How can I use the "Let's Encrypt" certificate authority with Centova Cast?

Question:

How can I use the "Let's Encrypt" certificate authority (letsencrypt.org) to install a free, trusted SSL certificate in Centova Cast?

Answer:

You must be using Centova Cast v3.2.6 or greater to use letsencrypt.org with Centova Cast.

letsencrypt.org is a certificate authority that provides completely free SSL certificates that are trusted by all major browsers. Unlike self-signed certificates, they do not generate security warnings when visitors access your web site.

Centova Cast fully supports the use of SSL certificates from letsencrypt.org, and can automatically generate and renew such certificates once configured to do so.

Quick Setup

If no other web server is running on the same server as Centova Cast, you can configure Centova Cast to listen on ports 80 and 443, enable SSL, configure your server for letsencrypt.org, and enable the SSL/TLS stream proxy all in a single step by running:

/usr/local/centovacast/sbin/set_secure --fqdn=yourdomain.com --email=you@example.com

Replace yourdomain.com with the fully-qualified domain name that you want to use with Centova Cast, and replace you@example.com with the email address that you want to use to register with letsencrypt.org.

In most cases, this is all you need to do; your server will now be available over SSL/TLS (https://) and your letsencrypt.org certificate will be renewed automatically by Centova Cast as needed.

More information about the set_secure command is available in this article.

Advanced Setup

For security reasons, letsencrypt.org's validation system requires that you configure a web server on port 80 to serve up a set of validation files to prove that you own the domain.

There are two ways to accomplish this:

  1. You may configure Centova Cast to use port 80 (instead of, or in addition to, port 2199.)
  2. You may configure another web server to run on port 80 and serve the necessary files.

The sections below describe these two options in detail.

Configuring Centova Cast for Port 80

This is by far the easiest method, but is only possible if no other web server is installed on the same server as Centova Cast.

Typically this can be accomplished simply by running:

/usr/local/centovacast/sbin/set_web_ports --fqdn=yourdomain.com
systemctl restart centovacast

Replace yourdomain.com with the fully-qualified domain name that you want to use with Centova Cast, and skip to the letsencrypt.org configuration section below.

If you are an advanced administrator and need to make this change manually instead, edit /usr/local/centovacast/etc/cc-panel.conf (or, for slave or "control daemon-only" servers, /usr/local/centovacast/etc/cc-content-local.conf) and locate the line that says:

listen 2199 default ssl;

Add the following below the above line (do NOT remove or replace the above line):

listen 80;
listen 443 ssl;

Save your changes, and run systemctl restart centovacast to restart Centova Cast. If all went well, Centova Cast should now be listening on port 80 and you should be able to proceed with configuring a letsencrypt.org certificate.

Configuring Another Web Server to Serve the Files

If another web server is using port 80 on the same server as Centova Cast, you will need to use this method.

This method depends upon your knowledge of the other web server you are using; you must be familiar enough with your web server of choice to configure it appropriately. Centova Technologies cannot provide support or assistance with any changes to your web server's configuration.

To allow letsencrypt.org to validate your domain ownership, you must configure your web server such that any requests for files under the following URI (replacing example.com with your own domain name):

http://example.com/.well-known/acme-challenge/

...are configured to serve files from the following directory:

/usr/local/centovacast/etc/ssl/acme-challenges/

So for example, if you create a file called /usr/local/centovacast/etc/ssl/acme-challenges/test.txt, you should be able to visit http://example.com/.well-known/acme-challenge/test.txt in your browser and see the contents of the test.txt file.

A few example configurations are provided below. Please note, however, that differences in your web server configuration may require additional settings not mentioned here.

Example: nginx

location /.well-known/acme-challenge {
    alias /usr/local/centovacast/etc/ssl/acme-challenges;
}

Example: Apache

Alias /.well-known/acme-challenge /usr/local/centovacast/etc/ssl/acme-challenges
<Directory /usr/local/centovacast/etc/ssl/acme-challenges>
Options None
AllowOverride None

# Apache 2.x
<IfModule !mod_authz_core.c>
Order allow,deny
Allow from all
</IfModule>

# Apache 2.4
<IfModule mod_authz_core.c>
Require all granted
</IfModule>
</Directory>

Generating a letsencrypt.org SSL certificate

After configuring a web server on port 80 (per the previous sections), simply run the following command to request and install an SSL certificate for your domain of choice:

/usr/local/centovacast/sbin/set_ssl_cert letsencrypt yourdomain.com you@example.com

Replace yourdomain.com with the fully-qualified domain name that you want to use with Centova Cast, and replace you@example.com with the email address that you want to use to register with letsencrypt.org.

If you receive an error message directing you back to this knowledge base article, then your web service has not been configured correctly on port 80 (see the previous section).

After the letsencrypt.org SSL certificate is installed, simply restart your web server to activate the new certificate as follows:

systemctl restart centovacast

Then verify that you are able to visit https://example.com in your web browser (replacing example.com with your actual domain name) to access your secure Centova Cast web interface.

letsencrypt.org SSL certificates are valid for 90 days. Centova Cast's cron job will automatically renew the SSL certificate as needed to keep it up-to-date.