Can DH Panel Install Let's Encrypt SSL Cert to a Private Server?

letsencrypt

#1

I have so far been unable to add a Let’s Encrypt SSL certificate to my domain using the DH control panel options. Although the control panel says it has been installed successfully, https://<mydomain.com> is not reachable. The problem seems to be that no .well-known directory is added to the server.

I’ve previously added Let’s Encrypt SSL certs successfully to my other domains that use DH shared hosting. But both the domains I host on a DH Private Server have this problem.

As explained in the DH help page for Let’s Encrypt, I temporarily deleted .htaccess (in case it was preventing creation of .well-known) but the directory still wasn’t created.

I’m now wondering if the problem is because my Private Server has Web Server set to NOT managed by Dreamhost? (it has to be set that way for the site.)

Has anyone any experience of this? And if it is not possible to use the DH control panel, what’s a good way of installing a Let’s Encrypt SSL certificate (I have shell access)? Thank you.


#2

DreamHost offers free LetsEncrypt SSL certificates to all domains using DreamHost DNS. Please see our help article on installing a LetsEncrypt SSL certificate:

If you are still running into issues, please reach out to support through your web panel here:

https://panel.dreamhost.com/index.cgi?tree=support.msg&


#3

I have read that, thank you - no info or suggestions there what to do when it doesn’t work. So I’ve now contacted Support.


#4

When you say “private server” do you mean something other than shared hosting or a managed VPS? If that’s a yes, then you need to set up your SSL certificate on that server and serve it up with Apache/nginx instead.


#5

Hi Trev,

Thanks for your reply. Yes, a private DH server set to unmanaged. I eventually worked out I had to alter httpd.conf in order to get the https URL of the site to work. <slight_rant>Most DH control panel options work fine for unmanaged servers. So it would have been nice if the control panel for installing SSL certificates warned that further work was required, rather than just saying it was successful, and then not working. It would have saved me time anyway and presumably others.</slight_rant>

FWIW and slightly off-topic, I’m now waiting for DH to support wildcard DNS certs, at least on private servers, as it’s a requirement for our particular site - we will have to remain on http till then (or change host company I guess but trying to avoid the upheaval of that).


#6

Regarding the rant, I agree. If you’ve not set up a domain as “fully hosted” or have it migrated to a managed VPS and fully hosted, the automatic certificate shouldn’t be an option, or at least, it should be a link to some documentation about how to install your own certificates.

I’ve only used a handful of hosts, so I’m not actually aware of all the automated options that exist out there. What I do like about Dreamhost’s dedicated boxes and DreamCompute instances, is that you have 100% control. With that comes the requirement that I learn how to use that control.

After a quick look, wildcard certificates should also be able to be purchased, downloaded, and uploaded to your server wherever you store certificates, after which you make the necessary modifications to your Apache config to serve it wherever those subdomains are requested. The DNS should just point to the dedicated server.


#7

Side note: I’m curious, what sort of support were you hoping to see? The sale of wildcard certificates? Better documentation on how to install them? Step-by-step guidance? Automated installation?

Does the last one actually get offered fully automated elsewhere without a hitch? Curious minds must know.


#8

Well, in fact I specifically asked DH Support if there was any way I could use a wildcard SSL certificate and they said no, not at all. I don’t know what their reasoning is, or what would be involved on their part, but even with a private DH server, DH customers do not have full access to the DNS records. I believe a DNS record needs to be added to support a wildcard SSL certificate (possibly an “A” record type of *.{domain}) but this cannot be done since “*” characters are specifically excluded from DNS entries in the DH control panel (and there is no other access to the DNS records AFAIK).

Re what I am hoping to see: The option of installing a Let’s Encrypt wildcard SSL certificate. I understand they add load to a server so are not welcome on shared servers. But for DreamCompute/VPS/Private servers it should be possible to add them. Even GoDaddy, for Heaven’s sake, support them - just need to purchase a dedicated IP address, which I’d be fine with doing. DreamHost should see themselves as better than GoDaddy in every way.


#9

Really? This is surprising, considering that while I bet it would be nice to add an A record, you could just point it at the server and let the apache/nginx config read the subdomain and point the request in the correct direction all while serving up 1 certificate. Maybe my understanding is flawed here. If anyone else wants to chime in (Dreamhost?) by all means.
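
The approach described in the post above (one DNS target, one certificate, Apache routing on the requested subdomain), written as an Apache 2.4 configuration. This is an added example, not part of the original thread or DreamHost's documentation; example.com, the /var/www/vhosts layout and the certbot-style certificate paths are assumptions, and it presumes a certificate listing both example.com and *.example.com is already on the server.

```apache
# Added example. Assumed names: example.com, /var/www/vhosts, and the
# /etc/letsencrypt/live/... paths (certbot's default layout).
# Modules required: mod_ssl, mod_rewrite, mod_vhost_alias.

# Port 80: redirect every request to HTTPS, preserving the requested subdomain.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias *.example.com
    RewriteEngine On
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443: one virtual host and one certificate for the apex and all subdomains.
<VirtualHost *:443>
    ServerName example.com
    ServerAlias *.example.com

    SSLEngine on
    # The certificate must name both example.com and *.example.com in its SANs:
    # a wildcard matches exactly one label, so it covers blog.example.com but
    # neither example.com itself nor a.b.example.com.
    # fullchain.pem carries the leaf plus intermediates (Apache 2.4.8 or later).
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    # Keep the private key readable by root only.
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Route on the Host header: blog.example.com is served from
    # /var/www/vhosts/blog.example.com (%0 expands to the full requested name).
    UseCanonicalName Off
    VirtualDocumentRoot /var/www/vhosts/%0

    <Directory /var/www/vhosts>
        Require all granted
    </Directory>
</VirtualHost>
```

A subdomain with no matching directory under /var/www/vhosts returns 404, so only the sites that have actually been created are served.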


#10

While not ‘click a button and go’ automated, you can use certbot to automate your Let’s Encrypt certificates on your server. I currently do this for multiple hosted domains on one DreamCompute box. It even emails me a reminder to go in and run the update command when they’re about to expire.


#11

That’s interesting about certbot. Good to know, Trev. I did try installing it on our private server, but the install failed with error messages I did not understand and could not resolve. I did not pursue it further.

Configuring the Apache config to redirect in such a way as you suggest is beyond me and beyond my understanding if it would work TBF. FWIW when I asked DH Support how I do this last week, they told me “While it is possible for you to generate a wildcard Let’s Encrypt certificate yourself using the information from their community forum, each subdomain would need to be manually created in the panel and the resulting certificate would have to then be manually imported for each subdomain. :-(” (their sad face emoticon!)

Yes, as you say Trev, if anyone would like to chime in here with thoughts then please do!


#12

Well, yes…because they don’t have wildcard dns

AKA tedious apache/nginx config, but so what if it works.

All this said they (and you) are right about 1 thing: Setting things up in this manner defeats the purpose of wildcarding anything. But SSL is always better than no SSL


#13

PMJI but adding SSL with a free renewing cert is sort of trivial for DreamCompute. I don’t have time at the moment to explain but I’ve set up an Ansible script to SSL-enable a server after it’s instantiated. I’m no pro at this and that wasn’t difficult.

As to wildcard certs for subdomains - yeah, I’d like to see that too.