Let's Encrypt is a certificate authority that launched on April 12, 2016 that provides free X.509 certificates for Transport Layer Security (TLS) encryption via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites.
You can check the list of supported browsers here.
Features
- Letsencrypt for main account domain and www. alias
- Letsencrypt for addon domains and www. alias
- Letsencrypt for subdomains and www. alias
- Letsencrypt custom, you can install
- Check exire date for certificate
- Automatic Renewal
- Force Renewal button
- Apache port 443 automatic detection
Renewal
By default Letsencrypt certificate are valid for 90 days.
Renewal is automatic and certificate are renewed 30 days before expiring.
Configuration Files
Apache configuration: /usr/local/apache/conf.d/vhosts-ssl-letsencrypt.conf
CWP configuration: /usr/local/cwp/.conf/letsencrypt.conf
Letsencrypt configuration: /etc/letsencrypt/
Letsencrypt source: /opt/cwp_letsencrypt/
How to enable Apache ssl/tls port 443
New CWP Letsencrypt has automatic detection if port 443 is listening and it should enable it by itself once you install letsencrypt for any domain.
If the port is by chance down try to check if your virtual host configuration file for apache exists
/usr/local/apache/conf.d/vhosts-ssl-letsencrypt.conf
How to install Letsencrypt FREE Certificate?
With CWP this is very simple, first install letsencrypt by clicking on the "Install Letsencrypt" button and then you can install it for any domain by selecting domain from dropdown menu.
Requirements
To install Letsencrypt for your domain there are a few most important requirements:
- Domain must be installed and pointed on the server
- Domain must be tested that its opening the valid content
- You need to disable "FileSystemLock" temporary only while you are installing the Letsencrypt
- Works only with CentOS 64bit (x86_64)
Known errors
Unable to register an account with ACME server
* You need to check that you have a valid email account set for the contact for that domain while registering for the ssl.
SSL Security Grade
By default the security grade of the SSL is F by the info provided from the site https://www.ssllabs.com/ssltest/ , we selected to have this as a standard to support the older systems.
How to get a B grade ?
Settings are defined in the file /usr/local/apache/conf.d/ssl.conf
Default settings for F grade:
SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
Default settings for B grade:
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
Don't forget to reload your apache after doing any change in the configuration file.