Five days ago we had to renew a number of SSL certificates, issued by the free Let’s Encrypt certificate authority, on a few Apache servers installed in a Jelastic PaaS environment. The environment looked like this:

  1. We did have SSH access.

  2. We did not have any root privileges or sudo command permission.

  3. The SSH access was done using a limited apache user.

  4. The underlying operating system was CentOS release 6.6 (Final), which we found by running: cat /etc/centos-release

Thus we could not use the official Let’s Encrypt client as it requires root privileges. After 3 hours of searching and striving to use multiple client implementations, we stumbled upon With the guidance of a tutorial written in German!! we finally managed to create our SSL certificates. So today, at last, we will show you how!!!

In this example, we assume that our domain name is We want to create a certificate for and Note that Let’s Encrypt does not generate wildcard certificates yet!!.


  1. No root access or sudo is required.

  2. We Obtain an A record for and which points to the IP of the server you are using.

  3. Inside the aforementioned server we have to run a web server which listens to port 80. Listening to port 443 is optional.

  4. Shell access to the server.

If you want a thorough understanding of why we are going to perform the following steps, you can refer to the official How it works article. Phew! It is high time we started. Shall we?

  1. Know thy environment.
  2. Clone script.
  3. Configure the script.
  4. Configure your web server.
  5. Run the script.
  6. Find the certificates.
  7. Configure your web server to use the certificates
  8. Upload SSL certificates to Jelastic Administration Panel
  9. Reload or restart web server and test configuration

Know thy environment

After login via SSH we are in /var/www/ directory:

[email protected] ~ $ pwd

Then we check CentOS version, because we can!

[email protected] ~ $ cat /etc/centos-release 
CentOS release 6.6 (Final)

Clone script

While being in that directory we clone

[email protected] ~ $ git clone
Cloning into ''...
remote: Counting objects: 873, done.
remote: Total 873 (delta 0), reused 0 (delta 0), pack-reused 873
Receiving objects: 100% (873/873), 223.44 KiB | 0 bytes/s, done.
Resolving deltas: 100% (530/530), done.
Checking connectivity... done.
[email protected] ~ $ chown -R apache:apache
[email protected] ~ $ cd
[email protected] ~ $ pwd

Configure the script

Then we have to perform a little configuration so that the script is aware of our environment and of the domains for which we want to generate free SSL certificates:

  1. Prepare base and conf directories:
    [email protected] ~/ $ mkdir conf 
    [email protected] ~/ $ mkdir base
    [email protected] ~/ $ cp conf/
    [email protected] ~/ $ cp conf/domains.txt
  2. Edit configuration in /var/www/
    CONTACT_EMAIL="[email protected]"
  3. Add the domain names in /var/www/:

Configure your web server

Now we have to put the following lines in our site’s own Apache conf, i.e. /etc/httpd/sites-available/bobos.conf, or in /etc/httpd/conf/httpd.conf. This lets Let’s Encrypt reach the server and perform the domain validation challenges needed to issue our SSL certificate.

   Alias /.well-known/acme-challenge /var/www/

   <Directory /var/www/>
         Options None
         AllowOverride None
         Order allow,deny
         Allow from all
   </Directory>

Run the script

[email protected] ~/ $ ./ --config /var/www/ -c
# INFO: Using main config file /var/www/
# INFO: Using additional config file /var/www/
Processing with alternative names:
 + Signing domains...
 + Creating new directory /var/www/ ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for
 + Requesting challenge for
 + Responding to challenge for
 + Challenge is valid!
 + Responding to challenge for
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

Find the certificates

The certificates are created in $BASE/certs// directory:

[email protected] ~/ $ ls -l base/certs/
total 20
-rw------- 1 apache apache 1655 Jul  7 06:49 cert-1457333387.csr
-rw------- 1 apache apache 2143 Jul  7 06:49 cert-1457333387.pem
lrwxrwxrwx 1 apache apache   19 Jul  7 06:50 cert.csr -> cert-1457333387.csr
lrwxrwxrwx 1 apache apache   19 Jul  7 06:50 cert.pem -> cert-1457333387.pem
-rw------- 1 apache apache 1675 Jul  7 06:50 chain-1457333387.pem
lrwxrwxrwx 1 apache apache   20 Jul  7 06:50 chain.pem -> chain-1457333387.pem
-rw------- 1 apache apache 3818 Jul  7 06:50 fullchain-1457333387.pem
lrwxrwxrwx 1 apache apache   24 Jul  7 06:50 fullchain.pem -> fullchain-1457333387.pem
-rw------- 1 apache apache 3243 Jul  7 06:49 privkey-1457333387.pem
lrwxrwxrwx 1 apache apache   22 Jul  7 06:50 privkey.pem -> privkey-1457333387.pem
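
Before pointing a web server at these files it is worth checking that the private key is readable by its owner only, that cert.pem really belongs to privkey.pem, and that the certificate is not about to expire. The following is an added example, not part of the original post or of the script used above; the function name `check_cert_dir` is hypothetical, and it assumes the `openssl` command line tool and GNU `stat` are available to the unprivileged user.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the script used above).
# Usage: check_cert_dir DIR [MIN_DAYS]
# Returns 0 = ok, 1 = key accessible to group/others, 2 = key and cert do
# not match, 3 = cert expires within MIN_DAYS, 4 = files missing.
check_cert_dir() {
    dir=$1
    min_days=${2:-30}
    key="$dir/privkey.pem"
    cert="$dir/cert.pem"

    if [ ! -r "$key" ] || [ ! -r "$cert" ]; then
        echo "missing privkey.pem or cert.pem in $dir" >&2
        return 4
    fi

    # 1. The private key must be accessible to its owner only.
    #    -L follows the privkey.pem symlink to the timestamped file.
    mode=$(stat -L -c '%a' "$key")
    case "$mode" in
        [0-7]00) ;;
        *) echo "private key mode is $mode, expected 600 or stricter" >&2
           return 1 ;;
    esac

    # 2. The certificate must carry the public half of this private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "cert.pem does not match privkey.pem" >&2
        return 2
    fi

    # 3. -checkend exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate expires within $min_days days" >&2
        return 3
    fi
    return 0
}
```

Call it with the certificate directory and a threshold in days; a non-zero return code from a cron job is the signal to fix permissions or to run the renewal again.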

Configure your web server to use the certificates

Configure Apache to use the created certificates. It might be your site’s own conf, i.e. /etc/httpd/sites-available/bobos.conf, or the global /etc/httpd/conf/httpd.conf:

SSLEngine On
SSLCertificateFile      /var/www/
SSLCertificateKeyFile   /var/www/
SSLCertificateChainFile /var/www/
SSLCACertificateFile    /var/www/
SSLHonorCipherOrder On

IMPORTANT NOTE!! The previous configuration will not work in a Jelastic PaaS environment, as Jelastic forces us to add the certificates via the Jelastic Administration Panel. Jelastic puts the certificates in /var/lib/jelastic/SSL.

SSLEngine on

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On

SSLCertificateFile /var/lib/jelastic/SSL/jelastic.crt
SSLCertificateKeyFile /var/lib/jelastic/SSL/jelastic.key
SSLCACertificateFile /var/lib/jelastic/SSL/jelastic-ca.crt

Upload SSL certificates to Jelastic Administration Panel

Then we have to upload SSL certificates to Jelastic Administration Panel. To achieve that you can use this guide. Otherwise (i.e. putting files via SSH) it will not work.

Reload or restart web server and test configuration

Finally we reload (sudo /etc/init.d/apache2 reload) or restart (sudo /etc/init.d/apache2 restart) the Apache web server and verify that works.

That is all folks! Greetings from a hot and striving for the best Greece!
