Simple guide to add TLS cert to cpanel
Based on https://github.com/Neilpang/acme.sh/blob/master/deploy/README.md
Replace EXAMPLE.COM with your domain
Then install acme.sh by running the following commands:
$ curl https://get.acme.sh | sh
$ source ~/.bashrc
$ acme.sh --update-account --accountemail [email protected]
Now let’s issue a test cert to see if everything is in place for the real cert to be issued and put in place.
We will use the webroot method, which requires the user to enter the location of their public_html folder.
The default one is ~/public_html, but if you are using an addon domain, it will be that folder instead.
$ acme.sh --issue --keylength ec-256 --ecc --webroot ~/public_html/ -d EXAMPLE.COM --staging
$ acme.sh --issue --keylength ec-256 --ecc --webroot ~/public_html/ -d EXAMPLE.COM --force
$ export DEPLOY_cPanel_USER=_username_
$ acme.sh --deploy --deploy-hook cPanel_uapi -d EXAMPLE.COM
[Sat Sep 23 06:53:08 EDT 2017] Certificate successfully deployed
[Sat Sep 23 06:53:08 EDT 2017] Success
You can check whether a cron job that renews your cert every 60 days has been installed with the following command:
$ crontab -l
56 0 * * * "/home/EXAMPLE.COM/.acme.sh"/acme.sh --cron --home "/home/EXAMPLE.COM/.acme.sh" > /dev/null
In your cPanel account, you should see the new cron and also the new TLS cert applied to your domain.
Go to cPanel File Manager, create a .htaccess file in the root of your public_html folder, edit, and add the following:
# Enable mod_rewrite for this directory (required for the rules below):
RewriteEngine On
RewriteCond %{HTTPS} off
# First rewrite to HTTPS:
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
The next step is HSTS, with preloading as an optional final stage. Before continuing, read more at https://scotthelme.co.uk/hsts-preloading/
Once informed, edit .htaccess and add the following:
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=60; " env=HTTPS
</IfModule>
This will add HSTS for 60 seconds. If the site is working as expected, increase it to 86400 seconds (one day).
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=86400; " env=HTTPS
</IfModule>
Once that is proven to work, change to 6 months.
<IfModule mod_headers.c>
Header set Strict-Transport-Security "max-age=15768000; " env=HTTPS
</IfModule>
You may consider adding the preload flag and submitting the site to https://hstspreload.org/
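To confirm which stage of the rollout a site is actually serving, the following added example (not part of the original guide or of acme.sh) parses the Strict-Transport-Security header from response headers and reports whether it meets the hstspreload.org submission criteria: max-age of at least 31536000 seconds, includeSubDomains, and preload. The function names and sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the acme.sh wiki). Reads HTTP response headers on
# stdin, e.g.:  curl -sI https://EXAMPLE.COM/ | hsts_report

# Print the lowercased Strict-Transport-Security value; exit 1 if absent.
hsts_value() {
    awk '{ l = tolower($0); gsub(/\r/, "", l) }
         index(l, "strict-transport-security:") == 1 {
             sub(/^[^:]*:[ \t]*/, "", l); print l; found = 1; exit
         }
         END { exit !found }'
}

# Print the max-age seconds from a header value ($1); empty if missing.
hsts_max_age() {
    printf '%s\n' "$1" | tr ';' '\n' |
        sed -n 's/^ *max-age="\{0,1\}\([0-9][0-9]*\)"\{0,1\} *$/\1/p' | head -n 1
}

# Succeed if directive $2 (lowercase, valueless) appears in header value $1.
hsts_has() {
    printf '%s\n' "$1" | tr ';' '\n' | grep -q "^ *$2 *\$"
}

# Summarise the policy: prints "absent", or "max-age=N preload-ready=yes|no".
# Preload-ready means max-age >= 31536000 plus includeSubDomains and preload.
hsts_report() {
    value=$(hsts_value) || { echo "absent"; return 0; }
    age=$(hsts_max_age "$value")
    [ -n "$age" ] || { echo "invalid: no max-age"; return 0; }
    ready=no
    if [ "$age" -ge 31536000 ] && hsts_has "$value" includesubdomains &&
       hsts_has "$value" preload; then
        ready=yes
    fi
    echo "max-age=$age preload-ready=$ready"
}

# Constructed sample responses: the guide's 6-month header, and a preload-ready one.
SAMPLE_6M='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15768000;
Content-Type: text/html'
SAMPLE_PRELOAD='HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload'

printf '%s\n' "$SAMPLE_6M" | hsts_report
printf '%s\n' "$SAMPLE_PRELOAD" | hsts_report
```

The 6-month value from this guide is a valid HSTS policy but is reported as not preload-ready, so raise max-age and add both directives before submitting.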