---
title: "Using Let's Encrypt SSL on Acquia Cloud"
date: "2023-09-19T15:37:00+00:00"
summary:
image:
type: "article"
url: "/acquia-cloud-platform/help/94221-using-lets-encrypt-ssl-acquia-cloud"
id: "d652a92b-f3cf-4c1d-be1b-906135adb8df"
---

[Let's Encrypt](https://letsencrypt.org/) is a Certificate Authority that provides free certificates and has a mission of enabling SSL everywhere.

This article is intended as a guide to installing a Let's Encrypt SSL certificate on the Acquia Cloud platform.

**Note** that this guide assumes you are using OSX/Linux.

**A Warning Note**

Acquia does not support automated renewal of Let's Encrypt certificates. When your certificate comes up for renewal (which, by default for Let's Encrypt, is every 90 days), you will need to re-upload a new certificate using the SSL self-service functionality on Acquia Cloud.

**Overall Steps**

1\. Install `certbot` locally (see [https://eff-certbot.readthedocs.io/en/stable/install.html](https://eff-certbot.readthedocs.io/en/stable/install.html)).

2\. Update the `.htaccess` file in your codebase:

*   Just above `RewriteRule "(^|/)\." - [F]`, add the following line:
*   `RewriteRule "^\.well-known/acme-challenge" - [L]`

3\. Run the command:

*   `certbot --manual certonly`

4\. Create the files in `docroot/.well-known/acme-challenge` as instructed by certbot.

5\. Commit your changes using:

*   `git add`
*   `git commit`
*   `git push`

(_Optional_) If you are using [Pipelines](/node/56196), perform a build if needed.

6\. Go to `/etc/letsencrypt/live/` on your local machine for the certificate files.

7\. Install the certificate, private key and chain in the [Acquia Cloud SSL Self Service UI](/node/56371).

**Detailed Steps**

**1.** **Note** that this guide assumes you are using OSX/Linux.

[Download certbot](https://certbot.eff.org/), a command line tool from the [EFF](https://www.eff.org/) for managing SSL certificates with Let's Encrypt. Select **_Apache_** and then your appropriate OS from the dropdown.

**2.** Run `sudo certbot certonly --manual --no-eff-email --agree-tos -m [EMAIL] -d [DOMAIN_1] -d [DOMAIN_N]`, replacing `[EMAIL]` with your email address and `[DOMAIN_1]` through `[DOMAIN_N]` with the domains you want the certificate to cover. You will be presented with:

    -------------------------------------------------------------------------------
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    -------------------------------------------------------------------------------
    (Y)es/(N)o: Y

Select `Y` to continue.

**A Warning Note**

After selecting Y and pressing Enter, certbot will show you the data and the file to create, followed by the message:

"Press Enter to Continue"

**Do NOT press enter to continue.**

You will be presented with:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Create a file containing just this data:
    
    [LONG-STRING-DATA]
    
    And make it available on your web server at this URL:
    
    http://[DOMAIN]/.well-known/acme-challenge/[LONG-STRING]
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue

**Pause the process at this point**.

**3.** For **Drupal 7** you can just **use the module [letsencrypt\_challenge](https://www.drupal.org/project/letsencrypt_challenge)**, which lets you easily serve the required content at the `http://[DOMAIN]/.well-known/acme-challenge/[LONG-STRING]` URL.

**4\. Manual method** for Drupal 8 or 7

**4.1.** Without pressing Enter, **clone your repository** ([see here](/node/56186)).

**4.2. Create the challenge directory and place the file in it.** In your repository's `docroot`, create the directory and the file, replacing `[LONG-STRING]` with the value from the prompt where you paused the process (see above):

    $ mkdir -p .well-known/acme-challenge
    $ touch .well-known/acme-challenge/[LONG-STRING]

**4.3.** Open the file in a **text editor, paste the `[LONG-STRING-DATA]`** provided by the certbot prompt into it, and save it. The file must contain just that data.

**4.4.** Add and **commit all the changes** to git (see [Sending updates to your code repository](/node/56189)) and deploy the branches/tags containing the changes to the Acquia environment you wish (see [Code workflows with Acquia Cloud](/node/56318)).

**A Warning Note**

This is time sensitive. You will need to create, commit and deploy this file to your site quickly and then resume the certbot process. Otherwise certbot will time out and you will receive an error message.

**5\. Resume certbot** by **pressing Enter** in the terminal. You should see:

    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/[domain]/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/[domain]/privkey.pem
       Your cert will expire on [date]. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

**6\. Copy the contents of the certificate** you just generated on **your local machine** to the **Acquia Cloud interface SSL page**.

**6.1.** On _your local machine_ you can view the content of the `pem` files using the following commands (the default location is `/etc/letsencrypt/live/[domain]/`):

    $ sudo cat /etc/letsencrypt/live/[domain]/fullchain.pem
    $ sudo cat /etc/letsencrypt/live/[domain]/privkey.pem

**6.2.** Follow [Managing SSL certificates](/node/56371); once you reach step 4, populate the fields with the contents of `fullchain.pem` and `privkey.pem`. **Note that the first entry of `fullchain.pem` goes in the SSL certificate field.**

**7\.** You can now proceed to the next steps of [Managing SSL certificates](/node/56371) to activate the certificate.
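The following POSIX shell helpers are an added example (not part of the original article or of Acquia's or certbot's tooling) for steps 4.2 and 4.3 and the time-sensitivity warning: they stage the challenge file with an exact body and confirm, before you press Enter in certbot, that the deployed site actually serves it. Function names are assumptions; `TOKEN` stands for the `[LONG-STRING]` in the challenge URL and `DATA` for the `[LONG-STRING-DATA]` certbot printed.

```shell
#!/bin/sh
# Added helper, not from the Acquia article: stage the HTTP-01 challenge file
# that certbot --manual asks for, and confirm the site serves it before resuming.
# Function names are assumptions; TOKEN is the [LONG-STRING] from the challenge
# URL and DATA is the [LONG-STRING-DATA] certbot printed.

# write_challenge DOCROOT TOKEN DATA
# Creates DOCROOT/.well-known/acme-challenge/TOKEN holding exactly DATA and
# prints the path. printf (not echo) avoids a trailing newline or escape
# expansion: the ACME validator compares the response body byte-for-byte.
write_challenge() {
  dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir"
  printf '%s' "$3" > "$dir/$2"
  printf '%s\n' "$dir/$2"
}

# challenge_matches FILE DATA: succeeds only if FILE is byte-for-byte DATA.
challenge_matches() {
  printf '%s' "$2" | cmp -s - "$1"
}

# verify_served DOMAIN TOKEN DATA: fetch the challenge URL over plain HTTP
# (as the ACME validator does) and compare status and body. A 403 here is
# the usual sign that .htaccess is still blocking the .well-known directory.
verify_served() {
  url="http://$1/.well-known/acme-challenge/$2"
  body=$(mktemp)
  status=$(curl -sS -o "$body" -w '%{http_code}' "$url") || status=000
  if [ "$status" != "200" ]; then
    echo "FAIL: $url returned HTTP $status" >&2
    rm -f "$body"; return 1
  fi
  if challenge_matches "$body" "$3"; then
    echo "OK: $url serves the expected challenge"; rm -f "$body"; return 0
  fi
  echo "FAIL: $url is served but the body does not match" >&2
  rm -f "$body"; return 1
}

# Typical use inside the cloned repository, after certbot shows the prompt:
#   write_challenge docroot "$TOKEN" "$DATA"
#   git add docroot/.well-known && git commit -m "Add ACME challenge" && git push
#   verify_served example.com "$TOKEN" "$DATA" && echo "now press Enter in certbot"
```

Run `verify_served` only after the deployment has finished; a passing check means the validator will see the same body you committed.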

If you are using **Drupal 8, or Drupal 7.55 or earlier**, your `.htaccess` file will need some additional setup so that the challenge directory is not blocked.

Look for the `FilesMatch` directive. It should be at the very top of the `.htaccess` file and include `(\.(?!well-known).*`, which exempts `.well-known` from the deny rule. Here is an example:

    # Protect files and directories from prying eyes.
    <FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
      <IfModule mod_authz_core.c>
        Require all denied
      </IfModule>
      <IfModule !mod_authz_core.c>
        Order allow,deny
      </IfModule>
    </FilesMatch>

In addition to the above, look for the `mod_rewrite` section further down the `.htaccess` file. Its rule forbidding dot-files should include `^\.(?!well-known/)`. Here is an example:

    # Various rewrite rules.
    <IfModule mod_rewrite.c>
      RewriteEngine on
      
      # If you do not have mod_rewrite installed, you should remove these
      # directories from your webroot or otherwise protect them from being
      # downloaded.
      RewriteRule "/\.|^\.(?!well-known/)" - [F]
    
    </IfModule>