Free Web-Server Certificate (Let's Encrypt)


Purpose


This article explains how to obtain a free web server certificate using the built-in Let's Encrypt service.


Information


From GateManager release 7.2 it is now possible to install a royalty-free Web-server Certificate. If your server already has a trusted Web certificate, there is no reason to use this option.

Before:

After:

We have implemented the Let’s Encrypt service and an install wizard that should be as self-explanatory as possible.

Requirements:

  • Fully Qualified Domain Name - the GateManager will need a public DNS name
  • There must be access from the internet to port 80 on the GateManager
  • GateManager must have full DNS service access to the internet (outbound UDP port 53)
  • The DNS name must resolve to the public IP address of the GateManager

Some of the requirements are not mandatory. If a requirement is not fulfilled, the installation wizard will prompt and guide you with instructions.
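
The following pre-flight check is an added example, not Secomea code. It verifies the two requirements that can be tested from a host outside your network: the DNS name resolves to the GateManager's public IP address, and TCP port 80 is reachable. The outbound DNS requirement must be checked on the GateManager side. The host name and address shown are constructed sample values.

```python
import socket

def resolve_ipv4(fqdn):
    """Return the set of IPv4 addresses the public DNS name resolves to."""
    try:
        infos = socket.getaddrinfo(fqdn, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def port_open(ip, port=80, timeout=5.0):
    """True if a TCP connection to ip:port succeeds within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(fqdn, public_ip, resolve=resolve_ipv4, probe=port_open):
    """Check the externally verifiable requirements; return a list of problems."""
    problems = []
    # Requirement: a fully qualified public DNS name, not a bare host name.
    if "." not in fqdn.strip("."):
        problems.append(f"{fqdn!r} is not a fully qualified domain name")
        return problems
    # Requirement: the DNS name must point at the GateManager's public IP only.
    addrs = resolve(fqdn)
    if not addrs:
        problems.append(f"{fqdn} does not resolve in public DNS")
    elif addrs != {public_ip}:
        problems.append(f"{fqdn} resolves to {sorted(addrs)}, expected only {public_ip}")
    # Requirement: port 80 must be reachable from the internet.
    if not probe(public_ip, 80):
        problems.append(f"TCP port 80 on {public_ip} is not reachable")
    return problems

if __name__ == "__main__":
    # Constructed sample values (documentation ranges); replace with your own.
    for line in preflight("gm.example.com", "203.0.113.10") or ["all checks passed"]:
        print(line)
```

Run it from a machine outside the GateManager's network; a result from inside the LAN says nothing about reachability from the internet.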

Nice to know:

  • The Web Certificate will automatically be renewed every 30 days.
  • Do not manually try to renew the certificate too many times. There is a limit, and if it is exceeded the GateManager will be rejected. Release time will be 7 days (see appendix).
  • There is no guarantee that various web browser providers will NOT reject the Let’s Encrypt CA in the future, but at the time of writing, the certificate has full support with all major browser providers.


Installation

Log in as Server Administrator and select Server -> Certificates.

Press [Free Cert] to start the Let’s Encrypt process. If there is a configuration issue, it will be shown in red, as in the figure below:


Pressing the [Register] button will start the Web-server Certificate process and the certificate will automatically be installed.

The browser address bar should now show:

You might need to close the browser and open it again for it to pick up the new certificate.



Error messages:

  • user.err ACME: Error: CHAIN - unknown issuer certificate format for
    • A router or other device is performing HTTPS packet inspection.
Creation date: 11/12/2019 14:25 (skr@secomea.com)      Updated: 14/12/2019 23:19 (skr@secomea.com)