Keys and certificates

LetsEncrypt certificates

WebHare can use free and automated certificates from LetsEncrypt. These certificate requests are verified using the HTTP-01 challenge, which has the following requirements before you can request a certificate:

You should verify that you can reach the website over port 80 before requesting a certificate. Trying to request a certificate while the DNS isn't working yet may slow down later requests, as you need to wait for LetsEncrypt's cached DNS entries to expire.

The initial request of a LetsEncrypt certificate can only be done on the WebHare command line:

wh ssl certbot <primary domain name> [altname] [altname...]

A certificate is renewed when it has less than 30 days of validity left. If renewal fails, WebHare will retry daily and start warning when the certificate has less than 21 days of validity left.

Migrating certificates

If you need to migrate an existing HTTPS website not currently hosted on your server, you may not be able to use LetsEncrypt for the initial certificate, as you can't yet have WebHare respond to the challenge. In this case it's often best to ask the current site owner for their private key and certificate and upload these to WebHare. If that's not an option, you could consider buying a certificate from a certificate provider that does a different type of validation.

We recommend against disabling HTTPS or using self-signed certificates during migration, as that may make the site temporarily unavailable during the migration, especially if the site to migrate is using Strict Transport Security.
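
The port 80 check and the Strict Transport Security concern described above can both be tested before you run `wh ssl certbot` or start a migration. The script below is an added example, not part of WebHare; the function names are hypothetical and it assumes `curl` is installed and that hostnames are passed as arguments.

```shell
#!/bin/sh
# Added example (not WebHare code): pre-flight checks for one or more hostnames.

# Print max-age (seconds) from a Strict-Transport-Security header value.
# Directive names are case-insensitive and the value may be quoted.
hsts_max_age() {
  printf '%s\n' "$1" | tr -d '\r' | tr '[:upper:]' '[:lower:]' | tr ';' '\n' |
    sed -n 's/^[[:space:]]*max-age[[:space:]]*=[[:space:]]*"\{0,1\}\([0-9][0-9]*\)"\{0,1\}[[:space:]]*$/\1/p' |
    head -n 1
}

# Classify a header value: browsers that saw a non-zero max-age will refuse
# plain HTTP and untrusted certificates until that period has expired.
hsts_risk() {
  age=$(hsts_max_age "$1")
  if [ -z "$age" ] || [ "$age" -eq 0 ]; then
    echo "no-hsts"
  else
    echo "hsts-pinned"
  fi
}

# Succeeds if http://HOST/ answers on port 80 (any HTTP status counts).
port80_reachable() {
  curl --silent --output /dev/null --max-time 10 "http://$1/"
}

# Print the HSTS header value the site currently serves over HTTPS, if any.
current_hsts() {
  curl --silent --head --max-time 10 "https://$1/" | tr -d '\r' |
    awk 'tolower($0) ~ /^strict-transport-security:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

for host in "$@"; do
  if port80_reachable "$host"; then
    echo "$host: port 80 reachable"
  else
    echo "$host: port 80 NOT reachable, fix DNS or firewall before requesting a certificate"
  fi
  header=$(current_hsts "$host")
  if [ "$(hsts_risk "$header")" = "hsts-pinned" ]; then
    echo "$host: HSTS active (max-age=$(hsts_max_age "$header")), keep a trusted certificate in place during migration"
  else
    echo "$host: no active HSTS policy seen"
  fi
done
```

Run it with the same hostnames you intend to pass to `wh ssl certbot`. A reachable port 80 only shows where DNS points right now, so repeat the check after any DNS change.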