Follow the instructions at https://letsencrypt.readthedocs.org. Assuming you installed as root, the client will now be located at /root/letsencrypt.
By default:
- The beta client will use the test infrastructure to issue a certificate, and thus won’t be trusted by browsers;
- The client uses a temporary web server to authenticate the host which will conflict with the existing web server(s);
- The "auto install" feature tries to detect a standard Apache installation, which fails when confronted with the Vesta configuration.
These issues can be addressed by command line options to modify the client behaviour.
Assuming that the web server content is located at /home/admin/web/<domain>/public_html, from the directory /root/letsencrypt, run the command:
./letsencrypt-auto certonly -a webroot --renew-by-default --webroot-path /home/admin/web/<domain>/public_html -d <domain>
If successful, the certificate files will be located in /etc/letsencrypt/live/<domain>:
- cert.pem Server certificate
- chain.pem Certificate chain (excluding the server certificate)
- fullchain.pem Server certificate and certificate chain
- privkey.pem Private key
This same command can be used to renew an existing certificate. Remember that Let’s Encrypt issues certificates with a 90 day validity period.
Log in to the control panel, and edit the site that will be enabled for SSL. Tick the "SSL Support" box. Copy the text from the certificate files into the text boxes:
- /etc/letsencrypt/live/<domain>/cert.pem into "SSL Certificate"
- /etc/letsencrypt/live/<domain>/privkey.pem into "SSL Key"
- /etc/letsencrypt/live/<domain>/chain.pem into "SSL Certificate Authority"
Note that as long as Vesta can parse the certificates it doesn’t matter what is entered here; these files will be replaced with symbolic links.
Save the changes. If the correct contents have been pasted in, https://<domain> should load without errors or warnings.
Vesta stores the certificates in /home/admin/conf/web:
- ssl.<domain>.pem Full certificate chain and certificate
- ssl.<domain>.key Private key
- ssl.<domain>.crt Certificate
- ssl.<domain>.ca Certificate chain
Delete the existing files:
rm /home/admin/conf/web/ssl.<domain>.*
Link the actual certificates to the locations Vesta expects:
ln -s /etc/letsencrypt/live/<domain>/fullchain.pem /home/admin/conf/web/ssl.<domain>.pem
ln -s /etc/letsencrypt/live/<domain>/privkey.pem /home/admin/conf/web/ssl.<domain>.key
ln -s /etc/letsencrypt/live/<domain>/cert.pem /home/admin/conf/web/ssl.<domain>.crt
ln -s /etc/letsencrypt/live/<domain>/chain.pem /home/admin/conf/web/ssl.<domain>.ca
Restart the web services:
service nginx restart
service apache2 restart
Load https://<domain> and ensure it loads as a secure site with no errors.
Remember that the certificates will need to be renewed within 90 days. This could be done via a cron job that runs the above command (and then restarts the web services) once per month.
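One way to write that monthly cron job, as an added example that is not part of the original guide: it runs the renewal command above, then confirms the four Vesta files are still symbolic links to the live certificates before restarting the web services. The function names and the LE_DIR, LIVE_ROOT, VESTA_CONF and WEB_ROOT overrides are assumptions introduced here; the default paths are the ones used on this page.

```shell
#!/bin/sh
# Usage: renew-vesta-cert.sh <domain>   (script name is hypothetical)
# Defaults are the paths from this guide; the overrides are assumptions for testing.
LE_DIR="${LE_DIR:-/root/letsencrypt}"
LIVE_ROOT="${LIVE_ROOT:-/etc/letsencrypt/live}"
VESTA_CONF="${VESTA_CONF:-/home/admin/conf/web}"
WEB_ROOT="${WEB_ROOT:-/home/admin/web}"

# check_link LINK TARGET: succeed only if LINK is a symlink to TARGET
# and TARGET exists and is non-empty (catches dangling links and typos).
check_link() {
    [ -L "$1" ] || { echo "not a symlink: $1" >&2; return 1; }
    [ "$(readlink "$1")" = "$2" ] || { echo "wrong target: $1" >&2; return 1; }
    [ -s "$1" ] || { echo "dangling or empty: $1" >&2; return 1; }
}

# check_vesta_links DOMAIN: verify the four links created in the steps above.
check_vesta_links() {
    rc=0
    for pair in fullchain.pem:pem privkey.pem:key cert.pem:crt chain.pem:ca; do
        src="$LIVE_ROOT/$1/${pair%%:*}"
        dst="$VESTA_CONF/ssl.$1.${pair##*:}"
        check_link "$dst" "$src" || rc=1
    done
    return $rc
}

main() {
    domain="$1"
    cd "$LE_DIR" || return 1
    ./letsencrypt-auto certonly -a webroot --renew-by-default \
        --webroot-path "$WEB_ROOT/$domain/public_html" -d "$domain" || return 1
    # Restart only if the web servers will actually read the renewed files.
    check_vesta_links "$domain" || return 1
    service nginx restart && service apache2 restart
}

# Run only when a domain is given, so the functions can be sourced and tested.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

A non-zero exit from cron means either the renewal failed or one of the links has been replaced by a regular file or points at a missing file, in which case the site would keep serving the old certificate until the link is recreated.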
The self-signed SSL certificates for the actual Vesta UI are located in /usr/local/vesta/ssl:
- certificate.crt
- certificate.key
These can be replaced with certificates issued by Let’s Encrypt:
mv /usr/local/vesta/ssl/certificate.crt /usr/local/vesta/ssl/certificate.crt.orig
mv /usr/local/vesta/ssl/certificate.key /usr/local/vesta/ssl/certificate.key.orig
ln -s /etc/letsencrypt/live/<domain>/privkey.pem /usr/local/vesta/ssl/certificate.key
ln -s /etc/letsencrypt/live/<domain>/cert.pem /usr/local/vesta/ssl/certificate.crt
Restart the Vesta services:
service vesta restart
The UI will now use the trusted certificates.