Users of the Standard, Advanced and Corporate packages can make their domains accessible via https:// without the need to purchase a commercial certificate, using the Let's Encrypt Certificate Authority.

Required information

  • Domain name(s) requiring SSL. Domains must be live and served from a directory under ~/www/, since certbot's webroot verification writes a challenge file there that Let's Encrypt fetches over HTTP.
  • Administrator e-mail address. The address must be reachable.

Installing a Let's Encrypt certificate

From your shell, create the Let's Encrypt directories (~/ssl/ is a good place for this), and use the certbot command, as follows:

  $ cd ~/ssl
  $ mkdir etc logs db
  $ certbot certonly --config-dir=$HOME/ssl/etc \
      --logs-dir=$HOME/ssl/logs \
      --work-dir=$HOME/ssl/db \
      --webroot -w $HOME/www/example.com \
      --cert-path $HOME/ssl/cert \
      -d example.com \
      -d www.example.com

The first time certbot runs, it interactively asks for the administrator e-mail address. To cover several domain names with one certificate, pass several -d options; the first one becomes the certificate's primary name.

Finally, copy the live certificate over to ~/ssl/cert and the private key over to ~/ssl/key:

  $ cp $HOME/ssl/etc/live/example.com/fullchain.pem $HOME/ssl/cert
  $ cp $HOME/ssl/etc/live/example.com/privkey.pem $HOME/ssl/key
  $ chmod 600 $HOME/ssl/key

Enabling HTTPS service

Use csoftadm to enable HTTPS service using the ssl option. Make sure that your ssl-name setting matches the first domain name in the ~/ssl/cert certificate chain (i.e., the first of the -d arguments passed to certbot).

  $ csoftadm
  csoftadm> conf set ssl-name example.com
  csoftadm> conf set ssl yes

It may take up to one minute before the SSL server starts (any errors will be reported to /var/log/users/YOURNAME). At this point, https://example.com should be reachable.
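A check worth running before flipping ssl to yes, added here as an example rather than taken from the guide: it reads the first DNS name out of the certificate with openssl and compares it with the ssl-name you intend to set, and also confirms the certificate is not about to expire. The function names, the awk/sed parsing and the two-argument usage are mine; the paths follow the guide's ~/ssl layout.

```shell
#!/bin/sh
# Added example: confirm that the csoftadm ssl-name value matches the first
# DNS name in the certificate that certbot produced (the first -d argument).
# Assumes openssl is in PATH; the paths mirror the guide's ~/ssl layout.

# Read `openssl x509 -noout -text` output on stdin and print the first DNS:
# name listed in the Subject Alternative Name extension (empty if none).
first_san_from_text() {
    awk '
        found { sub(/^[ \t]*/, ""); print; exit }
        /X509v3 Subject Alternative Name/ { found = 1 }
    ' | tr ',' '\n' | sed -n 's/^ *DNS://p' | head -n 1
}

# Same, but for a PEM certificate file such as ~/ssl/cert.
cert_first_san() {
    openssl x509 -noout -text -in "$1" | first_san_from_text
}

# Exit status 0 when $1 equals the certificate's first SAN, 1 otherwise.
check_ssl_name() {
    expected=$1
    certfile=$2
    actual=$(cert_first_san "$certfile")
    if [ "$actual" = "$expected" ]; then
        echo "ok: ssl-name '$expected' matches first SAN of $certfile"
        return 0
    fi
    echo "mismatch: ssl-name is '$expected' but first SAN of $certfile is '${actual:-<none>}'" >&2
    return 1
}

# Exit status 0 when the certificate in $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1"
}

# Usage: sh check-ssl-name.sh example.com ~/ssl/cert
if [ "$#" -eq 2 ]; then
    check_ssl_name "$1" "$2" && cert_valid_for_days "$2" 14
fi
```

A non-zero exit from either check is the signal to fix the -d order or renew before setting ssl yes; otherwise the server starts with a name that browsers will reject.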

Note: The above does not apply to Advanced and Corporate users who are running a dedicated httpd. In that case, the relevant httpd.conf sections need to be edited manually and the server restarted with apachectl (see: Dedicated Apache Installation Guide).

Enable auto-renewal of the certificate

A cron job can auto-renew the certificate once a month. Any errors are mailed to the MAILTO address, which should be set at the beginning of your crontab.

  $ crontab -e           # or:
  $ env EDITOR=nano crontab -e

Add the following to the crontab. The @monthly command must stay on a single line, since crontab does not support backslash continuation; the two copies are chained with && so that they run only when certbot succeeds:

  MAILTO=admin@example.com

  # Renew certificates monthly
  @monthly certbot certonly --config-dir=$HOME/ssl/etc --logs-dir=$HOME/ssl/logs --work-dir=$HOME/ssl/db --webroot -w $HOME/www/example.com --cert-path $HOME/ssl/cert -d example.com -d www.example.com && cp -f $HOME/ssl/etc/live/example.com/fullchain.pem $HOME/ssl/cert && cp -f $HOME/ssl/etc/live/example.com/privkey.pem $HOME/ssl/key
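The one-liner works, but the copy step and the renewal step are easier to get right in a small script. The following is an added example, not part of the guide: it separates renewal from installation, installs each file only when its content changed, and writes the private key with mode 600 before it appears at ~/ssl/key, so there is no window in which the key is world-readable. The script name, the variable names and the `run` argument are my choices; SSL_DIR, WEBROOT and DOMAINS default to the guide's example values, and certbot is assumed to be in PATH.

```shell
#!/bin/sh
# Added example (not from the hosting guide): renewal script to call from cron
# in place of the long one-liner. Assumes the guide's ~/ssl layout (etc/, logs/,
# db/, cert, key) and certbot in PATH. Defaults are the guide's example values.
set -eu

SSL_DIR=${SSL_DIR:-${HOME:-.}/ssl}
WEBROOT=${WEBROOT:-${HOME:-.}/www/example.com}
DOMAINS=${DOMAINS:-"example.com www.example.com"}   # first name = primary name
CERTBOT=${CERTBOT:-certbot}

# Copy $1 to $2 with mode $3, but only when the content differs.
# Returns 0 if $2 was updated, 1 if it was already current.
install_file() {
    src=$1; dst=$2; mode=$3
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi
    tmp="$dst.tmp.$$"
    # Create the copy unreadable to others, then set the final mode and rename
    # it into place, so no reader ever sees a half-written or open key file.
    ( umask 077; cp "$src" "$tmp" )
    chmod "$mode" "$tmp"
    mv -f "$tmp" "$dst"
    return 0
}

# Ask certbot for the certificate. --keep-until-expiring makes this a no-op
# while the existing certificate is not yet due, so running more often than
# monthly is harmless; --non-interactive turns a missing answer into an error
# (which cron mails to MAILTO) instead of a hang.
renew_cert() {
    set --
    for d in $DOMAINS; do set -- "$@" -d "$d"; done
    "$CERTBOT" certonly --non-interactive --keep-until-expiring \
        --config-dir "$SSL_DIR/etc" --logs-dir "$SSL_DIR/logs" \
        --work-dir "$SSL_DIR/db" --webroot -w "$WEBROOT" "$@"
}

# Copy certbot's live files to the paths the SSL server reads.
# Returns 0 if either file changed, 1 if both were already current.
install_cert() {
    primary=${DOMAINS%% *}
    live="$SSL_DIR/etc/live/$primary"
    changed=1
    if install_file "$live/fullchain.pem" "$SSL_DIR/cert" 644; then changed=0; fi
    if install_file "$live/privkey.pem" "$SSL_DIR/key" 600; then changed=0; fi
    return $changed
}

# Usage from cron:  @monthly $HOME/ssl/renew.sh run
if [ "${1:-}" = "run" ]; then
    renew_cert
    if install_cert; then
        echo "new certificate installed in $SSL_DIR"
    else
        echo "certificate unchanged"
    fi
fi
```

Save it as ~/ssl/renew.sh, make it executable, and point the @monthly entry at it; MAILTO still receives any output, and a failed certbot run leaves ~/ssl/cert and ~/ssl/key untouched.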