Installing Let's Encrypt SSL Certificates On Namecheap Hosting

From Littledamien Wiki
Jump to navigation Jump to search

Acme.sh

acme.sh overview

This process only needs to be performed once. Running the acme.sh script creates a cron job that will handle certificate renewals.

Updating acme.sh

$ acme.sh --upgrade

Specifying default acme.sh CA server

$ acme.sh --set-default-ca --server letsencrypt

See https://github.com/acmesh-official/acme.sh/wiki/Server

Confirm expiration date of a certificate

Using a browser

  • Load the site in a Chrome browser.
  • Open Developer Tools.
  • Click the Security tab.
  • Certificate > View Certificate button.
  • Expiration Date is displayed in the dialog.

Using cPanel

  • Log into cPanel.
  • Security > SSL/TLS
  • Generate, view, upload, or delete SSL certificates will show who issued the certificates in use.
  • Manage SSL Sites will show which sites have certificates, and when those certificates expire.

Troubleshooting

Certificate not renewing

After installing a certificate with acme.sh it should be renewed automatically.

Certificate failing to verify using .well-known challenge

Use case

  • Log into the server using ssh.
  • Run acme.sh script from the command line to renew certificate.
  • There will be errors to effect of "verify error" and "invalid response from [domain]/.well-knonwn/acme-challenge/...".

Cause

Permissions errors prevent the script from writing the file to .well-known/acme-challenge/ that is used to verify ownership of the domain.

Fix

The last time this happened, I compared the permissions for the web roots and .well-known directories for two sites hosted on the same server where one site's certificate was being renewed and the other was failing. I could not find any differences in the permissions.

What I ended up doing was to move the root directory of the site, create a new directory for the site, put a potboiler index html page in the directory, and then run the acme script. After this allowed me to renew the certificate, I copied all the content from the original directory back into the new one.

Timeout polling order status while issuing certificate

Use case

Manually issue a certificate with the following command: 

$ acme.sh --issue --webroot ~/my_webapp_root -d mydomain.com --force

Expected result

acme.sh sends request to the CA server and receives successful response.

Actual result 

[Sat Apr  9 17:40:56 EDT 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/dtElfwFq1sLFiXaP188uDw
[Sat Apr  9 17:40:59 EDT 2022] Order status is processing, lets sleep and retry.
[Sat Apr  9 17:40:59 EDT 2022] Retry after: 15
[Sat Apr  9 17:41:15 EDT 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/dtElfwFq1sLFiXaP188uDw
[Sat Apr  9 17:41:18 EDT 2022] Order status is processing, lets sleep and retry.
[Sat Apr  9 17:41:18 EDT 2022] Retry after: 15

Over and over again until finally the script times out with an error similar to this: 

[Sat Apr  9 17:42:29 EDT 2022] Sign error, wrong status

Solution

This happened using the default acme.sh CA server which is ZeroSSL. Changing the default CA server to Let's Encrypt fixed this. 

$ acme.sh --set-default-ca --server letsencrypt

See also

Let's Encrypt SSL Certificates on Namecheap Hosting (Legacy)

Retrieved from "https://wiki.dbarchowsky.com/index.php?title=Installing_Let%27s_Encrypt_SSL_Certificates_On_Namecheap_Hosting&oldid=3370"