in Security, Tutorial

Install Let’s Encrypt SSL Certificate in a Shared Hosting

Let’s encrypt lets you to get https for your website for completely free. It’s the easiest way to get SSL certificate free of cost which will be recognized by major browsers. This tutorial goes through the steps that need to be done to get and setup a free SSL certificate for your shared cPanel hosting. Even though we are talking about cPanel, it’s not exclusively only for cPanel users, the way described here to get the certificate will work for other cases too if the required conditions are met (which are necessary in all cases).


  1. Install letsencrypt in your local machine.
  2. Get a certificate for your domain using letsencrypt.
  3. Install the certificate for your domain using cPanel.

What is Let’s Encrypt:

Getting an SSL certificate for your domain to let the visitors access your website using https (secure protocol) involves buying the certificate from a Certificate Authority (CA) which is generally expensive. For example, with PositiveSSL you can get an SSL cert for 8~9$/yr for a single domain. It may not seem that expensive at first, but if you want to do the same with all of your domains, then the amount may appear to be unreasonable. Here comes the concept of free SSL for those who don’t want to spend a lot of money just to let their visitors have access to the https versions of their websites.

Let’s encrypt is a great project which aims to encrypt the whole web and make https available to general public completely free of cost. It is backed by some big-name sponsors like Electronic Frontier Foundation, mozilla, Akamai, Cisco, Chrome, Facebook, SiteGround, IdenTrust etc… This project is provided by the Internet Security Research Group which is a public benefit organization.

Let’s get free HTTPS for your website:

Getting HTTPS using letsencrypt involves three steps: installing letsencrypt, generating certificate, uploading it with cpanel.

Installing letsencrypt:
  1. Debian based OS.

To install letsencrypt run these commands in a terminal:

cd /usr/local
sudo git clone
#sudo is to get root access, 
sudo ln -sf /usr/local/letsencrypt/letsencrypt-auto /usr/bin/letsencrypt
letsencrypt --hel

This should install letsencrypt in your system.

Generating certificate with letsencrypt:

To generate certificate for the domain and, run the following code in terminal:

letsencrypt certonly --manual --email [email protected] -d -d

It will ask you to agree some license agreements. Hit Enter for OK. It will also give you a challenge to verify your ownership of the domains. An example challenge is:

Make sure your web server displays the following content at before continuing:


To complete this challenge, you will have to create a directory/folder (.well-known/acme-challenge/uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ) in your remote host (generally in public_html) which will contain a index.html file with content: uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ.B5necJFJvzUyKE_LMUCV7iRrC59E-mdcd4-5PY6rC8c

Another way is to create the .well-known/acme-challenge/ folder/directory and create a file inside this folder with the name uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ and put uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ.B5necJFJvzUyKE_LMUCV7iRrC59E-mdcd4-5PY6rC8c as its’ content.

How you do this that’s upto you. You can do this in localhost then upload with filezilla or use ssh to directly create them. Whatever you do, don’t put anything else on that file other than the challenge key, not html/php tag/code, nothing; only the long hash key, and also be sure not put any spaces or newlines in that file.

I am giving an example of how you can do it with ssh (in another terminal):

To create index.html:

ssh -p port [email protected] #Login to remote host
cd public_html #or whatever your document root is
mkdir -p .well-known/acme-challenge/uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ
cd .well-known/acme-challenge/uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ
echo uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ.B5necJFJvzUyKE_LMUCV7iRrC59E-mdcd4-5PY6rC8c >index.html

The other method:

ssh -p port [email protected] #Login to remote host
cd public_html #or whatever your document root is
mkdir -p .well-known/acme-challenge
cd .well-known/acme-challenge
echo uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ.B5necJFJvzUyKE_LMUCV7iRrC59E-mdcd4-5PY6rC8c > uN2M3P6ZBWu9wUXhgKFE2y7ThrOmWr3TP-L1HS_WBSQ

That’s it, the challenge is complete, now hit Enter in the terminal which is running letsencrypt. You will have to complete this challenge for each of the domains provided, i.e twice for and

After you complete the challenges you should get a success message like this:


  • Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/ Your cert will expire on 2016-04-10. To obtain a new version of the certificate in the future, simply run Let’s Encrypt again.
  • If you like Let’s Encrypt, please consider supporting our work by:Donating to ISRG / Let’s Encrypt: Donating to EFF:

Yap, the certificate is ready to be used. We just need to set it up with cpanel now.

Automation of completing challenge:

Completing the challenge requires you to open another terminal and run ssh commands or create the index.html/index.php file by other means.

Using ssh and running a few lines of commands in a second terminal can be tedious when we need to do that for each of our domains. For this very reason I have written an expect script (lcget) to do this automatically. The script monitors the output and runs necessary commands using ssh to complete the http challenges. It minimizes all of your commands to a single command in a single terminal. For example, for the above case you could just do

lcget certonly --manual --email [email protected] -d -d

and be done with. All the things would be taken care of automatically.

Setting up the letsencrypt certificate in cpanel:

The certificate is saved in /etc/letencrypt/archive/ directory. You can see several files here:

  1. cert.pem: This is the certificate.
  2. chain.pem: This is known as CABUNDLE (Certificate Authority Bundle).
  3. privkey.pem: This is the private key.

We will upload the certificate and private key files with cpanel and copy paste the content of chain.pem CABUNDLE (Certificate Authority Bundle).