How do I add a Let's Encrypt certificate to my Unmanaged VPS?

Andrew Porter
Published: 2 December 2019

Unlike our shared web hosting platforms, some manual intervention is required to enable and install Let's Encrypt certificates on a 20i Unmanaged VPS. The process of installing Let's Encrypt certificates depends on the operating system in use, and whether or not one is using a control panel, such as cPanel. 

cPanel

To install a Let's Encrypt SSL certificate on a cPanel VPS you'll need to do the following.

1). Log in to the VPS via SSH.
2). Once logged in, preferably as root or as a user with sudo access, run the following command:

/scripts/install_lets_encrypt_autossl_provider

Once the command has run, the Let's Encrypt plugin will be installed.

Once installed, you will then be able to issue a Let's Encrypt certificate via the WHM interface. Specifically, you will need to access Home > SSL/TLS > Manage AutoSSL.

Within the Manage AutoSSL section, you will need to select Let's Encrypt from the list of available AutoSSL providers. Once selected, agree to the terms of service, and select 'Save'. 

After agreeing to the terms of service, you will then be able to issue certificates for the users/domains/accounts on the VPS.

This can be done by selecting 'Run AutoSSL For All Users', which will attempt to issue Let's Encrypt certificates for all users. Alternatively, certificates can be issued on a user-by-user basis by selecting 'Manage Users' on the 'Manage AutoSSL' page.

CentOS 6

For those without a control panel, Let's Encrypt certificates can be installed through the installation and use of Certbot. 

To get started, you'll need to access the VPS via SSH, as either the root user or a user with sudo privileges.

Once you've logged into your VPS, you'll need to run the following commands:

wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto

You'll then need to run Certbot to grab and install your certificates. The exact command you need to run will differ depending on whether you're running an Apache setup, or an Nginx setup. 

For those running an Apache setup, you will need to run the following:

sudo /usr/local/bin/certbot-auto --apache

Those running Nginx will need to run:

sudo /usr/local/bin/certbot-auto --nginx

After running either command, you may be prompted to install a number of packages and dependencies. If this happens, once the list of packages and dependencies is shown, simply enter 'Y' to accept and install.

Once the packages and dependencies have been installed (if you were prompted to do so), Certbot will then prompt you to enter several credentials.

Firstly, you'll be prompted to enter an email address for any urgent renewal or security notices. This can be anything you like, though we recommend ensuring it is an address you manage and have access to. Once you have entered the email address, press 'ENTER' on your keyboard.

You'll then be prompted to accept the Let's Encrypt Terms of Service, which must be accepted in order to be able to issue certificates. To accept, simply enter the letter 'A' and press 'ENTER'.

You will then be prompted to share your email address with the Electronic Frontier Foundation. Sharing your email address is up to you. To share, you will want to enter the letter 'Y', and then press 'ENTER'. Conversely, if you do not wish to share your email address, enter the letter 'N', and press 'ENTER'.

Once complete, a list of available domains will be displayed in a numbered menu. The numbered menu is generated based on the virtualhosts/domains defined in your Apache/Nginx configuration file. To install a certificate for a particular domain, you'll need to enter the number(s) you desire, and press 'ENTER'.

A certificate will then be generated and installed for your chosen domain(s). 

To ensure that the certificate renews automatically in the future, you may want to set up a cronjob to renew it. This can be done by running the following command:

echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /usr/local/bin/certbot-auto renew" | sudo tee -a /etc/crontab > /dev/null

CentOS 7

The setup of Certbot via CentOS/RHEL 7 is slightly different to that of CentOS 6.

Firstly, you'll want to ensure that the Extra Packages for Enterprise Linux (EPEL) repository has been enabled. To enable the EPEL repository, run the following command:

sudo yum install epel-release

Once you have enabled access to the repository, you can then run the following to install Certbot if you are running Apache:

sudo yum install certbot python2-certbot-apache

If you are running Nginx, you will need to run the following:

sudo yum install certbot python2-certbot-nginx

Once installed, you can then look to issue a certificate for any of the domains/virtualhosts defined in your Apache or Nginx configuration files.

To begin the process for Apache servers, run the following:

sudo certbot --apache

For Nginx, you will need to run:

sudo certbot --nginx

Again, as with the CentOS 6 example above, you'll be prompted to enter information, i.e. an email address through which you can be contacted, whether you agree to the Let's Encrypt Terms of Service, and whether you wish to share the entered email address.

Next, you'll be prompted to enter the number of the domain/virtualhost for which you would like to install a Let's Encrypt certificate. Enter the number you desire, and then press 'ENTER' on your keyboard.

Once issued, you will then want to set up the automatic renewal of your Let's Encrypt certificate(s) by running the following command:

echo "0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" | sudo tee -a /etc/crontab > /dev/null
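Both renewal commands above (CentOS 6 and CentOS 7) append to /etc/crontab with tee -a, so running either one a second time leaves duplicate renewal entries. The following is an added example, not part of the original article or of Certbot: a shell function that adds the same cron line only when no active renewal entry exists. The function names and the optional file argument (so it can be tried on a copy of the crontab) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: idempotent version of the renewal cron entry from this article.
# Function names and the file argument are illustrative, not part of Certbot.

# Print the number of active (non-comment) lines in a crontab file
# that run "certbot renew" or "certbot-auto renew".
count_renew_entries() {
    crontab_file="$1"
    [ -f "$crontab_file" ] || { echo 0; return 0; }
    # grep -c prints 0 but exits non-zero when nothing matches, hence "|| true".
    grep -v '^[[:space:]]*#' "$crontab_file" \
        | grep -c -E 'certbot(-auto)?[[:space:]]+renew' || true
}

# Append the article's renewal line only if no renewal entry exists yet.
#   $1 = certbot command: certbot (CentOS 7) or /usr/local/bin/certbot-auto (CentOS 6)
#   $2 = crontab file, defaults to /etc/crontab (writing there requires root)
ensure_renew_entry() {
    certbot_cmd="$1"
    crontab_file="${2:-/etc/crontab}"
    entry="0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && $certbot_cmd renew"

    if [ "$(count_renew_entries "$crontab_file")" -gt 0 ]; then
        echo "renewal entry already present in $crontab_file"
        return 0
    fi
    printf '%s\n' "$entry" >> "$crontab_file"
    echo "renewal entry added to $crontab_file"
}
```

Run as root, call `ensure_renew_entry certbot` on CentOS 7 or `ensure_renew_entry /usr/local/bin/certbot-auto` on CentOS 6; `count_renew_entries /etc/crontab` should then report 1.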