Developers Documentation

×

Warning

301 error for file:https://clearos.com/dokuwiki2/lib/exe/css.php?t=dokuwiki&tseed=82873f9c9a1f5784b951644363f20ef8

User Tools

Site Tools


Let's Encrypt

Let's Encrypt is an open certificate authority that provides free SSL certificates. The app intelligently integrates the certificate lifecyle and management into Webconfig to be used by other apps - Webconfig, website hosting, Openfire etc.

Installation

From the Marketplace

Install from Webconfig (in the 'System' section).

Manually

yum install app-lets-encrypt

Create Certificates

System > Security > Let's Encrypt > Add

https://clearos.com/dokuwiki2/lib/exe/fetch.php?media=content:en_us:7_lets-encrypt-clearos-add-a-certificate_v2.png

The 'www' is not automatically added. For websites, you may want to add a certificate with and without the 'www'. For example: Primary Domain: example.org Other Domains: www.example.org

How It Works

To generate the SSL certificate, the Let's Encrypt system will connect back to your ClearOS system on port 80 in order to verify that you own all domains listed. For example, if you have specified example.com (primary) and www.example.com (other) when submitting a certificate request, the IP address of these two domains must point back to your ClearOS system. This is how Let's Encrypt verifies that you own those domain names.

This same process needs to be done during certificate renewals. These renewals are done automatically, but it also means port 80 access must be permanent if you require automatic renewals.

Potential Problems

Should you receive an error message, please read the instructions carefully. In particular, ensure that connections from the public Internet are able to connect to port 80 on your ClearOS system. Some tips:

  1. Check your router's port forwarding rules if your ClearOS system is behind another router.
  2. Check the DNS records for all the domains listed in the certificate request.

ClearOS will manage the local network and system during SSL certificate requests and renewals, so you don't have to worry about those details, notably:

  1. Enabling port 80 on the local ClearOS firewall
  2. Disabling port 80 port forward rules on the local ClearOS firewall
  3. Interference with the ClearOS web server or proxy server

When creating new certificates or automatically renewing them, ClearOS will temporarily stop the Web Server.

List Certificates

System > Security > Let's Encrypt

https://clearos.com/dokuwiki2/lib/exe/fetch.php?media=content:en_us:7_lets-encrypt-clearos-dashboard_v2.png

Assign a Certificate to a Website

Server > Web > Web Server > Add or Edit > Settings > Options > Digital Certificate

https://clearos.com/dokuwiki2/lib/exe/fetch.php?media=content:en_us:7_lets-encrypt-clearos-use-certificate-for-a-website.png

Replace the self-signed Certificate for Webconfig

System > General Settings > Settings > SSL Certificates > Edit > Pick the Let's Encrypt Certificate

https://clearos.com/dokuwiki2/lib/exe/fetch.php?media=content:en_us:7_lets-encrypt-clearos-use-certificate-for-a-admin-panel.png

If it doesn't take effect right away, just use another web browser.

Changing Certificates

It is possible to change certificates for example adding or removing a domain or subdomain from an existing certificate. This has to be done from the command line and is easiest done with the web server stopped (or you'll need to know the webroot of every domain). List your certificates with

certbot certificates

and note the certificate name. You can then change the domains on the certificate with something like:

certbot certonly --cert-name your_certificate_name -d your_certificate_name -d domain2 -d domain3 ....

Then follow the prompts. Any new domains in your list will be added and any domains on the certificate missing from your list will be removed.

You must specify your_certificate_name as one of your -d parameters or your your_certificate_name will not be covered by your certificate.

At the next prompt

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 

Select 2 and enter.

At the following prompt:

Did you intend to make this change?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(U)pdate cert/(C)ancel: 

choose U.

After changing your certificate, please restart any services associated with it e.g. apache (httpd), webconfig, mail services etc.

content/en_us/7_ug_lets_encrypt.txt · Last modified: 2019/04/10 05:33 by nickh

https://clearos.com/dokuwiki2/lib/exe/indexer.php?id=content%3Aen_us%3A7_ug_lets_encrypt&1728441679