Centova Technologies Inc.

Knowledge Base | Centova Cast v3 | Information

How can I use the "Let's Encrypt" certificate authority with Centova Cast?

Question:

How can I use the "Let's Encrypt" certificate authority to install a free, trusted SSL certificate in Centova Cast?

Answer:

You must be using Centova Cast v3.2.6 or greater to use "Let's Encrypt" with Centova Cast.

"Let's Encrypt" is a certificate authority that provides completely free SSL certificates that are trusted by all major browsers. Unlike self-signed certificates, they do not generate security warnings when visitors access your web site.

Centova Cast fully supports the use of SSL certificates from "Let's Encrypt", and can automatically generate and renew such certificates once configured to do so.

"Let's Encrypt" does have one frustrating limitation that may cause problems for some Centova Cast administrators: for security reasons, its domain validation requires a web server on port 80 that serves a set of validation files, proving that you control the domain.

There are two ways to accomplish this:

  1. You may configure Centova Cast to use port 80 (instead of, or in addition to, port 2199).
  2. You may configure another web server to run on port 80 and serve the necessary files.

The sections below describe these two options in detail.

Configuring Centova Cast for Port 80

This is by far the easiest method.

By default, Centova Cast listens on port 2199, but you can add or change port numbers at any time. If you have no other web server installed on the same server as Centova Cast, simply edit /usr/local/centovacast/etc/cc-panel.conf (or, for slave or "control daemon-only" servers, /usr/local/centovacast/etc/web.d/cc-content.conf) and locate the line that says:

listen 2199 default ssl;

Add the following below the above line (do NOT remove or replace the above line):

listen 80;

Save your changes, and run service centovacast restart to restart Centova Cast. If all went well, Centova Cast should now be listening on port 80 and you should be able to proceed with using the "Let's Encrypt" certificate authority.
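The edit above is a one-line change, but it is easy to get wrong on a server you do not touch often (the new line accidentally replacing the 2199 line, or being added twice). The following helper, added here as an example and not part of Centova Cast, inserts `listen 80;` directly below `listen 2199 default ssl;` in memory, refuses to write if the 2199 line is missing, does nothing if port 80 is already configured, and keeps a `.bak` copy. The file paths are the two named in this article; the role names "panel" and "slave" are assumptions of this script. Keep in mind that once port 80 is open the panel answers unencrypted HTTP on it as well, so continue to log in through the https URL on port 2199.

```python
"""Add 'listen 80;' below the existing 'listen 2199 default ssl;' line.

Hypothetical helper, not part of Centova Cast. The edit is done on the text
in memory so it can be reviewed and unit-tested before the real file changes.
"""
import re
import shutil
import sys
from pathlib import Path

# Paths named in the knowledge base article (normal server vs slave server).
CONFIG_PATHS = {
    "panel": Path("/usr/local/centovacast/etc/cc-panel.conf"),
    "slave": Path("/usr/local/centovacast/etc/web.d/cc-content.conf"),
}

LISTEN_2199 = re.compile(r"^(\s*)listen\s+2199\s+default\s+ssl\s*;\s*$")
LISTEN_80 = re.compile(r"^\s*listen\s+80\s*;")


def add_listen_80(config_text: str) -> str:
    """Return config_text with 'listen 80;' inserted after the 2199 line.

    Idempotent: if a 'listen 80;' line already exists nothing is changed.
    Raises ValueError if the 'listen 2199 default ssl;' line is missing, so
    the caller can never end up with a file that lacks the SSL listener.
    """
    lines = config_text.splitlines(keepends=True)
    if any(LISTEN_80.match(line) for line in lines):
        return config_text
    out = []
    inserted = False
    for line in lines:
        out.append(line)                      # the original line is always kept
        m = LISTEN_2199.match(line)
        if m and not inserted:
            indent = m.group(1)               # reuse the file's own indentation
            sep = "" if line.endswith("\n") else "\n"
            out.append(f"{sep}{indent}listen 80;\n")
            inserted = True
    if not inserted:
        raise ValueError("no 'listen 2199 default ssl;' line found")
    return "".join(out)


def apply(path: Path) -> bool:
    """Rewrite path in place (with a .bak backup); return True if it changed."""
    original = path.read_text()
    updated = add_listen_80(original)
    if updated == original:
        return False
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    path.write_text(updated)
    return True


if __name__ == "__main__":
    role = sys.argv[1] if len(sys.argv) > 1 else "panel"   # "panel" or "slave"
    target = CONFIG_PATHS[role]
    print(("updated" if apply(target) else "already configured"), target)
    print("now run: service centovacast restart")
```

Run it as root with `python3 add_listen_80.py panel` (or `slave` on a control-daemon-only server), then restart Centova Cast as described above.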

Configuring Another Web Server to Serve the Files

If another web server is using port 80 on the same server as Centova Cast, you will need to use this method.

This method depends upon your knowledge of the other web server you are using; you must be familiar enough with your web server of choice to configure it appropriately. Centova Technologies cannot provide support or assistance with any changes to your web server's configuration.

To allow "Let's Encrypt" to validate your domain ownership, you must configure your web server so that any request for a file under the following URI (replacing example.com with your own domain name):

http://example.com/.well-known/acme-challenge/

...is served from the following directory:

/usr/local/centovacast/etc/ssl/acme-challenges/

So for example, if you create a file called /usr/local/centovacast/etc/ssl/acme-challenges/test.txt, you should be able to visit http://example.com/.well-known/acme-challenge/test.txt in your browser and see the contents of the test.txt file.

A few example configurations are provided below. Please note, however, that differences in your web server configuration may require additional settings not mentioned here.

Example: nginx

location /.well-known/acme-challenge {
    alias /usr/local/centovacast/etc/ssl/acme-challenges;
}

Example: Apache

Alias /.well-known/acme-challenge /usr/local/centovacast/etc/ssl/acme-challenges
<Directory /usr/local/centovacast/etc/ssl/acme-challenges>
    Options None
    AllowOverride None

    # Apache 2.x
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>

    # Apache 2.4
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Directory>
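The test.txt check described above can be automated so that it is run before `setssl` rather than after a failed issuance. The script below is an added example, not part of Centova Cast: it drops a randomly named token file into the challenge directory, fetches it over plain HTTP on port 80 (the only port the CA's validation uses), compares the body, and removes the file again whatever happens. The `fetch` parameter exists so the mapping logic can be tested without a network; the path and URI prefix are the ones from this article. When writing the alias, point it at the acme-challenges subdirectory only, never at its parent /usr/local/centovacast/etc/ssl/, so nothing else under that tree becomes reachable over HTTP.

```python
"""Check that http://<domain>/.well-known/acme-challenge/ serves files from
the Centova Cast challenge directory, the way the setssl tool expects.

Hypothetical check script, not part of Centova Cast.
"""
import secrets
import sys
import urllib.error
import urllib.request
from pathlib import Path
from typing import Callable, Optional

CHALLENGE_DIR = Path("/usr/local/centovacast/etc/ssl/acme-challenges")
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def challenge_url(domain: str, token: str) -> str:
    # Validation is plain HTTP on port 80; the CA never contacts port 2199 for it.
    return f"http://{domain}{CHALLENGE_PREFIX}{token}"


def http_fetch(url: str, timeout: float = 10.0) -> Optional[bytes]:
    """Fetch url; return the body, or None on any HTTP or network failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except (urllib.error.URLError, OSError):
        return None


def verify_challenge_path(domain: str,
                          challenge_dir: Path = CHALLENGE_DIR,
                          fetch: Callable[[str], Optional[bytes]] = http_fetch) -> bool:
    """Write a random token file, fetch it over HTTP, then clean up.

    Returns True only if the body served for the URL equals the file's
    contents, i.e. the web server maps the URI prefix onto challenge_dir.
    """
    token = secrets.token_urlsafe(32)            # ACME tokens are base64url as well
    expected = secrets.token_hex(16).encode()    # constructed file contents
    path = challenge_dir / token
    path.write_bytes(expected)
    try:
        body = fetch(challenge_url(domain, token))
    finally:
        path.unlink(missing_ok=True)             # never leave stray files behind
    return body == expected


if __name__ == "__main__":
    domain = sys.argv[1]
    ok = verify_challenge_path(domain)
    print("OK" if ok else "FAIL", challenge_url(domain, "<random-token>"))
    sys.exit(0 if ok else 1)
```

Run it on the Centova Cast server as a user that can write to the challenge directory, e.g. `python3 check_acme_path.py example.com`; a FAIL means the web server on port 80 is not serving that directory and `setssl letsencrypt` will fail with the same error the article mentions.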

Generating a "Let's Encrypt" SSL certificate

After configuring a web server on port 80 (per the previous sections), simply run the following command to request and install an SSL certificate for your domain of choice:

/usr/local/centovacast/sbin/setssl letsencrypt example.com

Replace example.com with an actual domain name that points to your Centova Cast server. If your server is configured correctly, the remainder of the SSL issuance process will be completely automatic. If you receive an error message directing you back to this knowledge base article, then your web service has not been configured correctly on port 80.

After the "Let's Encrypt" SSL certificate is installed, simply restart your web server to activate the new certificate as follows:

service centovacast restart

Then verify that you are able to visit https://example.com:2199 in your web browser (replacing example.com with your actual domain name) to access your secure Centova Cast web interface.

"Let's Encrypt" SSL certificates are valid for 90 days. Centova Cast's cron job will automatically renew the SSL certificate as needed to keep it up-to-date.
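Because renewal is left to a cron job, the practical check is whether the certificate actually served on port 2199 keeps getting refreshed. The script below is an added example, not part of Centova Cast: it opens a verified TLS connection to the panel, reads the certificate's `notAfter`, and reports the days remaining, flagging anything under 30 days (one third of the 90-day lifetime) as a sign that renewal is not happening and `setssl letsencrypt` should be re-run. The 30-day threshold is this script's own choice. A verification failure on connect means the panel is still serving an untrusted (for example self-signed) certificate.

```python
"""Report days until the certificate served on the Centova Cast port expires.

Hypothetical monitoring script, not part of Centova Cast. Run it from cron
or a monitoring host; an exit status of 1 means attention is needed.
"""
import socket
import ssl
import sys
import time
from typing import Optional, Tuple

PANEL_PORT = 2199      # Centova Cast's default HTTPS port
WARN_DAYS = 30.0       # Let's Encrypt certificates last 90 days; renew well before


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Convert a getpeercert() 'notAfter' string (e.g. 'Jan 10 00:00:00 2030 GMT')
    to the number of days remaining; negative means already expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


def fetch_not_after(host: str, port: int = PANEL_PORT, timeout: float = 10.0) -> str:
    """Open a TLS connection with full verification and return the leaf
    certificate's notAfter. Raises ssl.SSLCertVerificationError if the panel
    still serves a certificate that browsers would not trust."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check(host: str, warn_days: float = WARN_DAYS) -> Tuple[bool, float]:
    """Return (healthy, days_remaining) for the certificate on host:2199."""
    remaining = days_until_expiry(fetch_not_after(host))
    return remaining >= warn_days, remaining


if __name__ == "__main__":
    host = sys.argv[1]
    try:
        healthy, remaining = check(host)
    except ssl.SSLCertVerificationError as exc:
        print(f"{host}:{PANEL_PORT} certificate not trusted: {exc}")
        sys.exit(1)
    print(f"{host}:{PANEL_PORT} certificate expires in {remaining:.1f} days")
    sys.exit(0 if healthy else 1)
```

Usage: `python3 check_panel_cert.py example.com`, replacing example.com with your actual domain name.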