# SSL Setup

Although not required for development purposes, it is highly recommended that you bind your domains and servers with an SSL certificate. You can get started with free SSL certificates provisioned through Let's Encrypt. Below is one of the many ways you can provision and upload SSL certificates to your servers.

# Let's Encrypt Manual Mode

# Install Certbot using Homebrew

```bash
brew install certbot
```

# Provision a new certificate in manual mode.

In this example, we're provisioning certificates for our demo sites.

```bash
certbot certonly --manual --preferred-challenges dns -d admin-server.veniqa.com

certbot certonly --manual --preferred-challenges dns -d shop-server.veniqa.com
```

# Verify domain ownership

Certbot will ask you to add a TXT DNS record in your DNS management portal to verify your domain ownership.

When entering the record name at domain providers like GoDaddy, input only `_acme-challenge.subdomain_name`. The primary domain name (like veniqa.com) is appended automatically by GoDaddy during queries.

# Copy certificates to accessible folders (optional)

By default, Let's Encrypt generates certificates in secure /etc/ folders. If you need to move them to a more accessible location for external upload, use the following command, where the first path is the source directory and the second path is the destination directory. The copied folder includes privkey.pem, the certificate's private key, so keep the destination readable only by your own account.

```bash
cp -RL /etc/letsencrypt/live/admin-server.veniqa.com /Users/Shared/Playground/CodeForLyf/ssl-certificates/
```

# Convert certificate to PFX (if necessary)

Some cloud providers like Azure ask for a PFX certificate. In that case, you can convert the Let's Encrypt PEM certificate to PFX format by running the following command in the certificate directory.

```bash
openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem
```

You might be asked for a password. Feel free to enter anything, but make sure you remember it, because you will have to provide it later when using the .pfx file.

# Certificate ready for use

Go ahead and upload the SSL certificate using your hosting provider's control panel.

# For Renewal

Follow the same steps as above.

Since certbot seems to preserve the previous certificates in the folder as well, remember that the new folders may be created with suffixes like -0001 (e.g. admin-server.veniqa.com-0002).

# To check expiration

To check the expiration of a certificate within admin-server.veniqa.com, the command would be:

```bash
sudo openssl x509 -dates -noout -in admin-server.veniqa.com/cert.pem
```
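
The renewal and expiration checks above can be combined into one script that tells you which copied folder holds a certificate worth uploading. This is an added example, not part of the original guide: the function names and the 30-day default are assumptions, and it expects the folders copied with `cp -RL` to sit side by side in one directory.

```shell
#!/bin/sh
# Added example: checks to run on copied certbot folders before uploading.
# Function names and the 30-day default are assumptions made for this sketch.

# 0 if privkey.pem is the private key for cert.pem (public keys are identical).
key_matches_cert() {
  _cert_pub=$(openssl x509 -in "$1/cert.pem" -noout -pubkey 2>/dev/null) || return 2
  _key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout 2>/dev/null) || return 2
  [ "$_cert_pub" = "$_key_pub" ]
}

# 0 if cert.pem is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1/cert.pem" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# 0 if privkey.pem is not readable by group or others.
key_is_private() {
  [ -z "$(find -L "$1/privkey.pem" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Print every folder for domain $2 under $1 (the plain name plus the
# -0001, -0002, ... copies) whose key matches and whose certificate is
# valid for at least $3 days (default 30).
usable_lineages() {
  for _d in "$1/$2" "$1/$2"-[0-9][0-9][0-9][0-9]; do
    [ -f "$_d/cert.pem" ] || continue
    if key_matches_cert "$_d" && valid_for_days "$_d" "${3:-30}"; then
      printf '%s\n' "$_d"
    fi
  done
}

# Usage: sh check-certs.sh <folder-holding-the-copies> <domain> [min-days]
if [ "$#" -ge 2 ]; then
  usable_lineages "$1" "$2" "${3:-30}" | while IFS= read -r _ok; do
    key_is_private "$_ok" || echo "warning: $_ok/privkey.pem is readable by other users" >&2
    echo "usable: $_ok"
  done
fi
```

A folder that is not listed either has a certificate close to expiry or a `privkey.pem` that does not belong to its `cert.pem`, which is easy to end up with when files from different renewal folders get mixed.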