How to use letsencrypt ssl certificates on webfaction via acme.sh
2017-06-06
letsencrypt provides free ssl certificates, but webfaction doesn't provide an integration for this in their control panel, so certificates must be manually renewed. This post outlines how you can issue a free ssl certificate from letsencrypt using acme.sh, and set it up to automatically renew using the webfaction API.
Installation
Install acme.sh:
curl https://get.acme.sh | sh
Download acme_webfaction.py from https://github.com/gregplaysguitar/acme-webfaction and move it into your bin directory - i.e. /home/USER/bin. Make sure it's executable:
cp /path/to/acme_webfaction.py ~/bin/
chmod +x ~/bin/acme_webfaction.py
Issue the certificate
Issue a certificate for your webfaction site as per the acme.sh documentation:
acme.sh --issue -w /path/to/webroot -d example.com -d www.example.com
Note you'll need to set up your site to serve the files in /path/to/webroot/.well-known at http://example.com/.well-known. If you're working with a static or php site, you can just add your actual webroot here. For sites without a webroot, e.g. django or rails, use a temp directory as your webroot and add an alias in /home/USER/webapps/APPNAME/apache2/conf/httpd.conf:
Alias /.well-known/ /home/USER/temp/.well-known/
Install the certificate
Create an ssl certificate in the webfaction control panel, and add it to your site. See the webfaction ssl documentation for more information. You'll need to copy and paste the certificate details from the output of step 1.
Install the certificate using acme.sh --install-cert, where
- WF_SERVER is your webfaction server name, i.e. Web486 (note, it must be title cased)
- WF_USER and WF_PASSWORD are your webfaction control panel login
- WF_CERT_NAME is the name of the certificate you created in step 2
acme.sh --install-cert -d example.com -d www.example.com \
--reloadcmd "WF_SERVER=WebXX WF_USER=user WF_PASSWORD=pass WF_CERT_NAME=certname acme_webfaction.py"
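The reload command above carries the control panel password inline, so it ends up in shell history and in the configuration acme.sh saves for renewals. One way to avoid that, as an added example that is not part of acme.sh or acme-webfaction: a wrapper that loads the WF_* variables from a mode 600 file and then runs acme_webfaction.py. The script name wf_reload.sh, the file location ~/.acme.sh/webfaction.env and its KEY=value format are assumptions.

```sh
#!/bin/sh
# wf_reload.sh - hypothetical wrapper (added example), saved in ~/bin.
# Reads the WF_* settings from a private file, then runs acme_webfaction.py,
# so the control panel password is not written into --reloadcmd.
# File format: one KEY=value per line, no quoting, "#" starts a comment.

WF_ENV_FILE="${WF_ENV_FILE:-$HOME/.acme.sh/webfaction.env}"   # assumed location

# True only for a regular file with no group/other permission bits (e.g. 600).
env_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Export the four WF_* variables from file $1. The file is parsed, not sourced,
# so nothing in it is executed and no other variable can be set through it.
load_wf_env() {
    unset WF_SERVER WF_USER WF_PASSWORD WF_CERT_NAME
    env_file_is_private "$1" || {
        echo "refusing $1: missing, or accessible by group/other" >&2
        return 1
    }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in *=*) ;; *) continue ;; esac   # skip lines without "="
        key=${line%%=*}
        value=${line#*=}   # text after the first "=", so a password may contain "="
        case "$key" in
            WF_SERVER|WF_USER|WF_PASSWORD|WF_CERT_NAME) export "$key=$value" ;;
            ''|'#'*) ;;
            *) echo "ignoring unexpected line in $1" >&2 ;;
        esac
    done < "$1"
    [ -n "${WF_SERVER:-}" ] && [ -n "${WF_USER:-}" ] &&
        [ -n "${WF_PASSWORD:-}" ] && [ -n "${WF_CERT_NAME:-}" ] || {
        echo "$1 must set WF_SERVER, WF_USER, WF_PASSWORD and WF_CERT_NAME" >&2
        return 1
    }
}

# Runs only when called as "wf_reload.sh run",
# i.e. with --reloadcmd "$HOME/bin/wf_reload.sh run"
case "${1:-}" in
    run) load_wf_env "$WF_ENV_FILE" && exec "$HOME/bin/acme_webfaction.py" ;;
esac
```

Create the settings file with chmod 600 before running acme.sh --install-cert; the wrapper refuses to load a file that group or other users can access.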
Testing it out
At this point you should have an acme.sh crontab entry which will renew the certificates automatically, and on renewal, trigger acme_webfaction.py to update the cert via the webfaction api.
You can test it's working by forcing a renewal - run the command from the crontab with --force appended, i.e. something like:
"/home/USER/.acme.sh"/acme.sh --cron --home "/home/USER/.acme.sh" --force
If everything is working correctly, you should see the certificates renewed and the message "Reload success".