menu

Let's Encrypt on Host without Root Access


If you are like me, using a shared host for your website, chances are you don’t have root access to your web server and probably run into the following error while using the original certbot by Let’s Encrypt.

“sudo” is not available, will use “su” for installation steps…
Sorry, I don’t know how to bootstrap Certbot on your operating system!

Luckily, there are guys already considering such problem and developed a handy pure shell script called acme.sh. So here’s my experience using it to sign with Let’s Encrypt on a GoDaddy shared host without root access.

Install the script.

First of course you need to grab the acme.sh script. I’ll just copy/paste their instructions on github page here, just some old school git clone stuff. You may want to check their page in case the instructions get updated.

$ git clone https://github.com/Neilpang/acme.sh.git
$ cd ./acme.sh
$ ./acme.sh --install
The above install code will,

  1. copy the script your home directory under ~/.acme.sh/
  2. create an alias of the script
  3. create an daily cron job to update your cert.
Sign your site.

If you don’t know how Let’s Encrypt (LE) works, here’s a brief recap.

  1. You tell LE your site address and webroot folder address.
  2. LE will ask you to put a file with a sequence of characters in your webroot folder.
  3. LE will reach to your site and check for the file, if it’s found, you’re proven to be the owner of the site.
  4. LE will issue you a certificate stating you truly are who you claimed to be, i.e. the owner of the site.

So we already know the official LE client for handling this process needs root access, which we don’t have. That’s why we use acme.sh, it’s basically a powerful wrapper of LE that gets the things done bypassing the root need.

Using acme.sh is simple though. Here are some examples, all are tested on this blog site you are looking at right now.

  1. Sign one domain. -d states your website’s domain name, -w your site’s webroot path on the server.

    $ acme.sh --issue -d yulinling.net  -w /webroot/path/of/your/site
    

  2. Sign multiple domains. Note these domains have to have the same webroot path

    $ acme.sh --issue -d yulinling.net -d www.yulinling.net -w /webroot/path/of/your/site
    

If you have some subdomains that are rooted at different paths on the server, you need to sign them separately. Like for me, I have to sign blog.yulinling.net, gallery.yulinling.net, and technote.yulinling.net individually.

The signed certificates will be placed in _~/.acme.sh/your_domainname/. For example, my certs for yulinling.net include these following files,

$ ls ~/.acme.sh/yulinling.net
ca.cer  fullchain.cer  yulinling.net.cer  yulinling.net.conf  yulinling.net.csr  yulinling.net.csr.conf  yulinling.net.key

Here, _your_domainname.cer is the SSL certificate for your site; ca.cer is the so called Certificate Authority Bundle (CA BUNDLE), which contains all the intermediate certs up to the root for the issuer of your certificate; fullchain.cer is just a combination of the previous two; the .csr file is the certificate request; other .conf files are just for acme.sh’s future ease of renewing your certificate.

Renew your sites.

A major limitation of LE is the short life of a cert, which is only 3 months. And that’s another reason of using acme.sh because it will automatically renew your certs every 60 days. Or you can renew the cert manually with the - -force tag.

$ acme.sh --renew -d yulinling.net --force

By