Let's Encrypt is a Certificate Authority that provides free certificates and has a mission of enabling SSL everywhere.
This article is intended as a guide to installing a Let's Encrypt SSL certificate on the Acquia Cloud platform.
Note that this guide assumes you are using OSX/Linux.
Overall Steps
1. Install certbot locally (see https://certbot.eff.org/docs/install.html)
2. Update .htaccess file in your codebase
- Just above 'RewriteRule "(^|/)." - [F]', add the following snippet: 'RewriteRule "^.well-known/acme-challenge" - [L]'
3. Run the command:
- 'certbot --manual certonly'
4. Create files in docroot/.well-known/acme-challenge as per instructions
5. Commit your changes using:
- git add
- git commit
- git push
(Optional) If you are using Pipelines, then perform a build, if you need to.
6. Go to /etc/letsencrypt/live/ on your local machine for the certificate files.
7. Install the certificate, private key and chain in the Acquia Cloud SSL Self Service UI.
Detailed Steps
1. Note that this guide assumes you are using OSX/Linux.
Download certbot, a command-line tool from the EFF for managing SSL certificates with Let's Encrypt. Select Apache and then your appropriate OS from the dropdown.
2. Run the following command, replacing the [DOMAIN_*] placeholders and [EMAIL] with the domains you want the certificate to cover and your email:
$ sudo certbot certonly --manual --no-eff-email --agree-tos -m [EMAIL] -d [DOMAIN_1] -d [DOMAIN_N]
You will be presented with:
-------------------------------------------------------------------------------
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
... select Y in order to continue.
You will be presented with:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:
[LONG-STRING-DATA]
And make it available on your web server at this URL:
http://[DOMAIN]/.well-known/acme-challenge/[LONG-STRING]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Pause the process at this point.
3. For Drupal 7 you can just use the letsencrypt_challenge module, which lets you easily set the output for an http://[DOMAIN]/.well-known/acme-challenge/[LONG-STRING] URL.
4. Manual method for Drupal 8 or 7
4.1. Without pressing Enter, clone your repository (see here).
4.2. Create the challenge directory and place the file in it. In your repository docroot, create a file inside a newly created directory, replacing [LONG-STRING] with the one from the prompt when you paused the process (see above):
$ mkdir -p .well-known/acme-challenge
$ touch .well-known/acme-challenge/[LONG-STRING]
4.3. Open the file in a text editor, paste in the [LONG-STRING-DATA] provided by the certbot prompt, and save it.
4.4. Add and commit to git all the changes (see Sending updates to your code repository) and deploy the branches/tags containing the changes to the Acquia environment you wish (see Code workflows with Acquia Cloud).
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/[domain]/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/[domain]/privkey.pem
Your cert will expire on [date]. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
6. Copy the contents of the certificate you just generated on your local machine to the Acquia Cloud interface SSL page.
6.1. On your local machine you can view the contents of the pem files using the following commands (the default location is /etc/letsencrypt/live/[domain]/):
$ sudo cat /etc/letsencrypt/live/[domain]/fullchain.pem
$ sudo cat /etc/letsencrypt/live/[domain]/privkey.pem
6.2. Follow Managing SSL certificates; once you reach step 4, populate the fields with the contents of fullchain.pem and privkey.pem. Note that the first entry of fullchain.pem goes in the SSL certificate field.
7. You can now proceed to the next steps of Managing SSL certificates to Activate the certificate.
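Step 6.2 puts the first entry of fullchain.pem in the SSL certificate field. The script below is an added example, not part of the original guide: it splits fullchain.pem into that first entry and the remaining chain entries so each can be pasted separately. The function names and the output file names certificate.pem and chain.pem are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide). File and function names are
# hypothetical. Splits certbot's fullchain.pem into:
#   OUTDIR/certificate.pem  - first PEM entry (the certificate for your domain)
#   OUTDIR/chain.pem        - every following entry (the intermediate chain)

# split_fullchain FULLCHAIN OUTDIR
# Returns non-zero if the input is unreadable or holds fewer than two
# certificates (a fullchain is expected to carry leaf + intermediates).
split_fullchain() {
    fullchain=$1
    outdir=$2
    [ -r "$fullchain" ] || { echo "cannot read $fullchain" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    # Start from empty files so a re-run never mixes old and new entries.
    : > "$outdir/certificate.pem"
    : > "$outdir/chain.pem"
    awk -v leaf="$outdir/certificate.pem" -v chain="$outdir/chain.pem" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside { print > (n == 1 ? leaf : chain) }   # text outside PEM blocks is dropped
        /-----END CERTIFICATE-----/   { inside = 0 }
        END { if (n < 2) exit 2 }
    ' "$fullchain"
}

# count_certs FILE: prints how many PEM certificate entries FILE contains.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Stand-alone use: sh split.sh /etc/letsencrypt/live/[domain]/fullchain.pem ./out
if [ "$#" -eq 2 ]; then
    split_fullchain "$1" "$2"
fi
```

Reading /etc/letsencrypt/live/ requires sudo, as in step 6.1; privkey.pem is not touched by this script and is pasted as-is.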