@mortenege
Created March 4, 2018 06:36
SSL with Let's Encrypt, Vesta and Wordpress

It's time to join the new era of safe internetting. This post describes how an SSL certificate is acquired, installed and enabled for a server running VestaCP and Wordpress using the free Certificate Authority (CA) Let's Encrypt. The internet and software are ever changing, and following one tutorial never suffices for a working solution. This post is my experience following this tutorial using this script. Also this forum post has helped.

Prerequisites: This post assumes that you have a webserver with root access and own a domain name. Also that vestacp is set up to host at least one site on your domain. There is plenty of information about vestacp online and it will therefore not be included here.

Step 1

Log in to your server and acquire root access (sudo su) or prepend sudo to every following command.

Step 2

We will be using an automated script specifically for vestacp, and CertBot to acquire the certificates. We start by cloning these repositories.

$ cd /usr/local
$ git clone https://github.com/certbot/certbot.git
$ git clone https://github.com/interbrite/letsencrypt-vesta.git

Step 3

We create a "webroot" directory to store all of our letsencrypt information and certificates.

$ mkdir -p /etc/letsencrypt/webroot

Step 4

We create symlinks to certbot and letsencrypt-vesta.

$ ln -s /usr/local/certbot/certbot-auto /usr/local/bin/certbot-auto
$ ln -s /usr/local/letsencrypt-vesta/letsencrypt-vesta /usr/local/bin/letsencrypt-vesta

Step 5

Link apache configuration files to our letsencrypt configuration files.

$ ln -s /usr/local/letsencrypt-vesta/letsencrypt.conf /etc/apache2/conf.d/letsencrypt.conf

Step 6

Time to install the certificate(s). This assumes you own the domain mydomain.com and that you have an email address [email protected] attached. It also assumes that your vesta-user is admin and that the domains mydomain.com and subdomain.mydomain.com are created with the vestacp-user admin. If in doubt, check your vestacp-user and check the directory /home//web for these domains.

Note: The -a parameter assumes the at utility is installed on the system.

$ letsencrypt-vesta -a 60 -m [email protected] -u admin mydomain.com subdomain.mydomain.com

Error: Depending on your version of vestacp and/or your version of letsencrypt-vesta, this script might fail with the following error:

[...]
Error: SSL=no doesn't exist
[...]

In this case, someone else on the internet has already come across this problem and solved it. Edit /usr/local/letsencrypt-vesta/letsencrypt-vesta accordingly:

[...]
HAS_CERT=`$VESTA_PATH/bin/v-list-web-domain-ssl $USER $DOMAIN`
if [[ $HAS_CERT == '' ]]
[...]

and then run Step 6 again. Now mydomain.com can be accessed with https://mydomain.com.

Step 7

(Wordpress specific) To ensure that all traffic is routed to https we can install one of multiple wordpress plugins, in this case Really Simple SSL.

Step 8

Use one of many online services to verify your certificate.

Step 9 (optional)

Switch out Vesta's self-signed certificate with the new letsencrypt certificate to use for the vesta control panel. Warning: Make sure to back up the self-signed certificate.

$ ln -s /etc/letsencrypt/live/mydomain.com/cert.pem /usr/local/vesta/ssl/certificate.crt
$ ln -s /etc/letsencrypt/live/mydomain.com/privkey.pem /usr/local/vesta/ssl/certificate.key
$ service vesta restart
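
The ln -s commands above stop with "File exists" while a regular file is still present at the destination, and the backup from the warning is not shown. The following is an added example, not part of the original post or of letsencrypt-vesta: the function names, the backup suffix and the parameterised directories are assumptions made here so the swap can be tried on a scratch directory first.

```bash
# Added example (not from the original post): back up the panel's self-signed
# files, then link the Let's Encrypt files in their place.
# Function names and the ".selfsigned.<timestamp>" suffix are assumptions.
#
# Usage on the server from this post (as root):
#   swap_panel_cert /etc/letsencrypt/live/mydomain.com /usr/local/vesta/ssl \
#     && panel_cert_ok /usr/local/vesta/ssl && service vesta restart

swap_panel_cert() {
    local live_dir="$1" ssl_dir="$2" stamp pair src dst name
    stamp=$(date +%Y%m%d%H%M%S)

    # Touch nothing unless both source files exist and are non-empty.
    for name in cert.pem privkey.pem; do
        if [ ! -s "$live_dir/$name" ]; then
            echo "missing or empty: $live_dir/$name" >&2
            return 1
        fi
    done

    # Map each Let's Encrypt file to the file name the panel expects.
    for pair in cert.pem:certificate.crt privkey.pem:certificate.key; do
        src="$live_dir/${pair%%:*}"
        dst="$ssl_dir/${pair##*:}"
        # A regular file is the self-signed original: keep it as a backup.
        # An existing symlink is from an earlier run and is simply replaced.
        if [ -e "$dst" ] && [ ! -L "$dst" ]; then
            mv -- "$dst" "$dst.selfsigned.$stamp" || return 1
        fi
        ln -sfn -- "$src" "$dst" || return 1
    done
}

# Returns 0 only if both panel files are symlinks that resolve to non-empty
# files; a dangling link (for example after the live directory was removed)
# fails the check.
panel_cert_ok() {
    local ssl_dir="$1" f
    for f in certificate.crt certificate.key; do
        if [ ! -L "$ssl_dir/$f" ] || [ ! -s "$ssl_dir/$f" ]; then
            return 1
        fi
    done
    return 0
}
```

To roll back, move the .selfsigned backup files over the two symlinks and restart vesta.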

Conclusion

We have now successfully configured a secure connection to our server for all connections coming through Apache and also when using the control panel (given the optional step 9 was followed). SSL certificates are FREE from Let's Encrypt so there is no reason NOT to get one.
