Setting up HTTPS (SSL) with Let's Encrypt

Users of the Budget, Standard, Advanced and Corporate packages can make their domains accessible via https:// without the need to purchase a commercial certificate thanks to Let's Encrypt.

Required information
  • Domain name(s) requiring SSL. Domains must be live and accessible from ~/www/.
  • Administrator e-mail address. Address must be reachable.
Setting up a common /.well-known path

When validating more than one domain name, it is necessary to set up a single Alias such that the URL /.well-known/ maps to the same directory for all of your domains. You can configure this from csoftadm using:

  $ csoftadm
  csoftadm> web alias add /.well-known/ /www/example.com/.well-known/

You only need to set up a single Alias, as it applies to all of your domains. Both trailing slashes ("/") are required.

  csoftadm> web alias list
  +---------------+-------------------------------------------+
  | Virtual path  | Real path                                 |
  +---------------+-------------------------------------------+
  | /.well-known  | /home/MYNAME/www/example.com/.well-known/ |
  +---------------+-------------------------------------------+

Important: If a created Alias is not working as expected, make sure that all components of the path are real directories and not symlinks. If any of the components of the path happen to be symbolic links, the Alias will not work.
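
As an added example (not part of the csoft.net documentation), the following POSIX shell script checks the two things the Alias depends on before certbot is run: that no component of the real path is a symlink, and that a throwaway file dropped into .well-known/acme-challenge/ is served over plain HTTP for every domain, which is exactly what Let's Encrypt's HTTP-01 validation fetches. The directory, the domain names and the probe- token format are assumptions; curl is needed for the HTTP check.

```shell
#!/bin/sh
# Pre-flight check for HTTP-01 validation through the shared /.well-known Alias.
# Added example, not part of the csoft.net documentation: the directory,
# domain names and token format are assumptions.
set -eu

# Return 0 (true) if any component of the absolute path $1, walking down
# from /, is a symbolic link; the Alias does not work through symlinks.
path_has_symlink() {
    rest=${1#/}
    probe=""
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -n "$part" ] || continue
        probe="$probe/$part"
        if [ -L "$probe" ]; then
            echo "symlink in path: $probe" >&2
            return 0
        fi
    done
    return 1
}

# Drop a throwaway challenge file into $1/acme-challenge/ (the layout that
# certbot --webroot uses) and print its name.
write_probe_token() {
    mkdir -p "$1/acme-challenge"
    token=probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s' "$token" > "$1/acme-challenge/$token"
    chmod 644 "$1/acme-challenge/$token"
    printf '%s\n' "$token"
}

# Fetch the probe file for domain $1 over plain HTTP. curl does not follow
# redirects here, so an HTTP-to-HTTPS redirect in front of the path shows up
# as a failure. Return 0 when the body is the token $2.
probe_domain() {
    body=$(curl -fsS --max-time 10 "http://$1/.well-known/acme-challenge/$2") || return 1
    [ "$body" = "$2" ]
}

# Usage: sh check-wellknown.sh /home/MYNAME/www/example.com/.well-known example.com www.example.com
if [ $# -ge 2 ]; then
    wk=$1; shift
    if path_has_symlink "$wk"; then
        echo "replace the symlinked component with a real directory, then retry" >&2
        exit 2
    fi
    token=$(write_probe_token "$wk")
    rc=0
    for d in "$@"; do
        if probe_domain "$d" "$token"; then
            echo "ok   $d"
        else
            echo "FAIL $d: check DNS, the Alias and any HTTP-to-HTTPS redirect" >&2
            rc=1
        fi
    done
    rm -f "$wk/acme-challenge/$token"
    exit "$rc"
fi
```

A FAIL for one domain means Let's Encrypt will fail the same way for that name, so fix the Alias (or DNS) for it before running certbot.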

Installing a Let's Encrypt certificate
  $ mkdir -m 700 ~/ssl
  $ cd ~/ssl
  $ mkdir etc logs db
  $ certbot certonly --config-dir=$HOME/ssl/etc \
      --logs-dir=$HOME/ssl/logs \
      --work-dir=$HOME/ssl/db \
      --webroot -w $HOME/www/example.com \
      --cert-path $HOME/ssl/cert \
      -d example.com \
      -d www.example.com

The first time certbot runs, it interactively asks for the administrator e-mail address and for agreement to the Let's Encrypt terms of service. Passing several -d options does not create several certificates: all of those names go onto a single certificate, and the first -d name becomes the directory name under ~/ssl/etc/live/.

Finally, copy the live certificate over to ~/ssl/cert and the private key over to ~/ssl/key. The files under ~/ssl/etc/live/ are symlinks to the current version in ~/ssl/etc/archive/; cp follows them, so the copies hold the current certificate and key:

  $ cp $HOME/ssl/etc/live/example.com/fullchain.pem $HOME/ssl/cert
  $ cp $HOME/ssl/etc/live/example.com/privkey.pem $HOME/ssl/key
  $ chmod 600 $HOME/ssl/key

Enabling HTTPS service

Use csoftadm to enable HTTPS service using the ssl option. Make sure that your ssl-name setting matches the first domain name in the ~/ssl/cert certificate chain (i.e., the first of the -d arguments passed to certbot).

  $ csoftadm
  csoftadm> conf set ssl-name example.com
  csoftadm> conf set ssl yes

It may take up to one minute before the SSL server starts (any errors will be reported to /var/log/users/YOURNAME). At this point, https://example.com should be reachable.

Note: The above does not apply to Advanced and Corporate users who are running a dedicated httpd. In that case, the relevant httpd.conf sections need to be edited manually and the server restarted with apachectl (see: Dedicated Apache Installation Guide).

Enable auto-renewal of the certificate

We can add a cron job to auto-renew the certificate once a month. Two things to keep in mind: certbot only replaces a certificate that is within 30 days of expiry (Let's Encrypt certificates are valid for 90 days), so a monthly job may end up renewing only a day or two before expiry with no second chance if that attempt fails; @weekly is the safer schedule. And when certbot certonly is re-run unattended it must not stop at its "You have an existing certificate ... What would you like to do?" prompt, so pass --keep-until-expiring (keep the current certificate until it is due) together with -n (never prompt). Any errors will be reported to the MAILTO address (which should be specified at the beginning of your crontab).

  $ crontab -e           # or:
  $ env EDITOR=nano crontab -e

  MAILTO=admin@example.com

  # Renew certificates monthly (certbot only renews once the certificate is due)
  @monthly certbot certonly -n --keep-until-expiring --config-dir=$HOME/ssl/etc --logs-dir=$HOME/ssl/logs --work-dir=$HOME/ssl/db --webroot -w $HOME/www/example.com --cert-path $HOME/ssl/cert -d example.com -d www.example.com; cp -f $HOME/ssl/etc/live/example.com/fullchain.pem $HOME/ssl/cert; cp -f $HOME/ssl/etc/live/example.com/privkey.pem $HOME/ssl/key

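
The cp commands in the cron line copy the files unconditionally, and an interrupted cp leaves a truncated ~/ssl/key behind. As an added example that is not from the csoft.net documentation, the script below installs the pair atomically, only when it changed, and refuses to install a certificate whose public key does not match the private key (openssl does that check). It can replace the two cp commands in the cron line, or run as certbot's --deploy-hook, which certbot invokes only after a successful renewal with RENEWED_LINEAGE set to the live/ directory. The script name and the SSL_DIR override are assumptions.

```shell
#!/bin/sh
# Install a (renewed) Let's Encrypt certificate into ~/ssl/cert and ~/ssl/key.
# Added example, not part of the csoft.net documentation. It assumes the ~/ssl
# layout used on this page; SSL_DIR overrides the destination directory.
set -eu

# Return 0 if the public key embedded in certificate $1 matches private key $2.
# Comparing the exported public keys works for RSA and ECDSA keys alike.
keypair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Copy $1 over $2 only if it changed: write a mode-0600 temp file next to
# the destination and rename it into place, so the SSL server never reads a
# half-written file. Prints "changed" or "unchanged".
install_file() {
    src=$1; dst=$2
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        echo unchanged
        return 0
    fi
    tmp="$dst.tmp.$$"
    (umask 077 && cp "$src" "$tmp")
    chmod 600 "$tmp"
    mv -f "$tmp" "$dst"
    echo changed
}

# Install both files from lineage directory $1 (certbot's live/<name>) into
# $2, touching nothing if the certificate and key do not belong together.
install_lineage() {
    lineage=$1; ssldir=$2
    if ! keypair_matches "$lineage/fullchain.pem" "$lineage/privkey.pem"; then
        echo "fullchain.pem and privkey.pem in $lineage do not match; nothing installed" >&2
        return 1
    fi
    install_file "$lineage/fullchain.pem" "$ssldir/cert" >/dev/null
    install_file "$lineage/privkey.pem" "$ssldir/key"
}

# certbot exports RENEWED_LINEAGE when running this as --deploy-hook;
# otherwise pass the lineage directory as the first argument.
if [ $# -ge 1 ] || [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_lineage "${1:-$RENEWED_LINEAGE}" "${SSL_DIR:-$HOME/ssl}"
fi
```

Invoke it by hand as sh install-cert.sh $HOME/ssl/etc/live/example.com, or let certbot call it: certbot renew --config-dir=$HOME/ssl/etc --logs-dir=$HOME/ssl/logs --work-dir=$HOME/ssl/db --deploy-hook $HOME/ssl/install-cert.sh renews every lineage that is due, using the webroot settings saved at first issuance, and runs the hook only for the ones it actually renewed.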
Workaround needed if using "ssl-redirect"

If you are using the ssl-redirect feature ("redirect all HTTP traffic to HTTPS"), it must be turned off before running certbot since, as of this writing, the Let's Encrypt verification process cannot deal with redirections when fetching the challenge file under /.well-known/acme-challenge/.

  $ csoftadm -c "conf set ssl-redirect no"; sleep 180
  $ certbot certonly ...
  $ csoftadm -c "conf set ssl-redirect yes"

The crontab command for renewal would then look like:

  # Renew certificates monthly (ssl-redirect is disabled while certbot runs)
  @monthly csoftadm -c "conf set ssl-redirect no"; sleep 180; certbot certonly -n --keep-until-expiring --config-dir=$HOME/ssl/etc --logs-dir=$HOME/ssl/logs --work-dir=$HOME/ssl/db --webroot -w $HOME/www/example.com --cert-path $HOME/ssl/cert -d example.com -d www.example.com; csoftadm -c "conf set ssl-redirect yes"; cp -f $HOME/ssl/etc/live/example.com/fullchain.pem $HOME/ssl/cert; cp -f $HOME/ssl/etc/live/example.com/privkey.pem $HOME/ssl/key

© 2024 CubeSoft Communications
All Rights Reserved.