Setting up HTTPS (SSL) with LetsEncrypt

All users can make their domains accessible via https:// without the need to purchase any commercial certificate thanks to Let's Encrypt. This guide shows how to install a Let's Encrypt certificate under your Csoft account by yourself. If you want us to perform this installation for you, please contact

Required information
  • The list of domain name(s) you want to make accessible via SSL. Domains must be active.
  • Valid e-mail address for the administrator or webmaster. You can use if you want us to handle any communication from LetEncrypt.
Setting up a common /.well-known path

When validating more than one domain name, it is necessary to set up a single Alias such that the URL /.well-known/ maps to the same directory for all of your domains. You can configure this from csoftadm with the command:

  $ mkdir $HOME/www/.well-known
  $ csoftadm
  csoftadm> web alias add /.well-known/ /www/.well-known/
  csoftadm> web alias list

You only need to set up a single Alias as it applies to all your domains. Make sure to copy the pathname above exactly. All trailing slashes ("/") are required.

Important: If a created Alias is not working as expected, make sure that your ~/www directory is a real directory and not a symbolic link. If any of the components of the path happen to be symlinks, the alias will not work.

Installing a Lets's Encrypt certificate

Enter the following commands in your shell to create and populate your ~/ssl/ directory:

  $ mkdir -m 700 ~/ssl
  $ cd ~/ssl
  $ mkdir etc logs db

Finally, run the certbot command to send the certificate request:

  $ certbot certonly --config-dir=$HOME/ssl/etc \
      --logs-dir=$HOME/ssl/logs \
      --work-dir=$HOME/ssl/db \
      --webroot -w $HOME/www \
      --cert-path $HOME/ssl/cert \
      -d \

The first time certbot runs, it interactively asks for the administrator e-mail address. You can request multiple certificates by entering multiple -d options.

Finally, copy the live certificate over to ~/ssl/cert and the private key over to ~/ssl/key:

  $ cp $HOME/ssl/etc/live/ $HOME/ssl/cert
  $ cp $HOME/ssl/etc/live/ $HOME/ssl/key
  $ chmod 600 $HOME/ssl/key
Enabling HTTPS service

Use the control panel or csoftadm to enable HTTPS service using the ssl option.

  $ csoftadm
  csoftadm> conf set ssl yes

It may take up to one minute before the SSL server starts (any errors will be reported to /var/log/users/YOURNAME). At this point, both and should be reachable.

Create an Auto-Renewal Script

For convenience, we recommend that you create a new script under ~/ssl/, containing:

# Renew my SSL certificate with LetsEncrypt.

certbot certonly \
    --config-dir=$HOME/ssl/etc \
    --logs-dir=$HOME/ssl/logs \
    --work-dir=$HOME/ssl/db \
    --webroot -w $HOME/www \
    --cert-path $HOME/ssl/cert \
    -d $DOMAIN -d www.$DOMAIN \
    -d -d \
    -d -d \
    -d -d \

if [ "$?" == "0" ]; then
        cp -v $HOME/ssl/etc/live/$DOMAIN/fullchain.pem $HOME/ssl/cert
        cp -v $HOME/ssl/etc/live/$DOMAIN/privkey.pem $HOME/ssl/key
        echo "certbot failed"
        exit 1
Enable auto-renewal of the certificate

You can add a cron job to auto-renew the certificate once a month. Any errors will be reported to the MAILTO address (which should be specified at the beginning on your crontab).

  $ crontab -e

Or, if you want to use a specific editor:

  $ env EDITOR=nano crontab -e

Add the following directives:
  # Renew my SSL certificate monthly.
  @monthly (cd $HOME/ssl && sh
Workaround needed if using the "ssl-redirect" option

If you are using the ssl-redirect feature ("redirect all HTTP traffic to HTTPS") then it must be turned off before running certbot since the LetsEncrypt verification process cannot deal with redirections.

  $ csoftadm -c "conf set ssl-redirect no"; sleep 180
  $ certbot certonly ...
  $ csoftadm -c "conf set ssl-redirect yes"

Your crontab command for renewal would then look like:

  # Renew certificates monthly
  @monthly csoftadm -c "conf set ssl-redirect no"; sleep 180; (cd $HOME/ssl && sh; csoftadm -c "conf set ssl-redirect yes"

As of this writing, we are currently working on a simpler solution at the web server level.

© 2024 CubeSoft Communications
All Rights Reserved.