Users of the Budget, Standard, Advanced and Corporate packages can make their domains accessible via https:// without the need to purchase a commercial certificate, thanks to Let's Encrypt.
When validating more than one domain name, it is necessary to set up a single Alias such that the URL /.well-known/ maps to the same directory for all of your domains.
You can configure this from csoftadm using:
$ csoftadm
csoftadm> web alias add /.well-known/ /www/example.com/.well-known/

You only need to set up a single Alias, as it applies to all your domains. All trailing slashes ("/") are required.

csoftadm> web alias list
+---------------+-------------------------------------------+
| Virtual path  | Real path                                 |
+---------------+-------------------------------------------+
| /.well-known  | /home/MYNAME/www/example.com/.well-known/ |
+---------------+-------------------------------------------+
Important: If a created Alias is not working as expected, make sure that all components of the path are real directories and not symlinks. If any of the components of the path happen to be symbolic links, the Alias will not work.
Create a private ~/ssl directory and request the certificate with certbot, using the document root of your site as the webroot:

$ mkdir -m 700 ~/ssl
$ cd ~/ssl
$ mkdir etc logs db
$ certbot certonly --config-dir=$HOME/ssl/etc \
    --logs-dir=$HOME/ssl/logs \
    --work-dir=$HOME/ssl/db \
    --webroot -w $HOME/www/example.com \
    --cert-path $HOME/ssl/cert \
    -d example.com \
    -d www.example.com

The first time certbot runs, it interactively asks for the administrator e-mail address. You can request multiple certificates by entering multiple -d options.
Finally, copy the live certificate over to ~/ssl/cert and the private key over to ~/ssl/key:

$ cp $HOME/ssl/etc/live/example.com/fullchain.pem $HOME/ssl/cert
$ cp $HOME/ssl/etc/live/example.com/privkey.pem $HOME/ssl/key
$ chmod 600 $HOME/ssl/key
Use csoftadm to enable HTTPS service using the ssl option. Make sure that your ssl-name setting matches the first domain name in the ~/ssl/cert certificate chain (i.e., the first of the -d arguments passed to certbot).

$ csoftadm
csoftadm> conf set ssl-name example.com
csoftadm> conf set ssl yes
It may take up to one minute before the SSL server starts (any errors will be reported to /var/log/users/YOURNAME). At this point, https://example.com should be reachable.
Note: The above does not apply to Advanced and Corporate users who are running a dedicated httpd. In that case, the relevant httpd.conf sections would need to be edited manually and the server restarted with apachectl (see: Dedicated Apache Installation Guide).
We can add a cron job to auto-renew the certificate once a month. Any errors will be reported to the MAILTO address (which should be specified at the beginning of your crontab).

$ crontab -e
# or: $ env EDITOR=nano crontab -e

MAILTO=admin@example.com

# Renew certificates monthly
@monthly certbot certonly --config-dir=$HOME/ssl/etc --logs-dir=$HOME/ssl/logs --work-dir=$HOME/ssl/db --webroot -w $HOME/www/example.com --cert-path $HOME/ssl/cert -d example.com -d www.example.com; cp -f $HOME/ssl/etc/live/example.com/fullchain.pem $HOME/ssl/cert; cp -f $HOME/ssl/etc/live/example.com/privkey.pem $HOME/ssl/key
If you are using the ssl-redirect feature ("redirect all HTTP traffic to HTTPS"), then it must be turned off before running certbot, since as of this writing the Let's Encrypt verification process cannot deal with redirections when accessing the cookie.

$ csoftadm -c "conf set ssl-redirect no"; sleep 180
$ certbot certonly ...
$ csoftadm -c "conf set ssl-redirect yes"
The crontab command for renewal would then look like:
# Renew certificates monthly
@monthly csoftadm -c "conf set ssl-redirect no"; sleep 180; certbot certonly --config-dir=$HOME/ssl/etc --logs-dir=$HOME/ssl/logs --work-dir=$HOME/ssl/db --webroot -w $HOME/www/example.com --cert-path $HOME/ssl/cert -d example.com -d www.example.com; csoftadm -c "conf set ssl-redirect yes"; cp -f $HOME/ssl/etc/live/example.com/fullchain.pem $HOME/ssl/cert; cp -f $HOME/ssl/etc/live/example.com/privkey.pem $HOME/ssl/key
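As an added example (not part of this guide and not csoftadm's own code), a POSIX sh script that automates two of the steps above: the "no symlinks in the Alias path" check from the Important note, and the ssl-redirect renewal command, which here re-enables the redirect even if certbot fails and copies the new files into ~/ssl only on success. The function names, the helper file path in the cron comment, and the assumption that each domain's webroot is $HOME/www/<domain> are mine.

```shell
#!/bin/sh
# Added example (not from the guide): helpers for the Let's Encrypt setup above.

# Walk every component of a path and fail if any is a symlink or not a
# directory, which is exactly the case where the /.well-known/ Alias stops
# working. Usage: check_alias_path /home/MYNAME/www/example.com/.well-known/
check_alias_path() {
    rest=${1#/}; rest=${rest%/}            # strip leading and trailing slash
    case $1 in /*) cur="" ;; *) cur="." ;; esac
    status=0
    while [ -n "$rest" ]; do
        comp=${rest%%/*}                   # next path component
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        cur="$cur/$comp"
        if [ -L "$cur" ]; then
            echo "Alias path component is a symlink: $cur -> $(readlink "$cur")" >&2
            status=1
        elif [ ! -d "$cur" ]; then
            echo "Alias path component is not a directory: $cur" >&2
            status=1
        fi
    done
    return $status
}

# Cron-safe renewal: disable ssl-redirect, wait for the server to pick the
# change up, run certbot, re-enable ssl-redirect whether or not certbot
# succeeded, and install the new files only on success. Assumes the webroot
# for the domain is $HOME/www/<domain> (hypothetical function name).
renew_cert() {
    domain=$1
    csoftadm -c "conf set ssl-redirect no"; sleep 180
    certbot certonly --config-dir="$HOME/ssl/etc" --logs-dir="$HOME/ssl/logs" \
        --work-dir="$HOME/ssl/db" --webroot -w "$HOME/www/$domain" \
        --cert-path "$HOME/ssl/cert" -d "$domain" -d "www.$domain"
    rc=$?
    csoftadm -c "conf set ssl-redirect yes"
    [ "$rc" -eq 0 ] || return "$rc"
    cp -f "$HOME/ssl/etc/live/$domain/fullchain.pem" "$HOME/ssl/cert" &&
        cp -f "$HOME/ssl/etc/live/$domain/privkey.pem" "$HOME/ssl/key" &&
        chmod 600 "$HOME/ssl/key"
}

# Example crontab line (one line; $HOME/bin/le-helpers.sh is an assumed
# location for this file):
# @monthly . $HOME/bin/le-helpers.sh && check_alias_path $HOME/www/example.com/.well-known/ && renew_cert example.com
```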