Manually Set Up Let's Encrypt with Polarity Server v5
  • 02 Dec 2025


This process will allow the Polarity Server v5 to use Let’s Encrypt to automatically manage certificates.

Requirements:

  • An operational Polarity Server v5

  • A Public FQDN

  • DNS A/AAAA record(s) for the public FQDN

  • External access via port 443 and (optionally) port 80.

Process:

  1. Bring down the Polarity Server containers.

       cd /app
       ./down.sh
  2. Copy Let’s Encrypt RSA CA certificate chain (PEM format) to /app/certs/ca.

    1. 3 certificates at the time of this writing (1x root cert, 2x intermediate certs).

    2. isrgrootx1.pem, r10.pem, and r11.pem.

    3. Downloadable from here: Chains of Trust

  3. Add the ACME_ENABLED environment variable to the /app/.env file.

       echo "ACME_ENABLED=true" >> /app/.env
  4. Open the /app/caddy/config/Caddyfile for editing.

    1. In the global block:

      1. Remove the auto_https off declaration.

      2. Add the following:

           storage file_system {
             root /app/certs
           }
      3. Resulting global block should look like this:

           {
             storage file_system {
               root /app/certs
             }
           }
    2. In the main server block (starts with :8443):

      1. Prepend the :8443 with {$POLARITY_HOSTNAME}, making it {$POLARITY_HOSTNAME}:8443.

      2. After the tls declaration:

        1. Remove the text /config/server.crt /config/server.key

        2. Replace with the following block:

             {
               key_type rsa2048
             }
        3. Result will look like this:

             tls {
               key_type rsa2048
             }
    3. Save the changes to the Caddyfile and close it.

  5. Open the /app/docker-compose.yml file for editing.

    1. Under the services:web:volumes block, find the line:

         - ./certs/ca:/app/certs/ca:z

    2. Change this line to this:

         - ./certs:/app/certs:z

    3. Save the changes to the docker-compose.yml file and close it.

  6. Back up the Platform certificates.

       cd /app/certs
       mv polarity.pem polarity.pem.bak
       mv polarity_key.pem polarity_key.pem.bak
  7. Reset the standard permissions.

       cd /app
       bin/polarity docker-set-permissions
  8. Start the Polarity Server containers.

       cd /app
       ./up.sh
  9. Create symbolic links from the new Let’s Encrypt certificate and key to the Platform certificate files.

       cd /app/certs
       ln -s ./certificates/acme-v02.api.letsencrypt.org-directory/<<your.polarity.fqdn>>/<<your.polarity.fqdn>>.crt ./polarity.pem
       ln -s ./certificates/acme-v02.api.letsencrypt.org-directory/<<your.polarity.fqdn>>/<<your.polarity.fqdn>>.key ./polarity_key.pem

    1. NOTE: Be sure to replace the <<your.polarity.fqdn>> placeholders with your Polarity Server’s FQDN.

      1. This should be the POLARITY_HOSTNAME value from the /app/.env file.

The certs could be in a slightly different directory, but they will be in a child directory of /app/certs/certificates/.

Your Polarity Server is now configured to use Let’s Encrypt for automated certificate management!
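
To confirm the result of steps 4 and 9, the shell functions below are an added example, not part of Polarity's tooling or of this procedure; the function names are hypothetical and the default paths are the ones used above. They check the Caddyfile edits, locate the issued pair under /app/certs/certificates even when the issuer directory name differs, and verify that both symlinks resolve to it.

```shell
#!/bin/sh
# Added example: checks for the edits and symlinks described in the steps above.
# Not Polarity tooling; function names are hypothetical, paths are the page's.

# Step 4: confirm the Caddyfile edits. Commented-out lines are ignored.
check_caddyfile() {
    f=$1; rc=0
    if grep -Eq '^[[:space:]]*auto_https[[:space:]]+off' "$f"; then
        echo "FAIL: auto_https off is still set" >&2; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*root[[:space:]]+/app/certs[[:space:]]*$' "$f"; then
        echo "FAIL: storage root /app/certs not found" >&2; rc=1
    fi
    if ! grep -Fq '{$POLARITY_HOSTNAME}:8443' "$f"; then
        echo "FAIL: site address is not {\$POLARITY_HOSTNAME}:8443" >&2; rc=1
    fi
    return "$rc"
}

# Step 9 note: the issuer directory name can differ, so search for the pair
# under ROOT/certificates instead of hard-coding it. Prints the directory.
find_acme_dir() {
    root=$1; fqdn=$2
    crt=$(find "$root/certificates" -type f -name "$fqdn.crt" 2>/dev/null | head -n 1)
    [ -n "$crt" ] && [ -f "${crt%.crt}.key" ] || return 1
    dirname "$crt"
}

# Step 9: both platform files must be symlinks whose targets are the issued
# pair. A dangling or stale link leaves the platform on the wrong certificate.
check_links() {
    root=$1; fqdn=$2
    dir=$(find_acme_dir "$root" "$fqdn") || {
        echo "FAIL: no issued certificate for $fqdn under $root/certificates" >&2
        return 1
    }
    for pair in "polarity.pem:$fqdn.crt" "polarity_key.pem:$fqdn.key"; do
        link=$root/${pair%%:*}; want=$dir/${pair#*:}
        [ -L "$link" ] || { echo "FAIL: $link is not a symlink" >&2; return 1; }
        cmp -s "$link" "$want" || { echo "FAIL: $link does not match $want" >&2; return 1; }
    done
}

# Usage: sh check_acme.sh --check your.polarity.fqdn
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
    check_caddyfile /app/caddy/config/Caddyfile &&
        check_links /app/certs "$2" && echo "OK"
fi
```

Run it on the host after step 9; any FAIL line names the step to revisit.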

