
Use Let's Encrypt SSL certificates on a Godaddy hosted site

— Last modified: xiaoke das.xiaoke@gmail.com Thu 16 Feb 2017 21:48:09 CST

I have a personal website (this one) using Godaddy shared hosting. The site can be managed via the cPanel on Godaddy website and ssh connections to my remote account. In the ssh terminal, I am able to make updates to my website which resides in my home folder, but I have no root access and thus no privilege to install software or modify configuration files of any services.

For no reason, one day I decided to use an SSL certificate to make my website appear green in the address bar of a browser. After days of sifting and on the brink of paying Godaddy for an expensive DV certificate, I found Let's Encrypt. The name didn't sound attractive at all. But I spotted Linux Foundation, some recognisable sponsors and words like free and open on its homepage and instantly decided to give it a go. Unfortunately, Godaddy itself does not support the core functionality of Let's Encrypt, i.e. the automatic management of the SSL certificate through an ACME (Automatic Certificate Management Environment) client, e.g. the Certbot. According to what it says on the Let's Encrypt Get-Started page, it seems that I am left with the only option of the manual mode of Certbot.

Now the story begins.

Preparations on Godaddy cPanel

Fortunately, Godaddy does support third-party SSL certificates. Its help page here gives a detailed description of how a third-party certificate could be installed.

  • Basically one needs to open the cPanel, choose SSL/TLS under the Security section.
  • Then there are 4 steps listed: Private Keys (KEY), Certificate Signing Requests (CSR), Certificates (CRT), and Install and Manage SSL for your site (HTTPS).
  • Before starting any Let's Encrypt business, the first two steps needed to be completed. A private key and a CSR were thus generated for my domain.
  • The next two steps should be finished after obtaining the SSL certificate from Let's Encrypt.

The Let's Encrypt Business

The Certbot client can be readily installed through brew on macOS. After installation, the following command can be used, which I found after some trial and error but which turned out to be written on the Certbot User Guide page here.

sudo certbot certonly -d www.xiaokeyang.com -m myemail@myemail.com --manual --csr csrfile 

The csrfile was copied from the CSR generated by the Godaddy cPanel, but I was not sure whether it was essential or not, so the command without '--csr csrfile' would probably also work. Then I was asked to put a file on my website to verify my ownership of the site, for which the message was like

  Make sure your web server displays the following content at
  http://www.xiaokeyang.com/.well-known/acme-challenge/EVDWTv0nVAXzwHYUkE2Y3kQy4jcXJ6BpWLW93Y_pAIg before continuing:
  
  EVDWTv0nVAXzwHYUkE2Y3kQy4jcXJ6BpWLW93Y_pAIg.pU0U7JBogAddZh1h1nLFWxli-3mQlsd1h8IiRxPZ118

This was pretty easy for me, and I logged into my Godaddy account through an ssh connection and created a file in the path .well-known/acme-challenge/EVDWTv0nVAXzwHYUkE2Y3kQy4jcXJ6BpWLW93Y_pAIg with the content of

  EVDWTv0nVAXzwHYUkE2Y3kQy4jcXJ6BpWLW93Y_pAIg.pU0U7JBogAddZh1h1nLFWxli-3mQlsd1h8IiRxPZ118
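
The string Certbot asks for is an ACME key authorization: the token (which is also the file name), a dot, and the SHA-256 thumbprint of the ACME account's public key (RFC 8555 section 8.1, RFC 7638). The following is an added example, not part of the original post or of Certbot's code, that builds and checks such a string; `SAMPLE_JWK` is a constructed key and the function names are hypothetical.

```python
import base64
import hashlib
import json
import re

# RFC 7638: the JWK members that go into the thumbprint, per key type.
REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
B64URL = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of the account public key (RFC 7638)."""
    members = {name: jwk[name] for name in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body of the http-01 challenge file: token '.' thumbprint."""
    return token + "." + jwk_thumbprint(account_jwk)


def challenge_file_ok(filename: str, content: str, account_jwk=None) -> bool:
    """Check a challenge file before (or after) uploading it to the web root."""
    body = content.strip()
    token, sep, thumb = body.partition(".")
    if not sep or token != filename:
        return False  # the file name must equal the token
    if not (B64URL.fullmatch(token) and B64URL.fullmatch(thumb)):
        return False  # rejects '/', '..' and anything else outside base64url
    if len(thumb) != 43:
        return False  # a 32-byte SHA-256 digest is 43 unpadded base64url chars
    return account_jwk is None or body == key_authorization(token, account_jwk)


# Constructed account key (not a real key); only public JWK members are used.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x01" * 256), "alg": "RS256"}
# Values printed by Certbot in the post.
PAGE_TOKEN = "EVDWTv0nVAXzwHYUkE2Y3kQy4jcXJ6BpWLW93Y_pAIg"
PAGE_CONTENT = PAGE_TOKEN + ".pU0U7JBogAddZh1h1nLFWxli-3mQlsd1h8IiRxPZ118"

if __name__ == "__main__":
    print(challenge_file_ok(PAGE_TOKEN, PAGE_CONTENT))
    print(key_authorization(PAGE_TOKEN, SAMPLE_JWK))
```

Because the second half is derived only from the account's public key, the challenge file is not a secret; it proves control of the web root only in combination with the account key that signs the ACME requests.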

After that I switched to the Certbot and pressed enter, and the following message was displayed shortly

  Waiting for verification...
  Cleaning up challenges
  Server issued certificate; certificate written to /Users/encore/0001_cert.pem
  Cert chain written to <fdopen>
  Cert chain written to <fdopen>
  
  IMPORTANT NOTES:
   - Congratulations! Your certificate and chain have been saved at
     /Users/myusername/0003_chain.pem. Your cert will expire on 2017-05-17.
     To obtain a new or tweaked version of this certificate in the
     future, simply run certbot again. To non-interactively renew *all*
     of your certificates, run "certbot renew"
   - If you like Certbot, please consider supporting our work by:
  
     Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
     Donating to EFF:                    https://eff.org/donate-le

It seemed that the certificate 0001_cert.pem was successfully generated. I copied and pasted the content of the generated certificate to the cPanel SSL/TLS page, then installed the certificate as guided by the page. My site could be accessed instantly using HTTPS, i.e. https://www.mydomain.com. I had no idea what the other generated file 0003_chain.pem was for, but since the HTTPS connection was working and I saw a green address bar, I was happy and stopped there.

Redirect HTTP to HTTPS

A problem was still left, i.e. HTTPS connections were only used when I explicitly typed https://www.xiaokeyang.com, and HTTP connections were used otherwise. I would like to redirect all HTTP requests to HTTPS ones and this redirection could be simply done by adding the following code to the .htaccess file at the root folder of my site. This was also explained at the Godaddy help page here.

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Note that this redirection should happen after the one which redirects xiaokeyang.com to www.xiaokeyang.com, which is

RewriteCond %{HTTP_HOST} ^xiaokeyang\.com [NC]
RewriteRule ^(.*)$ http://www.xiaokeyang.com/$1 [R=301,L]

Now, my site fully operates on HTTPS, despite the fact that the Let's Encrypt certificate is only valid for 3 months, and the certificate needs to be renewed before it expires. Anyway, I'll leave that to two months later.