Stratus3D

Software Engineering, Web Development and 3D Design

Let's Encrypt on WebFaction

I have finally gotten around to installing Let’s Encrypt SSL certificates on all the websites I run. I use WebFaction (affiliate link) for my web hosting and that meant I had to use their API for installing certificates. Rather than just placing the certificate files directly on the server I had to use their XML-RPC API to install the certificate. I quickly discovered the letsencrypt-webfaction gem, which makes the process of obtaining and installing certificates on WebFaction easy. In this blog post I’ll explain what I did to get everything installed and configured.

Install letsencrypt-webfaction

First install the gem:

$ GEM_HOME=$HOME/.letsencrypt_webfaction/gems RUBYLIB=$GEM_HOME/lib gem2.4 install letsencrypt_webfaction

For ease of use you’ll want to install it in a specific directory under your home directory. On WebFaction you only have permission to write to your home directory, so that rules out most places. I chose to use version 2.4 of the gem executable for installing the letsencrypt-webfaction gem, but you can use an older version of Ruby as well. You can check your server for available Ruby versions by typing ruby and then hitting tab in a Bash session on your server. Bash should give you autocomplete suggestions for all the executables with that prefix. WebFaction has helpfully suffixed executables with the version numbers.

Remembering the details of your gem installation can be a pain, so add a function to your .bashrc to store all these details and make it easier to use:

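function letsencrypt_webfaction {
    # GEM_HOME is assigned first so that PATH and RUBYLIB can expand it;
    # "$@" passes each argument through unchanged, even if it contains spaces.
    GEM_HOME=$HOME/.letsencrypt_webfaction/gems PATH=$PATH:$GEM_HOME/bin RUBYLIB=$GEM_HOME/lib ruby2.4 $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction "$@"
}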

After sourcing your .bashrc you should be able to use the letsencrypt_webfaction function in the shell. Next, create config files for each website with the details of the domain and the web server.

Configure letsencrypt-webfaction

There are two ways to run the letsencrypt_webfaction function. You can specify everything the gem needs to know about your website and your WebFaction account with command line arguments, or you can put everything in a config file. I’ve found the config file approach to be much more manageable. It’s easier to make changes to a config file than it is to edit an existing cron job with a long command.

I created a directory called le_webfaction in my home directory to hold my config files. Then I created yaml files in this directory for each website I wanted to create an SSL certificate for. I created files with the domain name as the filename, like this: <domain>.yml. So for stratus3d.com I created a file named stratus3d.com.yml. See the letsencrypt-webfaction README for details on the config file. Mine ended up looking like this:

key_size: 4096
# We need an ACME server to talk to, see github.com/letsencrypt/boulder
endpoint: 'https://acme-v01.api.letsencrypt.org/'
domains: ['stratus3d.com']
public: ['/home/<home dir>/webapps/<app dir>/']
output_dir: '~/certificates/'
letsencrypt_account_email: '<email>'
api_url: 'https://api.webfaction.com/'
username: '<webfaction account username>'
password: '<webfaction account password>'

You’ll need to have all these fields populated, but several can be left with their default values. Now that everything is in a config file, obtaining a certificate is easy. Run the function we defined earlier to issue and install the certificate:

$ letsencrypt_webfaction --config ~/le_webfaction/stratus3d.com.yml

The gem should go through the process of obtaining a certificate and installing it on your WebFaction account. I won’t go over how that process works, but you can read more about it here. Once the command has succeeded you may get a message like this:

You will need to change your application to use the stratus3d.com certificate.
Add the `--quiet` parameter in your cron task to remove this message.

This means you haven’t set up a WebFaction “website” that uses the new SSL certificate. You’ll need to do this once when creating the certificate initially, but when renewing certificates this will not be necessary. Log in to your WebFaction account and go to https://my.webfaction.com/websites. Edit an existing website, or create a new one if you need to. Click on the “Encrypted website (https)” button, and then choose the certificate letsencrypt-webfaction just obtained.

[Image: encrypted website option]

After saving the website you should be able to access it over HTTPS! You’ll need to repeat this process with a different config file for every domain that you want to add an SSL certificate to.
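Each of these config files holds your WebFaction account password in plain text, so the files and the directory that contains them should be readable only by your own user. The Ruby script below is an added example, not part of the original post or of the letsencrypt-webfaction gem; the function names and the demo file are assumptions made for illustration. It reports config files containing a password key that other users can access and can tighten their permissions.

```ruby
require 'yaml'
require 'tmpdir'

SECRET_KEYS = %w[password].freeze # credential key used in the config above

# True when group or other users have any access bit on +path+.
def exposed?(path)
  (File.stat(path).mode & 0o077) != 0
end

# Returns [path, problem] pairs for +dir+ and the credential-bearing *.yml
# files in it. With fix: true, also tightens them to 0700 / 0600.
def audit_configs(dir, fix: false)
  findings = []
  if exposed?(dir)
    findings << [dir, 'directory is accessible to other users']
    File.chmod(0o700, dir) if fix
  end
  Dir.glob(File.join(dir, '*.yml')).sort.each do |path|
    config = YAML.safe_load(File.read(path))
    next unless config.is_a?(Hash) && SECRET_KEYS.any? { |k| config.key?(k) }
    next unless exposed?(path)
    findings << [path, 'config with credentials is accessible to other users']
    File.chmod(0o600, path) if fix
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # With no argument, audit a constructed demo directory instead of a real one.
  Dir.mktmpdir do |demo|
    File.write(File.join(demo, 'example.test.yml'), "password: 'x'\n")
    File.chmod(0o644, File.join(demo, 'example.test.yml'))
    audit_configs(ARGV[0] || demo).each { |path, why| puts "#{path}: #{why}" }
  end
end
```

Pass the config directory as the first argument to audit it; call `audit_configs(dir, fix: true)` to apply the 0700 / 0600 permissions.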

Set Up Cron Jobs

Running the command again will obtain a new certificate from Let’s Encrypt, but you are limited to 10 per week per domain. Certificates only last 90 days, so it’s best to set up a cron job to automatically renew them every month or two. To edit your cron jobs on WebFaction run crontab -e as you normally would, then add the following:

MAILTO=<your email>
MAILFROM=<your email>

# GEM_HOME is assigned first so that PATH and RUBYLIB can expand it
0 7 15 * * GEM_HOME=$HOME/.letsencrypt_webfaction/gems PATH=$PATH:$GEM_HOME/bin:/usr/local/bin RUBYLIB=$GEM_HOME/lib ruby2.4 $HOME/.letsencrypt_webfaction/gems/bin/letsencrypt_webfaction --config $HOME/le_webfaction/stratus3d.com.yml >> $HOME/my_logs/stratus3d_letsencrypt.log

I set mine to renew on the 15th of every month, but I’m not sure what the best renewal strategy is. It’s probably best to refer to the official Let’s Encrypt documentation when deciding when to run your renewal cron jobs. As you can see, the way we invoke the gem in the cron job is different. Since the cron job runs in a different environment, the letsencrypt_webfaction function we defined earlier isn’t available, so we have to set some environment variables manually. I also chose to append the output of this command to a log file, so I could go back and look at the logs if a certificate failed to renew. And that’s it. You should now have a cron job that obtains new certificates and installs them for you automatically.
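A renewal job that fails quietly is only noticed when the 90-day certificate runs out, so an independent expiry check is a useful companion to the cron entry. The Ruby script below is an added example, not part of the original post or of the letsencrypt-webfaction gem; the 30-day window, the function names and the self-signed sample certificate are assumptions made for illustration.

```ruby
require 'openssl'

RENEW_WINDOW_DAYS = 30 # assumption: act when fewer than 30 days remain

# Whole days until the PEM certificate expires (negative once it has expired).
def days_remaining(pem, now = Time.now)
  cert = OpenSSL::X509::Certificate.new(pem)
  ((cert.not_after - now) / 86_400).floor
end

# Classify a certificate for a monitoring job run from cron.
def renewal_status(pem, now = Time.now, window = RENEW_WINDOW_DAYS)
  days = days_remaining(pem, now)
  return :expired if days < 0
  days < window ? :renew_due : :ok
rescue OpenSSL::X509::CertificateError
  :unreadable
end

# Constructed sample input: a throwaway self-signed certificate that is
# valid for +valid_days+ days from +now+.
def sample_cert(valid_days, now = Time.now)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=example.test')
  cert.public_key = key.public_key
  cert.not_before = now - 86_400
  cert.not_after = now + valid_days * 86_400
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  # Pass the path of an installed certificate, or run bare to see the sample.
  pem = ARGV[0] ? File.read(ARGV[0]) : sample_cert(20)
  status = renewal_status(pem)
  puts status == :unreadable ? 'unreadable certificate' : "#{status}: #{days_remaining(pem)} days remaining"
end
```

With monthly renewals a healthy certificate should always report `ok`; a `renew_due` result means at least one scheduled run did not install a new certificate.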

Conclusion

letsencrypt-webfaction saved me a lot of time on this task. I would have had to write a lot of code to interact with the WebFaction API had it not been for the gem. And as my first experience with Let’s Encrypt I found it easy to understand and work with. The ability to automate renewal like this is also a big time saver. I don’t have to worry about remembering to pay for new certificates every year.
