Setup SolusVM with Let’s Encrypt

I first tried to use the svmstack-letsencrypt package like people mentioned in the forums and online, but it just wouldn’t work for me. After some checking around, there’s an acme.sh script that I saw other people using.

I even contacted support and, to quote them, the letsencrypt script isn’t for everyone, and they also suggested that I use acme.sh. So these are the steps I followed to install a multi-domain certificate on our SolusVM master server.

You can follow the steps in the ACME Deploy SolusVM instructions, but if you’re running CentOS 7.x like me then some of your steps will be a little different.

First, download and install the script:

$ curl https://get.acme.sh | sh

This installs the script at ~/.acme.sh/acme.sh under your user account and adds an alias. After it’s complete you’ll want to log out and log back in so your shell picks up the updated environment.

Next, make sure this folder exists. If it doesn’t, you may need to upgrade your whole installation so that the directory is present and Nginx is configured to pass ACME requests to it.

$ ls -la /usr/local/solusvm/www/.verification

If you’re good, next we’ll get the certificate. I’ve got multiple domains we use for different URLs to the master:

$ acme.sh --issue -d cloudadm1.example.com -d cloudadm.example.net -w /usr/local/solusvm/www/.verification

After that you need to install the certificate:

$ acme.sh --installcert -d cloudadm1.example.com -d cloudadm.example.net --keypath /usr/local/svmstack/nginx/ssl/ssl.key --fullchainpath /usr/local/svmstack/nginx/ssl/ssl.crt --reloadcmd "systemctl restart svmstack-nginx; cd /usr/local/svmstack/nginx/ssl && cat ssl.key ssl.crt > ssl.pem"

After doing those steps I can browse each of the URLs on the SolusVM master and see that it’s now using the Let’s Encrypt certificate.

This certificate will automatically renew with Let’s Encrypt; however, you’ll need a cron job to run the update. This is what I’ve got:

0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

I’ll let you know if this works after 90 days when the certificate expires and a new one needs to get installed on the master.
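
A check that can be run right after the install step and again after each cron renewal, so a failed renewal shows up before the certificate expires. This is an added example, not part of the original post: it verifies the three files written by the --installcert command above using openssl. The function name check_solusvm_cert and the 20-day threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and hostnames are the
# ones used in the post; the 20-day threshold is an assumption.
#
# Usage: check_solusvm_cert SSL_DIR MIN_DAYS DOMAIN...
#   check_solusvm_cert /usr/local/svmstack/nginx/ssl 20 \
#       cloudadm1.example.com cloudadm.example.net
# Prints one line per failed check; returns 0 only if all pass.
check_solusvm_cert() {
    dir=$1; min_days=$2; shift 2
    crt=$dir/ssl.crt; key=$dir/ssl.key; pem=$dir/ssl.pem
    rc=0
    for f in "$crt" "$key" "$pem"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    done

    # 1. ssl.key must match the leaf (first) certificate in the full chain.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: ssl.key does not match ssl.crt"; rc=1
    fi

    # 2. Every hostname used to reach the master must be in subjectAltName.
    sans=$(openssl x509 -in "$crt" -noout -text 2>/dev/null |
           grep 'DNS:' | tr -d ' ') || sans=
    for d in "$@"; do
        case ",$sans," in
            *",DNS:$d,"*) ;;
            *) echo "FAIL: $d is not in subjectAltName"; rc=1 ;;
        esac
    done

    # 3. ssl.pem must be exactly ssl.key + ssl.crt, as the --reloadcmd builds it.
    cat "$key" "$crt" | cmp -s - "$pem" ||
        { echo "FAIL: ssl.pem is stale (not ssl.key + ssl.crt)"; rc=1; }

    # 4. A certificate this close to expiry means the cron renewal is failing.
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 ||
        { echo "FAIL: certificate expires within $min_days days"; rc=1; }

    # 5. Files holding the private key should not be world-readable.
    [ -z "$(find "$key" "$pem" -perm -004)" ] ||
        { echo "FAIL: ssl.key or ssl.pem is world-readable"; rc=1; }

    return $rc
}
```

Because the reload command creates ssl.pem with a plain shell redirect, its mode follows root's umask, so check 5 may fail until the file is tightened with chmod 600.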