Beginning in version 6.50, we’ve added the ability to use free SSL certificates from Let’s Encrypt. This enables any customer with a registered domain and fixed IP address to have a secure web store. Once Let’s Encrypt has been configured, it will automatically renew the certificates.
*If the customer already has a webstore, then the Domain Setup has been done.
- The customer must register their own domain (e.g. myscrubs.com).
- Their server must be accessible via a fixed (unchanging) IP address.
- In their domain registrar’s DNS settings, their main A record (the @ entry) must point to the fixed IP address. (Note that after changing this, it could take anywhere from a minute to a couple of hours to propagate throughout the international network of DNS servers. Typically it’s just a few minutes, though.)
*If the customer already has their own Web Store, then port 80 is already open.
**If they have their own SSL certificate, then port 443 is open as well.
- If the machine is behind a router, that router must forward all traffic on ports 443 and 80 through to the server’s internal IP address.
- The server’s firewall must accept inbound traffic on both ports 443 (secure) and 80 (insecure).
- Access the Web Store Monitor, click on Ports and SSL Certificate, and make sure that ports 80 and 443 are specified. (Occasionally these ports may be different.)
Let’s Encrypt Setup
In the Web Store Monitor, click on Ports and SSL Certificate, and then press the Set SSL Certificate Options button.
Choose Let’s Encrypt from the SSL Option drop-down menu to access the rest of the settings. In this case, the domain name is jillmabey.com.
- Testing – This mode instructs the Let’s Encrypt servers that you’re checking your configuration, and not to overreact to mistakes.
*When first setting up Let’s Encrypt, it’s safest to use the Testing mode first. If there was a regular certificate in place before, then you should be able to skip this phase.
- SSL Domains – Specify the domains separated by commas, in the two standard forms (with and without www).
If you specify just one (with or without www), then it will automatically add the other.
If the web store uses a subdomain (e.g. shop.myscrubs.com), then this is all you need. www and the raw domain are not required.
If you have additional domains (e.g. myscrubs.com and my-scrubs.com), then you can add as many as you need. The above rules still apply.
- CA Account – This can be any unique account name. Typically you could use the domain name, with CA on the end.
Once you’ve entered the settings, press the Save button, and restart the server.
*When you first change from another method to Let’s Encrypt, you must restart the server before you can test the certificates. Once the server has been restarted to use Let’s Encrypt, you will see a button to check the certificates.
When you check certificates, you may see the screen flash a number of times, and the log will be filled with the newest log entries at the top. The whole operation may take up to a minute. Look for successful certificate dates in the upper lines of the log.
If the log doesn’t seem to look right, then you may have to resolve one or more technical issues with server access, etc. When you’re finished reading the log, press the Close Testing Log button.
If you try to browse to the store with Testing mode ON, you’ll get an invalid certificate message.
If you click on the [Not Secure] button beside the address, you’ll see the test certificate details.
This is perfectly normal, and shows that everything should be fine when you turn Testing mode OFF.
*If you started with the Testing mode ON, remember to turn it OFF, then fetch the official certificates.
To change from test to official certificates, edit the SSL options again, turn the Testing checkbox OFF, then press the Check Let’s Encrypt Certificates button again.
Just as before, you’ll be looking for successful entries in the log.
As a final test, use a browser on another machine (not on the web server machine) to access the store. Ensure that you see the lock by the domain name in the browser header. Click on the lock to see the certificate details.
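A scripted version of this final check, as an added example that is not part of the original guide or the product: it validates the certificate served on port 443 the way a browser would, confirms that every name entered under SSL Domains is covered, and warns when expiry is close. The 20-day warning threshold and the script name are assumptions; run it from a machine other than the web server.

```python
import socket
import ssl
import sys
import time


def fetch_cert(host, port=443, timeout=10):
    """Return the server's certificate as a dict, validating it like a browser.

    Raises ssl.SSLCertVerificationError when the chain is not trusted, which
    is the expected result while Testing mode is still ON.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def review_cert(cert, expected_names, now=None, min_days=20):
    """Return a list of problems found in a getpeercert()-style dict.

    min_days is an assumed warning threshold, not a setting of the product.
    """
    now = time.time() if now is None else now
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    problems = [f"{n} is not covered by the certificate"
                for n in expected_names if n.lower() not in sans]
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append("certificate has expired")
    elif days_left < min_days:
        problems.append(f"{days_left:.0f} days left; check that renewal is running")
    return problems


if __name__ == "__main__":
    # Usage: python check_store_cert.py myscrubs.com www.myscrubs.com
    names = sys.argv[1:]
    failed = False
    for name in names:
        try:
            issues = review_cert(fetch_cert(name), names)
        except ssl.SSLCertVerificationError as exc:
            issues = [f"untrusted certificate: {exc.verify_message}"]
        except OSError as exc:
            issues = [f"connection failed: {exc}"]
        print(name, "OK" if not issues else "; ".join(issues))
        failed = failed or bool(issues)
    sys.exit(1 if failed else 0)
```

An "untrusted certificate" result while Testing mode is ON matches the invalid certificate message described earlier; after switching to official certificates, every name should report OK.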