Let's Encrypt
Let's Encrypt is an open certificate authority that provides free SSL certificates. The app integrates the certificate lifecycle and management into Webconfig so that the certificates can be used by other apps - Webconfig itself, website hosting, Openfire etc.
Installation
From the Marketplace
Install from Webconfig (in the 'System' section).
Manually
yum install app-lets-encrypt
Create Certificates
How It Works
To generate the SSL certificate, the Let's Encrypt system will connect back to your ClearOS system on port 80 in order to verify that you control all of the domains listed. For example, if you specified example.com (primary) and www.example.com (other) when submitting a certificate request, the DNS records of both domains must point at your ClearOS system's public IP address. This is how Let's Encrypt verifies that you own those domain names.
The same validation is repeated at every certificate renewal. Renewals are done automatically, but this means that port 80 must remain permanently reachable from the Internet if you require automatic renewals.
Potential Problems
Should you receive an error message, please read the instructions carefully. In particular, ensure that connections from the public Internet are able to connect to port 80 on your ClearOS system. Some tips:
- Check your router's port forwarding rules if your ClearOS system is behind another router.
- Check the DNS records for all the domains listed in the certificate request.
ClearOS manages the local network and system details during SSL certificate requests and renewals, so you don't have to worry about them, notably:
- Enabling port 80 on the local ClearOS firewall
- Disabling port 80 port forward rules on the local ClearOS firewall
- Avoiding interference with the ClearOS web server or proxy server
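The two tips above (DNS records and port 80 reachability) can be checked before a certificate request is submitted. The following is an added example, not part of the ClearOS app: it takes the domains you intend to put on the certificate plus your public IP address, confirms that every domain's A record points at that address, and probes TCP port 80 once. Run it from a host outside your own network, since a probe from inside the LAN does not prove that the public Internet can reach the port.

```python
"""Pre-flight check for a Let's Encrypt HTTP-01 certificate request.

Example code written for this page, not code from the ClearOS app.
Usage: python preflight.py <public_ip> <domain> [<domain> ...]
"""
import socket
import sys
from typing import Callable, Dict, List

PORT = 80  # Let's Encrypt HTTP-01 validation always connects on port 80


def resolve_all(domain: str) -> List[str]:
    """Return every IPv4 address the domain's A records point at (empty if none)."""
    try:
        infos = socket.getaddrinfo(domain, PORT, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def port_open(ip: str, port: int = PORT, timeout: float = 3.0) -> bool:
    """True if a TCP connection to ip:port succeeds within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(domains: List[str], public_ip: str,
              resolver: Callable[[str], List[str]] = resolve_all,
              probe: Callable[[str], bool] = port_open) -> Dict[str, List[str]]:
    """Return {domain: [problem, ...]}; an empty list means the domain passed.

    resolver and probe are parameters so the logic can be exercised offline."""
    port_ok = probe(public_ip)  # same host for every domain, so probe once
    report: Dict[str, List[str]] = {}
    for domain in domains:
        problems = []
        addrs = resolver(domain)
        if not addrs:
            problems.append("no A record: check the DNS records for this domain")
        elif public_ip not in addrs:
            problems.append(f"A record points at {', '.join(addrs)}, not {public_ip}: "
                            "fix DNS or remove the domain from the request")
        if not port_ok:
            problems.append(f"TCP port {PORT} not reachable on {public_ip}: "
                            "check the router's port forwarding rules")
        report[domain] = problems
    return report


if __name__ == "__main__":
    for name, probs in preflight(sys.argv[2:], sys.argv[1]).items():
        print(name, "OK" if not probs else "; ".join(probs))
```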
List Certificates
Assign a Certificate to a Website
Replace the self-signed Certificate for Webconfig
Changing Certificates
It is possible to change certificates, for example adding or removing a domain or subdomain from an existing certificate. This has to be done from the command line and is most easily done with the web server stopped (otherwise you will need to know the webroot of every domain). List your certificates with
certbot certificates
and note the certificate name. You can then change the domains on the certificate with something like:
certbot certonly --cert-name your_certificate_name -d your_certificate_name -d domain2 -d domain3 ....
Then follow the prompts. Any new domains in your list will be added and any domains on the certificate missing from your list will be removed.
At the next prompt:
How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel):
select 2 and press Enter.
At the following prompt:
Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel:
choose U.
After changing your certificate, restart any services associated with it, e.g. apache (httpd), webconfig, mail services, etc.