Automatically Requesting and Managing SSL Certificates with Let's Encrypt in ServBay

For modern web development, simulating the production environment locally is essential, including the use of HTTPS. ServBay integrates support for the ACME (Automated Certificate Management Environment) protocol, allowing you to effortlessly obtain, install, and manage free SSL/TLS certificates from Certificate Authorities (CA) like Let's Encrypt. This guide provides a step-by-step walkthrough on how to request and use Let's Encrypt certificates for your local development websites in ServBay.

The advantages of using Let's Encrypt certificates include: they’re free, automated, widely trusted, and let you locally test HTTPS website behavior, Service Workers, HSTS, and more.

Prerequisites

Before requesting a Let's Encrypt certificate, please make sure you meet the following requirements:

1. Own a Public Domain: You must possess a real, registered, and valid domain name (e.g., servbay.demo or yourdomain.com). Let's Encrypt cannot issue certificates for local IPs or non-public domains like .local.
2. Ability to Manage the Domain’s DNS Records: ServBay uses DNS API validation to verify domain ownership. This requires that you have access to your domain registrar or DNS provider’s control panel (e.g., Cloudflare, GoDaddy, AWS Route 53, etc.) and can create API keys for automated operations.
3. Obtain DNS API Keys: Generate the corresponding API token or key according to your DNS provider's requirements. Methods vary by provider, but generally, you need an API key with DNS management permissions. See the DNS API WIKI of acme.sh for instructions specific to your provider and to learn about needed environment variable names.

Application Steps

Follow these steps in ServBay to obtain an SSL certificate via Let's Encrypt:

1. Open the ServBay Manager Panel: Launch the ServBay app, click the menu bar icon, and select "Manager Panel" to open the web management interface.

2. Navigate to SSL Certificate Management: In the ServBay Manager Panel sidebar, locate and click SSL Certificates.

3. Start a New Certificate Request: On the SSL certificates list page, click the round "+" button at the top right. This opens a configuration window for your certificate request.

4. Fill in Certificate Information: In the “Request Certificate” popup window, complete each field as follows:

   • Common Name: Enter a name that uniquely identifies this certificate, for easy recognition—like servbay-demo-cert or mydomain-wildcard-cert.
   • Usage Purpose: Select TLS/SSL.
   • Request Method: Choose ACME.
   • Issuer: Select Let's Encrypt.
   • DNS API Provider: Select your DNS provider from the dropdown (e.g., cloudflare for Cloudflare, godaddy for GoDaddy).
   • Algorithm: It is recommended to select the ECC (Elliptic Curve Cryptography) algorithm with a key length of 384. Compared to traditional RSA certificates, ECC certificates have smaller keys and tend to provide better performance and security.
   • E-Mail Address: Enter your valid email address. Let's Encrypt will send important notices about certificate expiration and renewal failures here.
   • DNS API Tokens: Enter the API keys or tokens required by your DNS provider in this field. These are usually provided to the underlying ACME client as environment variables. Check your DNS provider documentation or the acme.sh DNS API WIKI for the correct variable names and values. Important: Do not add export before any API information. For example, with Cloudflare you may need to enter CF_Key=sdfsdfsdffgfdg\[email protected] (use \n to separate different variables).
   • Domain: Enter the domain(s) you want the certificate for. For multiple domains or wildcard certificates (such as *.servbay.demo), separate them with commas (e.g., servbay.demo, www.servbay.demo, *.servbay.demo). Note that wildcard certificates must use DNS API validation.

   Note: The Common Name in the screenshot is "Test". In practice, use a more descriptive name for clarity.

5. Submit the Request: Once all information is complete, click the “Request” button at the bottom of the window.

6. Wait for Completion: ServBay will launch the ACME client in the background, using your DNS API details to verify domain ownership and apply for the certificate from Let’s Encrypt. The process might take several minutes depending on DNS propagation times and Let’s Encrypt server response. Once completed, the new certificate will appear in your SSL certificate list.

Using the Certificate

After successfully obtaining the certificate, you can assign it to your local website:

1. Go to Website Configuration: In the ServBay Manager Panel sidebar, click on Websites.
2. Edit the Site Configuration: Find the website you want, then click the edit icon (typically a pencil) on the right.
3. Configure HTTPS/SSL: In the configuration page, find SSL/HTTPS settings. There will typically be an option for selecting the SSL certificate source.
4. Select ACME Certificate: In the certificate source dropdown, choose ACME. Then select your newly requested certificate by its Common Name in the right-hand dropdown.
5. Save Changes: Save your website settings. ServBay will reload your website configuration, applying the new SSL certificate. You should now be able to access your local website via HTTPS.

Screenshot shows the interface for selecting an ACME certificate in the site configuration.

Certificate Renewal

Let’s Encrypt certificates are valid for 90 days. ServBay has built-in automatic renewal. Once an ACME certificate is near expiry (typically within 30 days), ServBay will automatically attempt to renew it using the same configuration. No manual intervention is needed. Make sure your DNS API keys remain valid to ensure successful auto-renewal. If any issues occur during the process, Let’s Encrypt will send an email notification to the address you provided.

About ACME Protocol & DNS API Validation

• ACME Protocol: ACME is an open standard for automating domain validation and certificate issuance. CAs like Let’s Encrypt use this protocol to interact with client software (such as the ACME client integrated in ServBay), enabling automated certificate requests and management.
• DNS API Validation: This is one method ACME supports for proving domain ownership. The client uses the DNS API to add a specific TXT record to your domain’s DNS. The CA queries this record to confirm your control. DNS API validation is ideal in scenarios such as:
  • Requesting wildcard certificates (e.g., *.servbay.demo)
  • Your local ServBay instance isn’t publicly accessible (e.g., running on an internal network or when your ISP blocks ports 80/443)

Choosing a Certificate Algorithm: ECC vs RSA

When applying for a certificate, ServBay lets you choose between ECC and RSA algorithms.

• RSA: A traditional public-key algorithm—offering maximum compatibility as nearly all browsers and clients support it. Common key lengths are 2048 and 4096 bits.
• ECC: An elliptic curve cryptography algorithm. ECC keys are shorter for the same security level (e.g., ECC 256-bit equals RSA 3072-bit), resulting in faster TLS handshakes and lower resource usage on servers and clients. Modern browsers and OSs widely support ECC.

Recommendation: For new requests, it’s recommended to use ECC with a 384-bit key for better performance and security. If you require maximum compatibility (such as for very old clients), consider RSA.

Notes & Recommendations

• DNS Propagation Time: After submission, DNS TXT record changes may take some time to propagate worldwide (from minutes to hours). If your request fails immediately, try again later.
• API Key Security: Your DNS API key has permission to manage DNS records—store it securely and do not share it.
• Let’s Encrypt Rate Limits: Let's Encrypt imposes rate limits per domain. If you repeatedly request or renew certificates for the same domain too often, you may hit these limits. Under normal use with ServBay's auto-renewal, rate limits are rarely a concern.

FAQ

• Q: My domain resolves to a local IP address. Can I use Let’s Encrypt certificates?
  • A: Yes, as long as you use DNS API validation. Let’s Encrypt checks that you control the DNS, not where it resolves.
• Q: What should I do if the certificate request fails?
  • A: First, check the correctness and permissions of your DNS API keys, and that you chose the correct DNS API provider. Sometimes, the problem is simply DNS propagation—wait a few minutes and retry. Checking ServBay logs may also give more detail.
• Q: How long before expiration does ServBay renew certificates automatically?
  • A: Usually, ServBay renews certificates automatically within 30 days of expiry.
• Q: Can I request certificates for local development .local domains?
  • A: No, Let’s Encrypt only issues certificates for publicly registered domains. For .local or IP-based domains, you can use the ServBay User CA or ServBay Public CA features to generate self-signed or locally trusted certificates for testing.
• Q: My DNS provider isn’t listed in ServBay—what should I do?
  • A: The integrated ACME client in ServBay supports most mainstream DNS providers. For rare providers, you may need manual configuration. Check the acme.sh DNS API WIKI to see if your provider is supported and for setup instructions. If a provider is missing from the ServBay UI, contact ServBay support.

Conclusion

By integrating the ACME protocol, ServBay greatly simplifies the process of obtaining and managing Let’s Encrypt SSL certificates in your local development environment. Using DNS API validation, you can easily request free, auto-renewing certificates for your public domains (including wildcards) and closely simulate your production HTTPS setup in local dev, enhancing both efficiency and testing accuracy. Simply follow the steps above to enable secure HTTPS connections for your ServBay websites.