Setting Up Let’s Encrypt with VestaCP on Digital Ocean

Ok, I’ll be totally honest here. I’m writing this post mostly for myself: I need an easy place to keep these instructions for setting up new SSL certificates. If they help you, that’s awesome. If not, hopefully there’s another post here that you can learn from.

Installing Let’s Encrypt

First step: install the Let’s Encrypt tool on your server. SSH into your server, cd to the root dir (where you probably landed as soon as you SSHed in), and run these commands:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

This will take time to install a bunch of packages, then give you a success message. You should only do these steps once. Every time you want to secure another domain on your VestaCP account, follow the next section.

Adding Let’s Encrypt Certificates

In all of these commands, replace DOMAIN_GOES_HERE with the domain you want to secure and YOUR_VESTA_USERNAME with your VestaCP username.

Installing the Certificate

The following command will create the necessary certificates. You should still be in the /letsencrypt/ directory where you ran the last command above. When you run this command, the UI will ask you for an email address to use for this certificate and to agree to the Terms of Service.

./letsencrypt-auto certonly -a webroot --renew-by-default --webroot-path /home/YOUR_VESTA_USERNAME/web/DOMAIN_GOES_HERE/public_html -d DOMAIN_GOES_HERE

That command created several files on your server. You’ll need to copy the contents of those files to your VestaCP admin page for that domain. In Vesta, edit the domain, check the button for “SSL Support” – you’ll then see three new fields.

Copying Cert Files to VestaCP

To view those files’ contents, run the following commands, then copy the file contents to the appropriate field:

cat /etc/letsencrypt/live/DOMAIN_GOES_HERE/cert.pem

^ Copy contents into “SSL Certificate” field.

cat /etc/letsencrypt/live/DOMAIN_GOES_HERE/privkey.pem

^ Copy contents into “SSL Key” field.

cat /etc/letsencrypt/live/DOMAIN_GOES_HERE/chain.pem

^ Copy contents into “SSL Certificate Authority” field.

The previous steps saved those details to a series of files in /home/YOUR_VESTA_USERNAME/conf/web/. You’ll actually remove all those files next:

rm /home/YOUR_VESTA_USERNAME/conf/web/ssl.DOMAIN_GOES_HERE.*

In place of those files you just deleted, you’ll now create a series of symlinks to the originals created by Let’s Encrypt:

ln -s /etc/letsencrypt/live/DOMAIN_GOES_HERE/fullchain.pem /home/YOUR_VESTA_USERNAME/conf/web/ssl.DOMAIN_GOES_HERE.pem
ln -s /etc/letsencrypt/live/DOMAIN_GOES_HERE/privkey.pem /home/YOUR_VESTA_USERNAME/conf/web/ssl.DOMAIN_GOES_HERE.key
ln -s /etc/letsencrypt/live/DOMAIN_GOES_HERE/cert.pem /home/YOUR_VESTA_USERNAME/conf/web/ssl.DOMAIN_GOES_HERE.crt
ln -s /etc/letsencrypt/live/DOMAIN_GOES_HERE/chain.pem /home/YOUR_VESTA_USERNAME/conf/web/ssl.DOMAIN_GOES_HERE.ca

Once this is done, restart your nginx and Apache servers:

service nginx restart
service apache2 restart

Check out your domain now, and it should be secure!
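A check you can run after creating the symlinks and before restarting nginx and Apache. This is an added example, not part of the original steps: the function name check_vesta_links is made up here, the link mapping is copied from the ln -s commands above, and the world-readable test on the private key is an extra assumption.

```shell
#!/bin/sh
# Added example: verify the VestaCP -> Let's Encrypt symlinks.
# Usage: check_vesta_links LIVE_DIR CONF_DIR DOMAIN
#   LIVE_DIR is /etc/letsencrypt/live/DOMAIN_GOES_HERE
#   CONF_DIR is /home/YOUR_VESTA_USERNAME/conf/web
# Returns 0 when all four links are correct, 1 otherwise.
check_vesta_links() {
    live=$1; conf=$2; domain=$3; rc=0
    # "source file:link extension", same pairs as the ln -s commands in the post
    for pair in fullchain.pem:pem privkey.pem:key cert.pem:crt chain.pem:ca; do
        src="$live/${pair%%:*}"
        link="$conf/ssl.$domain.${pair##*:}"
        if [ ! -L "$link" ]; then
            echo "FAIL $link is not a symlink"; rc=1; continue
        fi
        if [ "$(readlink "$link")" != "$src" ]; then
            echo "FAIL $link points to $(readlink "$link"), expected $src"; rc=1; continue
        fi
        # -e follows the whole link chain, so a dangling link fails here
        if [ ! -e "$link" ]; then
            echo "FAIL $link is dangling"; rc=1; continue
        fi
        echo "ok   $link"
    done
    # Extra check (assumption, not from the post): the file behind the .key
    # link must not be readable by "other" users (columns 8-10 of ls -l mode).
    key="$conf/ssl.$domain.key"
    if [ -e "$key" ] && [ "$(ls -lLd "$key" | cut -c8-10)" != "---" ]; then
        echo "FAIL private key behind $key is readable by other users"; rc=1
    fi
    return $rc
}

# Run directly when called with three arguments.
if [ "$#" -eq 3 ]; then
    check_vesta_links "$@"
fi
```

A FAIL line for the .key link usually means the ln -s source and destination were mixed up, which would otherwise only show up as a web server that refuses to start.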