Foldr v4 provides FREE signed SSL certificates via Let’s Encrypt that can be installed quickly and easily. Follow this link to find out more. However, a Let’s Encrypt certificate installation has some requirements, such as opening HTTP (port 80) inbound to the server and ensuring no HTTPS inspection is running on the customer firewall/filter between Foldr and Let’s Encrypt.
Where local firewall policies/filtering make using Let’s Encrypt not viable, you can instead use a paid-for signed SSL certificate from a traditional Certificate Authority (such as GoDaddy, Sectigo or DigiCert). A standard domain-validated SSL certificate covering a single site (common name) is all that is required, but any SAN/UCC or wildcard certificate may also be used.
The steps required
1) Generate your Certificate Signing Request (CSR) and Private Key pair.
This can be done in several ways, but a quick and easy route is the Easy CSR tool on the Digicert website. It produces a single command that uses a locally installed copy of OpenSSL to generate your CSR and private key.
Digicert Easy CSR – click here
2) Complete the required fields and click Generate.
NOTE – The Common Name is the URL of the site that you are intending to protect with the certificate.
3) This will output the required OpenSSL command to generate a CSR and Private Key pair. Copy the command to the clipboard.
4) OpenSSL is available by default on macOS and most Linux installations. If using a Windows workstation, OpenSSL must be installed separately and can be obtained here – the smaller ‘Light’ version is fine for this purpose, selecting Win32 or Win64 as appropriate.
Run the OpenSSL command in a Linux/macOS Terminal as given. For Windows systems, open an elevated command prompt (run as Administrator) and cd to \bin inside the OpenSSL directory (C:\OpenSSL-Win64\bin for x64).
The CSR and Private Key will be created in the working directory.
5) Save both the entire private key and CSR as separate text files to your computer.
You will need to send the CSR to your chosen certificate provider as part of the process of requesting your certificate. Do not submit your private key file to any third party, and keep it safe as it will be required later.
6) You may need to confirm your ownership of the domain, usually by way of an email to the registered contact of the domain held by the registrar. Other verification methods may be available depending on your certificate provider.
Once you have validated your certificate request & domain ownership, you will most likely receive another email to inform you that the signed certificate is ready for download.
There can be a slight delay between confirming your domain ownership and your signed certificate being created by your provider.
7) When ready and downloaded, open the signed certificate and Private Key created earlier in a text editor and paste into the relevant boxes on the Foldr Settings > Certificates screen. Untoggle the ‘Use Default’ switch if your server is still using the self-signed certificate. Once untoggled, the certificate, private key, chain and root certificate boxes will be visible.
You should also obtain your certificate provider’s Root and Intermediate Chain certificates from their support portal and paste these in at the same time. Some certificate authorities issue a bundle certificate (which is the CA Root and one or more Intermediate chain certificates combined into a single file). If using a bundle certificate, you should paste this into the ‘Chain – optional’ box (third down) and leave the ‘Root – optional’ box blank.
8) Click SAVE CHANGES and your certificate will be installed after a few seconds.
Your SSL certificate installation should now be complete and you will no longer receive warnings in the browser or apps when accessing Foldr via the public URL (Common Name) protected in the certificate. Note that you will always receive certificate trust warnings when accessing Foldr via its public or private IP address, or via some other DNS name not covered by the certificate.
The SSL installation can be verified by using an online validation tool such as https://www.sslshopper.com/ssl-checker.html
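The following is an added example, not taken from the Foldr documentation or the Digicert tool. It shows one way to generate the key and CSR for steps 1 to 5 and to confirm, before pasting in step 7, that the signed certificate carries the same public key as your private key. The hostname, organisation and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example. The hostname, organisation and file names are constructed placeholders.

# Steps 1-5: create <name>.key and <name>.csr in the working directory.
# -nodes leaves the key unencrypted so it can be pasted into Foldr as text.
make_csr() (
    umask 077   # new key file is readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" \
        -subj "/C=GB/O=Example Org/CN=$1"
)

# Print the PEM public key held in a private key, CSR or certificate.
pub_pem() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 1 ;;
    esac
}

# SHA-256 of that public key; fails if the file is missing or unreadable.
pub_hash() {
    pem=$(pub_pem "$1" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Step 7 pre-check: succeed only if both files carry the same public key.
same_key() {
    a=$(pub_hash "$1" "$2") && b=$(pub_hash "$3" "$4") && [ "$a" = "$b" ]
}

# Usage:
#   make_csr foldr.example.com
#   same_key key foldr.example.com.key cert signed.crt && echo "certificate matches key"
```

A mismatch here usually means the certificate was issued against a different CSR than the one whose private key you kept.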
Configuring the External Hostname
Foldr server release v184.108.40.206 introduces a security feature where the server will reject client requests if the supplied HTTP Host header differs from what is configured on the server. This feature is optional; to enable it, the administrator should configure the ‘External Hostname’ in the Foldr Settings > Appliance > Network tab.
Where no External Hostname is configured, the server will respond to client requests as normal, regardless of the host header provided.
To use this feature, the External Hostname should be set to the public/external FQDN of the Foldr server. If this is set to some other value, clients will see the following error (or similar depending on browser/app)