John's Blog: Let's Encrypt Certificates

June 23, 2017

This article currently applies to Mac servers only. We are in the process of researching and documenting the procedure for Windows servers.

Let's Encrypt is a free, automated and open Certificate Authority. Through Let's Encrypt, you can obtain a trusted SSL certificate at no charge. Rumpus is compatible with Let's Encrypt certificates, so let's take a look at how to go about enabling HTTPS using this free service.

Important Note: The process of obtaining and installing Let's Encrypt certificates relies on the use of third-party software. Maxum makes no claim about the usability of these applications, and can't provide detailed support for them. See the respective Web sites for licensing restrictions, documentation, support, and other usage details.

For an overview on getting started with Let's Encrypt in general, visit their Web site:

https://letsencrypt.org/getting-started/

Software Installation

Let's Encrypt certificates are obtained using a free utility called Certbot, which is itself installed using the package management utility Homebrew.

https://brew.sh

Go to the Homebrew Web site, then open Terminal on the server. Copy and paste the installation command from the Homebrew home page into Terminal to install. There are a couple of prompts to complete, including supplying your system administration password.

With Homebrew successfully installed, the next step is to install Certbot, which you can do by copying and pasting this command into Terminal:

brew install certbot

Enable "Well-Known" Support In Rumpus

Certbot will use a special file, served by your Rumpus Web service, to confirm your domain name and server access. This file is saved in the "well-known" folder automatically by Certbot, but you need to enable "well-known" support in Rumpus.

In Rumpus, choose "Open Config Folder" from the "File" menu. In the config folder, create a folder named exactly "well-known". In Rumpus, click "Stop Server" and "Start Server" so that Rumpus detects the folder, which enables well-known support.

Obtain Your Certificate

You're ready to use Certbot. Still in Terminal, enter this command:

sudo certbot certonly

Certbot will ask you a few questions, the first of which is "How would you like to authenticate with the ACME CA?" The answer to this question is "Place files in webroot directory".

You will also be asked for the server's domain name, and possibly one or two other pieces of information about your server.

When asked for the webroot for your server, enter the following path to the Rumpus config folder, exactly:

/usr/local/Rumpus/

Certbot will process for a few moments, displaying various messages about how it is proceeding, and finally, you should receive a "Congratulations!" message telling you where your certificate and key files are stored.

Make Sure The Cert and Key Files Are Readable

Certbot will likely lock the certificate and key files, so you'll probably need to make them readable.

In the Finder, from the "Go" menu, choose "Go To Folder..." and open the normally hidden folder "/etc".

Next, move down into the "letsencrypt" folder.

Use the Finder's "Get Info" window to make sure that the "live" and "archive" folders, and the contents of those folders, are readable. (For example, select the "live" folder and choose "Get Info" from the "File" menu, then click the lock icon to edit Sharing & Permissions and set the folder so that "Everyone" has at least "Read" access.)
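The permission change above decides which accounts on the server can read the private key, so it is worth reviewing the result from Terminal. The script below is an added example, not part of the original article or of Certbot or Rumpus; its function names are hypothetical. It lists every private key under "/etc/letsencrypt" that all local accounts can reach.

```shell
#!/bin/sh
# Added example, not from the article. /etc/letsencrypt is the article's
# location; the function names are hypothetical.

# True if "other" (Finder's "Everyone") has permission bits $2 on path $1.
other_has() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# Print each private key under DIR/archive that every local account can
# reach: the file is other-readable AND each folder from the file up to
# DIR is other-searchable. "live" holds symlinks into "archive", so the
# real files are checked there.
exposed_keys() {
    root=${1%/}
    find "$root/archive" -type f -name 'privkey*.pem' -perm -004 2>/dev/null |
    sort |
    while IFS= read -r key; do
        p=$(dirname "$key")
        reachable=yes
        while :; do
            other_has "$p" 001 || { reachable=no; break; }
            case "$p" in "$root"|/|.) break ;; esac
            p=$(dirname "$p")
        done
        if [ "$reachable" = yes ]; then printf '%s\n' "$key"; fi
    done
}

# Report for DIR (default: the article's /etc/letsencrypt).
report_exposure() {
    dir=${1:-/etc/letsencrypt}
    keys=$(exposed_keys "$dir")
    if [ -n "$keys" ]; then
        printf 'Private keys readable by every local account:\n%s\n' "$keys"
        return 1
    fi
    printf 'No private key under %s is readable by every account.\n' "$dir"
}

report_exposure "$@" || true
```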

Install The Certificate and Key Files

In Rumpus, open the Network Settings window and flip to the "Secure Services" tab, then click the "View/Load Certificate" button to open the cert/key selection sheet.

Click "Load Certificate" to open the file selection sheet. Certbot probably put the files in the folder "/etc/letsencrypt/live/". The "etc" folder is invisible in OS X, by default, so to select the file, move up to the top level of your hard drive and then press "Command-Shift-." (hold down the command and shift keys, and type a period) to reveal invisible files and folders. Now you can move down into the "etc" folder, then the "letsencrypt" folder, then "live" and then the folder named with your domain name. The certificate file you want is "fullchain.pem".

Now click "Load Private Key" and follow the same selection process, selecting the "privkey.pem" file as the private key.

Back on the Rumpus certificate/key sheet, click "Save Changes", then "Done" and restart the service to load your new certificate and key.

Questions? Suggestions?

While Let's Encrypt, Certbot, and other tools described here aren't under my control and I can't promise to provide detailed support for them, I would like to make this article as helpful as possible. If you get stuck, have questions, or have suggestions on how I can improve the instructions above, please let me know. As always, I can be reached at support@maxum.com.

© Copyright 2017, Maxum Development Corp.