Automatic Let's Encrypt SSL certificates on GoDaddy shared hosting for free

Questions and discussion about web design, search engine optimisation and hosting
Santeri
Posts: 325
Joined: 2017-7-5 09:58

Unread post by Santeri » 2017-7-5 17:24

UPDATE: Here are the most up-to-date instructions and how-to for installing and using Let's Encrypt SSL certificates on GoDaddy shared hosting.

Let's Encrypt offers free SSL certificates, which are necessary for running secure web servers using the https protocol. Currently the GoDaddy hosting company is offering commercial SSL certificates and providing only defunct instructions for using Let's Encrypt certificates. As you can see, this website is running on GoDaddy and it is using fully automated SSL certificates. How did I do that?

First I installed acme.sh using Steve Phillips's awesome instructions. I followed through until "Upload cert and private key via GoDaddy's web interface", where I was supposed to install the certificates using cPanel. Let's Encrypt certificates have to be renewed every 2-3 months or they will expire and your website stops working properly, giving security warnings. Renewing certificates manually at least quarterly was not an option for me.

Reading the acme.sh source code revealed that while there is functionality for automatic renewal and installation of certificates using cPanel, it has not been implemented yet. The missing script is named cpanel.sh and it is located at ~/.acme.sh/deploy/cpanel.sh.

I wrote the missing script and now it works fully automatically. After the certificate is issued, it is deployed using the following command:
acme.sh --deploy -d www.mydomain.com --deploy-hook cpanel
I have submitted my script to the acme.sh GitHub repository, but it might take a while before it is merged, if ever. Here is my code in case you want to use it. Simply overwrite the original cpanel.sh with it and you are good to go.

(Script updated on 2017-7-10 with the fix hedgehog provided)

#!/usr/bin/env sh
# Here is the script to deploy the cert to your cPanel using the cPanel API.
# Uses the command line tool uapi.  The --user option is needed only if run as root.
# Returns 0 on success.
# Written by Santeri Kannisto <santeri.kannisto@webseodesigners.com>
# Public domain, 2017

# Only needed when acme.sh runs as root: the cPanel account to install into.
#export DEPLOY_CPANEL_USER=myusername

########  Public functions #####################

# Called by acme.sh as: cpanel_deploy domain keyfile certfile cafile fullchain
# (cafile and fullchain are not used by this hook)

cpanel_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  # URL-encode the cert and key. The file path (not the file contents) is
  # handed to php, so the PEM text is never interpolated into a PHP
  # double-quoted string and the private key is not placed in php's
  # argument list.
  _cert=$(php -r 'echo urlencode(file_get_contents($argv[1]));' -- "$_ccert")
  _key=$(php -r 'echo urlencode(file_get_contents($argv[1]));' -- "$_ckey")

  _debug _cert "$_cert"
  # the private key is only printed when acme.sh runs with OUTPUT_INSECURE=1
  _secure_debug _key "$_key"

  # Run as the cPanel user when root, otherwise without --user: an empty
  # quoted argument makes uapi print its usage page instead of installing.
  if [ "$(id -u)" = 0 ]; then
    _response=$(uapi --user="$DEPLOY_CPANEL_USER" SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key")
  else
    _response=$(uapi SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key")
  fi
  _ret=$?

  if [ "$_ret" -ne 0 ]; then
    _err "Error in deploying certificate:"
    _err "$_response"
    return 1
  fi

  _debug response "$_response"
  _info "Certificate successfully deployed"
  return 0
}
Happy hacking!
Last edited by Santeri on 2017-7-10 12:57, edited 1 time in total.



hedgehog

Unread post by hedgehog » 2017-7-10 06:08

Hi Santeri,

Thanks for this post. I was able to use this code to automatically deploy the LE certificate to GoDaddy's cPanel.
Had to make a change though. I am not running as root (shared hosting), so $_opt was empty. However, having "$_opt" in the command messed things up and UAPI was giving me a "syntax page" result. Removing the quotes around this optional parameter made it work OK.

Hope this is integrated soon into the main repository.
Regards.

Santeri
Posts: 325
Joined: 2017-7-5 09:58

Unread post by Santeri » 2017-7-10 12:52

hedgehog wrote:
2017-7-10 06:08
Thanks for this post. I was able to use this code to automatically deploy the LE certificate to GoDaddy's cPanel.
Had to make a change though. I am not running as root (shared hosting), so $_opt was empty. However, having "$_opt" in the command messed things up and UAPI was giving me a "syntax page" result. Removing the quotes around this optional parameter made it work OK.
Good that you managed to make it work. I don't have an environment for testing the option, and it's been 15 years since I last wrote shell scripts for GNU/Linux :)

I updated my pull request in GitHub including this fix: https://github.com/Neilpang/acme.sh/pull/940

Here is the fixed script:

#!/usr/bin/env sh
# Here is the script to deploy the cert to your cPanel using the cPanel API.
# Uses the command line tool uapi.  The --user option is needed only if run as root.
# Returns 0 on success.
# Written by Santeri Kannisto <santeri.kannisto@webseodesigners.com>
# Public domain, 2017

# Only needed when acme.sh runs as root: the cPanel account to install into.
#export DEPLOY_CPANEL_USER=myusername

########  Public functions #####################

# Called by acme.sh as: cpanel_deploy domain keyfile certfile cafile fullchain
# (cafile and fullchain are not used by this hook)

cpanel_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"

  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"

  # URL-encode the cert and key. The file path (not the file contents) is
  # handed to php, so the PEM text is never interpolated into a PHP
  # double-quoted string and the private key is not placed in php's
  # argument list.
  _cert=$(php -r 'echo urlencode(file_get_contents($argv[1]));' -- "$_ccert")
  _key=$(php -r 'echo urlencode(file_get_contents($argv[1]));' -- "$_ckey")

  _debug _cert "$_cert"
  # the private key is only printed when acme.sh runs with OUTPUT_INSECURE=1
  _secure_debug _key "$_key"

  # Run as the cPanel user when root, otherwise without --user: an empty
  # quoted argument makes uapi print its usage page instead of installing.
  if [ "$(id -u)" = 0 ]; then
    _response=$(uapi --user="$DEPLOY_CPANEL_USER" SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key")
  else
    _response=$(uapi SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key")
  fi
  _ret=$?

  if [ "$_ret" -ne 0 ]; then
    _err "Error in deploying certificate:"
    _err "$_response"
    return 1
  fi

  _debug response "$_response"
  _info "Certificate successfully deployed"
  return 0
}
Thanks a lot for your help!

ATLWebDesign

Unread post by ATLWebDesign » 2017-7-14 12:38

Thanks for your script, it works great when deployed manually.

acme.sh installs a cron job to auto-renew the Let's Encrypt certificate.

Do you need a 2nd cron job then to fire your deploy script, or can it be a parameter added to the acme.sh cron job?

What would the syntax of that cron job be?

I'm using it on a GoDaddy server that has multiple websites installed in subfolders.

Santeri
Posts: 325
Joined: 2017-7-5 09:58

Unread post by Santeri » 2017-7-14 20:38

ATLWebDesign wrote:
2017-7-14 12:38
Do you need a 2nd cron job then to fire your deploy script, or can it be a parameter added to the acme.sh cron job?
Renewed certificates should deploy fully automatically; at least manually renewed ones (with --force) did deploy when I tested the script. However, we will know that for sure only after my first certificates renew solely from cron within the next 2 months.

null

Unread post by null » 2017-8-3 04:57

I want to thank you for your cPanel script; I've been doing it manually on GoDaddy for a while now. I did everything you said in the post, and my final cron that works fully automatically is:
cd /home/GODADDYACCTNAME/.acme.sh; acme.sh --force --issue -d DOMAIN.COM -d WWW.DOMAIN.COM -w ~/www > /dev/null 2>&1; acme.sh --deploy -d DOMAIN.COM -d WWW.DOMAIN.COM --deploy-hook cpanel > /dev/null 2>&1
That does the issue and the cPanel deploy with no output, and it is confirmed working fully automatically as a cron job on GoDaddy using Santeri's script.

Santeri
Posts: 325
Joined: 2017-7-5 09:58

Unread post by Santeri » 2017-8-3 20:14

null wrote:
2017-8-3 04:57
I want to thank you for your cPanel script; I've been doing it manually on GoDaddy for a while now.
You are welcome and great that you got it working.

I am myself considering ditching GoDaddy and moving to Dreamhost. They offer built-in Let's Encrypt and also support DKIM, unlike GoDaddy. Their servers are really slow (this forum, for example) because they use NFS home directories and web roots, which sounds pretty insane to me.

Santeri
Posts: 325
Joined: 2017-7-5 09:58

Unread post by Santeri » 2017-8-8 11:31

Santeri wrote:
2017-8-3 20:14
I am myself considering ditching GoDaddy and moving to Dreamhost.
I migrated this forum from GoDaddy to Dreamhost today. At least all the tools and shell access are lightning fast compared to sluggish GoDaddy, and I also got DKIM working there.

Do you see any difference in the speed of this forum?
Last edited by Santeri on 2017-8-17 01:34, edited 1 time in total.

rusty

Unread post by rusty » 2017-8-8 12:46

Hi, I am trying to follow the guide but get stuck at the remark "After the certificate is issued, it is deployed using the following command: acme.sh --deploy -d www.mydomain.com --deploy-hook cpanel".

I am not sure if I should be executing this code?
crontab -l shows the scheduled renewal, so that seems fine (using the last "fixed" code from your comments).

However executing the command acme.sh --deploy -d www.<.....>.com --deploy-hook cpanel
gives:
Domain is not valid:'www........com'

What am I doing wrong here?

Also I am not sure at what point, if at all, I should now continue in the post at https://tryingtobeawesome.com/encryptdaddy/ ?

Thanks for the help.

Santeri
Posts: 325
Joined: 2017-7-5 09:58

Unread post by Santeri » 2017-8-8 13:00

rusty wrote:
2017-8-8 12:46
I am not sure if I should be executing this code?
crontab -l shows the scheduled renewal, so that seems fine (using the last "fixed" code from your comments).
You need to deploy it. Otherwise acme does not know how to redeploy renewed certificates. If you don't, your crontab will only renew certificates without deploying them, which leaves your system semi-automatic.

I am not 100% sure of this as my certificates are too fresh and have not yet renewed, but this is what I understood when I read their code.
Last edited by Santeri on 2017-8-8 13:45, edited 1 time in total.

rusty

Unread post by rusty » 2017-8-8 13:07

Got it to work! Instead of deploying the www......., I just deployed the name without www, since that seems to have been how it was called.

Thanks, also for the quick reply!!

Santeri
Posts: 325
Joined: 2017-7-5 09:58

Unread post by Santeri » 2017-8-22 12:00

Santeri wrote:
2017-7-10 12:52
I updated my pull request in GitHub including this fix: https://github.com/Neilpang/acme.sh/pull/940
My code has been merged into the ACME dev branch and can be deployed using

--deploy-hook cpanel_uapi

Santeri
Posts: 325
Joined: 2017-7-5 09:58

Unread post by Santeri » 2017-9-3 08:16

Good news! Automatic renewal worked today and my first certificate got renewed without any manual intervention. The bad news is that I discovered that if you have multiple subdomains in one certificate, only the first domain will be deployed. If you use the following commands to issue and deploy domains one by one, it should work fine for you:

acme.sh --issue -d webseodesigners.com -d www.webseodesigners.com --dns dns_gd

acme.sh --deploy -d webseodesigners.com --deploy-hook cpanel
My cPanel hook has been merged into the acme.sh master branch, so it is now available for all new installations. The only functional difference compared to these instructions (and my original code) is the name of the hook: instead of cpanel you need to use cpanel_uapi. Here is an example:

acme.sh --deploy -d webseodesigners.com --deploy-hook cpanel_uapi
Thanks a lot for helping me and happy hacking!
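The two practical snags that came up in this thread, the unquoted root/non-root `--user` switch that hedgehog hit and only the first name of a multi-domain certificate being installed, are handled in the following added example. This is not acme.sh's cpanel_uapi.sh and not Santeri's script; it is an editor's example that assumes `uapi` is on PATH, that its YAML output contains the line `status: 1` on success (an assumption about the uapi CLI), and that the caller passes the full list of domain names to install. It also replaces the php dependency with a pure-sh percent-encoder that reads the PEM files from stdin, so the certificate text is never interpolated into a `php -r` string. Note that `uapi SSL install_ssl` itself takes the key as a command-line argument, exactly as the hook above does; on a shared host where /proc is mounted without hidepid, that argument list is readable by other local users for the duration of the call, which is a property of the uapi CLI rather than of either script.

```shell
#!/usr/bin/env sh
# Added example (editor's code, not acme.sh's cpanel_uapi.sh and not the
# script from the thread). Installs one certificate for every domain name it
# covers via the cPanel UAPI command-line tool, using a php-free URL encoder.
# Assumptions: `uapi` is on PATH, its YAML output contains "status: 1" on
# success, and the caller supplies the domain list (acme.sh's hook installs
# only the first -d name, as reported in the thread).

# Percent-encode stdin byte by byte; the RFC 3986 unreserved set passes
# through unchanged, everything else becomes %XX (uppercase hex).
url_encode_stdin() {
  _out=""
  for _hex in $(od -A n -v -t x1 | tr 'a-f' 'A-F'); do
    case "$_hex" in
      # 0-9, A-Z, a-z, '-', '.', '_', '~' stay as they are
      3[0-9] | 4[1-9A-F] | 5[0-9A] | 6[1-9A-F] | 7[0-9A] | 2D | 2E | 5F | 7E)
        _out="$_out$(printf "\\$(printf '%03o' "$((0x$_hex))")")" ;;
      *) _out="$_out%$_hex" ;;
    esac
  done
  printf '%s' "$_out"
}

# cpanel_install_all KEYFILE CERTFILE DOMAIN...
# Runs SSL install_ssl once per domain and returns 0 only if every call
# exited 0 and reported "status: 1". A failure is reported on stderr and
# the remaining domains are still attempted, so one bad name does not
# leave the others running on an expiring certificate.
cpanel_install_all() {
  _key_enc=$(url_encode_stdin <"$1")
  _cert_enc=$(url_encode_stdin <"$2")
  shift 2
  _failed=0
  for _dom in "$@"; do
    _rc=0
    # --user only applies when running as root; an unprivileged shared-hosting
    # account must omit it entirely (an empty quoted "" argument makes uapi
    # answer with its usage page, as hedgehog found above).
    if [ "$(id -u)" = 0 ]; then
      _resp=$(uapi --user="$DEPLOY_CPANEL_USER" SSL install_ssl \
        domain="$_dom" cert="$_cert_enc" key="$_key_enc") || _rc=$?
    else
      _resp=$(uapi SSL install_ssl \
        domain="$_dom" cert="$_cert_enc" key="$_key_enc") || _rc=$?
    fi
    # A zero exit code alone is not proof of success: check the result block.
    if [ "$_rc" -ne 0 ] || ! printf '%s\n' "$_resp" | grep -q '^ *status: 1$'; then
      printf 'install_ssl failed for %s (exit %s):\n%s\n' "$_dom" "$_rc" "$_resp" >&2
      _failed=$((_failed + 1))
    fi
  done
  [ "$_failed" -eq 0 ]
}

# Example invocation; the paths are placeholders for the files acme.sh keeps
# under ~/.acme.sh/<first -d domain>/ after a successful --issue:
# cpanel_install_all ~/.acme.sh/example.com/example.com.key \
#   ~/.acme.sh/example.com/example.com.cer example.com www.example.com
```

To wire this into renewals, call it from the same cron entry that runs the renewal, after `acme.sh --issue` or `--renew` has returned 0, with every name that was passed to `--issue`; a single `--deploy -d` run covers only the first of them. Because the function returns non-zero when any domain fails, the cron job can mail you on failure instead of silently leaving one vhost on the old certificate.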

WP-GD-User

Unread post by WP-GD-User » 2017-11-10 21:32

When I checked my shared GoDaddy server it's only using Red Hat 4.4 and they have no scheduled upgrade because it's a shared server. I let them know I'm really unhappy about how slow they are on the upgrade, since version 4 stopped being supported years ago. However, I doubt they'll do anything about it since they know I want to use Let's Encrypt, which I think is shooting themselves in the foot, but that's another subject.

When I went to https://certbot.eff.org/ it only listed RHEL 6 and CentOS/RHEL 7 as options for using the Certbot ACME client with Red Hat. Does anyone know whether using RHEL 6 would cause issues with installing and renewing my SSL certs?

Santeri
Posts: 325
Joined: 2017-7-5 09:58

Unread post by Santeri » 2017-11-11 03:55

WP-GD-User wrote:
2017-11-10 21:32
When I checked my shared GoDaddy server it's only using Red Hat 4.4 and they have no scheduled upgrade because it's a shared server.
I haven't tried certbot, but I am using ACME on multiple GoDaddy accounts on their Asia and Europe servers without issues. You can easily just install it and give it a try. If it does not work for you, let me know and I will help you.

WP-GD
Posts: 1
Joined: 2017-11-10 21:34

Unread post by WP-GD » 2017-11-14 22:28

I didn't see an ACME client just called ACME. This is the list Let's Encrypt gives as options: https://letsencrypt.org/docs/client-options/

Santeri
Posts: 325
Joined: 2017-7-5 09:58

Unread post by Santeri » 2017-11-15 13:14

WP-GD wrote:
2017-11-14 22:28
I didn't see an ACME client just called ACME. This is the list Let's Encrypt gives as options: https://letsencrypt.org/docs/client-options/
It's listed as acme.sh. I've been working on that project and using Neil's script on 8 websites currently hosted on GoDaddy.

Santeri
Posts: 325
Joined: 2017-7-5 09:58

Unread post by Santeri » 2018-4-1 12:29

Santeri wrote:
2017-8-3 20:14
I am myself considering ditching GoDaddy and moving to Dreamhost.
Unfortunately I cannot recommend Dreamhost any longer. They have a serious configuration error in their email servers. If your email bounces, it takes 3 days before you get a notification. 24 hours should be the maximum time for giving a delivery warning.

Dreamhost has refused to fix this problem. I discovered this issue when I noticed a mail server configuration error. Emails sent from DreamHost to *@iway.na email addresses in Namibia never go through. Both sides blame each other and neither of them is interested in getting the issue solved. As a customer it is not my problem, although both of them seem to think so. Good luck.

mike-bkk

Unread post by mike-bkk » 2018-5-11 13:22

Thanks for all your shares. Will test this tonight.

Regarding Dreamhost, I was mostly quite happy with them for the last few years, but they do have a lot of email problems and for the last 2 weeks they've not replied to any support tickets. Not easy to find decent, affordable hosting these days, it seems.

Santeri
Posts: 325
Joined: 2017-7-5 09:58

Unread post by Santeri » 2018-5-14 15:44

mike-bkk wrote:
2018-5-11 13:22
Not easy to find a decent, affordable hosting these days, it seems.
Please tell me if you find one. I will move there, too.