It provides a cleaner, more sustainable and more extensible implementation than what is currently offered by Aegir SSL within Aegir core, and does not require workarounds such as hosting_le.
- Aegir 3.9+, or the patch from the issue "Remove 'node_access' check from default hosting_get_servers() calls". See the issue "hosting_certificate_prevent_orphaned_services() causing recursive/loop cache rebuild" for details.
- Clean up old SSL usage:
- Check that the hostmaster site (e.g. at /hosting/c/hostmaster) is not set to Encryption: Required, to avoid locking yourself out.
- Edit the server nodes (e.g. /hosting/c/server_master) so that they no longer use an SSL service.
- Disable any SSL modules (including hosting_le) you may have already enabled.
- Switch to the directory where you wish to install the module.
- cd /var/aegir/hostmaster-7.x-3.x/sites/aegir.example.com/modules/contrib
- Download this module. The download also pulls in the required PHP library.
- Surf to Administration » Hosting » Experimental » Aegir HTTPS.
- Enable at least one certificate service (e.g. Let's Encrypt or Self-signed).
- Enable at least one Web server service (e.g. Apache HTTPS or Nginx HTTPS).
- Save the configuration.
- Surf to the Servers tab.
- Click on the Web server where you'd like HTTPS enabled.
- Click on the Edit tab.
- Under Certificate, choose your desired certificate service (and set any of its additional configuration).
- Under Web, choose the HTTPS option for your Web server (and set any of its additional configuration).
- Hit the Save button.
- Ensure that there is a DNS entry for the site you would like HTTPS enabled on, resolving to your Aegir server (unless a wildcard entry already covers it).
- Run a Verify task on the site if that has not been done since the server was configured in the steps above. This ensures that the site can respond to the certificate authority's challenge.
- Edit the site.
- In the HTTPS Settings section, choose either Enabled or Required.
- Save the form.
- Repeat these steps for any other sites for which you'd like to enable HTTPS.
Certificate renewal for the Let's Encrypt certificate service should happen automatically via the Let's Encrypt queue, which runs a Verify task on each site every week; site verification is where certificates get renewed if needed. The seven-day default was chosen to match the CA's rate limits.
See the issue queue.
If certificate generation fails, check the logs of the Aegir 'Verify' task for details.
Test the challenge directory
Create a test file, e.g. index.html, in /var/aegir/config/letsencrypt.d/well-known/acme-challenge/ and check that you can fetch it over plain HTTP via http://www.example.com/.well-known/acme-challenge/index.html
If the request is redirected to an https:// URL, the challenge can fail when the certificate served there is invalid or expired. Remove such redirects, at least for the /.well-known/acme-challenge/ path.
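The check above, scripted so it can be repeated for every site, as an added example that is not part of this module's README or code. It assumes the challenge directory named in the step above, a hostname passed as the first argument, and curl on the Aegir server; the throwaway file name and token are constructed for the probe. It fetches without following redirects so that an HTTP-to-HTTPS redirect is reported rather than silently followed, and compares the returned body with the token it wrote, which is what the CA's HTTP-01 validation does with a real challenge.

```shell
#!/bin/sh
# Added example (not from the Aegir HTTPS module): probe the ACME HTTP-01
# challenge path the way the CA will, without following redirects.
# Assumptions: CHALLENGE_DIR is the directory Aegir HTTPS serves for
# /.well-known/acme-challenge/, the host is $1, and curl is available.
set -eu

CHALLENGE_DIR=/var/aegir/config/letsencrypt.d/well-known/acme-challenge

# Classify one probe from its HTTP status and (if any) redirect target.
# Prints one of: ok, redirect-https, redirect, fail.
classify_probe() {
    status=$1
    location=${2:-}
    case "$status" in
        200) echo ok ;;
        301|302|303|307|308)
            case "$location" in
                https://*) echo redirect-https ;;
                *)         echo redirect ;;
            esac ;;
        *) echo fail ;;
    esac
}

# Fetch a URL without following redirects; print "<status> <redirect_url>".
# On a connection failure curl still prints the -w line with status 000.
probe_url() {
    curl -sS -o /dev/null --max-time 15 \
         -w '%{http_code} %{redirect_url}\n' "$1" || true
}

# Compare the body served with the token we wrote; prints ok or mismatch.
check_body() {
    url=$1
    expected=$2
    body=$(curl -sS --max-time 15 "$url" || true)
    if [ "$body" = "$expected" ]; then echo ok; else echo mismatch; fi
}

main() {
    host=$1
    # Throwaway name and token (constructed), so the probe cannot collide
    # with a real challenge the ACME client may be serving at the same time.
    name=aegir-https-probe-$$
    token=$(date +%s)-$$
    mkdir -p "$CHALLENGE_DIR"
    printf '%s' "$token" > "$CHALLENGE_DIR/$name"
    url="http://$host/.well-known/acme-challenge/$name"

    set -- $(probe_url "$url")
    verdict=$(classify_probe "${1:-000}" "${2:-}")
    echo "probe $url -> status ${1:-000} ${2:-} ($verdict)"
    case "$verdict" in
        ok)
            echo "body: $(check_body "$url" "$token")" ;;
        redirect-https)
            echo "HTTP -> HTTPS redirect in place: the challenge would be fetched over HTTPS,"
            echo "which is a problem while the certificate there is invalid or expired."
            echo "Exempt /.well-known/acme-challenge/ from the redirect." ;;
        redirect)
            echo "Redirected elsewhere; the challenge file must be served by this host." ;;
        fail)
            echo "Not reachable over plain HTTP; check DNS, firewall and the vhost config." ;;
    esac
    rm -f "$CHALLENGE_DIR/$name"
}

# Usage: sh probe-challenge.sh www.example.com
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as the aegir user so it can write into the challenge directory; a verdict of ok with body: ok means the CA can reach and read the file, while redirect-https points at exactly the redirect problem described above.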