This page describes how to enable SSL/TLS for example.com using Let's Encrypt. ssh to ssh.hcoop.net, then follow the instructions below.

= First time setup =

At the end of these steps, you'll have a certificate for www.example.com. If you want to use a different subdomain (example.com, git.example.com, etc), you'll follow modified versions of these steps in section 2.

== Set up your new website with http ==

{{{
echo 'dom "example.com" with end;' > ~/.domtool/example.com
}}}

== Set up your environment ==

These steps are recommended but optional. If you skip them, you'll need to run {{{source ~/.acme.sh/acme.sh.env}}} each time before you generate certs.

The hcoop environment doesn't use a .bashrc file by default, but the `le` installer expects one (it appends the line that loads its environment there). First create the file:

{{{
touch ~/.bashrc
}}}

Then load it in each new session. Add the following lines to ~/.bash_profile:

{{{
if [ -f ~/.bashrc ]; then
    . ~/.bashrc
fi
}}}

== Download and install `le` ==

`le` (the project now known as acme.sh) is a Let's Encrypt client written in pure shell. The third command may complain that you are not allowed to use crontab. This is fine, but it means no renewal cron job is installed: Let's Encrypt certificates are valid for 90 days, so you will have to renew yours by hand (re-run the issue step below, or `acme.sh --renew -d www.example.com`) and send the renewed files through the same installation request.

{{{
git clone https://github.com/Neilpang/le.git
cd le
./acme.sh --install
}}}

{{{#!wiki warning
'''Security Precautions'''

Since AFS is publicly accessible, you need to take a few precautions to ensure that your certificate and private key remain private. For all key operations, keep the files in a directory that only you and the admins can read. AFS ACLs are set per directory, and a new subdirectory copies its parent's ACL when it is created, so fix the ACL on ~/.acme.sh '''before''' you issue the certificate: the per-domain directory that holds the key is created at that point and inherits it.
}}}

Set the correct permissions (`-clear` drops every existing entry, including `system:anyuser`):

{{{
fs sa ~/.acme.sh -clear YOUR_USERNAME all system:administrators all
}}}

Check the result with {{{fs la ~/.acme.sh}}}: the only entries listed should be YOUR_USERNAME and system:administrators.

Load the `le` environment. Either run this once in the current session, or log out and back in (the installer added the same line to your .bashrc, if you created it above):

{{{
source ~/.acme.sh/acme.sh.env
}}}

== Generate the cert ==

Run

{{{
acme.sh --issue -d www.example.com -w ~/public_html/
}}}

The name given with `-d` must be the host the certificate will be served for (here `www.example.com`, which the default `dom` configuration above serves out of ~/public_html); a certificate issued for the bare `example.com` is not valid for `www.example.com`. At the end, it will print a message, `Your cert is in`, and then a path to a file ending in `.cer`. Copy this path '''without the .cer extension'''. In the next section, replace `$FILE` with this path.
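Before sending the installation request, it is worth checking the two things the steps above depend on: that the ACL on ~/.acme.sh really is private, and that the `$FILE` path was taken correctly from the acme.sh output. The following POSIX shell script is an added example, not part of this page and not part of acme.sh. The `fs la` listings and the acme.sh output it parses are constructed samples; the username `example`, the AFS home path and the function names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the HCoop wiki or from acme.sh): offline checks for
# the AFS ACL step and for the "Your cert is in ..." path acme.sh prints.
# The listings below are constructed samples; "example" stands for YOUR_USERNAME.

# acl_is_private USER  (reads `fs la DIR` output on stdin)
# Succeeds only if every entry under "Normal rights:" is USER or
# system:administrators. Anything else (system:anyuser, system:authuser,
# another user or a group) means someone other than you and the admins can
# read the directory.
acl_is_private() {
    awk -v owner="$1" '
        /^Normal rights:/   { in_rights = 1; next }
        /^Negative rights:/ { in_rights = 0; next }
        in_rights && NF == 2 && $1 != owner && $1 != "system:administrators" {
            bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

# cert_base_from_acme_output  (reads acme.sh --issue output on stdin)
# Prints the certificate path without its .cer extension, i.e. $FILE.
cert_base_from_acme_output() {
    sed -n 's/^.*Your cert is in[[:space:]]*\(.*\)\.cer[[:space:]]*$/\1/p' | head -n 1
}

# cert_files_present BASE
# Succeeds if both $FILE.cer and $FILE.key exist and are non-empty, which is
# what the installation request form needs.
cert_files_present() {
    [ -s "$1.cer" ] && [ -s "$1.key" ]
}

# portal_cert_field BASE: the string to paste into "OpenSSL certificate".
portal_cert_field() {
    printf '%s.cer %s.key\n' "$1" "$1"
}

# Constructed `fs la ~/.acme.sh` output as it looks right after
# `./acme.sh --install` and before the fs sa step: system:anyuser can read it.
sample_acl_before() {
    cat <<'EOF'
Access list for /afs/hcoop.net/user/e/ex/example/.acme.sh is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  example rlidwka
EOF
}

# Constructed listing after
# `fs sa ~/.acme.sh -clear example all system:administrators all`.
sample_acl_after() {
    cat <<'EOF'
Access list for /afs/hcoop.net/user/e/ex/example/.acme.sh is
Normal rights:
  system:administrators rlidwka
  example rlidwka
EOF
}

# Constructed tail of `acme.sh --issue -d www.example.com -w ~/public_html/`.
sample_acme_output() {
    cat <<'EOF'
[Mon Jan  1 00:00:00 UTC 2018] Cert success.
[Mon Jan  1 00:00:00 UTC 2018] Your cert is in  /afs/hcoop.net/user/e/ex/example/.acme.sh/www.example.com/www.example.com.cer
[Mon Jan  1 00:00:00 UTC 2018] Your cert key is in  /afs/hcoop.net/user/e/ex/example/.acme.sh/www.example.com/www.example.com.key
EOF
}

main() {
    if sample_acl_before | acl_is_private example; then
        echo "unexpected: default ACL reported private"; exit 1
    fi
    echo "before fs sa: not private (system:anyuser can read), as expected"
    sample_acl_after | acl_is_private example && echo "after fs sa: private"

    base=$(sample_acme_output | cert_base_from_acme_output)
    echo "FILE=$base"
    echo "OpenSSL certificate field: $(portal_cert_field "$base")"
    # On the real host, pipe `fs la ~/.acme.sh` and the saved acme.sh output
    # into the functions above, then run cert_files_present "$base" before
    # you submit the request.
}

main
```

On the real system the two pipelines become `fs la ~/.acme.sh | acl_is_private YOUR_USERNAME` and `acme.sh --issue ... | tee issue.log`, followed by `cert_base_from_acme_output < issue.log`; the functions themselves need nothing beyond sh, awk and sed.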
== Request cert installation from hcoop admins ==

Send a [[https://members.hcoop.net/portal/cert|SSL certificate permission request]]. Fill the fields out as follows, where `$FILE` is the path you copied at the end of the previous section:

 * Subdomain: `www`
 * Domain: `example.com`
 * OpenSSL certificate: `$FILE.cer $FILE.key`

== Update domtool config to use SSL ==

Customize your config file as you wish. The simplest example config, redirecting all traffic to https once the admins have installed the certificate:

{{{
dom "example.com" where
  SSL = use_cert "/etc/apache2/ssl/YOUR_USERNAME/www.example.com.pem"
with
  web "www" with
    rewriteRule "^(.*)$" "https://www.example.com$1" [redirectWith temp]
  end;
end;
}}}

Read more [[DomTool|about domtool]].

= Existing setups & tweaks =

{{{#!wiki note
'''Under construction'''

This section is under construction.
}}}

If you're already set up, you probably know enough that you can adapt the steps above to your setup on your own. Maybe you can even help write this section!