
Diff for "MemberManual/ServingWebsites/SslCert/LetsEncrypt"

Differences between revisions 4 and 6 (spanning 2 versions)
Revision 4 as of 2016-04-18 02:05:22
Size: 3010
Editor: NickMD
Comment: I realised I didn't really understand what I was doing. However some of the 'le' do need updating to 'acme' - programs new name.
Revision 6 as of 2019-05-25 23:19:04
Size: 3131
Editor: ClintonEbadi
Comment: explicitly mention that cert installation must be requested on renewal
Line 40: Line 40:
./le.sh install ./acme.sh --install
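Review bot: renaming the install step to `./acme.sh --install` leaves the clone command elsewhere on the page still fetching `https://github.com/Neilpang/le.git` and entering `cd le`; update the URL and directory to the project's new name (or verify that the old URL still resolves) so the checkout name and the script name agree.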
Line 52: Line 52:
fs sa ~/.le -clear YOUR_USERNAME all system:administrators all fs sa ~/.acme.sh -clear YOUR_USERNAME all system:administrators all
Line 58: Line 58:
source ~/.le/le.env source ~/.acme.sh/acme.sh.env
Line 66: Line 66:
le issue ~/public_html example.com acme.sh --issue -d example.com -w ~/public_html/
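Review bot: `acme.sh --issue -d example.com -w ~/public_html/` requests a certificate for the bare name only, while section 1 promises a certificate for `www.example.com` and the domtool config installs it under `web "www"`; add `-d www.example.com` (acme.sh accepts repeated `-d`) or the served hostname will not match the certificate.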
Line 84: Line 84:

You must also request certification installation whenever you renew the certificate.
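Review bot: "certification installation" should read "certificate installation"; the sentence would also be clearer if it said why (a renewal produces new .cer/.key files, so the admins have to install them again), since "renew" is otherwise undefined on the page.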

This page describes how to enable SSL using Let's Encrypt for example.com. ssh to ssh.hcoop.net, then follow the instructions below.

1. First time setup

At the end of these steps, you'll have a certificate for www.example.com. If you want to use a different subdomain (example.com, git.example.com, etc.), you'll follow modified versions of these steps in section 2.

1.1. Set up your new website with http

echo 'dom "example.com" with end;' > ~/.domtool/example.com

1.2. Set up your environment

These steps are recommended but optional. If you skip them, you'll need to run source ~/.acme.sh/acme.sh.env each time before you generate or renew certs.

The HCoop environment doesn't use a .bashrc file by default, but acme.sh expects one (its installer appends a line there that loads its environment). First create the file

touch ~/.bashrc

Then load it in each new session. Add the following lines to ~/.bash_profile

if [ -f ~/.bashrc ]; then
        . ~/.bashrc
fi

1.3. Download and install `acme.sh`

acme.sh (formerly called le) is a Let's Encrypt client written in pure bash. The third command may complain that you are not allowed to use crontab. This is fine: the installer is trying to add a cron job for automatic renewal, and without it you simply have to renew by hand (Let's Encrypt certificates expire after 90 days).

git clone https://github.com/Neilpang/le.git
cd le
./acme.sh --install

Security Precautions

Since AFS directories are readable by other users unless their ACLs say otherwise, you need to take a few precautions to ensure that your certificate and, above all, your private key remain private. For all key operations, keep the files in a directory that only you and the admins can read.

Set the correct permissions (this clears every other ACL entry on the directory and grants full rights only to you and to the admins):

fs sa ~/.acme.sh -clear YOUR_USERNAME all system:administrators all

Then load the acme.sh environment. You'll have to do this once per session, or you can log out and reconnect (if you set up your .bashrc as in section 1.2):

source ~/.acme.sh/acme.sh.env
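As an added check (example code, not part of the HCoop manual), the following POSIX shell function audits the output of `fs la ~/.acme.sh` and fails if anyone other than your user and system:administrators still holds rights, which is what the `fs sa ... -clear` line above is meant to guarantee. The `fs la` output layout it parses (a `Normal rights:` header followed by one `principal rights` line per entry, optionally followed by a `Negative rights:` section), the sample listings embedded in the script and the username `example` are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not HCoop's own tooling: audit an AFS ACL listing so that only
# the owner and system:administrators hold rights on the acme.sh directory.
# Assumed `fs la` layout: "Normal rights:" header, then "  principal rights"
# lines, optionally a "Negative rights:" section (entries there only deny).

# check_private_acl OWNER < fs_la_output
# Prints every principal other than OWNER / system:administrators that holds
# rights in the "Normal rights" section; returns 0 if none, 1 otherwise.
check_private_acl() {
    owner=$1
    awk -v owner="$owner" '
        /^Normal rights:/   { section = "normal"; next }
        /^Negative rights:/ { section = "negative"; next }
        section == "normal" && NF == 2 {
            if ($1 != owner && $1 != "system:administrators") {
                print $1 " " $2
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# audit_dir DIR OWNER: real usage, e.g.  audit_dir ~/.acme.sh "$USER"
audit_dir() {
    fs la "$1" | check_private_acl "$2"
}

# Constructed sample listings (assumed format, not captured from HCoop).
GOOD_LISTING='Access list for /afs/hcoop.net/user/e/ex/example/.acme.sh is
Normal rights:
  system:administrators rlidwka
  example rlidwka'

# system:anyuser still has read/lookup: the key is world-readable.
# The entry under "Negative rights:" denies access and is therefore fine.
LEAKY_LISTING='Access list for /afs/hcoop.net/user/e/ex/example/.acme.sh is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  example rlidwka
Negative rights:
  someuser rl'

# Stand-alone demo over the constructed listings.
for name in GOOD LEAKY; do
    eval "listing=\$${name}_LISTING"
    if printf '%s\n' "$listing" | check_private_acl example; then
        echo "$name: only the owner and system:administrators hold rights"
    else
        echo "$name: remove the entries above (fs sa DIR -clear OWNER all system:administrators all)"
    fi
done
```

Run `audit_dir ~/.acme.sh "$USER"` after the `fs sa` step and again whenever you copy key material elsewhere; the check deliberately ignores the `Negative rights:` section, because entries there take rights away rather than grant them.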

1.4. Generate the cert

Run the following. The -d flag names the hostname the certificate will cover (pass it more than once to cover several names, e.g. add -d www.example.com if that is the site you serve), and -w names the webroot where acme.sh drops the http-01 validation file, so it must be the directory the web server serves for that hostname over plain http (see section 1.1).

acme.sh --issue -d example.com -w ~/public_html/

At the end, it prints the message Your cert is in followed by a path to a file ending in .cer.

Copy this path without the .cer extension. In the next section, replace $FILE with this path.

1.5. Request cert installation from hcoop admins

Send an SSL certificate permission request. Fields are filled out with:

Subdomain: www

Domain: example.com

OpenSSL certificate: $FILE.cer $FILE.key

See the section above for context.

You must also request certificate installation again whenever you renew the certificate: a renewal produces a new certificate and key that the admins have to install.

1.6. Update domtool config to use SSL

Customize your config file as you wish. The simplest example config, redirecting all http traffic to https:

dom "example.com" where
  SSL = use_cert "/etc/apache2/ssl/YOUR_USERNAME/www.example.com.pem"
with
  web "www" with
    rewriteRule "^(.*)$" "https://www.example.com$1" [redirectWith temp]
  end;
end;

Read more: DomTool

2. Existing setups & tweaks

This section is under construction.

If you're already set up, you probably know enough that you can adapt the steps above to your setup on your own. Maybe you can even help write this section!

MemberManual/ServingWebsites/SslCert/LetsEncrypt (last edited 2019-05-25 23:19:04 by ClintonEbadi)