2018-01-14 16:43:23 +01:00
# Certificate
2014-06-18 15:30:47 +02:00
2018-12-07 15:47:58 +01:00
Certificates are used to guarantee the confidentiality and authenticity of the communication between a web browser and your server. In particular, they protect against attackers trying to impersonate your server.
2014-06-18 15:30:47 +02:00
2018-01-14 16:43:23 +01:00
YunoHost provides a **self-signed** certificate, it means that your server guaranties the certificate validity. It's enough **for personal usage** , because you trust your own server. But this could be a problem if you want to open access to anonymous like web user for a website.
2014-06-18 15:30:47 +02:00
2018-01-14 16:43:23 +01:00
In practice, visitors will see a screen list this:
2014-06-18 15:30:47 +02:00
2018-01-14 16:43:23 +01:00
< img src = "/images/postinstall_error.png" style = "max-width:100%;border-radius: 5px;border: 1px solid rgba(0,0,0,0.15);box-shadow: 0 5px 15px rgba(0,0,0,0.35);" >
2015-02-04 11:32:19 +01:00
2018-01-14 16:43:23 +01:00
Which basically asks the visitor : ** "Do you trust the server hosting this website?"**. This can rightfully frighten a lot of people.
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
To avoid this confusion, it's possible to get a certificate signed a known
authority named **Let's Encrypt** which provide free certificates directly
recognized by browsers. YunoHost allows to directly install this certificate
from the web administration interface or from the command line.
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
### Install a Let's Encrypt certificate
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
Before attempting to install a Let's Encrypt certificate, you should make sure
2019-12-22 13:22:59 +01:00
that your DNS is correctly configured (your.domain.tld should point to
your server's IP) and that your domain is accessible through HTTP from outside
2017-07-30 01:13:28 +02:00
your local network (i.e. at least port 80 should be forwarded to your server).
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
#### From the web administration interface
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
Go to the 'Domain' part of the admin interface, then in the section dedicated to
your.domain.tld. You should find a 'SSL certificate' button :
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
![](./images/domain-certificate-button.png)
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
In the 'SSL certificate' section, you can see the status of the current
certificate. If you just added the domain, it should be a self-signed
certificate.
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
![](./images/certificate-before-LE.png)
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
If your domain is correctly configured, it is then possible to install the
Let's Encrypt certificate via the green button.
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
![](./images/certificate-after-LE.png)
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
Once the install is made, you can check that the certificate is live via your
browser by going to your domain in HTTPS. The certificate will automatically
be renewed every three months.
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
![](./images/certificate-signed-by-LE.png)
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
#### From the command line interface
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
Connect to your server through SSH.
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
You can check the status of your current certificate with :
2015-02-04 11:32:19 +01:00
2017-08-17 23:38:28 +02:00
```bash
2017-07-30 01:13:28 +02:00
yunohost domain cert-status your.domain.tld
```
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
Install a Let's Encrypt certificate with
2015-02-04 11:32:19 +01:00
2017-08-17 23:38:28 +02:00
```bash
2017-07-30 01:13:28 +02:00
yunohost domain cert-install your.domain.tld
```
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
This should return :
2015-02-04 11:32:19 +01:00
2017-08-17 23:38:28 +02:00
```bash
2017-07-30 01:13:28 +02:00
Success! The SSOwat configuration has been generated
Success! Successfully installed Let's Encrypt certificate for domain DOMAIN.TLD!
```
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
Once this is done, you can check that the certificate is live via your
browser by going to your domain in HTTPS. The certificate will automatically
be renewed every three months.
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
##### Troubleshooting
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
If due to some bad tweaking, your certificate ends up in a bad state (e.g.
lost the certificate or unable to read the files), you should be able to clean
the situation by regenerating a self-signed certificate :
2015-02-04 11:32:19 +01:00
2017-08-17 23:38:28 +02:00
```bash
2017-07-30 01:13:28 +02:00
yunohost domain cert-install your.domain.tld --self-signed --force
```
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
If YunoHost thinks that your domain is badly configured despite the fact that
you checked the DNS configuration and you have access in HTTP to your server
from outside your local network, then you can :
2015-02-04 11:32:19 +01:00
2017-07-30 01:13:28 +02:00
- add a line `127.0.0.1 your.domain.tld` to the file `/etc/hosts` on your server ;
- if the certificate installation still doesn't work, you can disable the checks with `--no-checks` after the `cert-install` command.
2014-10-01 04:17:33 +02:00