Letsencrypt Enabler for Big Sur

Let’s Encrypt is a movement. According to its website, it is a nonprofit Certificate Authority providing TLS certificates to over 225 million websites. These are first-class digital certs that can be used for any number of domains and sub-domains, for free.

So, imagine being able to immediately “issue” these certificates, with just one click, and use them with your websites (using WebMon) or mail servers (using MailServe) — again, with just one click. Now you can. Letsencrypt Enabler will also automatically renew these certificates at the end of their validity period (90 days) and, if you’re using WebMon and MailServe, restart your web and mail servers so they pick up the renewed certs.

Introduction

This is the Letsencrypt Enabler window.

When you start up, you will have no certificates, of course. Letsencrypt Enabler installs everything you need to generate Let’s Encrypt certificates into /opt/homebrew-cutedge. The certificates that are generated are saved into /etc/letsencrypt/live, where MailServe and WebMon can find them.

NOTE : unlike earlier versions of Letsencrypt Enabler, which required you to install Xcode Command Line Tools, Homebrew and Let’s Encrypt’s Certbot separately (and very slowly, by clicking three buttons, with the end result spread out all over /usr/local), version 2.0.2 for Big Sur onwards installs a pre-built (ARM or Intel) version of Certbot into the single folder /opt/homebrew-cutedge, which makes it very easy to un-install.

Creating your first certificate

Look for the + button near the top left of the window, and click on it. Enter your domain name. Then click OK. That’s it.

You can create any number of certs. Or include any number of domains and sub-domains in one cert (use the ADDITIONAL DOMAIN NAMES field). 

Once these are created, you can use them with your mail and web servers. Both MailServe and WebMon have a radio button for turning on SSL using Let’s Encrypt certificates. The only requirement is that the Domain Name must “line up”, i.e. remain consistent, across all three applications.

When you see an error in the Console field while creating a cert

If you can’t create a Let’s Encrypt certificate, there are two likely causes, one of which is the Domain Name System.

Let’s Encrypt’s Certbot communicates with its parent servers using port 80. So, if you have a web server running, you need to shut it down temporarily for Certbot to do its job. Letsencrypt Enabler shuts down the Apache server enabled by WebMon automatically, and brings it up again when it’s done.

Secondly, the Let’s Encrypt servers need to reach your server and ascertain that you actually control it. They do that by communicating with a mini web server that Certbot sets up on your machine’s port 80. You couldn’t operate this mini web server unless you had physical control over the machine, so Let’s Encrypt accepts that as proof that you have the authority to request a digital cert for that domain and machine.

So, Let’s Encrypt’s servers must be able to reach your server machine purely via its domain name. For that to happen, you need to make sure that your domain name, say monsoonbrew.com, does point to the public IP address your server sits behind. Just as important, if your server machine sits behind a router, the port mapping must work correctly to bring all incoming data on port 80 to your server machine at its local IP address.

The easiest way to do all this is to place your server in your router’s DMZ: enter your server’s local private IP address as the DMZ’s IP address. Look for the DMZ function in your router’s setup panel. Bear in mind that the DMZ passes every incoming port through to your server, whereas a port mapping for port 80 alone lets in only what Certbot needs.

Also, the easiest way to test that your DNS is set up correctly is to turn on your machine’s web server and try to access it via a browser over the open Internet. If you can find your server via its publicly known Domain Name, Let’s Encrypt’s servers will, too.

If all these line up, you’ll have the pleasure of seeing your first free, first-class digital cert being created.

Automated Cert Renewals

There is one pain to using Let’s Encrypt certificates — they have very short validity periods. Most users renew them at the 60-day mark.

Letsencrypt Enabler makes the renewal process painless. You can set a renewal interval in Letsencrypt Enabler. Choose a smaller one, say two hours, or one day, to test that the automated cert renewal works. 

You can choose an Interval setting and then quit the app. Letsencrypt Enabler installs a job that will talk to Let’s Encrypt’s servers at the specified date. Just set and forget.

NOTE : Let’s Encrypt has a hard limit of 5 renewals allowed each week. Don’t cross it, or your domain will be temporarily banned from making renewals.

Use the website https://crt.sh to check if your cert has been successfully renewed.

NOTE : Letsencrypt Enabler’s periodic job will also tell WebMon and MailServe to automatically reboot your web and mail servers to make use of the renewed certs.

FINAL NOTE : If you set a Renewal Interval, it doesn’t mean that the renewal job will run exactly at the time stated in the Renewal Date field. For Renewal Intervals of less than a day, the periodic job is set to run every hour; for Renewal Intervals of a day or more, it runs only twice a day. Each time it runs, it checks whether the current time is later than the stated Renewal Date & Time. If it is, it renews the current cert and reboots the web and mail servers (if they’re set up by my other Enabler apps) so they use the new cert. This, of course, pushes the Renewal Date forward by one Renewal Interval. Once you’re sure everything is working correctly, set the Renewal Interval to 60 days and quit the app. The periodic job will keep on running until you delete the cert (the - sign button) or un-install Letsencrypt Enabler.
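The scheduling rules in the FINAL NOTE, and the 5-per-week limit above, modelled as an added example (this is not the app’s own code). It takes the hourly / twice-daily polling and the “renew on the first run after the Renewal Date” rule from the page, and assumes (which the page does not state) that a renewal sets the next Renewal Date to the renewal time plus the Renewal Interval; the simulation then shows how many renewals a given test interval would trigger in a week.

```python
"""Added model of the Letsencrypt Enabler renewal scheduler (not the app's code).
From the FINAL NOTE: intervals under a day are polled hourly, longer ones twice a
day, and renewal happens on the first poll strictly after the Renewal Date. We
also assume (not stated) that a renewal sets the next date to now + interval."""
from datetime import datetime, timedelta

WEEKLY_RENEWAL_LIMIT = 5  # Let's Encrypt limit quoted on the page
HOUR = timedelta(hours=1)
DAY = timedelta(days=1)


def poll_period(interval):
    """How often the periodic job wakes up for a given Renewal Interval."""
    return HOUR if interval < DAY else timedelta(hours=12)


def run_job(now, renewal_date, interval):
    """One wake-up of the job: returns (renewed, new_renewal_date).
    Renewal lags the stated date by up to one poll period."""
    if now > renewal_date:
        return True, now + interval  # assumption: next date counts from now
    return False, renewal_date


def simulate(interval, horizon=timedelta(days=7), start=datetime(2020, 11, 20)):
    """Replay the job from `start` for `horizon`; return the renewal times."""
    period = poll_period(interval)
    renewal_date = start + interval
    renewals, now = [], start
    while now < start + horizon:
        renewed, renewal_date = run_job(now, renewal_date, interval)
        if renewed:
            renewals.append(now)
        now += period
    return renewals


def exceeds_weekly_limit(interval):
    """Would leaving this interval set for a whole week break the 5/week limit?"""
    return len(simulate(interval)) > WEEKLY_RENEWAL_LIMIT


if __name__ == "__main__":
    for label, iv in (("two hours", 2 * HOUR), ("one day", DAY), ("60 days", 60 * DAY)):
        print(f"{label:>9}: {len(simulate(iv))} renewals in a week, "
              f"over limit: {exceeds_weekly_limit(iv)}")
```

A two-hour test interval left running would renew dozens of times in a week, which is why the page says to switch back to 60 days once the test has worked; with a 60-day interval the actual renewal lands 12 hours after the stated date, the lag the FINAL NOTE describes.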

De-Installing Letsencrypt Enabler

You can un-install Letsencrypt Enabler by using the last menu item in the Help menu. It will shut down the Letsencrypt Enabler daemon, if it is running, and remove all files installed by Letsencrypt Enabler (in /opt/homebrew-cutedge). It will also revoke and remove all the certificates, if any, in /etc/letsencrypt/live.

Enjoy!

Release Log

2.0.2 November 20th 2020. This is the first version to include a pre-built /opt/homebrew-cutedge folder (in ARM or Intel versions, as appropriate to the running machine). There are symlinks from /usr/local/bin to brew and certbot in /opt/homebrew-cutedge, to keep compatibility with earlier versions of Letsencrypt Enabler, but version 2.0.2 of Letsencrypt Enabler does not use the symlinks at all, so Letsencrypt Enabler’s use of Homebrew will have no impact on existing usage.

Note : to uninstall the version of Homebrew installed by earlier versions of Letsencrypt Enabler in /usr/local, do this in Terminal :

sudo /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/uninstall.sh)"

Note : finally, earlier versions of Letsencrypt Enabler before 2.0.2 don’t uninstall well. I have a bug that will hang the De-Install process. Just force-quit the app. The app had done the de-install correctly. It just hung on quit. This has been solved in 2.0.2.

2.0.3 November 21st 2020. Updated to work in Dark Mode.

Download

Letsencrypt Enabler for Big Sur

The latest version is 2.0.3

This is a Universal “fat binary”, which will install Homebrew and Letsencrypt Certbot in /opt/homebrew-cutedge in either ARM or Intel versions.

Please check out the Release Log.


Contact
Bernard Teo