Let's Encrypt!

This page describes how to enable SSL using Let's Encrypt for example.com. Log in through ssh to ssh.hcoop.net, then follow the instructions below.

First time setup

At the end of these steps, you'll have a certificate for www.example.com. If you want to use a different subdomain (example.com, git.example.com, etc.), you can follow the multi-domain configuration example further down this page.

Set up your new website with http

Configure the site for plain http first, in ~/.domtool/example.com.

Set up your environment

These steps are recommended but optional. If you skip them, you'll need to run source ~/.acme.sh/acme.sh.env each time before you generate certs. The hcoop environment doesn't use a .bashrc file by default, but acme.sh expects one.
First create the file ~/.bashrc. Then load it in each new session from ~/.bash_profile.

Download and install acme.sh

Acme.sh is a client for the ACME protocol, written in pure bash. The install step may complain that you are not allowed to use crontab (acme.sh tries to register a cron job for renewals). This is fine.

Security Precautions

Since AFS is publicly accessible, you need to take a few precautions to ensure that your certificate and private key remain private. For all key operations, keep the files in a directory that only you and the admins can read, and set that directory's permissions accordingly.

You'll have to run source ~/.acme.sh/acme.sh.env once, or you can log out and reconnect (if you set up your .bashrc).

Additionally, acme.sh now uses ZeroSSL as its default CA, which requires providing an email address to the client that is registered with ZeroSSL's server. If you want to continue using Let's Encrypt, switch acme.sh's default CA back to Let's Encrypt (its --set-default-ca option) before continuing.

Generate the cert

If the example.com document root is ~/public_html/, run acme.sh with -w ~/public_html/ and -k 2048. (If the document root is some weird subdirectory, like ~/public_html/weird, set the -w option to that instead.) The -k 2048 argument requests a 2048-bit RSA key; by default, acme.sh generates ECC keys, which aren't yet supported (as of January 2023). At the end, it will print "Your cert is in" and then a path to a file ending in .cer. Copy this path without the .cer extension. In the next section, replace $FILE with this path.

Request cert installation from hcoop admins

Send an SSL certificate permission request. Fill out the fields as follows:

Subdomain: www
Domain: example.com
OpenSSL certificate: $FILE.cer $FILE.key

See the section above for context. You must also request certificate installation whenever you renew the certificate.

Update domtool config to use SSL

Now that your cert has been installed, its path will appear on the certificate permission request page, under the heading "Your certificates." Let's say the cert path is /etc/apache2/ssl/user/www.example.com.pem.
(That directory is really called user; it's not a username stand-in!) You need to add this path to your domtool configuration. The simplest config redirects all traffic to https for a single domain; the wiki has more single-domain examples and a multi-domain example, and the domtool manual for reference.

Existing setups & tweaks

Under construction

This section is under construction.

Multi-domain configuration example

.domtool/lib.dtl (defines the elektrubadurRewrite and elektrubadurCertificate helpers used below)

.domtool/elektrubadur.se:

    begin
        web name with elektrubadurRewrite; end;
        web name where SSL = elektrubadurCertificate; with elektrubadurRewrite; end;
    end;
Renewal

Renew with acme.sh's renew command; later on, just run ~/.acme.sh/acme.sh --renew-all.

Mostly-automated renewals

Edit example.com in the function below to match your domain and paths, and put it into your ~/.bashrc. Then you just need to run letsencrypt_renew and open the link it prints to submit the installation request.

    letsencrypt_renew() {
        # The domain, key path and renewal command are reconstructed from the
        # text above (the original start of this function is not preserved):
        # keyfile is the $FILE path from "Generate the cert", i.e. acme.sh's
        # printed path without the .cer extension, assuming its default layout.
        domain=example.com
        keyfile=$HOME/.acme.sh/www.$domain/www.$domain
        if ~/.acme.sh/acme.sh --renew-all; then
            # Renewed keys still need a new installation request to the admins.
            >&2 printf 'Open this link to submit:\n'
            >&2 printf \
                'https://members.hcoop.net/portal/cert?cmd=request&cert=%s&domain=%s&subdomain=&msg=routine+renewal\n' \
                "$keyfile" "$domain"
        else
            >&2 printf 'Error renewing cert, see above for more info (hopefully)\n'
        fi
    }
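A check for the Security Precautions above: this is an added example, not part of the HCoop manual, that reads what `fs listacl DIR` prints for a key directory such as ~/.acme.sh and reports every ACL entry other than you and system:administrators that carries the read right. The listings and the user name `example` below are constructed sample data.

```shell
#!/bin/sh
# Added example: audit the AFS ACL of a key directory such as ~/.acme.sh.
# AFS ignores most Unix mode bits; what matters is the per-directory ACL
# that `fs listacl DIR` prints, so a private key is only private when no
# entry besides you and system:administrators carries the read right 'r'.

# Read an `fs listacl` listing from stdin and print "name rights" for every
# entry in the Normal rights section, other than $1 (your AFS user name)
# and system:administrators, that includes 'r'. Prints nothing when clean.
acl_readers_other_than() {
    awk -v owner="$1" '
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && NF == 2 {
            name = $1; rights = $2
            if (name != owner && name != "system:administrators" &&
                index(rights, "r") > 0)
                print name, rights
        }'
}

# Exit 0 when the listing on stdin exposes the directory, 1 when it is private.
acl_is_exposed() {
    [ -n "$(acl_readers_other_than "$1")" ]
}

# Constructed sample listings (the real thing comes from `fs listacl DIR`).
# system:anyuser with 'rl' is the classic mistake: the whole world can read.
SAMPLE_EXPOSED='Access list for /afs/hcoop.net/user/e/ex/example/.acme.sh is
Normal rights:
  system:administrators rlidwka
  example rlidwka
  system:anyuser rl
'
SAMPLE_PRIVATE='Access list for /afs/hcoop.net/user/e/ex/example/.acme.sh is
Normal rights:
  system:administrators rlidwka
  example rlidwka
'

# Wrapper used for the samples: $1 = listing text, $2 = owner.
check_listing() {
    printf '%s' "$1" | acl_readers_other_than "$2"
}

# Live use (ACLs are per directory, so check acme.sh's subdirectories too):
#   for d in $(find ~/.acme.sh -type d); do fs listacl "$d" | acl_readers_other_than "$USER"; done
# Remove an offending entry with:  fs setacl -dir ~/.acme.sh -acl system:anyuser none
check_listing "$SAMPLE_EXPOSED" example   # prints: system:anyuser rl
```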