Let’s Encrypt

With the release of v3.4.0, EasyEngine now comes with built-in support for Let’s Encrypt.

Let’s assume the domain already points to the server’s IP address. If not, please point the domain to the server before proceeding. Also confirm that both the www and non-www names point to the server.

Let’s create a WordPress site with SSL enabled.

ee site create example.com --wp --letsencrypt

That’s it.

This will create a default WordPress site with an SSL configuration provided by Let’s Encrypt.

What if you already have a site?

If the site was created with EasyEngine, let’s secure it with HTTPS now.

Just run

ee site update example.com --letsencrypt

Type ‘y’ when prompted to continue.

Letsencrypt is currently in beta phase.
Do you wish to enable SSl now for in?
Type "y" to continue [n]:y
Downloading LetsEncrypt          [Done]
Let's Encrypt successfully setup for your site
Your certificate and chain have been saved at /etc/letsencrypt/live/example.com/fullchain.pem
Configuring Nginx SSL configuration
Adding /var/www/example.com/conf/nginx/ssl.conf
Adding /etc/nginx/conf.d/force-ssl-example.com.conf
Added HTTPS Force Redirection for Site  http://example.com
Creating Cron Job for cert auto-renewal
Reload : nginx     [OK]
Congratulations! Successfully Configured SSl for Site  https://example.com
Your cert will expire within 89 days.

Don’t want the extra security? You can disable HTTPS with:

ee site update example.com --letsencrypt=off

Please note that disabling HTTPS does not revoke your SSL certificate from Let’s Encrypt.

Currently, SSL certificates provided by Let’s Encrypt come with a maximum lifetime of 90 days. After 90 days the certificate must be renewed.

Manually renewing every 90 days is burdensome, so EasyEngine provides an automated way to renew Let’s Encrypt certificates 30 days before expiry, using Linux cron.

~# crontab -l

For every site with HTTPS enabled, a similar cron entry is set for the root user.

0 12 * * * ee site update --le=renew --all 2> /dev/null # Renew letsencrypt SSL cert. Set by EasyEngine

 

Don’t want the cron job? You can comment out the cron entry above and run the manual renewal command every 90 days:

ee site update example.com --letsencrypt=renew

Linux commands sometimes fail, so we provide a mail notification for every renewal attempt, successful or unsuccessful. The email is sent to the address provided in the .gitconfig file.

Sample mail for unsuccessful attempt of certificate renewal:

Hey Hi,

SSL Certificate renewal for https://example.com was unsuccessful.
Please check easyengine log for reason. Your SSL Expiry date : Sun Mar 30 16:53:00 IST 2016

For support visit https://easyengine.io/support/ .


Your's faithfully,
EasyEngine

Sample mail for successful attempt of certificate renewal:

Hey Hi,

Your SSL Certificate has been renewed for https://example.com .
Your SSL will Expire on : Sun Mar 20 16:53:00 IST 2016


Your's faithfully,
EasyEngine

You can also check a site’s SSL status and expiry date with:

~# ee site info example.com
Information about example.com:

Nginx configuration     wp wpredis (enabled)

. . .

SSL                      enabled
SSL PROVIDER             Lets Encrypt
SSL EXPIRY DATE          Wed Mar 30 11:25:00 IST 2016

. . .
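
The cron entry above sends stderr to /dev/null and the status mail depends on the address in .gitconfig, so a failed renewal can go unnoticed. The following added example (not part of EasyEngine; the function names cert_status and check_all and the exit-code convention are this example's own) reads the expiry straight from the certificate files under /etc/letsencrypt/live, the path shown in the output above, and flags any site that is already inside the 30-day renewal window.

```sh
#!/bin/sh
# Added example (not EasyEngine code): independent expiry check for the
# certificates that the EasyEngine cron job is supposed to renew.
# Assumes openssl is installed and the script runs as root, because
# /etc/letsencrypt/live is normally readable by root only.

RENEW_WINDOW_DAYS=30   # EasyEngine renews 30 days before expiry (per this page)

# cert_status CERT [WINDOW_DAYS] prints one of:
#   ok          more than WINDOW_DAYS of validity left
#   overdue     inside the renewal window, so a renewal run has been missed
#   expired     notAfter is already in the past
#   unreadable  file missing, not readable, or not a PEM certificate
# For fullchain.pem, openssl reads the first certificate (the site's own).
cert_status() {
    cert=$1
    window=${2:-$RENEW_WINDOW_DAYS}
    if [ ! -r "$cert" ] || ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
        echo unreadable
    elif ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -noout -checkend $((window * 86400)) -in "$cert" >/dev/null 2>&1; then
        echo overdue
    else
        echo ok
    fi
}

# check_all [LIVE_DIR] prints "site state notAfter=..." for every site and
# returns 1 if any certificate is not "ok", so it can drive an alert.
check_all() {
    live_dir=${1:-/etc/letsencrypt/live}
    rc=0
    for cert in "$live_dir"/*/fullchain.pem; do
        # Skip the unmatched glob, but still report a dangling symlink.
        [ -e "$cert" ] || [ -L "$cert" ] || continue
        site=$(basename "$(dirname "$cert")")
        state=$(cert_status "$cert")
        echo "$site $state $(openssl x509 -noout -enddate -in "$cert" 2>/dev/null)"
        [ "$state" = ok ] || rc=1
    done
    return $rc
}

# Run against the real directory only where it exists.
if [ -d /etc/letsencrypt/live ]; then
    check_all
fi
```

Run it as root from a separate cron job or a monitoring agent; a non-zero exit status means at least one site needs attention.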

Alias command:

--le=on/off/renew

If you are facing a locale issue with Let’s Encrypt, you can run these commands as the root user:

locale-gen en_US en_US.UTF-8
dpkg-reconfigure locales

Then add the following to your /etc/profile:

export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"

To load the above settings into the current shell environment, run:

source /etc/profile

Important Notes:

  1. Let’s Encrypt will not work with Cloudflare enabled.

  2. Please point both www.example.com and example.com to the server before requesting an SSL cert.