Easy WordPress walkthrough for Let'sEncrypt

William Johnston edited this page Jun 13, 2018 · 5 revisions

This applies to v2 and no longer works with v3

Thanks to @ElectricFeet for contributing this guide!

This guide has been updated for version 2.1 of this utility. Version 2.1 uses the WebFaction API to create certificates; no longer sends emails to WebFaction Support; and allows you to generate one certificate for several domain/app combinations (which is probably the simplest, yet most comprehensive, use-case).

If this is the first time you are using the utility, install it using the instructions below; if you installed the utility prior to version 2.1, please upgrade to the latest version before following these instructions.

Scope of this guide

This is a step-by-step guide for:

  • installing a Let's Encrypt certificate ...
  • ... using LetsEncrypt WebFaction ...
  • ... for simple WebFaction WordPress sites ...
  • ... using a Mac.

This guide is written with (relative) newbies in mind. If you managed to set up a WordPress website with WebFaction, you should be able to complete these steps.

0. Before you start

IMPORTANT: Read the LetsEncrypt WebFaction readme before starting these steps. Don't worry if you don't understand it all; it will become clearer as you go through these steps.

You will need to know, or have, the following:

  • Your WebFaction username (referred to here as webfaction-username) — the WebFaction username that you use to sign on to the WebFaction control panel.

  • The password for the above username (referred to here as webfaction-password).

  • Your SSH/FTP password. If you cannot remember this, follow WebFaction's instructions to change your FTP/SSH password.

  • A valid email address (referred to here as you@youremail.com) that Let's Encrypt can associate with the certificates — so, for example, they can send you expiry notices, or other critical information should the need arise.

  • Your WebFaction servername (referred to here as web123.webfaction.com) — your server's name, as shown in the "Web Server" widget on the dashboard of your WebFaction control panel.

  • The domain(s) for which you would like to create a certificate. This guide will assume that you have the following:

    Domains Linked by WebFaction websites Served by WebFaction applications (apps)
    yourdomain1.com yoursite1 yourapp1
    www.yourdomain1.com yoursite1 yourapp1
    yourdomain2.com yoursite2 yourapp2
    www.yourdomain2.com yoursite2 yourapp2

    and that the the WebFaction websites yoursite1, yoursite2 are currently-unencrypted (http). You will create one certificate for all these domain/website/app combinations.

    To see the names of your WebFaction websites/applications, sign in to the WebFaction control panel and select "Websites"/"Applications" under the "DOMAINS/WEBSITES" tab.

  • The path to the apps that serve your WordPress websites. If you installed WordPress using the standard WebFaction installation, then the folder that serves your WordPress site will be something like ~/webapps/yourapp/. If you installed WordPress yourself, rather than through the standard WebFaction installation, then you may have chosen to install it in a folder such as ~/webapps/yourapp/wordpress. In either case, the app folder is the one that contains the index.php file.

    In this guide, we will assume that your two apps yourapp1 and yourapp2 are in the folders ~/webapps/yourapp1 and ~/webapps/yourapp2, relative to your home folder. Substitute with the correct folder names, depending on your setup.

    IMPORTANT: Your WebFaction app names are not the same thing as your WebFaction website names. You need to refer to your app folder names here, not your website names.

  • (Optional) An FTP client that supports Secure FTP. Alternatively, you can skip using Secure FTP if you are comfortable navigating and manipulating/editing files through an SSH session to your server. (See the WebFaction guide on connecting with FTP for more information.)

1. Install LetsEncrypt WebFaction

IMPORTANT: You only need to follow the steps in this installation section once per WebFaction account. If you have previously installed LetsEncrypt WebFaction for this WebFaction user, then you don't need to do it again. However, it's always a good idea to upgrade to the latest version of LetsEncrypt WebFaction before using it. See the readme on how to upgrade — the command to upgrade is the same as the command to install.

Login to your WebFaction server using SSH

(See the WebFaction guide on SSH if you have problems using SSH.)

  1. Open the Terminal app (you should find this in Finder > Applications > Utilities).

  2. At the command line, enter ssh webfaction-username@web123.webfaction.com (substituting webfaction-username with your WebFaction username and web123 with your WebFaction servername) and press Enter.

  3. Enter your WebFaction SSH/FTP password and press Enter. (In Terminal on a Mac, you won't see the pasword or asterisks as you type, which is a little disconcerting, but don't worry: it's accepting the input.)

    Note that the first time you do this, you will probably get a warning like this:

    The authenticity of host 'web123.webfaction.com (xx.xx.xx.xxx)' can't be established.
    ECDSA key fingerprint is SHA256: ... (hash)...
    Are you sure you want to continue connecting (yes/no)?
    

    This is normal the first time you connect to a server, because your Mac cannot know whether the key that is being sent to it really belongs to the server you're trying to connect to or not. Respond yes to the question, so that your Mac will allow you to connect. Subsequent connections will work fine, as your Mac stores the server details for next time.

Install LetsEncrypt WebFaction

This section uses the "System Ruby" (simpler) installation.

  1. In your SSH session, enter the command:

     GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib gem2.2 install letsencrypt_webfaction
    

    After a few moments, a series of messages should appear. Give the process time to complete, at which point the final messages should look something like this:

    Done installing documentation for ... after xx seconds
    xx gems installed
    

Set some variables

In order to work, LetsEncrypt WebFaction needs to know where to find the files it needs. This is done by setting variables to point to the right place on the server. To do this:

  1. Logon with your FTP client, using Secure FTP (alternatively, if you can find your way around and edit files via SSH, do it that way). The username is your webfaction-username and the password is the same as the SSH password that you used above.

  2. Locate the file .bash_profile in your home folder (your home folder is top-level folder that contains the webapps folder). If you cannot see it, make sure that your FTP client is displaying hidden files (a dot/period at the beginning of the file name makes it a "hidden" file).

  3. Edit the .bash_profile file through your FTP client or, if you prefer, via the command line/SSH.

    [Note that if you use Apple's TextEdit to edit the file, then you need to make sure that the text is saved in Plain text format. To do this, go to File > Preferences and:

    • in the "New Document" tab, check "Plain text" and uncheck "Smart quotes" and "Smart dashes"

    • in the "Open and Save" tab, check "Display HTML files as HTML code..." and "Display RTF files as RTF code...".

    You can switch these settings back later.]

  4. Add the following to the .bash_profile file:

    function letsencrypt_webfaction {
    	PATH=$PATH:$GEM_HOME/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib ruby2.2 $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction $*
    }
    
  5. Save the file.

  6. To make these settings active, switch back to your SSH session and run the command:

     source $HOME/.bash_profile
    

    (If your session has timed out or become unresponsive, you may need to open another Terminal window (with cmd-n) and login again).

LetsEncrypt WebFaction is now ready to use.

2. Test getting a certificate

Now that you've installed LetsEncrypt WebFaction and you've set up its environment, you need to check that everything works before you can request your real-life certificate.

Let's Encrypt has limits on how many times you can get things wrong (per week) on their real certificate server, so it's best to try everything out first on their test server (with a different "end point"), which doesn't have the same limits (nor does it issue real certificates).

Create a configuration file for testing

Creating configuration files saves time and makes things easier to understand. It will also be important later, when you automate the renewal of your certificates. To do this:

  1. Open a new file in your favourite text editor [using the correct settings for Apple's TextEdit (as above) if you use it].

  2. Paste the text:

    # Configuration file for letsencrypt_webfaction utility
    domains: [yourdomain1.com,www.yourdomain1.com,yourdomain2.com,www.yourdomain2.com]
    public: [~/webapps/yourapp1,~/webapps/yourapp2]
    letsencrypt_account_email: 'you@youremail.com'
    username: 'webfaction-username'
    password: 'webfaction-password'
    cert_name: 'TestCert'
    endpoint: 'https://acme-staging.api.letsencrypt.org/'
    

    substituting:

    • yourdomain1.com / www.yourdomain1.com / yourdomain2.com / www.yourdomain2.com with the domain(s) you want certificates for. If you want to get certificates for more domains, then add them here, separated by commas with no spaces.

    • ~/webapps/yourapp1, ~/webapps/yourapp2 with the names of the folders of the apps that serve the domains above. If you have more than two apps, add their folder names here, separated by commas with no spaces.

    • you@youremail.com with the email to be associated with your certificate.

    • webfaction-username with your WebFaction username.

    • webfaction-password with the password that you use to logon to the WebFaction control panel (not your SSH/SFTP password, nor your webmail password).

  3. Save the file on your desktop, giving it a name of LetsEncryptComboTestConfig.yml. You will use this configuration file only for testing.

  4. Switch to your SFTP session and copy this file into your top-level directory (the one where the .bash_profile is). Don't delete the file from your desktop yet.

Request a dummy certificate

  1. Enter the following command in your SSH session (if your session has timed out or become unresponsive, you may need to open another Terminal window (with cmd-n) and login again):

     letsencrypt_webfaction --config ~/LetsEncryptComboTestConfig.yml
    
  2. Press Enter.

  3. After a short wait, you should be returned to the command prompt with a message similar to:

    Your new certificate is now created and installed.
    You will need to change your application to use the TestCert certificate.
    Add the `--quiet` parameter in your cron task to remove this message.
    

    If things didn't work, check carefully: (a) that you assigned the parameters in your configuration file correctly; (b) that you named the file correctly; (c) that you typed the file's name correctly in the --config parameter in the command above; and (d) that the file is in your home folder. Read the section Before you start, above, to make sure that you have correctly interpreted the things you needed to substitute in the configuration file. As long as your command specifies the test configuration file (which contains the line endpoint: 'https://acme-staging.api.letsencrypt.org/'), you can try as many times as you like to get things right.

  4. If you got confirmation that the certificate was created and installed, sign in to the WebFaction control panel and select the "SSL certificates" tab under "DOMAINS/WEBSITES". You should see a new (dummy, non-functional) certificate created there, called "TestCert". If you don't see the certificate, check out the Troubleshooting section of the LetsEncrypt WebFaction wiki to see what might have gone wrong.

  5. Check that the test certificate covers all the domains that you want it to cover (which you specified in your configuration file). They are shown in the "Valid for" column in the "SSL certificates" tab.

  6. Once you have confirmed that your test-run worked fine, you can delete the "TestCert" certificate that you just created. To do this, select the "SSL certificates" tab under "DOMAINS/WEBSITES", select the "TestCert" certificate and click "Delete" (you can always delete certificates as long as they haven't been linked to websites).

3. Get a real certificate

If everything went OK, you can now get a real certificate.

Create a configuration file for getting real certificates

  1. Open LetsEncryptComboTestConfig.yml on your desktop and modify it by changing the cert_name parameter and deleting the endpoint parameter, so that it now looks as follows:

    # Configuration file for letsencrypt_webfaction utility
    domains: [yourdomain1.com,www.yourdomain1.com,yourdomain2.com,www.yourdomain2.com]
    public: [~/webapps/yourapp1,~/webapps/yourapp2]
    letsencrypt_account_email: 'you@youremail.com'
    username: 'webfaction-username'
    password: 'webfaction-password'
    cert_name: 'ComboCert'
    

    (with, of course, all the domains, app folders, email, username and password parameters still substituted for your setup).

    [You don't need to use the name 'ComboCert' for the certificate name if you don't want to. You can choose any name that will be easy to understand in the WebFaction control panel — something that reflects the domains it's covering (such as 'AllMyCerts' or 'Domain1Domain2'. The name you choose will be re-used each time you automatically renew your certificate.]

  2. Save the file on your desktop, using "Save As..." to give it a new name of LetsEncryptComboConfig.yml. You will use this configuration file to get your first real certificate and for subsequent renewals.

  3. Switch to your SFTP program and copy this file into your top-level directory (the one where the .bash_profile is). Don't delete the file from your desktop yet.

Request a real certificate

  1. Enter the following command in your SSH session (if your session has timed out or become unresponsive, you may need to open another Terminal window (with cmd-n) and login again):

     letsencrypt_webfaction --config ~/LetsEncryptComboConfig.yml
    
  2. Press Enter.

  3. After a short wait, you should be returned to the command prompt with a message similar to:

    Your new certificate is now created and installed.
    You will need to change your application to use the ComboCert certificate.
    Add the `--quiet` parameter in your cron task to remove this message.
    

    If things didn't work, check carefully: (a) that you modified the LetsEncryptComboConfig.yml file correctly; (b) that you named it correctly; (c) that you typed the file's name correctly in the --config parameter in the command above; and (d) that it is in your home folder.

  4. To check that the certificate got generated, sign in to the WebFaction control panel and select the "SSL certificates" tab under "DOMAINS/WEBSITES". You should see the new (real) certificate created there, called "ComboCert" (or whatever name you chose). If you don't see the certificate, check out the Troubleshooting section of the LetsEncrypt WebFaction wiki to see what might have gone wrong.

  5. Check that the certificate covers all the domains that you want it to cover (which you specified in your configuration file). They are shown in the "Valid for" column in the "SSL certificates" tab.

    Once you have confirmed that your new (real) certificate covers the sites you intended, you can delete the LetsEncryptComboConfig.yml and LetsEncryptComboTestConfig.yml files on your desktop — but not on the server, where they should remain, as they will be used in the renewal process and any future tests.

4. Secure your sites

You now have a real certificate, but it has not yet been linked to your sites in the WebFaction control panel. There are still have a few more steps to make you sites secure.

Create secure WebFaction websites

The next thing you need to do is to setup new, secure WebFaction websites — with https — for your soon-to-be secure domain(s). Setting up a secure WebFaction website is a simple action in the WebFaction control panel and doesn't require any modification (yet) to your existing (http) site. To do it:

  1. Sign in to the WebFaction control panel.

  2. Under the "DOMAINS/WEBSITES" tab, select "Websites" and add a new website as follows:

    • Name: yoursite1_ssl (substituting yoursite1 with your current WebFaction website name). Giving it the same name as your existing website with a suffix of _ssl or _secure will probably make it clearer for you to remember later, but you can choose any name you like.

    • Security: Encrypted website (https)

      In the "Choose a certificate" drop-down, select the "ComboCert" that you generated earlier.

    • Status: Enabled

    • Domains: Add yourdomain1.com and www.yourdomain1.com

    • Contents: Select Reuse an existing application and choose the same app (yourapp1) that serves your current unencrypted (http) site.

    When you select your current app, you will get a warning:

     Warning: Adding the "yourapp1 - Web123" Wordpress app to this site will configure its Wordpress options to use "https://yourdomain.com/" for generated URLs.
    

    This is good news: WebFaction is re-configuring your WordPress site for https. It will save you some time later.

    (More info on creating websites is available in the Webfaction guide to creating a new website.)

  3. Save the app information.

  4. Save the website information.

  5. Repeat steps 1-4 for the second yoursite2_ssl / yourdomain2.com and www.yourdomain2.com / yourapp2 combination, linking them also to the new "ComboCert" certificate.

Access your https sites and check things are OK

Even though your new certificate is now installed and you can connect to your sites over https, it's likely that browsers will still give warnings when accessing the sites. This is because some elements on your pages will still be being served across http. For a web page to be secure, all elements on the page need to be served securely.

For example, if you have added an image to a page using <img src="http://yourdomain1.com ... >, then accessing that page will give a browser warning: the image link needs to point to an https URL instead.

You can use a WordPress plugin such as Search Regex to replace all occurrences of http://yourdomain1.com or http://www.yourdomain1.com with https://yourdomain1.com (and similarly for yourdomain2.com).

While running a find/replace will solve the majority of the problems, you may find some other things that need changing. As well as images, check that:

  • Your sites contain only https and non-www URLs internal links (again, Search Regex is good for this);
  • All other links in your sites refer only to https — for example: menus, sliders/carousels, icons etc.;
  • The WordPress and Site URLs in the "Settings" > "General" section of your WP Admin are set to the https addresses; and
  • Any custom PHP code is modified to point to https.

5. Redirect ALL traffic to your secure sites

This section shows you how to redirect all URLs for your yourdomain1 domain to the single URL https://yourdomain1.com.

While you could keep your unencrypted http sites active, it's better to redirect all your traffic via https. Not only does it simplify your site-management, keep it more secure and avoid browser warnings, your site will also be more likely to be viewed favourably by search engines — Google, for example, up-ranks sites that use https. Forcing https will also make your site much faster.

If you wish, and in addition, you can configure your apps to redirect the URL https://www.yourdomain1.com (www) to https://yourdomain1.com (non-www). While this isn't strictly necessary, (a) it's simpler to serve users only one version of your site; and (b) some search engines see the www version of your site as a duplicate of your non-www version, unless you tell them otherwise (see Google's take on this), so it's best to choose one or the other and stick to it.

First a summary of what you've done so far...

You've installed LetsEncrypt WebFaction, got a certificate, and created new WebFaction websites for https traffic. At this point in the process, URLs flow through your server as follows:

  • The http URLs http://yourdomain1.com / http://www.yourdomain1.com are still handled, as before, by the WebFaction website called yoursite1 (http), which is served by yourapp1.

  • The https URLs https://yourdomain1.com / https://www.yourdomain1.com are handled by the new WebFaction website called yoursite1_ssl (https), which is also served by yourapp1.

(With similar flows for yourdomain2/yoursite2/yourapp2.)

To direct all traffic only to your secure site, you need to change your setup so that the http URLs get immediately rewritten as https URLs. This way, they will then be handled by yoursite1_ssl /yoursite2_ssl and be served over https.

The following shows you how to do the redirection in a generic way, redirecting any http URL you want to its equivalent https URL. This simplifies things significantly if you have many WebFaction domains.

To rewrite the http domains as https domains, you will need to:

  • Create a new redirection WebFaction Website (called redirect_to_https) and make it re-write http URLs as https URLs;
  • Remove your http domains from the insecure (http) WebFaction websites yoursite1 and yoursite2.
  • Add them instead to your new, secure (https) redirect_to_https website;
  • (Optional) Redirect www-prefixed URLs to the equivalent non-www URLs.

The detailed steps to do all this are below.

Create a new redirection app and make it re-write http URLs as https URLs

  1. Sign in to the WebFaction control panel.

  2. Under the "DOMAINS/WEBSITES" tab, select "Applications".

  3. In the "Add new application" panel enter:

    • Name: redirect_to_https

    • App category: Static

    • App type: Static/CGI/PHP-7.0

  4. Save the app information.

  5. To make the app redirect_to_https redirect all http traffic to the equivalent https URL, you need to edit the .htaccess file in the app's folder.

    To do this, logon to FTP via Secure FTP (alternatively, if you can find your way around and edit files via SSH, do it that way).

  6. Locate the folder ~/webapps/redirect_to_https. If you have set up the app as shown above, it should have only one file in it (index.html). If for some reason it already contains a file called .htaccess, then you will need to edit that existing file, rather than create it (as shown in the next step).

  7. Open a new file in your favourite text editor [using the correct settings for Apple's TextEdit (as above) if you use it].

  8. Add the following lines to it:

    RewriteEngine On
    RewriteCond %{HTTP:X-Forwarded-SSL} !on
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    

    These are instructions to the server to redirect http URLs to the equivalent https URL.

    Background info is available in the Webfaction guide to redirecting http sites.

    [You may wish to use a 302 response while testing (by using [R=302,L] instead of [R=301,L] — which indicates a temporary move, rather than a permanent one). If you do this, your browser will keep trying to get to the old http URL (rather than caching the new one), allowing you to test the redirection fully. Change it to [R=301,L] after you have finished testing.]

  9. Save the file on your desktop, giving it a name of temp_htaccess.

    [Giving it a "normal" name (without a dot/period as the first letter) will make sure that it doesn't disappear as an hidden file on your Mac. You will rename it correctly once you have transferred it to the server.]

  10. Switch to your SFTP program and copy the temp_htaccess file on your desktop to the ~/webapps/redirect_to_https folder.

  11. Rename the file on the server from temp_htaccess to .htaccess.

Remove your http domains from the insecure (http) WebFaction websites

WARNING: Removing your domains from their current WebFaction websites will also de-link them from their app and briefly take your http sites offline until you link them to the redirection app. If you know your way around the WebFaction control panel, this should only take you a few seconds (if you're not familiar with it, and it's critical to minimize downtime, walk yourself through the changes first, without saving them, and plan a good time to do this work).

  1. In the WebFaction control panel, under the "DOMAINS/WEBSITES" tab, select "Websites".

  2. Select yoursite1 — the unencrypted (http) website that links http://yourdomain1.com / http://www.yourdomain1.com to yourapp1.

  3. In "Domains", delete http://yourdomain1.com and http://www.yourdomain1.com (using the "x" on the right of each). This will de-link the websites from yourapp1.

  4. Save the website information.

  5. Follow steps 1-4 for yoursite2/yourdomain2.

Add your http domains instead to the secure redirection website

  1. In the WebFaction control panel, under the "DOMAINS/WEBSITES" tab, select "Websites".

  2. Select redirect_to_https — the app you created earlier.

  3. In "Domains", add http://yourdomain1.com, http://www.yourdomain1.com, http://yourdomain2.com and http://www.yourdomain2.com.

  4. Save the website information.

After a few moments (perhaps more, depending on DNS propagation time), your http URLs will redirect to their https equivalent (which are already being served with their new certificates.

(Optional) Redirect www-prefixed URLs to equivalent non-www URLs

At this point, all traffic to your domains is going through the yoursite1_ssl/yoursite2_ssl WebFaction websites (and being served by yourapp1/yourapp2). To additionally redirect www URLs to non-www URLs, you need to modify the .htaccess file in ~/webapps/yourapp1 and ~/webapps/yourapp2. To do this:

  1. Switch to your SFTP session and locate the .htaccess file in the folder ~/webapps/yourapp1 (or ~/webapps/yourapp1/wordpress, depending on your setup).

    (It's possible, but unlikely, that the .htaccess file does not exist and you will need to create it, as shown in the section Create a new redirection app and make it redirect http traffic to https.)

  2. Edit the file, either via the command line/SSH, or through your FTP client [using the correct settings for Apple's TextEdit (as above) if you use it].

  3. Add the following at the top of of the .htaccess file:

    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    RewriteRule ^(.*)$ https://%1/$1 [R=301,L]
    

    This will permanently redirect any https/www URLs to their equivalent https/non-www URLs.

  4. Save the file.

  5. Follow steps 1-4 for yourapp2.

Test your setup to make sure everything works

Test that the redirection works by making sure that:

  • All http URLs redirect to https;
  • All www URLs redirect to non-www URLs.

If you temporarily added a 302 response while testing (by using* [R=302,L] instead of [R=301,L]), change it to 301 once you have confirmed that everything works, to indicate a permanent move. You can also now delete the (http) websites yoursite1 and yoursite2 (checking first that they have no domains associated with them at this point).

6. Set up a recurring renewal task

Let's Encrypt certificates expire after 90 days, so you will need to renew yours before then.

To automate the process, you can use the "Cron" time-based job-scheduler to renew the certificates using LetsEncrypt WebFaction. The commands are stored in a "crontab" file — which contains a list of commands meant to be run at specified times — and Cron will take care of it without you needing to worry about it. WebFaction has documentation on Scheduling Tasks with Cron.

Decide on a schedule

A good rule of thumb is to renew Let's Encrypt certificates every 2 calendar months, which gives you plenty of time to fix things if a renewal fails for some reason. Choose a start date a couple of months from when you created the certificate.

Let's assume you decide to renew the certificate at 4am on the 10th day of every 2nd month. That is, at 04:00 on the 10th of months Jan, Mar, May, Jul, Sep and Nov. In Cron terms, this is written as 0 4 10 */2 * (in "minute · hour · day · month · day-of-week" notation). To help you get the right syntax for the dates and times that you have chosen, use this site.

Edit your crontab entries

So to set up your Cron tasks, you need to edit your crontab as follows:

  1. Open a new file in your favourite text editor [using the correct settings for Apple's TextEdit (as above) if you use it]. It's advisable to do this in an editor of your choice because it may be easier than wrestling with an editor on the server later. If you're comfortable using editors on the server, then you can of course edit this command directly on the server.

  2. Paste the following lines into your editor:

    MAILTO=you@youremail.com
    MAILFROM=you@youremail.com
    0 4 10 */2 *     PATH=$PATH:$GEM_HOME/bin:/usr/local/bin GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib ruby2.2 $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --config ~/LetsEncryptComboConfig.yml --quiet
    

    substituting:

    • you@youremail@com with the email where you wish to receive error messages;
    • 0 4 10 */2 * with the expression for your chosen schedule.

    Notes on the crontab entries:

    • The email lines ensure that you will receive an email if things go wrong. The format assumes that you are on a WebFaction CentOS 6 Server (web300 and greater or dweb89 and greater). If not, see the WebFaction Cron documentation for the correct mailing information. The WebFaction Cron documentation also shows you how to output to a log instead, or send the output via mail, to add subject lines and so on to the email.

    • You need to specify the path to the LetsEncrypt WebFaction command each time because, unlike the user environment, the Cron environment doesn't pick up the path from your .bash_profile.

    • The --quiet parameter can be removed if you wish to get an email every time things go right as well as when things go wrong.

    • [(Optional) If you want, you can test the Cron functionality first — to issue dummy certificates. To do this:

      • Specify your test configuration file ~/LetsEncryptComboTestConfig.yml instead of your real one — this will use the Let's Encrypt test server, allowing mistakes without limits;
      • Remove the --quiet parameter while testing, in order to get emails every time;
      • Alter the password in your configuration file to test failures;
      • Specify a time and date that is just a few minutes away from the current time, or alternatively specify the time-and-date fields as */5 * * * *, which will run a Cron command every five minutes, allowing repeated tests with different parameters (if you need to know the time on the server, use the timedatectl command);
      • Remember to correct the crontab entries and any password you may have altered when you finish testing, and delete any test certificates in your WebFaction control panel.]
  3. If you have more than one certificate to renew (other than your "ComboCert" certificate), paste another entry (with the same or different schedule, as you prefer) on the next line. You need the two email lines only once, at the top.

  4. Switch to your SSH session. Type crontab -l and press Enter (if your session has timed out or become unresponsive, you may need to open another Terminal window (with cmd-n) and login again).

    The crontab -l command is for information only — it shows you the tasks you currently have set up in Cron (possibly none). You might wish to take a copy of these current tasks, so you can restore them if you accidentally delete some lines while editing.

  5. Type EDITOR=nano crontab -e and press Enter. This takes you into the Nano editor. Here you can edit your Cron tasks. (Your crontab entries are not stored in your own server folders, so you cannot edit them via an FTP client.)

    Use uppercase for EDITOR, otherwise you will be thrown into the vi editor, which is harder to understand. If you find your screen filled with ~ characters down the left hand side, then you have accidentally entered the vi editor. To exit vi, press Esc, then type :q! and press Enter.

  6. Copy the text (with your substitutions) from your text editor and paste it into the open Nano editor on your server. If, when you paste it, some of the command seems to disappear, don't worry; it's still there; the Nano editor has just wrapped the lines. Press Enter and you will see it all again.

    If this is not the first time that you are modifying your crontab, then you will see your previous Cron tasks in the editor. Make sure you leave them intact, adding the new Cron tasks below them.

  7. Press ctrl-x/control-x (note: not cmd-x), answer y, and press Enter to save the changes and fully exit the editor.

  8. Type crontab -l and press Enter to check that the Cron tasks are as they should be, with the mailing information at the top and each command on its own line with its scheduling time-and-date fields at the beginning of each line.

Set a reminder in your calendar

Set a reminder in your calendar a few days before each renewal will run, so you can first upgrade to the latest version of LetsEncrypt WebFaction (see the readme on how to upgrade). After the renewals, check everything worked OK. If you elected not to use the -- quiet parameter you should get an email every time the certificates are renewed; otherwise, you will only get an email if the process fails for some reason.

All done! :-)

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.