How To: Enable Let’s Encrypt and AutoSSL

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). Let’s Encrypt integrates with InterWorx via a plugin, which allows users to generate free, secure SSL certificates.

The Let’s Encrypt plugin for InterWorx can also attempt to automatically generate Let’s Encrypt SSL certificates for domains that resolve to the server. AutoSSL will create SSL certificates for the following:

  • Domains that resolve to the server and are currently using self-signed certificates

  • Domains that resolve to the server, but do not have an associated SSL certificate

  • Let’s Encrypt certificates that were imported from another control panel. For example, cPanel AutoSSL certificates

Note

In order for AutoSSL to create an SSL certificate for the domains associated with a SiteWorx account, the SSL option must be enabled for the account in the SiteWorx account settings form.

To Enable the Let’s Encrypt Plugin and AutoSSL

  1. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx)

  2. In NodeWorx, navigate to NodeWorx > Plugins

  3. Under SSL, click the Pencil next to Let’s Encrypt. This opens the Edit Plugin form

  4. Select Enabled from the Status dropdown

  5. If enabling AutoSSL is also desired, select Yes next to AutoSSL

  6. Select the mode that AutoSSL certificates will use to initially create the SSL certificate

    • Let’s Encrypt only allows a certain number of certificate generation attempts per server, per week. This includes failed attempts. Once that cap is hit, Let’s Encrypt does not allow any more attempts until that counter resets. To better manage the potential for rate limiting, there are two modes that can be used to generate a certificate. More information can be found in the Let’s Encrypt rate limiting documentation.

      • Live: Generates a real Let’s Encrypt signed certificate

      • Staging: Generates a fake certificate that should only be used for testing purposes. It is always recommended to generate a certificate in Staging mode first, to test for any potential errors that may appear. If the staged test certificate generates successfully, it should then be safe to generate one in Live mode

  7. Update the Expiration Warning Email field with the email address where expiration warning messages should be sent

  8. Click Save

To Create AutoSSL Certificates On Demand

When AutoSSL is enabled, each time the InterWorx daily cron runs, it will:

  • Check to see which domains on the server do not have an associated SSL Certificate

  • Check which of those domains are live and resolve to the server

  • Generate an SSL certificate using Let’s Encrypt for the domains that fit the above criteria

This task can also be run manually from the CLI if waiting until the next daily cron runs is undesirable.

  1. Log in to the server at the CLI as root, either via SSH or from the terminal

  2. At the CLI, run the AutoSSL script

    ~iworx/cron/iworx.pex --run-one=Autossl
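
The checks described above, approximated as an added shell example (not InterWorx code): it classifies each domain by whether it resolves to this server and whether it is on the restricted list, so domains likely to produce a failed attempt can be spotted before running AutoSSL by hand. The function names, status labels and the DNS_FIXTURE variable are assumptions of this example; the server addresses and restricted domains are supplied by the operator.

```shell
# Added example (not InterWorx code). resolve_ips prints the addresses NAME
# resolves to, one per line. DNS_FIXTURE (an assumption of this example) may
# hold constructed "name ip" lines so the script can run offline.
resolve_ips() {
    if [ -n "${DNS_FIXTURE:-}" ]; then
        printf '%s\n' "$DNS_FIXTURE" | awk -v d="$1" '$1 == d { print $2 }'
    else
        getent ahosts "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
    fi
}

# classify DOMAIN "SERVER_IPS" "RESTRICTED_DOMAINS"
# Prints one of: restricted | unresolved | elsewhere | split | ok
classify() {
    domain=$1; server_ips=$2; restricted=$3
    for r in $restricted; do
        if [ "$r" = "$domain" ]; then echo restricted; return 0; fi
    done
    ips=$(resolve_ips "$domain")
    if [ -z "$ips" ]; then echo unresolved; return 0; fi
    here=0; away=0
    for ip in $ips; do
        match=0
        for s in $server_ips; do
            if [ "$ip" = "$s" ]; then match=1; fi
        done
        if [ "$match" -eq 1 ]; then here=$((here + 1)); else away=$((away + 1)); fi
    done
    if [ "$here" -eq 0 ]; then echo elsewhere    # DNS points at another host
    elif [ "$away" -gt 0 ]; then echo split      # some records point elsewhere
    else echo ok
    fi
}

# preflight "SERVER_IPS" "RESTRICTED_DOMAINS" DOMAIN...
# Prints "domain status" lines; succeeds only if at least one domain is ok.
preflight() {
    p_server=$1; p_restricted=$2; shift 2
    p_ok=0
    for p_domain in "$@"; do
        p_status=$(classify "$p_domain" "$p_server" "$p_restricted")
        printf '%-30s %s\n' "$p_domain" "$p_status"
        if [ "$p_status" = ok ]; then p_ok=$((p_ok + 1)); fi
    done
    [ "$p_ok" -gt 0 ]
}

# Usage: sh preflight.sh "203.0.113.10 2001:db8::10" "restricted.example" a.example b.example
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

getent consults the server’s own resolver configuration, including /etc/hosts, so a result here can differ from what public DNS returns.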
    

To Exclude a Domain from AutoSSL

  1. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx)

  2. In NodeWorx, navigate to Server > Settings

  3. Under the Apache section, update the Restricted AutoSSL Domains field with any domains that AutoSSL should not attempt to create an SSL certificate for

  4. At the bottom of the page, click Save