Let's Encrypt is an open certificate authority that provides free SSL certificates. The app integrates certificate lifecycle management into Webconfig so that the certificates can be used by other apps: Webconfig, website hosting, Openfire, etc.
Install from Webconfig (in the 'System' section).
yum install app-lets-encrypt
This is where you want any e-mails from Let's Encrypt to go, e.g. in case the certificates are expiring.
The first domain you want the certificate to cover. It can be a subdomain such as www.example.com and/or example.poweredbyclear.com.
Any additional domains and sub-domains you want the certificate to cover.
To generate the SSL certificate, the Let's Encrypt system will connect back to your ClearOS system on port 80 in order to verify that you own all domains listed. For example, if you have specified example.com (primary) and www.example.com (other) when submitting a certificate request, the IP address of these two domains must point back to your ClearOS system. This is how Let's Encrypt verifies that you own those domain names.
This same process needs to be done during certificate renewals. These renewals are done automatically, but it also means port 80 access must be permanent if you require automatic renewals.
Should you receive an error message, please read the instructions carefully. In particular, ensure that connections from the public Internet are able to connect to port 80 on your ClearOS system. Some tips:
ClearOS will manage the local network and system during SSL certificate requests and renewals, so you don't have to worry about those details, notably:
Server > Web > Web Server > Add or Edit > Settings > Options > Digital Certificate
System > General Settings > Settings > SSL Certificates > Edit > Pick the Let's Encrypt Certificate
It is possible to change certificates, for example by adding or removing a domain or subdomain from an existing certificate. This has to be done from the command line and is easiest done with the web server stopped (otherwise you'll need to know the webroot of every domain).
Make sure you have the incoming http and https ports open in the firewall.
List your certificates with:
certbot certificates
and note the certificate name. You can then change the domains on the certificate with something like:
certbot certonly --cert-name your_certificate_name -d your_certificate_name -d domain2 -d domain3 ....
Then follow the prompts. Any new domains in your list will be added and any domains on the certificate missing from your list will be removed.
At the next prompt
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel):
Select 2 and enter.
At the following prompt:
Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel:
choose U.
After changing your certificate, please restart any services associated with it, e.g. apache (httpd), webconfig, mail services, etc., and close the firewall again if you opened it in the first step.
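Because the -d list replaces the certificate's domain set, it helps to preview the change before running certbot certonly. The following is an added example, not ClearOS or certbot code: the function names cert_domains and domain_diff are hypothetical, and the sample listing is constructed to resemble certbot certificates output.

```shell
#!/bin/sh
# Added example (not ClearOS or certbot code): preview which domains a
# `certbot certonly --cert-name NAME -d ...` run would add or remove.

# Constructed sample of `certbot certificates` output, for an offline run.
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com mail.example.com
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 60 days)
  Certificate Name: example.poweredbyclear.com
    Domains: example.poweredbyclear.com
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 60 days)'

# cert_domains NAME: read `certbot certificates` output on stdin and print
# the domains currently on certificate NAME, one per line, sorted.
cert_domains() {
    awk -v name="$1" '
        /Certificate Name:/ { current = $3 }
        /Domains:/ && current == name { for (i = 2; i <= NF; i++) print $i }
    ' | LC_ALL=C sort -u
}

# domain_diff NAME DOMAIN...: compare the -d list you intend to pass with
# what is on the certificate now. Prints "ADD x" / "REMOVE x" lines.
domain_diff() {
    [ "$#" -ge 2 ] || { echo "usage: domain_diff NAME DOMAIN..." >&2; return 2; }
    name="$1"; shift
    have="$(cert_domains "$name")"
    [ -n "$have" ] || { echo "no certificate named $name" >&2; return 1; }
    want="$(printf '%s\n' "$@" | LC_ALL=C sort -u)"
    for d in $want; do
        printf '%s\n' "$have" | grep -qFx -- "$d" || echo "ADD $d"
    done
    for d in $have; do
        printf '%s\n' "$want" | grep -qFx -- "$d" || echo "REMOVE $d"
    done
}

# Offline demo on the constructed sample. On a live system, pipe the real
# listing instead: certbot certificates | domain_diff NAME DOMAIN...
printf '%s\n' "$SAMPLE_OUTPUT" |
    domain_diff example.com example.com www.example.com shop.example.com
```

Any REMOVE line is a domain that will no longer be covered after the update, so services still using that name will start failing certificate validation.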