Creating and using a free SSL certificate with Let's Encrypt


#1

emergence doesn’t currently support any of the automated certbot methods, but the kernel is well-positioned to automatically create SSL certificates for all sites at creation time in the future.

For now, certbot's hidden manual mode can be used.

  1. Install certbot on your local workstation
    • On Mac: brew install certbot
  2. The rest needs to be done as root: sudo su
  3. Begin manual certificate generation: sudo certbot certonly --manual
  4. Follow wizard prompts until it provides the file to upload and pauses
  5. Use emergence’s /develop interface or WebDAV protocol to create the requested public file path and paste in the provided contents
  6. Continue certificate generation
  7. Delete the verification file created in step 5
  8. Change to the indicated directory, e.g. cd /etc/letsencrypt/live/my.example.com/
  9. Follow steps 2, 4, and 6-8 of the general SSL certification guide
    • Use privkey.pem as your .key file
    • Use fullchain.pem as your .crt file

#2

@chris I got an error when trying to use the cert.pem file as my .key file but the privkey.pem worked.


#3

Minor update, emergence-kernel ships with scripts now to support automatic auth/renewal for the manual certbot process:

certbot certonly \
    --manual \
    --preferred-challenges=http \
    --manual-auth-hook emergence-certbot-auth \
    --manual-cleanup-hook emergence-certbot-cleanup \
    --agree-tos \
    --manual-public-ip-logging-ok \
    --non-interactive \
    --force-renewal \
    --domains "example.org,www.example.org,example.com,www.example.com" \
    --email "hello@example.org"

This will find the site under /emergence/sites for each domain and handle writing and cleaning up the .well-known/acme-challenge/* files. Certbot will remember these settings and automatically renew every 3 months if the system is set up for it (which it is by default with the Ubuntu certbot package).
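What the auth/cleanup hook pair above does for the HTTP-01 challenge (and what step 5 of post #1 does by hand) can be written out as a small POSIX shell script. This is an added example, not emergence-kernel's own emergence-certbot-auth / emergence-certbot-cleanup scripts: the webroot layout $SITES_ROOT/<domain>/site-root is an assumption made up for the example, whereas CERTBOT_DOMAIN, CERTBOT_TOKEN and CERTBOT_VALIDATION are the variables certbot really exports to a --manual-auth-hook and --manual-cleanup-hook. The token check matters because the hook writes a file whose name comes from the environment.

```shell
#!/bin/sh
# Added example (not emergence-kernel's real hooks): a minimal HTTP-01
# --manual-auth-hook / --manual-cleanup-hook pair for certbot.
# certbot exports CERTBOT_DOMAIN, CERTBOT_TOKEN and CERTBOT_VALIDATION; the
# ACME server then fetches http://<domain>/.well-known/acme-challenge/<token>
# and expects the response body to equal CERTBOT_VALIDATION.
set -eu

# Assumed layout (placeholder for the example, not emergence's actual one):
# the public files of a site live in $SITES_ROOT/<domain>/site-root.
SITES_ROOT="${SITES_ROOT:-/emergence/sites}"

webroot_for() {
    printf '%s/%s/site-root\n' "$SITES_ROOT" "$1"
}

# Accept only base64url characters. The token arrives via the environment, and
# a '/' or '..' in it would turn the write below into a path traversal outside
# the webroot, so anything else is rejected before touching the filesystem.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write the key-authorization file: $1 = webroot, $2 = token, $3 = validation.
write_challenge() {
    webroot="$1"; token="$2"; validation="$3"
    valid_token "$token" || return 1
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s' "$validation" > "$dir/$token" || return 1
    # The web server only needs read access; keep the file world-readable but
    # not writable regardless of the caller's umask.
    chmod 0644 "$dir/$token"
}

# Remove exactly the file written above, and the directory if it is now empty.
remove_challenge() {
    webroot="$1"; token="$2"
    valid_token "$token" || return 1
    rm -f "$webroot/.well-known/acme-challenge/$token"
    rmdir "$webroot/.well-known/acme-challenge" 2>/dev/null || true
}

# Dispatch when installed as a hook: pass "auth" or "cleanup" as the first
# argument (e.g. --manual-auth-hook "/path/to/hook.sh auth").
case "${1:-}" in
    auth)    write_challenge "$(webroot_for "$CERTBOT_DOMAIN")" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" ;;
    cleanup) remove_challenge "$(webroot_for "$CERTBOT_DOMAIN")" "$CERTBOT_TOKEN" ;;
esac
```

Because certbot runs the hook once per domain in --domains, webroot_for is what has to map each hostname to its site; on a real emergence host that lookup is the part to replace with the kernel's own site resolution. Cleanup removes only the file it wrote and never deletes a non-empty .well-known directory, so other content under that path is left alone.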


#4

To have certbot reload nginx after it renews certs (i.e. have the renewals actually go into effect):

Create /etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx:

#!/bin/bash -e

/usr/sbin/nginx -c /emergence/services/etc/nginx.conf -s reload

And chmod +x /etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx