The Snapt Aria Lets Encrypt v2 plugin allows you to issue and manage Let’s Encrypt certificates directly from the Snapt Aria UI.
Install the plugin
Navigate to Setup > Modules & Plugins > Add Plugins > Misc > Lets Encrypt v2 and click the install button.
Accept the Terms and Conditions
Once installed, navigate to Setup > Let’s Encrypt v2 > Config.
If a previous version of the plugin is currently installed, there will be a banner at the top of the config page with the option to migrate the domain list from the older version of the plugin. It is highly advisable to review the Snapt Aria Lets Encrypt plugin migration guide for further instructions and important information relating to the migration process.
If the Lets Encrypt 2 plugin is the first version installed, you simply need to accept the terms and conditions, fill in your email address, then click “Save”. This only needs to be filled in once.
Adding your domain
Navigate to Setup > Lets Encrypt 2 > Certificates and click on the “Add Domain” tab.
Fill in the fully qualified domain name (FQDN) for the certificate you want to create and the type of verification. The following options are available:
- Provisioning a DNS subdomain TXT record
- Provisioning an HTTP resource under a well-known URI on http://example.com/
Verification requires either adding a TXT record in your domain management or placing a file containing a verification code on your web server, where Let’s Encrypt can access it to verify domain ownership.
SAN and Wildcard domain support
The Snapt Aria Lets Encrypt 2 plugin supports obtaining SAN and wildcard certificates in addition to single domain certificates. Please note that DNS verification is mandatory for certificate requests including wildcard domains.
Once you save, the details of the verification needed to activate the certificate are available on the Snapt Aria Lets Encrypt 2 “View Domains” page.
DNS TXT Verification
This verification method can be used for FQDN as well as wildcard hostnames.
Click to download a file with the verification code that needs to be added as a DNS TXT entry.
For instance, you can go to your domain management and add a TXT entry with the name _acme-challenge.*.unicorn-startup.nova-destinations.com and the verification code in the value field.
Once saved and propagated you can use dig from the terminal to see if you receive an answer. For instance:
dig -t txt '_acme-challenge.*.unicorn-startup.nova-destinations.com'
You should receive a response similar to this:
;; ANSWER SECTION:
_acme-challenge.*.unicorn-startup.nova-destinations.com. 600 IN TXT "oYUahZTmiI51nOE4gNgZA5CMSVOiUavMEvuxw6i0-7c"
This will indicate that the verification code can be seen by the Lets Encrypt ACME infrastructure for verification.
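An added example, not part of the original guide or of Snapt's own code: a shell pre-flight that reads dig answer lines and confirms the verification code is among the TXT values published for the record name, telling a missing record apart from a stale or mistyped one. The function names txt_values and check_txt and the exit-code convention are assumptions made for this example; the sample answer is constructed from the record shown above.

```shell
#!/bin/sh
# Added example: pre-flight check of a DNS TXT verification record.
# Function names and exit codes are illustrative assumptions.

# txt_values NAME
# Reads dig answer lines on stdin; prints each TXT string published for NAME.
txt_values() {
    awk -v want="${1%.}." '
        tolower($1) == tolower(want) && $3 == "IN" && $4 == "TXT" {
            v = ""
            for (i = 5; i <= NF; i++) v = v $i   # rejoin strings dig split up
            gsub(/"/, "", v)
            print v
        }'
}

# check_txt NAME CODE   (dig answer lines on stdin)
# 0 = CODE is published
# 1 = no TXT record seen for NAME (not created, or not yet propagated)
# 2 = TXT records exist but none match (stale or mistyped value)
# 3 = CODE is not 43 base64url characters, the shape of an ACME dns-01 value
check_txt() {
    case "$2" in *[!A-Za-z0-9_-]*) return 3 ;; esac
    [ "${#2}" -eq 43 ] || return 3
    found=$(txt_values "$1") || return 1
    [ -n "$found" ] || return 1
    printf '%s\n' "$found" | grep -Fxq -- "$2" && return 0
    return 2
}

# Constructed sample answer, using the record from the text above.
SAMPLE='_acme-challenge.*.unicorn-startup.nova-destinations.com. 600 IN TXT "oYUahZTmiI51nOE4gNgZA5CMSVOiUavMEvuxw6i0-7c"'

# Live use against your resolver (needs network); $code is the value
# from the downloaded verification file:
#   n='_acme-challenge.*.unicorn-startup.nova-destinations.com'
#   dig +noall +answer -t txt "$n" | check_txt "$n" "$code"
```

Exit status 2 is the case worth watching for renewals: a TXT record is present, so a quick look at the dig output seems fine, but its value is left over from an earlier request.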
For HTTP verification, click on the download button to obtain the verification file that has to be added to the document root folder of your website. From the document root, create the folders .well-known/acme-challenge and place the downloaded verification file there.
To confirm that the file resource is accessible, try to navigate to that location from a browser, e.g. http://test.unicorn-startup.nova-destinations.com/.well-known/acme-challenge/L1t9d2xoVHd3CGK-Zh5sZdW_GeaCXoYB2I3653hREEE
Load Balancer or Web Accelerator Verification
If you already have a load balancer frontend/group or web accelerator frontend configured on Snapt Aria you can also opt for the load balancer or web accelerator verification method. Snapt Aria will make a slight change to your config, but no service disruptions will occur.
We’ll simply place the verification file on the Snapt Aria box, and intercept the Let’s Encrypt inbound traffic to the verification file on Snapt Aria. Using this method, you don’t need to manually create and place the file on your backend server.
Load Balancer Method
Select the group that is able to accept HTTP traffic from the Internet on port 80 (or 443, in the case of HTTPS verification) by clicking on “Click to enable”.
Web Accelerator Method
The same process is followed on the web accelerator side as with the load balancer verification. This is an alternative to the load balancer verification method.
Before verification, you can test access to the verification code by clicking on the play button next to the download button. If the test fails, please ensure that the verification requirements are set up as per step 4 above. Once the test succeeds, click on Verify to initiate the Let’s Encrypt domain ownership/control verification process and certificate generation.
Once the request has been verified, the certificate, key and other intermediate certificates are obtained.
These can then be synced, in the appropriate formats required by the balancer and accelerator, to the Snapt One certificate storage location by clicking on the Resync button.
The certificate, key and intermediate certificates can also be downloaded for use on other systems or for backup purposes by clicking on the Backup button.
Lets Encrypt Certificate Auto-Renewal
The Snapt One LetsEncrypt 2 plugin also provides auto-renewal, which obtains, periodically tests and automatically renews certificates for added domains whose verification method, DNS or HTTP(S), has been properly provisioned.
The Snapt One balancer or acceleration verification method can be used to enable the auto-renewal process for HTTP/HTTPS verification.
For DNS verification, keep the relevant TXT entries in place and accessible so that the Let’s Encrypt ACME infrastructure can verify domain ownership whenever a certificate comes up for renewal.
Additional configuration options include enabling HTTPS verification and timeout for certificate generation. These are located at Setup > Let’s Encrypt 2 > Config under the Auto-Renewal tab.