Letsencrypt Enabler for Monterey

Let’s Encrypt is a movement. It is a nonprofit Certificate Authority providing TLS certificates to over 225 million websites. These are first-class, standards-compliant digital certs, trusted by all major browsers and mail clients, and each one can cover up to 100 domain names (including sub-domains), for free.

So, imagine being able to immediately “issue” these certificates with just one click, and then use them with your websites (using WebMon) or mail servers (using MailServe), again with just one click. Now you can.

Introduction

This is the Letsencrypt Enabler window.

When you start up, you will have no certificates, of course. Letsencrypt Enabler installs everything needed to generate Let’s Encrypt certificates into /opt/homebrew-cutedge. The certificates it generates are saved under /etc/letsencrypt/live, one folder per primary domain (holding fullchain.pem, privkey.pem and the other files Certbot writes), where MailServe and WebMon can find them. privkey.pem is the private key: leave its root-only permissions alone and never copy it anywhere world-readable.

Letsencrypt Enabler for Monterey installs a pre-built (ARM or Intel) version of Certbot into the single folder /opt/homebrew-cutedge, which makes it very easy to un-install.

Creating your first certificate

Look for the + button near the top left of the window, and click on it. Enter your domain name. Then click OK. That’s it.

Option-click on the OK button to do a dry-run, which goes through the whole request with Let’s Encrypt without issuing a cert. The Console log will show whether the cert could be created or, if not, what the errors are. Do this first: dry-runs do not count against Let’s Encrypt’s issuance rate limits, while failed real attempts count against a separate failed-validation limit (5 per hostname per hour).

You can create any number of certs. 

Or, include several domains and sub-domains in one cert (up to 100 names, using the ADDITIONAL DOMAIN NAMES field); they become Subject Alternative Names on the cert.

WebMon and MailServe Note : In the latter case, all the Additional Domains you have in WebMon and MailServe, not just the primary domain, get the benefit of TLS (SSL), so long as every one of those additional names is listed in the ADDITIONAL DOMAIN NAMES field, above, and saved in the cert named after the primary domain. Before Let’s Encrypt, a multi-domain cert like this was either unavailable or came at much added expense.

Once a cert is created, you can use it with your mail and web servers. Both MailServe and WebMon have a radio button for turning on SSL/TLS using Let’s Encrypt certificates. The only requirement is that the Domain Name must “line up”, that is, stay consistent, across all three applications: the name you enter in WebMon or MailServe must be the primary domain the cert is named after.

When you see an error in the Console field while creating a cert

If you can’t create a Let’s Encrypt certificate, the usual culprit is the Domain Name System: every name in your request must resolve to the public address of the machine running Letsencrypt Enabler.

Certbot proves control of a domain with an HTTP-01 challenge: it starts its own small web server on port 80, and Let’s Encrypt’s validation servers connect inbound to it. That means port 80 on this Mac must be reachable from the Internet (check your router’s port forwarding and your firewall), and if you already have a web server listening on port 80, you need to shut it down temporarily so Certbot can use the port.

Let’s Encrypt’s server will try to fetch a challenge file from Certbot’s builtin web server, for each domain name you supplied in your cert request. If every fetch succeeds, it accepts that as proof that you control those domain names and the services on the machine they point to.

(WebMon user note : Letsencrypt Enabler shuts down the Apache server enabled by WebMon automatically. Then brings it up when it’s done.)
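A pre-flight check for the conditions just described, as an added example (Python, not code from Letsencrypt Enabler or Certbot): it resolves every requested name and compares the result with this machine’s public address, which you pass in yourself, and tests whether port 80 is already taken. The function names and the `occupy_port` demo helper are this example’s own. Run it before clicking OK and the two most common failure causes show up without spending a Let’s Encrypt validation attempt.

```python
"""Pre-flight checks for an HTTP-01 (standalone) certificate request.

Added example, not code from Letsencrypt Enabler or Certbot. It tests the
two things Let's Encrypt's validation needs: every requested name resolves
to this host's public address, and port 80 is free for Certbot's built-in
web server. The public address is supplied by the caller (assumption: you
know it, e.g. from your router or hosting panel).
"""
import errno
import socket
from typing import Callable, Iterable, List, Set

ACME_HTTP_PORT = 80  # HTTP-01 validation always arrives on port 80


def resolve_all(name: str) -> Set[str]:
    """Every IPv4/IPv6 address the name currently resolves to (empty if none)."""
    try:
        infos = socket.getaddrinfo(name, ACME_HTTP_PORT, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def port_in_use(port: int, host: str = "0.0.0.0") -> bool:
    """True if another process is already listening on host:port.

    We try to bind the port ourselves. EADDRINUSE means a server (e.g. the
    Apache that WebMon runs) holds it. EACCES only means we are not root,
    which says nothing about the port, so that case is re-raised rather
    than reported as free.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise
    return False


def occupy_port(host: str = "127.0.0.1") -> socket.socket:
    """Demo helper (this example's own): open a listening socket on an
    ephemeral port so the busy-port case can be exercised without a real
    web server. The caller closes it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s


def preflight(domains: Iterable[str], public_ips: Iterable[str],
              resolve: Callable[[str], Set[str]] = resolve_all,
              port_busy: Callable[[int], bool] = port_in_use) -> List[str]:
    """Return the problems that would make the request fail; [] means go ahead.

    `resolve` and `port_busy` are injectable so the logic can be exercised
    offline with canned answers.
    """
    public = set(public_ips)
    problems = []
    for name in domains:
        addrs = resolve(name)
        if not addrs:
            problems.append(f"{name}: no DNS A/AAAA record")
        elif not addrs & public:
            problems.append(f"{name}: resolves to {sorted(addrs)}, "
                            f"not to this host {sorted(public)}")
    if port_busy(ACME_HTTP_PORT):
        problems.append(f"port {ACME_HTTP_PORT} is in use: stop the web server "
                        "before requesting the cert")
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: preflight.py PUBLIC_IP DOMAIN [DOMAIN...]")
    issues = preflight(sys.argv[2:], [sys.argv[1]])
    print("\n".join(issues) or "OK: ready to request the cert")
```

Note that a passing check is necessary, not sufficient: the validation request comes from Let’s Encrypt’s network, so a router that does not forward port 80 will still fail even though the local bind succeeds.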

If all these line up, you’ll have the pleasure of seeing your first free, first class, digital cert being created.

Automated Cert Renewals

There is a pain to using Let’s Encrypt certificates: they are valid for only 90 days. Let’s Encrypt recommends renewing at the 60-day mark, 30 days before expiry, and most users do.

Letsencrypt Enabler makes the renewal process painless. Under the Auto-Renewal column, click the Start Job button to start a periodic job that talks to Let’s Encrypt’s servers at the specified interval. The default renewal interval is 60 days.

You can change the Renewal Interval in Letsencrypt Enabler. To test that automated renewal works, choose a short one, say two hours or one day, set it, and quit the app; the job keeps running in the background. Mind the rate-limit note below, and switch back to 60 days once you have seen a test renewal succeed. After that, just set and forget.

NOTE : Let’s Encrypt enforces a Duplicate Certificate rate limit of 5 certificates per week for the same exact set of domain names. Exceed it and further issuance for that set of names fails until the 7-day window rolls over. Dry-runs use Let’s Encrypt’s staging environment and do not count against this limit, but every real test renewal does.

Use the website https://crt.sh (a public search over the Certificate Transparency logs that Let’s Encrypt submits every cert to) to check that your cert has been renewed: search for your domain and look for a fresh entry with a new Not Before date.

Letsencrypt Enabler’s periodic job will also tell WebMon and MailServe to automatically restart your web and mail servers to make use of the renewed certs.

NOTE : Setting a Renewal Interval does not mean the renewal job runs exactly at the time shown in the Renewal Date field. For Renewal Intervals of less than a day, the periodic job runs every hour; for intervals of a day or more, it runs only twice a day. Each time it runs, it checks whether the current time is past the stated Renewal Date & Time. If it is, it renews the current cert and restarts the web and mail servers (if they are set up by my other Enabler apps) so they pick up the new cert.

Each renewal, of course, pushes the cert’s Expiry Date out to 90 days from now and the Renewal Date out by one Renewal Interval. Once you’re sure everything is working correctly, set the Renewal Interval to 60 days and quit the app. The periodic job will keep on running until you revoke and delete the cert or un-install Letsencrypt Enabler.
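The renewal arithmetic described in the two notes above, and its interaction with the 5-per-week rate limit, as an added example (Python, not Letsencrypt Enabler’s code). It models the rules the page states: 90-day validity, renewal date = issue time + Renewal Interval, a job that wakes hourly for intervals under a day and twice daily otherwise, and renews on the first wake-up past the renewal date. `ISSUED` is a constructed sample timestamp; the function names are this example’s own.

```python
"""Renewal-date arithmetic for Let's Encrypt certs, as the page describes it.

Added example, not Letsencrypt Enabler's code. Rules modelled:
  - certs are valid 90 days;
  - the Renewal Date is the issue time plus the Renewal Interval;
  - the periodic job wakes hourly for intervals under one day, twice daily
    otherwise, and renews on the first wake-up past the Renewal Date;
  - Let's Encrypt allows at most 5 certs per rolling 7 days for the same
    exact set of names (the Duplicate Certificate limit).
"""
from datetime import datetime, timedelta
from typing import List

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)
VALIDITY = 90 * DAY                   # Let's Encrypt certificate lifetime
DUPLICATE_LIMIT = 5                   # duplicate certs per rolling window
DUPLICATE_WINDOW = 7 * DAY
ISSUED = datetime(2022, 6, 15, 0, 0)  # constructed sample issue time


def job_cadence(interval: timedelta) -> timedelta:
    """How often the periodic job wakes: hourly below one day, twice daily from one day up."""
    return HOUR if interval < DAY else 12 * HOUR


def expiry(issued: datetime) -> datetime:
    return issued + VALIDITY


def renewal_date(issued: datetime, interval: timedelta) -> datetime:
    return issued + interval


def renewal_run(issued: datetime, interval: timedelta) -> datetime:
    """The wake-up at which renewal actually happens: the first run, counted
    from the issue time, whose time is strictly past the Renewal Date.
    This is why the job never fires exactly on the Renewal Date shown."""
    due = renewal_date(issued, interval)
    cadence = job_cadence(interval)
    t = issued
    while t <= due:
        t += cadence
    return t


def simulate(issued: datetime, interval: timedelta, horizon: timedelta) -> List[datetime]:
    """Issue times over the horizon (initial creation included), assuming every
    renewal succeeds and the renewed cert's clock starts at the run time."""
    times = [issued]
    while True:
        nxt = renewal_run(times[-1], interval)
        if nxt - issued > horizon:
            return times
        times.append(nxt)


def exceeds_duplicate_limit(issue_times: List[datetime]) -> bool:
    """True if any rolling 7-day window holds more than DUPLICATE_LIMIT issuances."""
    ts = sorted(issue_times)
    for i, start in enumerate(ts):
        in_window = sum(1 for t in ts[i:] if t - start < DUPLICATE_WINDOW)
        if in_window > DUPLICATE_LIMIT:
            return True
    return False


if __name__ == "__main__":
    for label, iv in (("2 hours", 2 * HOUR), ("1 day", DAY), ("60 days", 60 * DAY)):
        runs = simulate(ISSUED, iv, 7 * DAY)
        verdict = "OVER" if exceeds_duplicate_limit(runs) else "within"
        print(f"{label:>8}: first renewal at {renewal_run(ISSUED, iv)}, "
              f"{len(runs) - 1} renewals in a week, {verdict} the 5/week limit")
```

A two-hour interval renews every three hours, not every two, because the hourly job only fires on the first wake-up past the due time; left running for a week it would issue over fifty certs for the same names and hit the limit within the first day, which is the reason for setting the interval back to 60 days as soon as one test renewal has gone through.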

Updating the Letsencrypt Cert with a new set of domains

If you double-click on a cert record in the Managed Certificates table view, it opens a dialog box where you can change the additional domain names included with this cert. Remember, you can use this cert wherever these domain names are used, with the proviso that ALL these domain names must point to the server you are running Letsencrypt Enabler on, since every name in the cert has to pass Let’s Encrypt’s validation when the cert is re-issued.

Option-click on the OK button to do a dry-run.

Revoking the Letsencrypt Cert

To Revoke a Cert, click the Revoke button (the - sign button under the Managed Certificates table view). Note the alert in the dialog box. There is no dry-run for this action. Clicking OK revokes the cert with Let’s Encrypt and deletes it from your system. Revocation is permanent and public: the cert is marked revoked, so any server still presenting it will show errors. Make sure WebMon and MailServe are no longer using it before you revoke.

De-Installing Letsencrypt Enabler

You can un-install Letsencrypt Enabler by using the last menu item in the Help menu. It will shut down the Letsencrypt Enabler daemon, if it is running, and remove all files installed by Letsencrypt Enabler (in /opt/homebrew-cutedge). It will also revoke and remove all the certificates, if any, in /etc/letsencrypt/live.

Enjoy!

Release Log

3.0 November 3rd 2021. Letsencrypt Enabler for Monterey released. For version history prior to Monterey, check out the web pages for earlier versions of Letsencrypt Enabler. 

3.0.1 November 8th 2021. The Homebrew folder that Letsencrypt Enabler places in /opt/homebrew-cutedge now also includes PHP, for use with macOS Apache and WebMon.

3.0.2 November 15th 2021. There was a problem with the PHP build in /opt/homebrew-cutedge. WebMon users who need PHP should use this 3.0.2 version of Letsencrypt Enabler as it contains the corrected PHP module. It requires a de-install from the Help menu.

3.0.3 May 31st 2022. Added a Scripts button (below, new button, far right) for the user to add or edit shell scripts that will be run before or after a Letsencrypt cert renewal session.

3.0.4 June 15th 2022. There was a bug: the before and after scripts ran for a cert renewal job but not for the actual cert creation process. This version fixes it. The before and after scripts are guaranteed to run for the initial cert creation process, for any “forced” cert re-creation process, and for all the auto-renewal jobs.

Download

Letsencrypt Enabler for Monterey

The latest version is 3.0.4

It contains separate Certbot binaries, one for Intel and one for ARM (Apple silicon) Macs.

Please check out the Release Log

Contact
Bernard Teo