Feature Request: Support Let's Encrypt

[TheRealRichii]

Let's Encrypt program needs to read conf file or VHost setting to know what site you need certificates.
But Vesta's way can't let the Let's Encrypt program to find the site, especially the site's DNS records are not in Vesta system.

Why? Let's Encrypt can't read path, or you can't choose where config file are?

So I think Vesta needs to adjust some setting to support Let's Encrypt.
I am a Let's Encrypt tester but can't get a certificates by its program. So sad. :(

When this software will be in production, not in limited beta, then some tests make sense.. now it's just for fun only.

It's a manual process at the moment, but totally doable. I've got a couple of sites up that are managed via Vesta, and now using certificates from the Let's Encrypt production CA. No, the "automatically detect my server and install the certificates" thing doesn't work with Vesta, but a few minutes on the command line sorts it all out.

There are actually a couple of ways forward:

1. The ACME client is based on plugins (Apache is the default, nginx is under development), so they could be forked to support the Vesta configuration.

2. The client could be integrated directly into Vesta (which would be awesome!).

Let me know if you'd like my quick and dirty notes I took while setting up my initial tests.

[danimalweb]

Can you share how you installed the certificates? -- "few minutes on the command line"

I've just got my invite for the beta.

Thanks.

[TheRealRichii]

Can you share how you installed the certificates? -- "few minutes on the command line"

I've just got my invite for the beta.

Thanks.

No problem, I'll clean up my notes and post them.

[TheRealRichii]

For anyone interested, I've put some (very!) quick docs here: https://docs.google.com/document/d/1y5t ... sp=sharing.

[skurudo]

For anyone interested, I've put some (very!) quick docs here: https://docs.google.com/document/d/1y5t ... sp=sharing.

Nice docs! Thanks a lot.

[Jonas]

Anybody else got problems with exim after chaning the main vesta ssl?

Code: Select all

2015-12-16 12:17:37 TLS error on connection from *** [***] (SSL_CTX_use_certificate_chain_file file=/usr/local/vesta/ssl/certificate.crt): error:0200100D:system library:fopen:Permission denied

I tried to

Code: Select all

chown -h root:mail /usr/local/vesta/ssl/certificate.crt

&& set chmod to 644 but still the same error message! Any ideas?

Edit:

Code: Select all

[root@admin exim]# ls -la /usr/local/vesta/ssl/certificate.crt
lrwxrwxrwx 1 root mail 40 Dec 16 09:03 /usr/local/vesta/ssl/certificate.crt -> /etc/letsencrypt/live/***.com/cert.pem

[kodiak]

I've written an script that integrates the Let's Encrypt client with Vesta's command line tools to automate the request process for Vesta. You can clone it from GitHub at https://github.com/interbrite/letsencrypt-vesta. See the README file for installation instructions.

Once you've installed it, all you need to do is run

Code: Select all

letsencrypt-vesta USER DOMAIN

, where USER is a Vesta user account and DOMAIN is a domain hosted under that account. The script will look up the aliases associated with the domain and request a certificate for all of them, use webroot authentication to validate the domains, and then properly install the cert using the Vesta command line tools. The same command is used for new requests and renewals and it will work on any domain, whether or not SSL support has already been enabled on it.

[Neso]

I've written an script that integrates the Let's Encrypt client with Vesta's command line tools to automate the request process for Vesta. You can clone it from GitHub at https://github.com/interbrite/letsencrypt-vesta. See the README file for installation instructions.

Once you've installed it, all you need to do is run

Code: Select all

letsencrypt-vesta USER DOMAIN

, where USER is a Vesta user account and DOMAIN is a domain hosted under that account. The script will look up the aliases associated with the domain and request a certificate for all of them, use webroot authentication to validate the domains, and then properly install the cert using the Vesta command line tools. The same command is used for new requests and renewals and it will work on any domain, whether or not SSL support has already been enabled on it.

Very cool!
Does it also work with Apache+Nginx setup? Or Nginx+PHP-FPM?
Cheers!

[kodiak]

Very cool!
Does it also work with Apache+Nginx setup? Or Nginx+PHP-FPM?
Cheers!

It should work with anything that Vesta supports. It uses Vesta's command line tools to do the cert installs, so as long as the Vesta tools stay in line with how you can configure things in the web panel, the script should always work. Provided you're using both servers, Vesta installs the cert in both Apache and Nginx.

[LouisUK]

For anyone interested, I've put some (very!) quick docs here: https://docs.google.com/document/d/1y5t ... sp=sharing.

Thank you! Good guide - just to add you will need to swap out admin for any web accounts you made under a different user.