All csoft.net users can make their domains accessible via https:// without the need to purchase any commercial certificate, thanks to Let's Encrypt.
This guide shows how to install a Let's Encrypt certificate under your Csoft account yourself. If you want us to perform this installation for you, please contact tech@csoft.net. Also contact tech@csoft.net if you want us to handle any communication from Let's Encrypt.
When validating more than one domain name, it is necessary to set up a single Alias such that the URL /.well-known/ maps to the same directory for all of your domains. You can configure this from csoftadm with the following commands:
$ mkdir $HOME/www/.well-known
$ csoftadm
csoftadm> web alias add /.well-known/ /www/.well-known/
csoftadm> web alias list
You only need to set up a single Alias, as it applies to all your domains. Make sure to copy the pathname above exactly: all trailing slashes ("/") are required.
Important: If a created Alias is not working as expected, make sure that your ~/www directory is a real directory and not a symbolic link. If any of the components of the path happen to be symlinks, the alias will not work.
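The caveat above is easy to miss, because a symlinked ~/www behaves like a normal directory for everything except the alias. As an added example (not code from the csoft.net guide), here is a POSIX sh function that walks every component of a path and reports each one that is a symbolic link, which is exactly what makes the alias fail. The function name and the demo tree it checks are my own; the demo uses a temporary directory instead of your real ~/www.

```shell
#!/bin/sh
# symlink_components PATH
#   Check every component of PATH (/a, /a/b, /a/b/c, ...) and print the ones
#   that are symbolic links. Returns 0 when no component is a symlink and 1
#   when at least one is, which is the case in which the /.well-known/ alias
#   would not work.
symlink_components() {
    path=$1
    case "$path" in
        /*) ;;
        *)  path="$PWD/$path" ;;   # make relative paths absolute
    esac
    found=0
    cur=""
    rest=${path#/}                  # components still to examine
    while [ -n "$rest" ]; do
        comp=${rest%%/*}            # first remaining component
        case "$rest" in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$comp" ] || continue  # skip the empty component of "//"
        cur="$cur/$comp"
        if [ -L "$cur" ]; then
            printf 'symlink component: %s -> %s\n' "$cur" "$(readlink "$cur")"
            found=1
        fi
    done
    return $found
}

# Demo on a constructed tree. pwd -P gives the physical path of the temporary
# directory, so the only symlink reported is the one created here.
demo=$(cd "$(mktemp -d)" && pwd -P)
mkdir -p "$demo/real/www/.well-known"
ln -s "$demo/real/www" "$demo/www"     # a symlinked www, as in the caveat above

echo "checking $demo/real/www/.well-known"
symlink_components "$demo/real/www/.well-known" && echo "ok: all real directories"

echo "checking $demo/www/.well-known"
symlink_components "$demo/www/.well-known" || echo "alias would NOT work"

rm -rf "$demo"
```

On the account itself, run `symlink_components "$HOME/www/.well-known"`: no output and a zero exit status mean the alias path consists of real directories only.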
Enter the following commands in your shell to create and populate your ~/ssl/ directory:
$ mkdir -m 700 ~/ssl
$ cd ~/ssl
$ mkdir etc logs db
Finally, run the certbot command to send the certificate request:
$ certbot certonly --config-dir=$HOME/ssl/etc \
    --logs-dir=$HOME/ssl/logs \
    --work-dir=$HOME/ssl/db \
    --webroot -w $HOME/www \
    --cert-path $HOME/ssl/cert \
    -d example.com \
    -d www.example.com
The first time certbot runs, it interactively asks for the administrator e-mail address. You can include multiple domain names in the certificate by entering multiple -d options.
Finally, copy the live certificate over to ~/ssl/cert and the private key over to ~/ssl/key:
$ cp $HOME/ssl/etc/live/example.com/fullchain.pem $HOME/ssl/cert
$ cp $HOME/ssl/etc/live/example.com/privkey.pem $HOME/ssl/key
$ chmod 600 $HOME/ssl/key
Use the control panel or csoftadm to enable HTTPS service using the ssl option.
$ csoftadm
csoftadm> conf set ssl yes
It may take up to one minute before the SSL server starts (any errors will be reported to /var/log/users/YOURNAME). At this point, both https://example.com and https://www.example.com should be reachable.
For convenience, we recommend that you create a new script under ~/ssl/renew.sh, containing:
#!/bin/sh
#
# Renew my SSL certificate with LetsEncrypt.
#
DOMAIN=example.com

# Request (or renew) one certificate covering every -d name listed below.
certbot certonly \
    --config-dir="$HOME/ssl/etc" \
    --logs-dir="$HOME/ssl/logs" \
    --work-dir="$HOME/ssl/db" \
    --webroot -w "$HOME/www" \
    --cert-path "$HOME/ssl/cert" \
    -d "$DOMAIN" -d "www.$DOMAIN" \
    -d extra-domain1.com -d www.extra-domain1.com \
    -d extra-domain2.com -d www.extra-domain2.com \
    -d extra-domain3.com -d www.extra-domain3.com

# Install the new files only if certbot succeeded; on failure the
# previously installed certificate and key stay in place.
if [ "$?" -eq 0 ]; then
    cp -v "$HOME/ssl/etc/live/$DOMAIN/fullchain.pem" "$HOME/ssl/cert"
    cp -v "$HOME/ssl/etc/live/$DOMAIN/privkey.pem" "$HOME/ssl/key"
else
    echo "certbot failed"
    exit 1
fi
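The two cp lines in the script copy the new pair straight over the live files, so a half-written key or a key briefly created with a permissive umask can be read by the web server or by other users. As an added example (not part of the csoft.net guide), the following POSIX sh function installs the pair atomically, creates the key unreadable by others from the start, keeps the previous pair as cert.bak/key.bak for rollback, and refuses to touch anything if certbot's output files are missing or empty. The ~/ssl/cert and ~/ssl/key destinations are the guide's; the function names and the .tmp/.bak file names are my own choice, and the PEM contents used in the demo are constructed placeholders, not real key material.

```shell
#!/bin/sh
# install_cert LIVE_DIR SSL_DIR
#   Copy LIVE_DIR/fullchain.pem -> SSL_DIR/cert and LIVE_DIR/privkey.pem -> SSL_DIR/key.
#   - returns 1 and changes nothing if either source file is missing or empty
#   - copies under umask 077 so the key is never readable by others, not even briefly
#   - keeps the previously installed pair as cert.bak / key.bak for rollback
#   - renames the finished copies into place, so a reader never sees a partial file
install_cert() {
    live=$1
    ssl=$2
    for f in fullchain.pem privkey.pem; do
        if [ ! -s "$live/$f" ]; then
            echo "install_cert: $live/$f is missing or empty, nothing installed" >&2
            return 1
        fi
    done
    # The strict umask is set in a subshell so the caller's umask is untouched.
    ( umask 077 &&
      cp "$live/fullchain.pem" "$ssl/cert.tmp" &&
      cp "$live/privkey.pem"   "$ssl/key.tmp" ) || {
        rm -f "$ssl/cert.tmp" "$ssl/key.tmp"
        return 1
    }
    chmod 644 "$ssl/cert.tmp"   # the certificate chain is public material
    chmod 600 "$ssl/key.tmp"    # the private key is not
    if [ -f "$ssl/cert" ]; then cp -p "$ssl/cert" "$ssl/cert.bak"; fi
    if [ -f "$ssl/key" ];  then cp -p "$ssl/key"  "$ssl/key.bak";  fi
    mv "$ssl/cert.tmp" "$ssl/cert" && mv "$ssl/key.tmp" "$ssl/key"
}

# key_is_private FILE: true if FILE's mode is exactly rw------- (0600).
# ls is used rather than stat because stat's flags differ between GNU and BSD.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Demo on a constructed tree; the PEM "contents" are placeholders only.
demo=$(mktemp -d)
mkdir -p "$demo/live" "$demo/ssl"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
    > "$demo/live/fullchain.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' \
    > "$demo/live/privkey.pem"
if install_cert "$demo/live" "$demo/ssl"; then
    ls -l "$demo/ssl"
    key_is_private "$demo/ssl/key" && echo "key mode ok (0600)"
fi
rm -rf "$demo"
```

In renew.sh the two cp lines would become `install_cert "$HOME/ssl/etc/live/$DOMAIN" "$HOME/ssl" || exit 1`, so that a renewal whose output is incomplete leaves the previously installed pair untouched and a bad pair can be rolled back from the .bak files.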
You can add a cron job to auto-renew the certificate once a month. Any errors will be reported to the MAILTO address (which should be specified at the beginning of your crontab).
$ crontab -e
Or, if you want to use a specific editor:
$ env EDITOR=nano crontab -e
Add the following directives:
MAILTO=admin@example.com
# Renew my SSL certificate monthly.
@monthly (cd $HOME/ssl && sh renew.sh)
If you are using the ssl-redirect feature ("redirect all HTTP traffic to HTTPS"), then it must be turned off before running certbot, since the Let's Encrypt verification process cannot deal with redirections.
$ csoftadm -c "conf set ssl-redirect no"; sleep 180
$ certbot certonly ...
$ csoftadm -c "conf set ssl-redirect yes"
Your crontab command for renewal would then look like:
# Renew certificates monthly
@monthly csoftadm -c "conf set ssl-redirect no"; sleep 180; (cd $HOME/ssl && sh renew.sh); csoftadm -c "conf set ssl-redirect yes"
As of this writing, we are currently working on a simpler solution at the web server level.