Applying Let’s Encrypt SSL certificate in Namecheap in August 2020 – Verified & working – Using getSSL

PS: There is an easier way using the acme.sh script, which also handles auto-renewal. I prefer it over getSSL; use getSSL only if acme.sh is not working. Refer to the link below to use acme.sh:

https://devops.egyan.space/applying-lets-encrypt-ssl-certificate-in-namecheap-in-2020-with-autorenewal-verified-working-using-acme-sh/

Since Namecheap doesn’t support Let’s Encrypt natively, I was looking for a way to implement SSL for my blog. After researching a bit, I found the option below, which had SSL implemented within 20 minutes.

Follow the steps below to enable SSL:

Ignore steps 1 & 2 if you want to use Namecheap’s terminal instead of your own: cPanel -> Advanced -> Terminal

1 – Log in to the Namecheap portal & enable SSH access first:

Select Manage Shell & tick the checkbox for Enable SSH Access

Note down the IP, username & port. Use the same password you use to log in to cPanel; if you don’t have it, have the password reset by the support team.

2 – If you don’t have RSA keys yet, generate a new key pair; if you already have one, use it to log in to the server

  • View the private key & copy it to the .ssh folder of any SSH client with the name id_rsa and permission 600
vi ~/.ssh/id_rsa
# paste the private key data here
chmod 600 ~/.ssh/id_rsa

Try connecting now with the details obtained in step 1:
ssh -p <port> <cpanel_user>@<IP>

3 – Once logged in, use the commands below to generate the certs. For more details, see the source: https://github.com/srvrco/getssl

Apart from acme.sh, getSSL is a method recommended by Let’s Encrypt; refer to: https://letsencrypt.org/docs/client-options/

mkdir ~/letsencrypt
cd ~/letsencrypt

curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > getssl ; chmod 700 getssl

./getssl -c yourdomain.com

# Update ACL as shown below
vi ~/.getssl/yourdomain.com/getssl.cfg
ACL=('/home/<cpanel_username>/yourdomain.com/.well-known/acme-challenge')

cd ~/letsencrypt
./getssl yourdomain.com

# You will see the line below in the output if all is good.
"Certificate saved in /home/cpanel_user/.getssl/yourdomain.com/yourdomain.com.crt"

# Ignore the warning "RSA certificate obtained but certificate on server is different from the new certificate."

If you got a CRT file in the step above, everything looks OK. Don’t use those certs yet: they are test certs issued by a fake (staging) CA, just for testing, so they will not work.

4 – Change the CA URL from staging to prod & order the actual certs.

# Uncomment the line below to point the CA to prod; this overrides the staging CA
vi ~/.getssl/yourdomain.com/getssl.cfg
CA="https://acme-v02.api.letsencrypt.org"

cd ~/letsencrypt
./getssl yourdomain.com

# You will see the line below in the output if all is good.
"Certificate saved in /home/cpanel_user/.getssl/yourdomain.com/yourdomain.com.crt"

# Verify your cert's issuing authority; it should say Let's Encrypt now.
cat ~/.getssl/yourdomain.com/yourdomain.com.crt
# Copy the certificate (never the private key) from above and paste it in the link below to verify:
https://www.geocerts.com/certificate-decoder

cat ~/.getssl/yourdomain.com/yourdomain.com.key
cat ~/.getssl/yourdomain.com/chain.crt

5 – You will need the output of the three cat commands above for this step, to implement SSL for yourdomain.com

  • In cPanel: Security -> SSL/TLS -> Install and Manage SSL for your site (HTTPS) -> Manage SSL Sites
  • In the Domain drop-down, select the domain yourdomain.com for which you requested the certs
  • Put the output of the command below in the Certificate (CRT) text box
cat ~/.getssl/yourdomain.com/yourdomain.com.crt
  • Put the output of the command below in the Private Key (KEY) text box
cat ~/.getssl/yourdomain.com/yourdomain.com.key
  • Put the output of the command below in the Certificate Authority Bundle (CABUNDLE) text box
cat ~/.getssl/yourdomain.com/chain.crt
  • Click on Install Certificate

6 – If there are no errors, it will say the certificate was installed successfully.

Test your website in a new window with the URL: https://yourdomain.com

You should no longer see any warning that the site is not secure. The padlock should be visible, the connection should be secure, and the certificate should show as valid.

If you click on Certificate, it will show the issuer as Let’s Encrypt.

In Firefox/Chrome you should see the connection as secure.

If you see an error that some part of the website is not secure, you can check which part of your website is still insecure using the link below:

https://www.whynopadlock.com/

7 – The default expiry is 90 days, so the cert will expire after 90 days; make sure to renew it before it expires. There is another method that takes care of renewal using cPanel; I will be testing it and will cover it in a new post if it works out.
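
The issuer check from step 4 and the expiry concern from step 7 can both be done locally with openssl, so nothing has to be pasted into a website. The script below is an added example, not part of the original post or of getSSL; the function names are hypothetical, and it assumes the ~/.getssl/<domain>/ file layout used above and that staging/test issuers contain "STAGING" or "Fake" in their name.

```shell
#!/bin/sh
# Added example: local checks on the files getssl writes (paths as used in this post).

# Production issuer check on an issuer string. Assumption: staging/test chains
# carry "STAGING" or "Fake" in the issuer name; production ones say "Let's Encrypt".
is_production_issuer() {
    case "$1" in
        *STAGING*|*Fake*) return 1 ;;
        *"Let's Encrypt"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if the private key ($2) belongs to the certificate ($1):
# the public key derived from each file must be identical.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed if the certificate ($1) is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Run all checks for one domain ($1) under a getssl directory ($2, default ~/.getssl).
check_domain() {
    dir="${2:-$HOME/.getssl}/$1"
    crt="$dir/$1.crt"; key="$dir/$1.key"; rc=0
    issuer=$(openssl x509 -in "$crt" -noout -issuer) || return 2
    echo "$issuer"
    is_production_issuer "$issuer" || { echo "FAIL: not a production Let's Encrypt issuer"; rc=1; }
    key_matches_cert "$crt" "$key" || { echo "FAIL: key does not match certificate"; rc=1; }
    valid_for_days "$crt" 30 || { echo "WARN: expires within 30 days, renew now"; rc=1; }
    return "$rc"
}

# Usage: sh check_cert.sh yourdomain.com
if [ -n "${1:-}" ]; then check_domain "$1"; fi
```

Run it after step 4 before pasting anything into cPanel, and again periodically (for example from cron) so the 90-day expiry does not pass unnoticed.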

Let me know if it works for you or you get any errors with any step.
