From Just another day in the life of a linux sysadmin

Let's Encrypt

TLS is the current name for SSL. SSL got as far as version 3.0; TLS 1.0 is essentially "SSL 3.1". Later versions are TLS 1.1, 1.2 and 1.3, each adding a few features and changing some internal details. SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 have all since been formally deprecated because of known weaknesses and should be disabled on any server you run, leaving TLS 1.2 and 1.3 as the versions to offer. Out of habit we still say "SSL/TLS".

HTTPS is HTTP within SSL/TLS. SSL/TLS establishes a secured, bidirectional tunnel for arbitrary binary data between two hosts: the data is encrypted, its integrity is protected, and the client can verify, through the server's certificate, which host it is talking to. HTTP is a protocol for sending requests and receiving answers, each request and answer consisting of headers and (possibly) some content. HTTP is meant to run over a bidirectional tunnel for arbitrary binary data; when that tunnel is an SSL/TLS connection, the whole is called "HTTPS".

To explain the acronyms:

"SSL" means "Secure Sockets Layer". The name was coined by Netscape, which designed the first versions of the protocol (the company was later bought by AOL). "TLS" means "Transport Layer Security". The name was changed to avoid any legal issues with Netscape so that the protocol could be "open and free" (and published as an RFC). It also hints at the idea that the protocol works over any bidirectional stream of bytes, not just Internet-based sockets. "HTTPS" is supposed to mean "HyperText Transfer Protocol Secure", which is grammatically unsound. Nobody, except the terminally bored pedant, ever uses the expansion; "HTTPS" is better thought of as "HTTP with an S that means SSL". Other protocol acronyms have been built the same way, e.g. SMTPS, IMAPS, FTPS... each being a bare protocol that "got secured" by running it inside SSL/TLS.

Joel's Handy Guide to forcing a site to use SSL

Edit .htaccess for the site:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

Change www.example.com to the domain, obviously :)

Use R=301 (permanent) rather than the bare R (a 302) so browsers and search engines remember that the site lives on HTTPS. Checking the port only works when Apache itself terminates TLS; if a load balancer or proxy in front of Apache does, SERVER_PORT is 80 for every request and the rule loops, so test on %{HTTPS} off or on the X-Forwarded-Proto header the proxy sets instead.


Info needed for CSR

Verify Password:
Host to make cert for:
Country (2 letter abbreviation):
Company Name:
Company Division:

Approval E-mails

Manual Install without WHM

1. Generate Private Key on the Server Running Apache + mod_ssl

First, generate a private key on the Linux server that runs the Apache webserver using the openssl command as shown below. The transcript below is an old one and uses a 1024-bit modulus; use at least 2048 bits today, since public CAs no longer sign 1024-bit keys and browsers reject them. The -des3 option encrypts the key under a passphrase, which means Apache will prompt for it on every (re)start; if the server must come up unattended, omit -des3 and protect the key with file permissions (mode 0600, owned by root) instead. The file names use the demo hostname www.thegeekstuff.com; substitute your own.

# openssl genrsa -des3 -out www.thegeekstuff.com.key 1024
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for www.thegeekstuff.com.key:
Verifying - Enter pass phrase for www.thegeekstuff.com.key:

# ls -ltr www.thegeekstuff.*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.thegeekstuff.com.key

The generated private key looks like the following (the base64 key material is omitted). Note that openssl created it with the default mode of 644, i.e. world-readable; chmod 600 it before anything else.

# cat www.thegeekstuff.com.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,485B3C6371C9916E
...
-----END RSA PRIVATE KEY-----


2. Generate a Certificate Signing Request (CSR)

Using the key generated above, generate a certificate request file (.csr) with openssl as shown below. The Common Name must be the exact hostname clients will connect to (www.thegeekstuff.com here, not a bare company name), because that is the name the CA will certify. Leave the challenge password blank: public CAs do not use it and it only gets in the way of automation.

# openssl req -new -key www.thegeekstuff.com.key -out www.thegeekstuff.com.csr
Enter pass phrase for www.thegeekstuff.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:Los Angeles
Organization Name (eg, company) [My Company Ltd]:The Geek Stuff
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.thegeekstuff.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# ls -ltr www.thegeekstuff.*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.thegeekstuff.com.key
-rw-r--r-- 1 root root   664 Jun 13 20:35 www.thegeekstuff.com.csr

3. Generate a Self-Signed SSL Certificate

For testing purposes you can generate a self-signed certificate, valid for one year, from the CSR using the openssl command below. Two caveats: the certificate is signed by the site's own key, so no browser will trust it without the user adding an exception; and because the interactive CSR above carries no subjectAltName extension, current browsers (Chrome since version 58) no longer match the hostname against the CN and will report a name mismatch. Use it only to confirm that mod_ssl is wired up correctly, and put the CA-issued certificate in its place before going live. Older openssl releases defaulted to SHA-1 signatures, so pass -sha256 explicitly.

# openssl x509 -req -days 365 -sha256 -in www.thegeekstuff.com.csr -signkey www.thegeekstuff.com.key -out www.thegeekstuff.com.crt
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=The Geek Stuff/OU=IT/CN=www.thegeekstuff.com
Getting Private key
Enter pass phrase for www.thegeekstuff.com.key:

# ls -l www.thegeekstuff*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.thegeekstuff.com.key
-rw-r--r-- 1 root root   664 Jun 13 20:35 www.thegeekstuff.com.csr
-rw-r--r-- 1 root root   879 Jun 13 20:43 www.thegeekstuff.com.crt

# cat www.thegeekstuff.com.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
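The three steps above, run non-interactively and followed by the checks worth doing before the files go anywhere near httpd.conf. This is an added example and not code from the original page: the hostname www.example.com, the organisation "Example Org" and the mktemp work directory are placeholders. It differs from the transcript in three deliberate ways: a 2048-bit key, no -des3 passphrase (the key is protected by a 0600 mode instead, so Apache can restart unattended), and a subjectAltName supplied through an extfile so the self-signed certificate passes hostname checks in current browsers. The last two functions confirm that key, CSR and certificate share one public key, which is the usual cause of a "key values mismatch" error when mod_ssl starts.

```shell
#!/bin/sh
# Added example: generate a 2048-bit key, a CSR and a self-signed test certificate
# with a SAN, then verify the three files agree. Placeholders: SITE, ORG, WORKDIR.
set -eu

SITE="${SITE:-www.example.com}"      # placeholder hostname; set SITE=... to override
ORG="${ORG:-Example Org}"            # placeholder organisation for the DN
OUT="${WORKDIR:-$(mktemp -d)}"       # work directory; defaults to a fresh temp dir
KEY="$OUT/$SITE.key"
CSR="$OUT/$SITE.csr"
CRT="$OUT/$SITE.crt"

# Step 1: RSA key. umask 077 makes openssl create the file as 0600 from the start,
# so there is no window in which the key is world-readable.
gen_key() {
    (umask 077; openssl genrsa -out "$KEY" 2048 2>/dev/null)
}

# Step 2: CSR with the DN passed via -subj instead of the interactive prompts.
# CN is the hostname clients connect to; the challenge password is left unset.
gen_csr() {
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/C=US/ST=California/L=Los Angeles/O=$ORG/OU=IT/CN=$SITE"
}

# Step 3: self-signed certificate for testing. The subjectAltName comes from a
# one-line extfile; without it current browsers report a hostname mismatch.
gen_selfsigned() {
    printf 'subjectAltName=DNS:%s\n' "$SITE" > "$OUT/san.cnf"
    openssl x509 -req -days 365 -sha256 -in "$CSR" -signkey "$KEY" -out "$CRT" \
        -extfile "$OUT/san.cnf" 2>/dev/null
}

# Check 1: key, CSR and certificate must carry the same public key. Hashing the
# PEM public key from each file is a quick way to compare them.
pubkey_fingerprints_match() {
    k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)
    r=$(openssl req -in "$CSR" -noout -pubkey | openssl sha256)
    c=$(openssl x509 -in "$CRT" -noout -pubkey | openssl sha256)
    [ "$k" = "$r" ] && [ "$r" = "$c" ]
}

# Check 2: the SAN really made it into the certificate.
cert_has_san() {
    openssl x509 -in "$CRT" -noout -text | grep -q "DNS:$SITE"
}

# Check 3: modulus size actually used (prints e.g. 2048).
key_bits() {
    openssl rsa -in "$KEY" -noout -text 2>/dev/null \
        | grep -o '[0-9]* bit' | head -n 1 | cut -d' ' -f1
}

# Check 4: key file mode (GNU stat first, BSD stat as fallback); expected 600.
key_mode() {
    stat -c %a "$KEY" 2>/dev/null || stat -f %Lp "$KEY"
}

gen_key
gen_csr
gen_selfsigned
if pubkey_fingerprints_match && cert_has_san; then
    echo "OK: $KEY, $CSR and $CRT agree; $(key_bits)-bit key, mode $(key_mode), SAN DNS:$SITE"
else
    echo "FAIL: key/CSR/certificate mismatch or missing SAN in $OUT" >&2
    exit 1
fi
```

Run it as is to get a throwaway key pair under the temp directory, or with SITE=www.yourhost.example WORKDIR=/etc/ssl/private to produce files you will actually install. To ask a CA for a real certificate, submit only the .csr; the .key never leaves the server.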

Canned Response

If you would like to renew this SSL certificate, please visit the SSL dashboard in the account management interface and renew your certificate from there by clicking the "Renew" button, selecting the renewal period and then re-verifying the certificate.

Let's Encrypt

Let's Encrypt now has official cPanel support for WHM version 58 and later. Prior versions of WHM and core managed servers are still considered Best Effort and you should consult the information below for further assistance.
All that is needed to install this in WHM 58 is to run the following command:


This enables letsencrypt as a provider for the autossl feature in WHM. You can disable letsencrypt using the following command: