Users of the Standard, Advanced and Corporate packages can make their domains accessible via https:// without the need to purchase a commercial certificate, using the Let's Encrypt Certificate Authority.

Required information
  • Domain name(s) requiring SSL. Domains must be live and accessible from ~/www/.
  • Administrator e-mail address. Address must be reachable.

Setting up a common /.well-known path

When validating more than one domain name, it is necessary to set up a single HTTP Alias such that the URL /.well-known/ maps to the same directory for all domains:

  $ csoftadm
  csoftadm> web alias add /.well-known/ /www/example.com/.well-known/

You only need to set up a single alias. This alias applies to all your domains. Note that all trailing slashes are required.

  csoftadm> web alias list
  +---------------+-------------------------------------------+
  | Virtual path  | Real path                                 |
  +---------------+-------------------------------------------+
  | /.well-known  | /home/MYNAME/www/example.com/.well-known/ |
  +---------------+-------------------------------------------+

Installing a Let's Encrypt certificate

  $ cd ~/ssl
  $ mkdir etc logs db
  $ certbot certonly --config-dir=$HOME/ssl/etc \
      --logs-dir=$HOME/ssl/logs \
      --work-dir=$HOME/ssl/db \
      --webroot -w $HOME/www/example.com \
      --cert-path $HOME/ssl/cert \
      -d example.com \
      -d www.example.com

The first time certbot runs, it interactively asks for the administrator e-mail address. You can request multiple certificates by entering multiple -d options.

Finally, copy the live certificate over to ~/ssl/cert and the private key over to ~/ssl/key:

  $ cp $HOME/ssl/etc/live/example.com/fullchain.pem $HOME/ssl/cert
  $ cp $HOME/ssl/etc/live/example.com/privkey.pem $HOME/ssl/key
  $ chmod 600 $HOME/ssl/key

Enabling HTTPS service

Use csoftadm to enable HTTPS service using the ssl option. Make sure that your ssl-name setting matches the first domain name in the ~/ssl/cert certificate chain (i.e., the first of the -d arguments passed to certbot).

  $ csoftadm
  csoftadm> conf set ssl-name example.com
  csoftadm> conf set ssl yes

It may take up to one minute before the SSL server starts (any errors will be reported to /var/log/users/YOURNAME). At this point, https://example.com should be reachable.

Note: The above does not apply to Advanced and Corporate users who are running a dedicated httpd. In that case, the relevant httpd.conf sections need to be edited manually and the server restarted with apachectl (see: Dedicated Apache Installation Guide).

Enable auto-renewal of the certificate

We can add a cron job to auto-renew the certificate once a month. Any errors will be reported to the MAILTO address (which should be specified at the beginning of your crontab).

  $ crontab -e           # or:
  $ env EDITOR=nano crontab -e

MAILTO=admin@example.com

# Renew certificates monthly
@monthly certbot certonly --config-dir=$HOME/ssl/etc --logs-dir=$HOME/ssl/logs --work-dir=$HOME/ssl/db --webroot -w $HOME/www/example.com --cert-path $HOME/ssl/cert -d example.com -d www.example.com; cp -f $HOME/ssl/etc/live/example.com/fullchain.pem $HOME/ssl/cert; cp -f $HOME/ssl/etc/live/example.com/privkey.pem $HOME/ssl/key

UPDATE (4 / 2019)

Workaround needed when using the ssl-redirect option

If you are using the new ssl-redirect feature ("redirect all HTTP traffic to HTTPS"), it must be turned off before running certbot because, as of this writing, the Let's Encrypt verification process cannot deal with redirections when accessing the cookie.

  $ csoftadm -c "conf set ssl-redirect no"; sleep 180
  $ certbot certonly ...
  $ csoftadm -c "conf set ssl-redirect yes"

The crontab command for renewal would then look like:

# Renew certificates monthly
@monthly csoftadm -c "conf set ssl-redirect no"; sleep 180; certbot certonly --config-dir=$HOME/ssl/etc --logs-dir=$HOME/ssl/logs --work-dir=$HOME/ssl/db --webroot -w $HOME/www/example.com --cert-path $HOME/ssl/cert -d example.com -d www.example.com; csoftadm -c "conf set ssl-redirect yes"; cp -f $HOME/ssl/etc/live/example.com/fullchain.pem $HOME/ssl/cert; cp -f $HOME/ssl/etc/live/example.com/privkey.pem $HOME/ssl/key
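
The renewal sequence above written as a script, as an added example that is not part of the original guide: it re-enables ssl-redirect even when certbot fails, and installs the key so that it is never readable under a looser mode. The function names, SETTLE_SECONDS, the 644 certificate mode and the ~/ssl/renew.sh path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original guide). Hypothetical names:
# install_private, renew_cert, SETTLE_SECONDS, ~/ssl/renew.sh.

# Copy $1 to $2 with mode $3. The temporary copy is created under umask 077,
# so the key is never readable by others, then renamed into place.
install_private() {
    ( umask 077 && rm -f "$2.new" && cp "$1" "$2.new" && chmod "$3" "$2.new" ) &&
        mv -f "$2.new" "$2"
}

# Usage: renew_cert PRIMARY_DOMAIN [EXTRA_DOMAIN...]
renew_cert() {
    primary=$1
    live=$HOME/ssl/etc/live/$primary
    dargs=""
    for d in "$@"; do dargs="$dargs -d $d"; done

    # Workaround from the guide: ssl-redirect must be off during validation.
    csoftadm -c "conf set ssl-redirect no" || return 1
    sleep "${SETTLE_SECONDS:-180}"

    rc=0
    # $dargs is unquoted on purpose: it expands to "-d name -d name ...".
    certbot certonly --config-dir="$HOME/ssl/etc" \
        --logs-dir="$HOME/ssl/logs" --work-dir="$HOME/ssl/db" \
        --webroot -w "$HOME/www/$primary" \
        --cert-path "$HOME/ssl/cert" $dargs || rc=$?

    # Re-enable the redirect whether or not certbot succeeded.
    csoftadm -c "conf set ssl-redirect yes" || rc=1
    [ "$rc" -eq 0 ] || return "$rc"

    # Do not replace a working pair with missing or empty files.
    # Key mode 600 follows the guide; 644 for the public chain is assumed.
    [ -s "$live/fullchain.pem" ] && [ -s "$live/privkey.pem" ] || return 1
    install_private "$live/privkey.pem" "$HOME/ssl/key" 600 &&
        install_private "$live/fullchain.pem" "$HOME/ssl/cert" 644
}

# When saved as e.g. ~/ssl/renew.sh, cron can run:
#   @monthly sh $HOME/ssl/renew.sh example.com www.example.com
[ "$#" -eq 0 ] || renew_cert "$@"
```

A non-zero exit status from the script leaves the previous ~/ssl/cert and ~/ssl/key in place.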