This blog runs on a shared host. The hosting provider runs an old version of DirectAdmin that does not support Let’s Encrypt. (The latest version does.) I wanted to have TLS enabled for my blog, so took the plunge to do a manual install using certbot. It wasn’t as painful as I feared. Here’s what I did.

This guide by Remy van Elst was very helpful, but is based on an older version of the Let’s Encrypt client. That’s why I’m documenting my own steps here.

I run MacOS Sierra, with homebrew installed. I guess the instructions below should work for any *nix based system, though.

To install Certbot I created a directory in which I ran

wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto

This does not install certbot yet, actually. This happens once you start it to generate the certificate for your site. To do so (and install or update all required packages), run

./certbot-auto –debug certonly –manual -d sub.domain.tld -d sub2.domain.tld

The --debug flag is necessary because otherwise certbot complains that “macOS support is very experimental at present” (and stops). I did not encounter any problems…

The certonly --manual option tells certbot that we are not running it on the webserver itself. This means we will prove ownership of each domain ‘by hand’ and will install the generated keys and certificates manually. The -d sub.domain.tld tells certbot for which (sub)domain the certificate should be valid. You can specify more than one. A single certificate will be generated covering all specified domains.

For each of the domains you specify, certbot will generate a random challenge text string and ask you to store it in a randomly named file in a directory

sub.domain.tld/.well-known/acme-challenge/

on your webserver. Make sure you have access. Certbot will give you detailed instructions and pause until you pasted the challenge string into the specified file. Make sure that did this correctly by visiting the file you just created with a browser to check that it is accessible and contains the right challenge string.

If all goes well, certbot creates a private key and the certificates in the local directory

/etc/letsencrypt/live/sub.domain.tld/

The files are privkey.pem, fullchain.pem, chain.pem and cert.pem. The are only readable by root.

Now open DirectAdmin to copy these (all except fullchain.pem) to your site. Here is how. Under “Advanced Features” click “SSL Certificates”.

Select the third radio button (“Paste a pre-generated certificate and key”). In the textfield below, first paste the contents of the cert.pem file. Below that, paste the contents of the privkey.pem file. Then click ‘Save’.

Go back to the DirectAdmin homepage and navigat to “Advanced Features” –> “SSL Certificates” again. Now scroll all the way down and open the link under ‘here’ in “Click Here to paste a CA Root Certificate”. Mark the checkbox ‘Use a CA Cert’ and paste the contents of the chain.pem file in the textfield. Again click ‘Save’.

The last step is to actually enable TLS for your site. Again go back the DirectAdmin homepage. Click “Domain Setup”. Open your domain. Mark the “Secure SSL” checkbox and click the ‘Save’ button. Now, under “private_html setup for certificatemonitor.org – (SSL must be enabled above)”, mark the radio button “Use a symbolic link from private_html to public_html” and click the ‘Save’ button again. Now TLS is enabled for site!