for either domain.com or www.domain.com. A much more complex method is required for generating a CSR that can be used to create an SSL for both www and non-www. That is outside the scope of this guide and will not be covered here.
  • Let's Encrypt SSLs are only valid for 90 days. They may be renewed prior to their expiration date by following the instructions in this article.
  • WildCard SSLs are currently not possible with Let's Encrypt. 
  • Because the Let's Encrypt client requires increased privileges (sudo or root) to run, it cannot be run directly on the Grid due to its shared nature. Instead, these are instructions for generating a CSR and then using a 3rd party website (https://gethttpsforfree.com/) for verification of ownership of the domain or server, as well as to contact the Let's Encrypt server to generate the SSL certificate and CA Chain.

 

Instructions

1. Generate a CSR - A Certificate Signing Request needs to be created for the domain that you will be installing the SSL on. The easiest way to do this is through the CSR generator provided in the Grid AccountCenter. If you need help, instructions can be found here.

2. Open a new browser tab and navigate to https://gethttpsforfree.com. Also open a terminal window and SSH to your Grid server.

This site (gethttpsforfree.com) is a PHP page that was created by a 3rd party to run the necessary Let's Encrypt service on their server. The site generates the necessary files and then connects to Let's Encrypt's server to get the SSL issued. Because the site does not ask for your Private Key, and because Let's Encrypt SSL generation must be done through Let's Encrypt's own servers, this site is safe to use.

 

Instructions for gethttpsforfree.com:

Step 1. Register an email with Let's Encrypt by generating a public key and submitting it:

  • Connect to your Grid using SSH and generate a new key.
openssl genrsa 4096 > account.key

You should see an output similar to this:

  • Print the public key to your terminal
openssl rsa -in account.key -pubout

You should see an output similar to this:

 

Copy and paste the public key into the field provided. 

 

Step 2. The CSR that needs to be entered is the one that you created earlier via the AccountCenter.

Step 3. Use your private key to sign your Let's Encrypt requests. Enter each of the three commands using a terminal connected to the Grid via SSH. Copy and paste the results back to the site. Wait until you've entered all 3 commands and pasted their outputs before using the "validate signatures" button. If you used the generic command provided to create your keys, the command should work without being altered. Otherwise, add the file path to your key. 

Step 4. Make sure that you select the tab labeled Option 2 - file-based. The Python option will not work on the Grid as it requires changes to server level configuration files. Run the command given in SSH while connected to the Grid, then copy/paste the results back to the site.  This step will require you to create two specifically named directories and a file within the domain's HTML directory to prove you have access to it. You can use SSH, FTP, or the AccountCenter File Manager to create and upload the directories and verification file. This step must be completed within 10-15 minutes or you may have to start over from step 1. 

  • Create the 2 directories (.well-known/acme-challenge/) and then add the verification file to the acme-challenge directory.
~/domains/yourdomain.com/html/.well-known/acme-challenge/VERIFICATION_FILE_NAME

VERIFICATION_FILE_NAME must be the exact string of characters provided:

 

This is a file, not a directory. Do not create this file with an extension such as html or php. You will be placing the domain verification string in this file. 

 

  • Now put the verification string text inside the verification file. Do not include anything extra in the file. There should only be one line and it will be the verification string that's listed under Serve This Content. You may either cut and paste using a bash text editor, or simply use echo to automatically add the content.  
echo serve-this-content > path/to/VERIFICATION_FILE_NAME

 

  • Verify that this file is properly being served before continuing. Navigate to http://DOMAIN.COM/.well-known/acme-challenge/VERIFICATION_FILE_NAME (replace DOMAIN.COM with your domain) and make sure it's outputting the verification string. Then let the site verify this, and you will receive your SSL and CA Chain certificates.
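
Step 4 as a script, added here as an example and not part of the original article or of gethttpsforfree.com: it creates the two directories, rejects a file name that carries an extension or path characters, writes the single-line content and reads it back. The `place_challenge` function and the token and content values are constructed placeholders, and the allowed character set for the content is an assumption.

```sh
#!/bin/sh
# Added example; the token and content values used below are constructed.

# place_challenge DOCROOT TOKEN CONTENT
# DOCROOT is the domain's html directory, TOKEN the exact file name the
# site gives you, CONTENT the string listed under "Serve This Content".
place_challenge() {
    docroot=$1 token=$2 content=$3
    dir="$docroot/.well-known/acme-challenge"

    [ -d "$docroot" ] || { echo "no such docroot: $docroot" >&2; return 2; }

    # File name: letters, digits, '-' and '_' only. This rejects "../",
    # sub-paths and extensions such as .html or .php.
    case $token in
        ''|*[!A-Za-z0-9_-]*) echo "bad file name: $token" >&2; return 2 ;;
    esac
    # Content: one line, no spaces or other extras (assumed character set).
    case $content in
        ''|*[!A-Za-z0-9_.-]*) echo "bad content" >&2; return 2 ;;
    esac

    mkdir -p "$dir" || return 1
    printf '%s\n' "$content" > "$dir/$token" || return 1
    chmod 644 "$dir/$token"          # the web server must be able to read it

    # Read back: exactly one line, identical to what the site asked for.
    [ "$(wc -l < "$dir/$token")" -eq 1 ] || return 1
    [ "$(cat "$dir/$token")" = "$content" ] || return 1
    echo "$dir/$token"
}

# Demo against a throwaway directory standing in for
# ~/domains/yourdomain.com/html
demo_root=$(mktemp -d)
place_challenge "$demo_root" "EXAMPLE_token-123" "EXAMPLE_token-123.EXAMPLE_thumbprint"
place_challenge "$demo_root" "EXAMPLE_token-123.html" "x" || echo "rejected as expected"
rm -rf "$demo_root"
```

Once the file is in place, `curl -fsS http://DOMAIN.COM/.well-known/acme-challenge/VERIFICATION_FILE_NAME` run from another machine should print the same single line.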

3. Copy the generated SSL and CA Chain certificates and install both through the AccountCenter. If you need help, both video and text instructions may be found here.  

 

As a reminder, the SSLs issued by Let's Encrypt are only valid for 90 days by design, so they must be renewed by following these steps again before the expiration date. As always, if you have any questions or concerns, please feel free to contact our award winning 24/7 support team.

Overview

This article shows you how to install and configure a Let's Encrypt SSL certificate on your Media Temple VPS. Let's Encrypt is an open SSL Certificate Authority (CA) that's maintained by the Internet Security Research Group (ISRG). One of their goals is to make the internet more secure by increasing the availability of SSL certificates. While a Let's Encrypt SSL is only valid for 90 days and requires much more effort than a Media Temple SSL to install, Let's Encrypt SSLs are completely free and as secure as any other SSL certificate. For more information, visit Let's Encrypt's Web site.

 This information is provided as a courtesy. Media Temple does not support 3rd party products and services in any capacity beyond what is written here. Please see our statement of support for more info. 

 

Instructions 

Install on Plesk

Plesk has native support for Let's Encrypt via a plugin found in the Plesk extension catalogue. Extensions found in the official Plesk catalogue have been vetted by Plesk and may be considered safe to use. However, Media Temple is not affiliated with the creators of these extensions and does not support them any further than the documentation included in this Community article. 

 

1. Begin by logging into your Plesk control panel. Select Extensions from the menu on the left. 

 

2. Select Extensions Catalogue from the menu at the top. 

3. Find the Let's Encrypt extension and click install. This process may take a couple of minutes. If the installation takes longer than 2-3 minutes, refresh the page and attempt to install again.

4. Once the installation completes, select Let's Encrypt from the extensions list. This will redirect you to a page listing your available domains. Select the domain that you'd like to install a Let's Encrypt SSL on. 

5. If you'd also like to secure the 'www' subdomain, check the first box. Otherwise, the certificate will only be installed on example.com, rather than www.example.com. Let's Encrypt also includes the option to secure connections to Plesk (example.com:8443). This will replace the default self-signed certificate that Plesk uses with the Let's Encrypt SSL. This is similar to navigating to Tools & Settings > SSL Certificates and selecting an available certificate to secure Plesk. 

6. Your installation may take 2-3 minutes. If the installation fails, it will likely be accompanied by an error message. Use this to resolve any issues and attempt to install again. 

  

As a reminder, the SSLs issued by Let's Encrypt are only valid for 90 days by design, so the certificate must be renewed. The Plesk Let's Encrypt extension will attempt to renew the certificate automatically, but you will want to verify that it is successful. As always, if you have any questions or concerns, please feel free to contact our award winning 24/7 support team.
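
The 90-day lifetime noted here and in the Grid section, and the single-name limit of the Grid method, can both be checked from the shell against a saved copy of the certificate. This is an added example, not Media Temple or Plesk tooling; `cert_status`, `make_sample_cert` and the file paths are hypothetical, and the sample certificate is a throwaway self-signed one constructed for the demo.

```sh
#!/bin/sh
# Added example; function names and paths are hypothetical.

# cert_status CERT_FILE HOSTNAME DAYS
# Prints one of: unreadable, wrong-host, renew, ok.
cert_status() {
    cert=$1 host=$2 days=$3
    [ -r "$cert" ] || { echo unreadable; return 2; }

    # A certificate issued for domain.com does not cover www.domain.com
    # (and vice versa), so test the exact name visitors use.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" \
            | grep -q 'does match certificate'; then
        echo wrong-host
        return 0
    fi
    # -checkend exits non-zero if the certificate expires within N seconds.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo ok
    else
        echo renew
    fi
}

# Constructed sample input: a self-signed certificate for example.com
# with the same 90-day lifetime as a Let's Encrypt certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=example.com" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir"
cert_status "$demo_dir/sample.crt" example.com 30        # ok
cert_status "$demo_dir/sample.crt" example.com 120       # renew
cert_status "$demo_dir/sample.crt" www.example.com 30    # wrong-host
rm -rf "$demo_dir"
```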

 

 

 
