# Configuring letsencrypt certificate

## Introduction

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG). This tutorial shows how to obtain a Let’s Encrypt certificate and configure it for the HTTPS web portal of Telcobridges equipment.

### Prerequisites

Make sure HTTPS is enabled for the HTTP default service at port 12358.

### Configuration Procedure

Note that the procedure below survives a toolpack upgrade without breaking HTTPS.

1\. Install certbot and python3

```
# Install python3 and create a dedicated virtual environment for certbot.
sudo yum -y install python3
sudo python3 -m venv /opt/pycertbot/
sudo /opt/pycertbot/bin/pip install --upgrade pip

# Install required dependency
sudo /opt/pycertbot/bin/pip install pyOpenSSL==23.1.1

# Install certbot from pip and expose it on the PATH
sudo /opt/pycertbot/bin/pip install certbot
sudo ln -s /opt/pycertbot/bin/certbot /usr/bin/certbot
```

2\. Create certificate

If unsure, first generate a test certificate by adding --test-cert (it is issued by the Let’s Encrypt staging CA and is not trusted by browsers). The --standalone authenticator answers the HTTP-01 challenge itself, so port 80 on the equipment must be reachable from the Internet and not in use while certbot runs. Replace the two -d values with the equipment's real FQDNs, then run:

```
sudo certbot certonly --standalone --agree-tos \
    -d CUSTOMER1.saas.prosbc.com \
    -d ec2-3-96-231-114.ca-central-1.prosbc.com \
    --deploy-hook "cat \${RENEWED_LINEAGE}/privkey.pem \${RENEWED_LINEAGE}/fullchain.pem > \${RENEWED_LINEAGE}/fullchain_with_privkey.pem && ln --force -s \${RENEWED_LINEAGE}/fullchain_with_privkey.pem /lib/tb/toolpack/pkg/ssl_certificate/toolpack_cert.pem && killall -INT lighttpd" \
    --email certificate_saas@telcobridges.com --no-eff-email
```

(The toolpack web server reloads automatically to pick up the new certificate, because the --deploy-hook runs after every successful issuance or renewal.)

3\. Validation

Validate that a symbolic link is present here:

```
ls -l /lib/tb/toolpack/pkg/ssl_certificate/toolpack_cert.pem
```

* It should point at `/etc/letsencrypt/live/FQDN/fullchain_with_privkey.pem`

If successful, you can reach the web portal over HTTPS without any warning from the browser!

4\. Setup automatic renewal

The certificate is valid for 90 days, so we have to enable automatic renewal.

Add the following lines to /etc/crontab:

```
# Run daily at 1 AM (the user field, here root, is required in /etc/crontab)
0 1 * * * root certbot renew --quiet --agree-tos
```

After a few days, validate that a new log file appears in /var/log/letsencrypt/ at 1 AM every day:

```
sudo ls -lrt /var/log/letsencrypt/
```
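The checks in steps 3 and 4 can be scripted. The POSIX shell script below is an added example, not part of the Telcobridges documentation: it verifies that `toolpack_cert.pem` is a symlink into `/etc/letsencrypt/live/`, that the combined file produced by the deploy hook really holds one private key plus the certificate chain, that the combined file is not readable by other users (a shell redirect gives it the umask's mode, not the 0600 of `privkey.pem`), and that the `/etc/crontab` row carries the user field. The default paths are the ones from the procedure and are assumed, not discovered; the PEM bundle and crontab rows used to exercise it are constructed stand-ins with no real key material.

```sh
#!/bin/sh
# Added example: post-deployment checks for the Let's Encrypt setup above.
# Default paths are the ones used in the procedure (assumed, not verified here).
# Run on the equipment with:  sh check_toolpack_cert.sh --run

# check_bundle FILE
# The deploy hook concatenates privkey.pem and fullchain.pem, so the result
# must hold exactly one private key block and at least one certificate block.
check_bundle() {
    bundle="$1"
    [ -r "$bundle" ] || { echo "bundle not readable: $bundle" >&2; return 1; }
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$bundle" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    [ "$keys" -eq 1 ] || { echo "expected 1 private key block, found $keys" >&2; return 1; }
    [ "$certs" -ge 1 ] || { echo "no certificate block in $bundle" >&2; return 1; }
    echo "bundle ok: $keys key, $certs certificate(s)"
}

# check_private FILE
# The hook writes the combined file through a shell redirect, so it receives
# the umask's default mode (often 0644) instead of privkey.pem's 0600. Since
# it contains the private key, group and other permission bits must be empty.
check_private() {
    mode=$(ls -l "$1" | cut -c5-10)       # group+other permission bits
    [ "$mode" = "------" ] || { echo "$1 is readable by others (bits: $mode)" >&2; return 1; }
    echo "permissions ok: $1"
}

# check_link LINK LIVE_DIR
# toolpack_cert.pem must be a symlink into LIVE_DIR/<FQDN>/ that resolves to
# an existing file. An absolute target is assumed, as the hook's ln creates.
check_link() {
    link="$1"; live_dir="$2"
    [ -L "$link" ] || { echo "not a symlink: $link" >&2; return 1; }
    target=$(readlink "$link")
    case "$target" in
        "$live_dir"/*/fullchain_with_privkey.pem) ;;
        *) echo "unexpected link target: $target" >&2; return 1 ;;
    esac
    [ -f "$target" ] || { echo "dangling symlink: $link -> $target" >&2; return 1; }
    echo "link ok: $link -> $target"
}

# check_system_cron ROW
# /etc/crontab rows have a user field between the five time fields and the
# command; a six-field row makes cron treat 'certbot' as the user name.
check_system_cron() {
    row="$1"
    nfields=$(printf '%s\n' "$row" | awk '{print NF}')
    [ "$nfields" -ge 7 ] || { echo "system crontab row needs: min hour dom mon dow user command" >&2; return 1; }
    user=$(printf '%s\n' "$row" | awk '{print $6}')
    cmd=$(printf '%s\n' "$row" | awk '{print $7}')
    [ "$cmd" = "certbot" ] || { echo "command field is '$cmd', expected certbot (user field missing?)" >&2; return 1; }
    echo "cron ok: certbot renew runs as user $user"
}

# Live run against the paths from the procedure; skipped unless --run is given.
if [ "${1:-}" = "--run" ]; then
    link=/lib/tb/toolpack/pkg/ssl_certificate/toolpack_cert.pem
    check_link "$link" /etc/letsencrypt/live &&
        check_bundle "$(readlink "$link")" &&
        check_private "$(readlink "$link")" &&
        grep '^[^#]*certbot' /etc/crontab | while IFS= read -r row; do
            check_system_cron "$row" || exit 1
        done
fi
```

If `check_private` fails, tightening the mode in the deploy hook (for example with `chmod 600` on the combined file after the `cat`) fixes it for every future renewal, since the hook rewrites the file each time.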
