
@pkfrom
Created March 1, 2016 04:29

Using Let’s Encrypt (public beta) with Vesta Control Panel

Install the Let’s Encrypt ACME Client

Follow the instructions at https://letsencrypt.readthedocs.org. Assuming you installed as root, the client will now be located at /root/letsencrypt.

Request a Certificate

By default:

  • Check which ACME server the client targets: the client can be pointed at Let’s Encrypt’s test (staging) infrastructure, whose certificates are not trusted by browsers, and earlier beta builds did so by default; the --server option selects the endpoint explicitly;
  • The client uses its standalone authenticator, which starts a temporary web server on port 80/443 to answer the domain validation challenge; this conflicts with the web server(s) already listening on those ports;
  • The "auto install" feature tries to detect a standard Apache installation, which fails when confronted with the Vesta configuration.

These issues can be addressed by command line options to modify the client behaviour.

Assuming that the web server content is located at /home/admin/web/<domain>/public_html (the webroot plugin writes the challenge response under <webroot>/.well-known/acme-challenge/, so that path must be reachable over plain HTTP), from the directory /root/letsencrypt, run the command:

./letsencrypt-auto certonly -a webroot --renew-by-default --webroot-path /home/admin/web/<domain>/public_html -d <domain>

If successful, the certificate files will be located in /etc/letsencrypt/live/<domain>:

  • cert.pem Server certificate
  • chain.pem Certificate chain (excluding the server certificate)
  • fullchain.pem Server certificate and certificate chain
  • privkey.pem Private key

This same command can be used to renew an existing certificate. Remember that Let’s Encrypt issues certificates with a 90 day validity period.

Configure the Web Site

Log in to the control panel, and edit the site that will be enabled for SSL. Tick the "SSL Support" box. Copy the text from the certificate files into the text boxes:

  • /etc/letsencrypt/live/<domain>/cert.pem into "SSL Certificate"
  • /etc/letsencrypt/live/<domain>/privkey.pem into "SSL Key"
  • /etc/letsencrypt/live/<domain>/chain.pem into "SSL Certificate Authority"

Note that as long as Vesta can parse the certificate and key, it doesn’t matter exactly what is entered here: the files Vesta writes from these boxes are replaced with symbolic links to the Let’s Encrypt files in the next step.

Save the changes. If the correct contents have been pasted in, https://<domain> should load without errors or warnings.

Link the Certificate Files

Vesta stores the certificates in /home/admin/conf/web:

  • ssl.<domain>.pem Full certificate chain and certificate
  • ssl.<domain>.key Private key
  • ssl.<domain>.crt Certificate
  • ssl.<domain>.ca Certificate chain

Delete the existing files:

rm /home/admin/conf/web/ssl.<domain>.*

Link the actual certificates to the locations Vesta expects. The files under /etc/letsencrypt/live/<domain> are themselves symbolic links that the client repoints to the newest version on every renewal, so these links stay valid after a renewal:

ln -s /etc/letsencrypt/live/<domain>/fullchain.pem /home/admin/conf/web/ssl.<domain>.pem
ln -s /etc/letsencrypt/live/<domain>/privkey.pem /home/admin/conf/web/ssl.<domain>.key
ln -s /etc/letsencrypt/live/<domain>/cert.pem /home/admin/conf/web/ssl.<domain>.crt
ln -s /etc/letsencrypt/live/<domain>/chain.pem /home/admin/conf/web/ssl.<domain>.ca

Restart the web services:

service nginx restart
service apache2 restart

Load https://<domain> and ensure it loads as a secure site with no errors. If you later save the site’s SSL settings from the panel again, check that the links are still in place, since Vesta rewrites these files from the form contents.

Remember that the certificates will need to be renewed within 90 days. This could be done via a cron job that runs the request command above for each domain (and then restarts the web services) once per month; the symbolic links do not need to be recreated, because the live directory is updated in place.

Vesta Interface Certificates

The self-signed SSL certificates for the actual Vesta UI are located in /usr/local/vesta/ssl:

  • certificate.crt
  • certificate.key

These can be replaced with certificates issued by Let’s Encrypt. The panel is served by Vesta’s own nginx instance, which expects the intermediate chain in the certificate file, so link fullchain.pem rather than cert.pem (and note that the key file is named privkey.pem). <domain> must be the hostname you use to reach the panel, or browsers will still warn about a name mismatch:

mv /usr/local/vesta/ssl/certificate.crt /usr/local/vesta/ssl/certificate.crt.orig
mv /usr/local/vesta/ssl/certificate.key /usr/local/vesta/ssl/certificate.key.orig
ln -s /etc/letsencrypt/live/<domain>/privkey.pem /usr/local/vesta/ssl/certificate.key
ln -s /etc/letsencrypt/live/<domain>/fullchain.pem /usr/local/vesta/ssl/certificate.crt

Restart the Vesta services:

service vesta restart

The UI will now use the trusted certificates.
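Putting the renewal and linking steps above together (the monthly cron job suggested in "Link the Certificate Files" and the panel relinking in "Vesta Interface Certificates"), here is a shell script that a cron job can run. It is an added example, not code from the original gist or from Vesta. It re-issues a domain's certificate with the same webroot command as in the text only when fewer than a set number of days remain, relinks the site files in /home/admin/conf/web and, when the domain is the one the panel is reached on, the Vesta UI files in /usr/local/vesta/ssl, then restarts the services. The environment variable names, the 30-day threshold, and the helper function names are assumptions.

```shell
#!/bin/sh
# Monthly renewal job for a Vesta host using the Let's Encrypt client.
# Added example, not code from the original gist or from Vesta. Paths, the
# 30-day threshold and the function names are assumptions; override them
# through the environment variables below.

LE_DIR="${LE_DIR:-/root/letsencrypt}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
VESTA_CONF="${VESTA_CONF:-/home/admin/conf/web}"
WEBROOT_BASE="${WEBROOT_BASE:-/home/admin/web}"
VESTA_SSL="${VESTA_SSL:-/usr/local/vesta/ssl}"
RENEW_BEFORE_DAYS="${RENEW_BEFORE_DAYS:-30}"

# needs_renewal CERT DAYS
# Returns 0 when CERT is missing or expires within DAYS days, 1 when it is
# still good. openssl's -checkend takes seconds and succeeds only if the
# certificate will NOT expire inside that window.
needs_renewal() {
    cert="$1"; days="$2"
    [ -r "$cert" ] || return 0
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# link_site_certs DOMAIN LIVE CONF
# Replace Vesta's copies of the site certificate with symlinks into LIVE.
# LIVE/<domain>/* are themselves symlinks to the newest archived version,
# so these links survive renewals.
link_site_certs() {
    domain="$1"; live="$2"; conf="$3"
    rm -f "$conf/ssl.$domain.pem" "$conf/ssl.$domain.key" \
          "$conf/ssl.$domain.crt" "$conf/ssl.$domain.ca"
    ln -s "$live/$domain/fullchain.pem" "$conf/ssl.$domain.pem"
    ln -s "$live/$domain/privkey.pem"   "$conf/ssl.$domain.key"
    ln -s "$live/$domain/cert.pem"      "$conf/ssl.$domain.crt"
    ln -s "$live/$domain/chain.pem"     "$conf/ssl.$domain.ca"
}

# link_vesta_ui DOMAIN LIVE SSLDIR
# Point the panel's own nginx at the same certificate. That nginx needs the
# intermediate chain inside the certificate file, hence fullchain.pem. The
# self-signed originals are moved aside once; existing links are just replaced.
link_vesta_ui() {
    domain="$1"; live="$2"; ssldir="$3"
    for f in certificate.crt certificate.key; do
        if [ -e "$ssldir/$f" ] && [ ! -L "$ssldir/$f" ]; then
            mv "$ssldir/$f" "$ssldir/$f.orig"
        fi
        rm -f "$ssldir/$f"
    done
    ln -s "$live/$domain/privkey.pem"   "$ssldir/certificate.key"
    ln -s "$live/$domain/fullchain.pem" "$ssldir/certificate.crt"
}

# renew_domain DOMAIN
# Re-issue via the webroot plugin (the command from the text) when the current
# certificate is close to expiry. Returns 0 renewed, 1 failed, 2 nothing to do.
renew_domain() {
    domain="$1"
    needs_renewal "$LIVE_DIR/$domain/cert.pem" "$RENEW_BEFORE_DAYS" || return 2
    "$LE_DIR/letsencrypt-auto" certonly -a webroot --renew-by-default \
        --webroot-path "$WEBROOT_BASE/$domain/public_html" -d "$domain" \
        || return 1
    link_site_certs "$domain" "$LIVE_DIR" "$VESTA_CONF"
}

# main DOMAIN...
# Renew each domain and restart the web services only if something changed.
# The panel is relinked and restarted when VESTA_UI_DOMAIN names one of them.
main() {
    changed=0
    for domain in "$@"; do
        renew_domain "$domain"; rc=$?
        if [ "$rc" -eq 0 ]; then
            changed=1
            if [ "$domain" = "${VESTA_UI_DOMAIN:-}" ]; then
                link_vesta_ui "$domain" "$LIVE_DIR" "$VESTA_SSL"
                service vesta restart
            fi
        elif [ "$rc" -eq 1 ]; then
            echo "renewal failed for $domain" >&2
        fi
    done
    if [ "$changed" -eq 1 ]; then
        service nginx restart
        service apache2 restart
    fi
}

# Run only when domains are given on the command line, e.g. from root's crontab:
#   0 3 1 * * VESTA_UI_DOMAIN=panel.example.org /root/le-renew.sh panel.example.org www.example.org
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as root, since it reads /etc/letsencrypt and restarts services. Because the expiry check uses openssl x509 -checkend, the job can safely run more often than monthly: it only contacts Let's Encrypt and restarts services when a certificate is actually due.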
