Users of the Standard, Advanced and Corporate packages can make their domains accessible via https:// without the need to purchase a commercial certificate, using the Let's Encrypt Certificate Authority.

Required information
  • Domain name(s) requiring SSL. Domains must be live and accessible from ~/www/.
  • Administrator e-mail address. Address must be reachable.

Setting up a common /.well-known path

When validating more than one domain name, it is necessary to set up an Alias such that the URL /.well-known/ maps to the same directory for all domains:

  $ csoftadm
  csoftadm> web alias add /.well-known/ /www/
  csoftadm> web alias list
  | Virtual path  | Real path          |
  | /.well-known  | /home/MYNAME/www/  |

Installing a Let's Encrypt certificate

  $ cd ~/ssl
  $ mkdir etc logs db
  $ certbot certonly --config-dir=$HOME/ssl/etc \
      --logs-dir=$HOME/ssl/logs \
      --work-dir=$HOME/ssl/db \
      --webroot -w $HOME/www/ \
      --cert-path $HOME/ssl/cert \
      -d \

The first time certbot runs, it interactively asks for the administrator e-mail address. You can request multiple certificates by entering multiple -d options.

Finally, copy the live certificate over to ~/ssl/cert and the private key over to ~/ssl/key:

  $ cp $HOME/ssl/etc/live/ $HOME/ssl/cert
  $ cp $HOME/ssl/etc/live/ $HOME/ssl/key
  $ chmod 600 $HOME/ssl/key

Enabling HTTPS service

Use csoftadm to enable HTTPS service using the ssl option. Make sure that your ssl-name setting matches the first domain name in the ~/ssl/cert certificate chain (i.e., the first of the -d arguments passed to certbot).

  $ csoftadm
  csoftadm> conf set ssl-name
  csoftadm> conf set ssl yes

It may take up to one minute before the SSL server starts (any errors will be reported to /var/log/users/YOURNAME). At this point, should be reachable.

Note: The preceding steps do not apply to Advanced and Corporate users who are running a dedicated httpd. In that case, the relevant httpd.conf sections need to be edited manually and the server restarted with apachectl (see: Dedicated Apache Installation Guide).

Enable auto-renewal of the certificate

We can add a cron job to auto-renew the certificate once a month. Any errors will be reported to the MAILTO address (which should be specified at the beginning of your crontab).

  $ crontab -e           # or:
  $ env EDITOR=nano crontab -e

# Renew certificates monthly
@monthly certbot certonly --config-dir=$HOME/ssl/etc --logs-dir=$HOME/ssl/logs --work-dir=$HOME/ssl/db --webroot -w $HOME/www/ --cert-path $HOME/ssl/cert -d -d; cp -f $HOME/ssl/etc/live/ $HOME/ssl/cert; cp -f $HOME/ssl/etc/live/ $HOME/ssl/key
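
The copy step under "Installing a Let's Encrypt certificate" and the cron job above both write ~/ssl/key with cp, so a new key file is only restricted once chmod runs, and a failed renewal can leave a partial copy. The following is an added example, not part of the original guide: install_tls_pair is a hypothetical helper name, and the caller passes the source files under $HOME/ssl/etc/live/ as arguments.

```sh
#!/bin/sh
# Added example (not from the original guide). install_tls_pair is a
# hypothetical helper: it installs a certificate and key into a destination
# directory without exposing the key and without partial writes.
# Usage: install_tls_pair <source-cert> <source-key> <dest-dir>
install_tls_pair() {
    src_cert=$1
    src_key=$2
    dest=$3

    # Refuse missing or empty inputs so a failed renewal never clobbers
    # the files the web server is currently using.
    for f in "$src_cert" "$src_key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    (
        umask 077   # anything created here is owner-only from the start
        tmp_cert=$(mktemp "$dest/.cert.XXXXXX") || exit 1
        tmp_key=$(mktemp "$dest/.key.XXXXXX") || { rm -f "$tmp_cert"; exit 1; }
        # Remove leftovers on any exit path; a no-op after a successful mv.
        trap 'rm -f "$tmp_cert" "$tmp_key"' EXIT

        cat "$src_cert" > "$tmp_cert" || exit 1
        cat "$src_key" > "$tmp_key" || exit 1
        chmod 644 "$tmp_cert"   # assumption: the certificate may be world-readable
        chmod 600 "$tmp_key"    # same mode the guide sets on ~/ssl/key

        # A rename within one directory is atomic: the server sees the old
        # file or the new one, never a half-written one.
        mv -f "$tmp_key" "$dest/key" && mv -f "$tmp_cert" "$dest/cert"
    )
}
```

In the crontab entry, chaining this helper after certbot with && instead of ; skips the install when certbot exits with an error.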