Let's Encrypt SSL/TLS Certificates
Let's Encrypt is a free and open certificate authority that is run by the Internet Security Research Group (ISRG) and provides certificates to secure websites (HTTPS) and communications (SSL/TLS). It provides free 90-day certificates and allows automated certificate renewal through client software. By providing these key benefits, Let's Encrypt simplifies the use of SSL/TLS by removing many of the barriers that previously prevented its use.
For information about Let's Encrypt, visit About Let's Encrypt.
For information about using SSL/TLS certificates, see SSL/TLS Security Certificates.
(Support for Let's Encrypt was added in PxPlus 2019.)
Installation
The steps for the installation process are as follows:
1. Visit the Certbot website.
2. From the "I'm using" drop-down menu, select None of the above.
3. From the "on" drop-down menu, select your target operating system.
4. Follow the installation instructions provided on the website. This will likely be done using the operating system's package management software, such as apt-get or yum, by adding the software source for Certbot and then installing it. If this installation method is used, Certbot is run from the command line with the command certbot.
   If Certbot is not available from the package manager, it is installed by downloading it directly. The first time it is run, it will install all the dependencies and set up the environment:
       wget https://dl.eff.org/certbot-auto
   If this installation method was used, Certbot is run from the command line with /path/certbot-auto (where path is the path where it was downloaded). Treat references to certbot in the examples in the next steps as /path/to/certbot-auto.
Run Client to Obtain New Certificate
For the documentation on using the Certbot client to request certificates, visit Certbot Documentation. The instructions below explain how to use it with PxPlus EZWeb.
The first time you request a certificate, you must accept the Let's Encrypt Terms of Service, and you can optionally provide an e-mail address to which upcoming expiry notifications can be sent. This is done by including the following in the first command:
--agree-tos and
--email admin@example.com
To request a certificate, use one of the following two methods, --webroot or --standalone:
--webroot Method
If you have a Web server already running on port 80, use this method:
    certbot certonly --webroot --agree-tos --email admin@example.com -w /pxplus/lib/_plus/inomads -d example.com -d www.example.com

--standalone Method
If you do not have a Web server running on port 80, use this method:
    certbot certonly --standalone --agree-tos --email admin@example.com -d example.com -d www.example.com

The new certificate files can be found at:
/etc/letsencrypt/live/example.com/fullchain.pem
and
/etc/letsencrypt/live/example.com/privkey.pem
Where:
    example.com    The first domain you specified in your certbot certonly certificate request
Set Up Automatic Certificate Renewal
The steps for setting up automatic certificate renewal are as follows:
1. Test that the Certbot renew program can automatically renew your certificate:
       certbot renew --dry-run
2. If Certbot was installed via a package manager, it will have set up a cron/systemd/inittab job to automatically renew all certificates that Certbot generates once they are within 30 days of expiry.
   If Certbot was installed via the downloaded script, you will have to set up a cron/systemd/inittab job that runs twice a day to check for and renew any certificates that are within 30 days of expiry. The recommendation is that you run the job at a random minute within the hour to avoid everyone hitting the servers at the same time. The job should run the following command:
       certbot renew
   Example: This example of a cron job will run at noon and midnight every day:
       0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew
Run EZWeb Server Using Certificate
Run the EZWeb Server, pointing it at the live version of the Let's Encrypt certificate chain and private key for your domain:
/pxplus/pxplus "*ezweb/server" -arg 443 "/etc/letsencrypt/live/example.com/fullchain.pemprivkey=/etc/letsencrypt/live/example.com/privkey.pem"
Where:
    /pxplus/pxplus    Path to the PxPlus executable
    example.com       First domain you specified in your certbot certonly certificate request
EZWeb will automatically reload the certificate after automatic renewal so there is no need to manually restart EZWeb to avoid expired certificates. See EZWeb Automatic Security Certificate Reload.
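Because EZWeb reloads whatever is on disk after a renewal, it is worth confirming that the two files it is pointed at are sound. The following is an added example, not part of the PxPlus or Certbot documentation: a shell function (check_live_cert is a hypothetical name) that assumes the openssl command-line tool is installed and checks that privkey.pem is not group- or world-accessible, that the certificate is outside the 30-day renewal window, and that the key matches the certificate.

```shell
#!/bin/sh
# Added example: verify the certificate files EZWeb is pointed at.
# check_live_cert is a hypothetical helper name; requires the openssl CLI.

# Usage: check_live_cert LIVE_DIR [MIN_DAYS]
# Returns 0 if fullchain.pem and privkey.pem in LIVE_DIR are usable,
# non-zero (with a message on stderr) otherwise.
check_live_cert() {
    dir=$1
    min_days=${2:-30}          # the renewal window the page describes
    cert=$dir/fullchain.pem
    key=$dir/privkey.pem

    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done

    # The private key must not be accessible to group or other.
    # -L follows the symlinks Certbot keeps in live/.
    perms=$(ls -lL "$key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "$key is group/world accessible" >&2; return 3; }

    # -checkend exits non-zero if the first certificate in the file
    # (the leaf) expires within the given number of seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "$cert expires within $min_days days" >&2; return 4; }

    # The key and the leaf certificate must carry the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 5
    key_pub=$(openssl pkey -in "$key" -pubout) || return 5
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "key does not match certificate" >&2; return 5; }

    return 0
}

# Run against a directory only when one is given on the command line, e.g.
#   sh check_live_cert.sh /etc/letsencrypt/live/example.com
if [ "$#" -gt 0 ]; then
    check_live_cert "$@"
fi
```

Running it from the renewal job after certbot renew and alerting on a non-zero exit status surfaces a renewal that has stopped working before the certificate expires.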
Installation
The steps for the installation process are as follows:
1. Visit the Certify the Web website.
2. Download the latest stable Certify the Web Release from their website.
3. Run the downloaded installer and follow the on-screen instructions.
4. Register a new contact by providing an e-mail address to which upcoming expiry notifications can be sent and accepting the Let's Encrypt subscriber's agreement.
Request a New Certificate
For documentation on using the Certify the Web client to request certificates, visit the Certify the Web Documentation website. The instructions below explain how to use it with PxPlus EZWeb.
1. Click the New Certificate button in the upper left corner of the Certify screen.
2. Select Certificate Domains from the menu on the right. In the Add domains to certificate field, input the domains for which to get a certificate; e.g. example.com, www.example.com. Select the ADD DOMAINS button.
3. Select Authorization from the menu on the right. For the Challenge Type, select http-01. For the Website Root Directory field, select the path to the *plus/inomads directory. Important Note:
4. Select Deployment from the menu on the right. From the Deployment Mode drop-down menu, select No Deployment.
5. The Certify the Web client generates a new filename every time a certificate is renewed. To use with PxPlus EZWeb server, the filename must stay the same after it is renewed. To accomplish this, a Post-Request Script is required. Follow these steps:
   a) Select the Show Advanced Options check box on the right, just above the menu.
   b) Select Scripting from the menu on the right.
   c) For Post-Request PS Script, use the … button to select the path to the *ezweb\certifytheweb.ps1 script file.
6. Select the Test button to make sure that the certificate request will work and that there are no problems with the setup. If any problems are found, they must be addressed before proceeding to the next step.
7. Select the Request certificate button. The generated PFX certificate file can be found at:
       C:\ProgramData\Certify\certes\assets\pfx\example.com.pfx
   Where: example.com is the first domain you input in the Add domains to certificate field, followed by .pfx.
Set Up Automatic Certificate Renewal
Automatic renewal is set up when the Certify the Web client is installed. By default, every 30 days the client will renew any certificates it has generated that are within 30 days of expiry.
Run EZWeb Server Using Certificate
Run the EZWeb Server, pointing it at the PFX certificate generated by Certify the Web:
"C:\PVX Plus Technologies\PVX Plus\pxplus.exe" *ezweb\server -arg 443 "C:\ProgramData\Certify\certes\assets\pfx\example.com.pfx"
Where:
    "C:\PVX Plus Technologies\PVX Plus\pxplus.exe"    Your path to the PxPlus executable
    example.com.pfx                                   First domain you input in the Add domains to certificate field, followed by .pfx
EZWeb will automatically reload the certificate after automatic renewal so there is no need to manually restart EZWeb to avoid expired certificates. See EZWeb Automatic Security Certificate Reload.