Namecheap Shared Hosting + LetsEncrypt

Let’s put it all on the table – Namecheap Shared Hosting does not provide built-in support for LetsEncrypt (see comment section), but you can use LE certs with a little bit of work. So if you have this type of Namecheap service, are comfortable with the bash command line, are looking for a LE cert, and can spare 10 minutes, continue reading.

Pre-requisites

Namecheap shared hosting website
Website name is resolved by public DNS
SSH is enabled for your Namecheap VPS site
Access to your site’s cPanel console
Spare CentOS 7 system to run certbot (referred to as management server below)
Putty used for SSH sessions

Setup

  1. SSH to Namecheap VPS
  2. mkdir -p ~/www/.well-known/acme-challenge
    1. Check that each folder has 755 permissions and change if needed
    2. This location is used later for LE verification purposes
  3. If your site currently redirects to HTTPS edit .htaccess with vi ~/www/.htaccess
    1. Add RewriteCond %{REQUEST_URI} !^/.well-known  below RewriteEngine On statement
  4. SSH to management server
    1. yum -y update
    2. yum -y install epel-release
    3. yum -y install certbot
  5. From management server run certbot certonly --manual -d yourdomain.com -m mailcontact@yourdomain.com
    1. Accept IP logging
    2. Right-click top left of putty window > Copy all to clipboard > paste to notepad
    3. Look for the section that contains “Make sure your web server displays the following content at” and copy text after .well-known/acme-challenge/
  6. Return to your VPS SSH session and create new folder based on text copied from step 5.3
    1. Chmod 755 the new directory
  7. Go back to your notepad scratch file and copy the longer string displayed below new folder path
    1. That data will need to be piped into an index.html file under the folder created in step 6
    2. echo longstring > ~/www/.well-known/acme-challenge/newfolder/index.html
  8. Chmod 744 the new index.html file
    1. Verify the new index.html page can be reached over port 80
    2. Use Incognito, InPrivate, Private windows to test http://yourdomain.com/.well-known/acme-challenge/newfolder/index.html
  9. Return to management server, the certbot session should still be live and hit enter to complete verification
    1. If everything went as planned you will have a new cert in /etc/letsencrypt/live/yourdomain.com
    2. cat /etc/letsencrypt/live/yourdomain.com/cert.pem and copy file content
  10. Log into cPanel console
    1. SSL/TLS > Upload new certificate > paste in content from Step 9.2 > save certificate
    2. SSL/TLS > Manage SSL Hosts > Browse Certificates > Use Certificate > Install Certificate
      1. Associate new cert with your website
  11. On management server cat /etc/letsencrypt/live/yourdomain.com/privkey.pem and copy content
  12. Paste content from Step 11 to cPanel console private key input box
  13. Select Install Certificate
  14. Return to VPS SSH session and delete the folder you created under .well-known/acme-challenge
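
Steps 6 to 8 and step 14 as a script for the hosting account's shell. This is an added example, not part of the original post, and its function names are hypothetical. The long string certbot prints is an ACME key authorization of the form token.thumbprint, so the script derives the folder name from it and refuses anything that is not plain base64url before using it as a path.

```sh
#!/bin/sh
# Added example: place and remove an ACME HTTP-01 challenge using the
# post's layout (folder named after the token, content in index.html).
# Function names are hypothetical; ~/www is the web root used in the post.

# True only for a non-empty base64url string (no "/", ".", or whitespace).
is_b64url() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# place_challenge WEBROOT KEYAUTH   (KEYAUTH = the long string from certbot)
place_challenge() {
    local webroot="$1" keyauth="$2" token thumb dir
    case "$keyauth" in
        *.*) ;;
        *) echo "key authorization has no '.' separator" >&2; return 1 ;;
    esac
    token="${keyauth%%.*}"   # part before the first dot = folder name
    thumb="${keyauth#*.}"    # remainder = account key thumbprint
    # Strict validation keeps "/" and ".." out of the path built below.
    if ! is_b64url "$token" || ! is_b64url "$thumb"; then
        echo "malformed key authorization, nothing written" >&2
        return 1
    fi
    dir="$webroot/.well-known/acme-challenge/$token"
    mkdir -p "$dir" || return 1
    chmod 755 "$webroot/.well-known" "$webroot/.well-known/acme-challenge" "$dir"
    # printf writes the string exactly; echo would append a newline.
    printf '%s' "$keyauth" > "$dir/index.html" || return 1
    chmod 744 "$dir/index.html"
    echo "$dir"
}

# remove_challenge WEBROOT TOKEN   (step 14 cleanup)
remove_challenge() {
    local webroot="$1" token="$2"
    is_b64url "$token" || { echo "malformed token, nothing removed" >&2; return 1; }
    rm -rf -- "$webroot/.well-known/acme-challenge/$token"
}

# Command-line use: sh thisfile.sh ~/www 'string-from-certbot'
if [ "$#" -eq 2 ]; then
    place_challenge "$1" "$2"
fi
```
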

 

Certificate Renewal

  1. From management server run crontab -e
  2. Add 0 0 * * sun certbot renew --manual
    1. Runs LE cert renewal every Sunday at 12am
    2. The cert should renew on the management server when < 30 days remain on the LE certificate.
      1. TBD if this actually works for renewal. Check back summer 2017
      2. 6/4/2017 Update – the manual renew method will error out due to validation check.  It looks like Dehydrated with a custom DNS hook is the best bet for automated renewal.  I may circle back to this in the future but for now I manually renewed the cert using the process above.
  3. You will have to manually copy cert key back through cPanel console until LE is completely supported by Namecheap