
Let's Encrypt

Let's Encrypt is an open certificate authority that issues free SSL/TLS certificates. The app integrates certificate creation, renewal and management into Webconfig so that other apps (Webconfig itself, website hosting, Openfire, etc.) can use the certificates.

Installation

From the Marketplace

Install from Webconfig (in the 'System' section).

Manually

yum install app-lets-encrypt

Create Certificates

<navigation>System > Security > Let's Encrypt > Add</navigation>

E-mail Address

This is where Let's Encrypt sends notices about the account, e.g. warnings that a certificate is about to expire.

Primary Domain

The first domain you want the certificate to cover. It can be a subdomain, such as www.example.com or example.poweredbyclear.com.

Other Domain

Any additional domains and subdomains you want the certificate to cover.

The 'www' is not added automatically. For websites you will usually want the certificate to cover the name both with and without 'www'. For example: Primary Domain: example.org, Other Domains: www.example.org

How It Works

To issue the certificate, Let's Encrypt's validation servers connect to your ClearOS system on port 80 (a plain HTTP request for a token under /.well-known/acme-challenge/) to verify that you control every domain listed. For example, if you request example.com (primary) and www.example.com (other), the DNS A records of both names must point to your ClearOS system's public IP address. This is how Let's Encrypt verifies that you own those domain names.

Any domain or subdomain you want a certificate for must resolve to your Internet (public) IP.

The same validation is repeated at every renewal. Let's Encrypt certificates are valid for 90 days and ClearOS renews them automatically, which means port 80 must remain reachable from the Internet permanently if automatic renewals are to keep working.

Potential Problems

Should you receive an error message, read it carefully. In particular, make sure that connections from the public Internet reach port 80 on your ClearOS system. Some tips:

  1. Check your router's port forwarding rules if your ClearOS system sits behind another router.
  2. Check the DNS records (A records) of every domain listed in the certificate request, using a resolver outside your LAN.
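The two checks above, and the port 80 validation path described under How It Works, can be scripted. The following pre-flight script is an added example, not part of ClearOS, the Let's Encrypt app or certbot. Run it from a host outside your LAN (hairpin NAT and split DNS would otherwise hide exactly the problems you are looking for); it assumes getent and curl are installed, and 203.0.113.10 is a documentation address standing in for your real public IP.

```shell
#!/bin/sh
# Added pre-flight check for Let's Encrypt HTTP-01 validation (example code,
# not ClearOS or certbot). Run from OUTSIDE the LAN, before requesting or
# changing a certificate:
#   sh le-preflight.sh 203.0.113.10 example.org www.example.org
# 203.0.113.10 is a placeholder for the ClearOS system's public IP.

# Resolve a hostname to its first IPv4 address (empty if it does not resolve).
# Kept as a separate function so the logic can be exercised without network.
resolve_ipv4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# Request a path under the ACME challenge prefix over plain HTTP and print the
# status code, or 000 if no connection could be made. Any real status (a 404
# is expected, since no challenge is staged) proves port 80 reaches the host.
probe_http() {
    code=$(curl -sS -o /dev/null -m 10 -w '%{http_code}' \
        "http://$1/.well-known/acme-challenge/preflight-$$" 2>/dev/null)
    echo "${code:-000}"
}

# preflight EXPECTED_IP DOMAIN... : returns 0 when every domain resolves to
# EXPECTED_IP and answers on port 80, 1 otherwise. One line per domain.
preflight() {
    expected="$1"; shift
    rc=0
    for d in "$@"; do
        ip=$(resolve_ipv4 "$d")
        if [ -z "$ip" ]; then
            echo "FAIL $d: does not resolve (DNS record missing?)"
            rc=1; continue
        fi
        if [ "$ip" != "$expected" ]; then
            echo "FAIL $d: resolves to $ip, expected $expected (DNS not updated or still cached)"
            rc=1; continue
        fi
        code=$(probe_http "$d")
        if [ "$code" = "000" ]; then
            echo "FAIL $d: no answer on port 80 (ClearOS firewall or router port forward?)"
            rc=1; continue
        fi
        echo "ok   $d -> $ip, HTTP $code on port 80"
    done
    return $rc
}

# Only act when called with arguments, so the file can also be sourced.
[ $# -eq 0 ] || preflight "$@"
```

Every name in the request has to pass: Let's Encrypt fails the whole order if a single listed domain does not validate, which is why the script keeps checking after the first failure and reports them all.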

ClearOS manages the local network and system during certificate requests and renewals, so you don't have to handle these details yourself, notably:

  1. Opening port 80 on the local ClearOS firewall
  2. Temporarily disabling port 80 port forward rules on the local ClearOS firewall
  3. Avoiding interference with the ClearOS web server or proxy server

When creating new certificates or renewing them automatically, ClearOS temporarily stops the web server, so hosted websites are briefly unavailable at that moment.

List Certificates

<navigation>System > Security > Let's Encrypt</navigation>

Assign a Certificate to a Website

<navigation> Server > Web > Web Server > Add or Edit > Settings > Options > Digital Certificate</navigation>

Use the Certificate for the Webconfig

<navigation> System > General Settings > Settings > SSL Certificates > Edit > Pick the Let's Encrypt Certificate</navigation>

If the change does not take effect right away, refresh the page or try another web browser (the old certificate may still be cached).

For this to work from your LAN, your DNS server needs to resolve your domain to your ClearOS LAN IP address; otherwise the name on the certificate will not match the address you browse to.

Changing Certificates

It is possible to change an existing certificate, for example to add or remove a domain or subdomain. This has to be done from the command line and is easiest with the web server stopped (otherwise you need to know the webroot of every domain).
Make sure the incoming HTTP (80) and HTTPS (443) ports are open in the firewall; it is port 80 that the validation actually uses.
List your certificates with:

certbot certificates

and note the certificate name. You can then change the set of domains on the certificate with something like:

certbot certonly --cert-name your_certificate_name -d your_certificate_name -d domain2 -d domain3 ....

Then follow the prompts. The -d list replaces the certificate's current set of names: any new domains in your list are added and any domains currently on the certificate that are missing from your list are removed.

The certificate name normally equals the primary domain of the original request, and --cert-name only selects which certificate to modify. You must therefore also pass your_certificate_name as one of the -d parameters, or that name will no longer be covered by the certificate.

At the next prompt:

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 

Select 2 (standalone) and press Enter. certbot then listens on port 80 itself for the validation, which is why the web server must be stopped.

At the following prompt:

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: 

choose U.

After changing the certificate, restart any services that use it, e.g. Apache (httpd), Webconfig and mail services, and close the firewall ports again if you opened them in the first step.

You can also change the certificate with the web server still running. Choose option 3 (webroot) instead, but then you need to know and specify the webroot of every domain the certificate covers (certbot's -w option, given before the -d domains it applies to).
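The whole procedure above (stop the web server, run certbot with the standalone authenticator, confirm the name change, restart the services) can be wrapped in one script. The following is an added example, not ClearOS or certbot code. It assumes a ClearOS 7 system where the web server is the httpd service and Webconfig is the webconfig service (adjust SERVICES and RESTART if yours differ), and it uses certbot's --standalone and --renew-with-new-domains flags to answer the two prompts without a terminal; confirm both exist in your installed version with certbot --help all. The domain list check guards the pitfall noted above: the certificate name has to be among the -d names.

```shell
#!/bin/sh
# Added wrapper for changing the domains on a certbot certificate (example
# code, not ClearOS or certbot). Assumed service names: httpd, webconfig.
#   usage: sh le-change.sh CERT_NAME DOMAIN [DOMAIN...]
#   e.g.   sh le-change.sh example.org example.org www.example.org
set -eu

SERVICES="${SERVICES:-httpd}"    # stopped while certbot itself uses port 80
RESTART="${RESTART:-webconfig}"  # restarted afterwards to load the new cert

# build_cmd CERT_NAME DOMAIN... : print the certbot command line, or fail
# when CERT_NAME is not in the list (the -d list REPLACES the certificate's
# names, so leaving the name out would drop it from the certificate).
build_cmd() {
    name="$1"; shift
    found=0
    for d in "$@"; do
        if [ "$d" = "$name" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then
        echo "refusing: certificate name '$name' is not in the domain list" >&2
        return 1
    fi
    args=""
    for d in "$@"; do args="$args -d $d"; done
    # --standalone answers the authenticator prompt (option 2);
    # --renew-with-new-domains answers "Did you intend to make this change?".
    echo "certbot certonly --non-interactive --standalone --cert-name $name --renew-with-new-domains$args"
}

# change_cert CERT_NAME DOMAIN... : stop the web server, run certbot, and
# bring the services back even if certbot fails.
change_cert() {
    cmd=$(build_cmd "$@") || exit 1
    for s in $SERVICES; do systemctl stop "$s"; done
    trap 'for s in $SERVICES; do systemctl start "$s"; done' EXIT
    $cmd
    for s in $RESTART; do systemctl restart "$s"; done
}

# Only act when called with arguments, so the file can also be sourced.
[ $# -eq 0 ] || change_cert "$@"
```

Run build_cmd first on its own to see the exact command the script will execute; the firewall still has to be opened for port 80 beforehand and closed afterwards, exactly as in the manual procedure.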
content/en_us/7_ug_lets_encrypt.txt · Last modified: 2021/11/17 08:56 by 62.30.63.90