I just finished the process of installing an SSL certificate on my website and since I ran into a few issues along the way, I thought I’d document the process here in the hope of saving someone some time and headaches in the future.
I use InMotion Hosting for my domain provider but since the majority of the install process uses cPanel, I suspect that what I’ve done will apply to other providers as well.
To perform the install of the certificate you will need SSH access to your site using PuTTY and also FTP access using the FTP program of your choice.
First open PuTTY and enter in the host name and port for your site. In my case the host name was carnali.com and the port was 2222.
On the left side of the PuTTY dialog select Connection > SSH > Auth. Use the browse button to load your private key file (generated while you were setting up your site for SSH access) and then press the ‘Open’ button.
A console window will open and you will need to enter the user name and SSH password for your site.
The process is as follows:
Download the getssl script from GitHub using the following command (the quotes and dashes in all of the commands below must be plain ASCII characters; curly quotes or a long dash will make the shell reject them):
curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > getssl ; chmod 700 getssl
Add a user agent to the getssl script using the following:
sed -i 's/curl -k/curl -Aagent -k/' ./getssl
Create a directory for the configuration files using the following command. (Make sure you replace www.carnali.com with your own domain name)
domain=www.carnali.com; ./getssl -c $domain
Enter the following commands to generate the needed configuration files:
configFile=.getssl/$domain/getssl.cfg; sed -i 's/SANS/#SANS/' $configFile
echo 'CA="https://acme-v01.api.letsencrypt.org"' >> $configFile
echo "ACL=('public_html/.well-known/acme-challenge')" >> $configFile
Next, launch your FTP program, navigate to the .getssl/www.carnali.com folder (again substitute your own domain wherever carnali.com occurs) and download the three files used in the cPanel steps below: www.carnali.com.crt, www.carnali.com.key and chain.crt.
Log in to your website’s cPanel interface and navigate to ‘SSL/TLS > Manage SSL Sites’
Go to the ‘Install an SSL Website’ section and do the following:
Select a Domain: carnali.com
Copy and paste the contents of www.carnali.com.crt to the Certificate section.
Copy and paste the contents of www.carnali.com.key to the Private Key section.
Copy and paste the contents of chain.crt to the Certificate Authority Bundle section.
Press the ‘Install Certificate’ button.
That should be it. Open a web browser and enter https://www.carnali.com to see if you can connect without errors.
If you do have a problem, DigiCert has a nice page where you can enter your domain and perform a check on the newly installed certificate.
When I did my own certificate installation I initially could not get it to work. When I attempted to go to my site I would see invalid certificate errors even though the certificate appeared to match the domain name. I ended up figuring out that I needed to use www.carnali.com during the certificate generation process instead of carnali.com. This is required because Let’s Encrypt does not yet support wildcard certificates and requires an exact match for the domain name. This also prevents you from using the certificate for subdomains on your server. The good news is that Let’s Encrypt will start to support wildcard certificates in January of 2018 so this problem should go away.
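The configuration steps above, collected into one re-runnable shell function with the quoting corrected, plus a check that the issued certificate really covers the host name you type in the browser (the www mismatch described above); this is an added example, not part of the original post or of getssl itself. The optional base-directory argument and the cert_matches_host helper are my own additions, and the helper assumes the openssl command is available on the server.

```shell
#!/bin/sh
# Added example, not from the original post. Runs after "./getssl -c DOMAIN"
# and reproduces the post's edits to getssl.cfg with plain ASCII quotes
# (the commands fail if pasted with curly quotes), appending each line only
# once so the function can be re-run safely. Assumed additions: the BASE
# argument (default .getssl) and the cert_matches_host helper (needs openssl).

# configure_getssl DOMAIN [BASE]: comment out SANS, pin the CA endpoint used
# in the post and set the ACL challenge path; prints the config file path.
configure_getssl() {
  domain=$1
  base=${2:-.getssl}
  cfg="$base/$domain/getssl.cfg"
  mkdir -p "$base/$domain"
  [ -f "$cfg" ] || : > "$cfg"
  # Comment out any SANS line (portable equivalent of the post's sed -i).
  sed 's/^SANS=/#SANS=/' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  grep -q '^CA=' "$cfg" || echo 'CA="https://acme-v01.api.letsencrypt.org"' >> "$cfg"
  grep -q '^ACL=' "$cfg" || echo "ACL=('public_html/.well-known/acme-challenge')" >> "$cfg"
  printf '%s\n' "$cfg"
}

# cert_matches_host CERT_FILE HOST: succeeds only if the PEM certificate is
# valid for HOST (e.g. www.carnali.com). A certificate issued for carnali.com
# alone fails here, which is the browser error the post ran into.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# Example use, following the post's steps:
#   ./getssl -c www.carnali.com
#   configure_getssl www.carnali.com
#   ./getssl www.carnali.com
#   cert_matches_host .getssl/www.carnali.com/www.carnali.com.crt www.carnali.com
```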