1.2.3 Let's Encrypt HTTPS UI without Nginx or Apache2

I couldn't find any laid-out instructions for this, and it's missing from the install instructions, so I thought I'd share.
This is without using Nginx or Apache2, so it was harder to find info on setting it up, and I want the certs to renew automatically.
If you have nothing else running on port 80 you can run certbot in "standalone" mode. In standalone mode certbot will itself listen on port 80 for the authorization.
Make sure you have your domain name pointing at your server's IP.

sudo apt update
sudo apt install certbot

Change MyDomainExample.com everywhere below to your domain name.

sudo certbot certonly --standalone --preferred-challenges http -d MyDomainExample.com

Enter your email address when prompted and answer the questions.

Edit /opt/genieacs/genieacs.env and add these two lines:

GENIEACS_UI_SSL_CERT=/etc/letsencrypt/live/MyDomainExample.com/fullchain.pem
GENIEACS_UI_SSL_KEY=/etc/letsencrypt/live/MyDomainExample.com/privkey.pem

These permissions need to be changed to allow GenieACS to access the certificate and key. Hopefully these stay set on renewal, or I'll have to script it to reset them on each renewal.

sudo chmod 710 /etc/letsencrypt/live/
sudo chmod 710 /etc/letsencrypt/archive/
sudo chgrp genieacs /etc/letsencrypt/live
sudo chgrp genieacs /etc/letsencrypt/archive
sudo chown genieacs /etc/letsencrypt/live/MyDomainExample.com/privkey.pem
sudo chown genieacs /etc/letsencrypt/live/MyDomainExample.com/fullchain.pem

To get the renewal to automatically restart genieacs-ui, edit /etc/letsencrypt/renewal/MyDomainExample.com.conf and add this as the last line:

renew_hook = systemctl restart genieacs-ui

Test the renewal:

sudo certbot renew --dry-run

Test the GUI with:

https://MyDomainExample.com:3000

You will also need this: add a script containing the following to the /etc/letsencrypt/renewal-hooks/post/ folder and make it executable, to automatically change the permissions on new certificates after renewal.

#!/bin/bash
# Post hooks run after every "certbot renew" pass, whether or not a certificate was renewed.
chmod 710 /etc/letsencrypt/live/
chmod 710 /etc/letsencrypt/archive/
chgrp genieacs /etc/letsencrypt/live
chgrp genieacs /etc/letsencrypt/archive
# chown follows the symlinks in live/, so this changes the owner of the newest files in archive/
chown genieacs /etc/letsencrypt/live/MyDomainExample.com/privkey.pem
chown genieacs /etc/letsencrypt/live/MyDomainExample.com/fullchain.pem
echo "CertRenew $(date)" >> /var/log/certrenew
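A deploy-hook alternative to the post script above, added here as an example and not taken from the post or from the GenieACS project: instead of opening /etc/letsencrypt/live and /etc/letsencrypt/archive to the genieacs group, it copies the renewed fullchain.pem and privkey.pem into a directory the service owns, with the key readable only by that user, and then restarts the unit. certbot runs deploy hooks only after a successful renewal and exports RENEWED_LINEAGE and RENEWED_DOMAINS, so the domain name is not hard-coded. Assumed names: the hook path /etc/letsencrypt/renewal-hooks/deploy/genieacs.sh, the destination /opt/genieacs/certs and the GENIEACS_* override variables; the genieacs user and the genieacs-ui and genieacs-cwmp units are the ones from the post. With this hook, GENIEACS_UI_SSL_CERT and GENIEACS_UI_SSL_KEY in genieacs.env point at /opt/genieacs/certs/fullchain.pem and /opt/genieacs/certs/privkey.pem instead of the /etc/letsencrypt/live paths, and neither the renew_hook line nor the post script is needed.

```shell
#!/bin/bash
# Added example: a certbot deploy hook for GenieACS (not from the original post or
# the GenieACS project). Install as /etc/letsencrypt/renewal-hooks/deploy/genieacs.sh
# (assumed path) and make it executable. certbot runs deploy hooks only after a
# successful renewal and exports RENEWED_LINEAGE (the live/<domain> directory) and
# RENEWED_DOMAINS, so no domain name or certbot path has to be hard-coded here.
set -eu

GENIEACS_USER="${GENIEACS_USER:-genieacs}"            # service account named in the post
CERT_DIR="${GENIEACS_CERT_DIR:-/opt/genieacs/certs}"  # assumed destination directory
UNITS="${GENIEACS_UNITS:-genieacs-ui}"                # add genieacs-cwmp if CWMP serves TLS

# deploy_genieacs_certs <live dir> <dest dir> <owner>
# Copies fullchain.pem and privkey.pem into a directory the service owns, with the
# key readable only by that user, so /etc/letsencrypt keeps its root-only permissions.
# Returns 1 when either source file is missing or unreadable.
deploy_genieacs_certs() {
    src="$1"; dest="$2"; owner="$3"
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || return 1
    install -d -m 0750 "$dest"
    # Write to temporary names, then rename, so a service restart that races
    # with the copy never loads a half-written key.
    install -m 0644 "$src/fullchain.pem" "$dest/fullchain.pem.tmp"
    install -m 0600 "$src/privkey.pem"   "$dest/privkey.pem.tmp"
    mv -f "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv -f "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
    # Only root can hand the files to the service user; skip when run unprivileged.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$owner" "$dest"
    fi
}

# Act only when invoked by certbot; running the script by hand without
# RENEWED_LINEAGE does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_genieacs_certs "$RENEWED_LINEAGE" "$CERT_DIR" "$GENIEACS_USER"
    for unit in $UNITS; do
        systemctl restart "$unit"
    done
    echo "CertRenew $(date) ${RENEWED_DOMAINS:-} -> $CERT_DIR" >> /var/log/certrenew
fi
```

Note that certbot renew --dry-run does not run deploy hooks by default, so check the hook once by hand: sudo RENEWED_LINEAGE=/etc/letsencrypt/live/MyDomainExample.com RENEWED_DOMAINS=MyDomainExample.com /etc/letsencrypt/renewal-hooks/deploy/genieacs.sh, then confirm the files in /opt/genieacs/certs are owned by genieacs with the key at mode 0600 and that https://MyDomainExample.com:3000 serves the new certificate.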

This was great info, thanks a lot @webtron, just missing the UI restart after applying the changes:

systemctl restart genieacs-ui

By any chance, were you able to run CWMP with HTTPS? I've added the environment variables:

GENIEACS_CWMP_SSL_CERT=/etc/letsencrypt/live/acs.mydomain.mx/fullchain.pem
GENIEACS_CWMP_SSL_KEY=/etc/letsencrypt/live/acs.mydomain.mx/privkey.pem
systemctl restart genieacs-cwmp

But the CPEs don't connect to the ACS; as soon as I disable the SSL certificate for CWMP and set the CPEs to HTTP they are able to connect.

Thank you in advance.

No, most CPEs don't have the required certificates to connect over SSL. Some of the newer ones allow you to add a certificate, if that's any help.

Yes, that helps a lot, thank you. I'll be changing the default config of my CPEs to work without SSL.