Certificates

Overview of the Bunnyshell certificate management features

SSL encryption and certificates are essential for secure client-server communication. Bunnyshell provides a straightforward interface to manage either your own certificates or certificates generated with Let's Encrypt.

Add Shared Certificates

The first step is to add the certificate as a shared resource by going to Resources->Certificates.

There are two ways to add a certificate: adding your own, or using Let's Encrypt or another certificate authority.

Hit Add new certificate to add your own (generated on a separate machine with various tools like openssl). The dialog will request the name, the private key and the content of the .crt certificate file generated in advance. Hit Verify certificate and Add certificate if validation is successful.

Generating a manual certificate using specific tools is outside the scope of this tutorial, but there are various on-line sources detailing multiple ways to achieve this.

E.g.: https://www.akadia.com/services/ssh_test_certificate.html
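A local check worth running before pasting a private key and .crt content into the Add new certificate dialog, shown as an added example that is not part of the Bunnyshell documentation and does not describe what Verify certificate checks. It confirms the key belongs to the certificate and that the certificate is not about to expire; the function names, the 30-day threshold and the throwaway self-signed sample certificates are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: pre-upload checks for a certificate / private-key pair.
# Assumes PEM files and an unencrypted private key.

# SHA-256 of the DER-encoded public key read as PEM from stdin.
spki_hash() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# check_pair CERT KEY MIN_DAYS
# returns 0 = ok, 1 = unreadable file, 2 = key does not match certificate,
#         3 = certificate expires within MIN_DAYS days
check_pair() {
    cert=$1 key=$2 min_days=$3
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    # Empty output would make both hashes equal, so reject it explicitly.
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 1
    [ "$(printf '%s\n' "$cert_pub" | spki_hash)" = \
      "$(printf '%s\n' "$key_pub" | spki_hash)" ] || return 2
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 || return 3
    return 0
}

# Constructed sample input: a self-signed certificate valid for DAYS days.
make_sample() {  # make_sample DIR NAME DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.crt" -days "$3" -subj "/CN=$2.example.test" >/dev/null 2>&1
}

# Print the numeric result of check_pair without aborting under `set -e`.
status() { rc=0; check_pair "$@" || rc=$?; echo "$rc"; }

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp" a 90   # 90-day lifetime
    make_sample "$tmp" b 10   # already inside the 30-day renewal window
    ok=$(status "$tmp/a.crt" "$tmp/a.key" 30)        # matching pair
    mismatch=$(status "$tmp/a.crt" "$tmp/b.key" 30)  # wrong key for this cert
    expiring=$(status "$tmp/b.crt" "$tmp/b.key" 30)  # expires too soon
    rm -rf "$tmp"
    echo "$ok $mismatch $expiring"
}

demo   # prints "0 2 3"
```

For a real upload, call `check_pair your.crt your.key 30` and only proceed on exit status 0.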

To add a manual Let's Encrypt certificate (Add Manual Let's Encrypt certificate), only the domain name is required. The Create certificate command will provide a new domain name and a random string. These values must be copied manually into your DNS service for validation (each DNS service has its own method to do this). Once this is done, go back to the Bunnyshell interface and hit Validate Certificate and you're done. The domain name that you provided initially is now certified with Let's Encrypt.

Certificates generated via these two methods are Shared Resources, meaning that they are not attached to a specific environment (server) when they are created and can be added to or removed from environments as needed.

To add a certificate to an environment, go to the main page of that environment, hit Resources -> Certificates (on the horizontal bar), tick the one you need from the list, then hit Deploy.

Note that certificates generated with Let's Encrypt expire after 3 months and need to be renewed. This means that the steps above must be repeated.

There is also an automatic way to do this renewal with Bunnyshell using a different method that does not make use of the certificates generated as shared resources. This method is documented below.

Automate Let's Encrypt certificate renewal with CertBot

Certbot is an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your web server, issued by Let's Encrypt and other Certificate Authorities (CA) that support the ACME protocol.

You can easily install this client on your environment through the Bunnyshell interface:

Go to <your environment> -> Provisioning -> Go to Package Bundle -> Packages & Services -> Add Package, then enter certbot in the search box or find it in the list. After you select it, you can provide an email address to receive emails when certificates expire or are renewed.

To add a new certificate, hit the "+" button. Specify the name of the domain and the webroot (the path to the website content on the environment, usually /var/www/<content>).

Next, you will need to specify which web server (Apache, Nginx, etc.) is used on the environment. This is necessary because the certificate can only be applied after the web server is restarted.

Next, hit Add Package, which will take you back to the Installed Packages section. Hit the Deployment tab next to Packages & Services, make sure the Certbot package is ticked, then hit Deploy.

Note that the deployment action will restart the webserver in order to apply the new certificate.

This will install Certbot on your environment along with a certificate that will be automatically renewed upon its expiration, while at the same time keeping you informed via email.