If you are like me, using a shared host for your website, chances are you don't
have root access to your web server and have probably run into the following error
while using the original certbot by Let's Encrypt:
"sudo" is not available, will use "su" for installation steps...
Sorry, I don't know how to bootstrap Certbot on your operating system!
Luckily, others have already thought about this problem and developed a handy
pure shell script called acme.sh. So
here's my experience using it to sign with Let's Encrypt on a GoDaddy shared host without root access.
First, of course, you need to grab the acme.sh script. I'll just copy/paste the instructions from their GitHub page here; it's just some
old-school git clone stuff. You may want to check their page in case the
instructions get updated.
$ git clone https://github.com/Neilpang/acme.sh.git
$ cd ./acme.sh
$ ./acme.sh --install
If you don't know how Let's Encrypt (LE) works, here's a brief recap.
So we already know the official LE client for handling this process needs root
access, which we don't have. That's why we use acme.sh: it's basically a
powerful wrapper for LE that gets things done without needing root.
Using acme.sh is simple, though. Here are some examples, all tested on the
blog site you are looking at right now.
Sign one domain. -d states your website's domain name, -w your site's
webroot path on the server.
$ acme.sh --issue -d yulinling.net -w /webroot/path/of/your/site
Sign multiple domains. Note that these domains must all have the same webroot path.
$ acme.sh --issue -d yulinling.net -d www.yulinling.net -w /webroot/path/of/your/site
If you have subdomains that are rooted at different paths on the server,
you need to sign them separately. In my case, I have to sign
blog.yulinling.net, gallery.yulinling.net, and technote.yulinling.net.
The signed certificates will be placed in ~/.acme.sh/your_domain_name/. For
example, my certs for yulinling.net include the following files:
$ ls ~/.acme.sh/yulinling.net
ca.cer fullchain.cer yulinling.net.cer yulinling.net.conf yulinling.net.csr yulinling.net.csr.conf yulinling.net.key
Here, your_domain_name.cer is the SSL certificate for your site; ca.cer is
the so-called Certificate Authority Bundle (CA BUNDLE), which contains all
the intermediate certs up to the root for the issuer of your certificate;
fullchain.cer is just a combination of the previous two; the .csr file is
the certificate request; the .key file is the private key that goes with the
certificate and should stay readable only by your own account; the .conf files
are just there to make future renewals easier for acme.sh.
A major limitation of LE is the short life of a cert, which is only 3 months.
That's another reason to use acme.sh: it will automatically
renew your certs every 60 days.
Or you can renew the cert manually with the --force flag.
$ acme.sh --renew -d yulinling.net --force
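As an added example (not from the original post or the acme.sh project), this script audits a directory laid out like the listing above: the .key file must grant nothing to group or other users, fullchain.cer must hold the certificates of your_domain_name.cer plus ca.cer, and, if openssl is installed, the certificate must not be close to expiry. The function names, finding labels and the 20-day default threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of acme.sh. Function names and labels are hypothetical.

# Number of PEM certificate blocks in a file (prints 0 if there are none).
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# audit_acme_dir DIR DOMAIN [DAYS]   (DAYS=0 skips the expiry check)
# Prints one line per finding and returns the number of findings.
audit_acme_dir() {
    dir=$1; domain=$2; days=${3:-20}; findings=0
    key="$dir/$domain.key"; cert="$dir/$domain.cer"

    for f in "$key" "$cert" "$dir/ca.cer" "$dir/fullchain.cer"; do
        [ -f "$f" ] || { echo "MISSING: $f"; findings=$((findings + 1)); }
    done
    [ "$findings" -eq 0 ] || return "$findings"

    # The private key must grant nothing to group or other users.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "KEY_PERMS: $key group/other bits are '$perms' (chmod 600)"
        findings=$((findings + 1))
    fi

    # fullchain.cer should hold the site certificate plus all of ca.cer.
    want=$(( $(pem_count "$cert") + $(pem_count "$dir/ca.cer") ))
    got=$(pem_count "$dir/fullchain.cer")
    if [ "$got" -ne "$want" ]; then
        echo "CHAIN: fullchain.cer has $got certificates, expected $want"
        findings=$((findings + 1))
    fi

    # Renewal at 60 days of a 3-month lifetime leaves about 30 days, so a
    # cert with under DAYS (assumed default 20) left was not renewed.
    if [ "$days" -gt 0 ] && command -v openssl >/dev/null 2>&1 &&
       ! openssl x509 -checkend $((days * 86400)) -noout -in "$cert" >/dev/null 2>&1
    then
        echo "EXPIRY: $cert expires within $days days or cannot be parsed"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone use: sh audit.sh yulinling.net
if [ "$#" -ge 1 ]; then
    audit_acme_dir "$HOME/.acme.sh/$1" "$1"
fi
```

An exit status of 0 means no findings; any other status is the number of findings printed.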
26 Oct 2016