WebFaction and Let's Encrypt
This article is no longer relevant. Not only is WebFaction no longer in business, but management of Let’s Encrypt certificates is usually automated these days.
Opalstack is a web hosting company built on the same principles as WebFaction, and supports automatically managing your Let’s Encrypt certificates.
These days it’s recommended that you run all your sites with SSL, from your tiny blogs to big production systems. Let’s Encrypt is a great way to do this, without the huge cost associated with purchasing an SSL certificate for each website you run. And you can automate it! From their site:
Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).
We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.
If you’re running on WebFaction, then it takes some setup to get it running.
Thankfully, we can use the gem letsencrypt-webfaction (“LetsEncrypt utility client for WebFaction hosts”) to generate a new SSL certificate and install it using the WebFaction API.
The following shows how I do it – your mileage may vary…
Installation
Following the installation instructions for the gem, ssh into your WebFaction account and issue this from the command line:
GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib gem2.2 install letsencrypt_webfaction
Then add the following to ~/.bash_profile:
function letsencrypt_webfaction {
    # GEM_HOME is set first because RUBYLIB and PATH are built from it.
    # "$@" passes quoted arguments through unchanged.
    GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib PATH=$PATH:$GEM_HOME/bin ruby2.2 $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction "$@"
}
Configuration
Create the ~/ssl directory to hold the configuration files. Then create the file ~/ssl/yourdomain.com.config.yml with the following:
key_size: 4096
# We need an ACME server to talk to, see github.com/letsencrypt/boulder
endpoint: 'https://acme-v01.api.letsencrypt.org/'
letsencrypt_account_email: '<your_email_address>'
domains:
- '<yourdomain.com>'
- '<www.yourdomain.com>'
# The webroot of the application.
public: '<path_to_site_public_root>'
api_url: 'https://api.webfaction.com/'
username: '<username>'
password: '<account_password>'
servername: ''
cert_name: ''
You’ll need to change <yourdomain.com>, <www.yourdomain.com>, <username>, <account_password>, and <path_to_site_public_root> to their proper values.
The last deserves special notice. <path_to_site_public_root> should be the path to the public root of your website. That might be /home/<username>/webapps/<appname> for a regular website, or /home/<username>/webapps/<appname>/_site for a Jekyll site. The ACME verification files will be placed there, so that the site can be verified.
Make sure the permissions are restrictive, since we have a password in there:
chmod 600 ~/ssl/yourdomain.com.config.yml
Testing
Now you can test that the certificate is created and installed into WebFaction’s SSL Certificate section. Issue the following command:
GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib ruby2.2 $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --config "$HOME/ssl/yourdomain.com.config.yml"
Go to the “Domains / Websites -> SSL Certificate” menu in your WebFaction account. You should see the new certificate listed there, with the “Valid Until” date being 3 months from now. However, chances are it created a newly named certificate (as opposed to replacing one that you already have installed for your domain). You can verify this by looking at the “Used On” column to see if any websites are using the new certificate.
If not, jump to the “Websites” tab, click on the website, and in the “Security” section change the dropdown to the newly installed certificate, and Save.
Give the server a minute or two to refresh with the new certificate. You can then verify that the certificate has been installed correctly by going to: https://www.digicert.com/help
Once you’re satisfied that the new certificate is up and running, you can delete the old certificate for the domain in the “SSL Certificates” section, if it exists.
Automatic Re-generation – Cron
Since the certificate is only valid for 3 months, you will want to have it re-generated automatically. Add this to your cronfile (crontab -e):
#------------------------------------------------------------
# Let's Encrypt SSL certs
#------------------------------------------------------------
0 4 1 */2 * GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib ruby2.2 $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --config "$HOME/ssl/yourdomain.com.config.yml"
This will re-generate the certificate at the beginning of January, March, May, July, September, and November at 4am – every two months. Adjust the timing as necessary, and you can stagger the timing for multiple sites.
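An added example, not part of the original post or the gem: the cron runs above are at most 62 days apart and the certificate lasts 90 days, so a healthy site always has at least 28 days left, and one failed run lets the certificate expire before the next run. The script below flags that case; it assumes GNU date and the openssl CLI, and the function names and the 25-day threshold are choices made here.

```sh
#!/bin/sh
# Added example: report a served certificate that is closer to expiry than
# the two-month renewal schedule should ever allow.
WARN_DAYS=25   # assumption: fewer days left than this means a renewal was missed

# Print the notAfter date of the certificate a host is actually serving.
served_not_after() (
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate | cut -d= -f2
)

# Classify an expiry date. $1 = notAfter string as printed by openssl,
# $2 = current time in epoch seconds. Prints "ok N", "warn N" or "expired".
expiry_status() (
    # GNU date reads an empty string as "today", so reject it explicitly.
    [ -n "$1" ] || { echo "unparseable"; exit 2; }
    end=$(date -u -d "$1" +%s 2>/dev/null) || { echo "unparseable"; exit 2; }
    left=$(( end - $2 ))
    if [ "$left" -le 0 ]; then
        echo "expired"
    elif [ "$left" -lt $(( WARN_DAYS * 86400 )) ]; then
        echo "warn $(( left / 86400 ))"
    else
        echo "ok $(( left / 86400 ))"
    fi
)

# Check one host: silent on success, message on stderr and exit 1 otherwise.
check_host() (
    not_after=$(served_not_after "$1")
    status=$(expiry_status "$not_after" "$(date +%s)")
    case $status in
        ok*) exit 0 ;;
        *)   echo "$1: certificate $status (notAfter: ${not_after:-unknown})" >&2
             exit 1 ;;
    esac
)

# Run as: sh check_cert.sh www.yourdomain.com   (script name is hypothetical)
if [ $# -gt 0 ]; then check_host "$1"; fi
```

Scheduled more often than the renewal itself (weekly, for example), it stays quiet while renewals succeed and produces output only when one has been missed.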
Conclusion
For me, Let’s Encrypt is not just about saving money (at anywhere from $10 to $30 a pop for a regular certificate, it adds up quickly). It’s the fact that all your websites should be running with SSL, and with Let’s Encrypt you can automate the time-consuming process of creating and installing certificates. When you have 5 or more sites, it becomes a real time saver.