Foldr Zen Zone

Knowledge Base
, updated Posted in

Let’s Encrypt – Free signed SSL Certificates with Automatic Renewal

Introduction

Foldr Server provides built-in support for the popular Let’s Encrypt Certificate Authority.  This service provides signed and trusted SSL certificates at no charge with ongoing automatic renewal.  This is a great option for sites that do not already own a wildcard or UCC/SAN certificate that can be used with Foldr.

Requirements

  • Foldr server to be reachable publicly over the Internet
  • TCP ports 80 and 443 (HTTP & HTTPS) open INBOUND to the Foldr Server
  • Not Geo-location blocking access to the Foldr server from the United States (Where Let’s Encrypt are based)
  • Man-in-the-middle / HTTPS Inspection between Foldr Server and Let’s Encrypt API (https://acme-v02.api.letsencrypt.org) must not be in use

Let’s Encrypt intermediate certificates are cross signed by IdentTrust Certificate Authority and as such are trusted all modern web browsers and mobile devices.  The Let’s Encrypt integration provides a quick, automated and convenient mechanism of requesting and installing the signed certificate which are ready to use immediately.

Configuration

To get started with Let’s Encrypt, browse to Foldr Settings > Security > Certificates

Enable the ‘Use Let’s Encrypt’ switch and enter the external URL of the Foldr appliance into the Certificate Domains field and click Save Changes

Note – this service requires the Foldr appliance to be available externally over both HTTP and HTTPS (TCP ports 80 and 443) due to automatic certificate request and domain validation process (that takes place over HTTP) used by Let’s Encrypt.

Once the certificate domain has been entered and you click Save, there will be a short delay (5-10 seconds) while the certificate request is made and the signed certificate installed.

IMPORTANT  – Let’s Encrypt issue certificates with a 90 day expiry, however Foldr will request a new certificate automatically on a schedule every 60 days.  As such it is important to ensure TCP port 80 remains open inbound the Foldr appliance at all times so that subsequent certificate renewals are installed correctly.

Geo-location blocking (US)

Let’s Encrypt is based in the United States and as such if your organisation employs geo-location blocking which prevents US based IP addresses from accessing your Foldr server, it will not be able to obtain or renew SSL certificates. Where a paid-for (non-Let’s Encrypt) SSL certificate is being used, Geo-location blocking of US IP addresses is not relevant and may be used.

Geo-location blocking may be enabled within Foldr itself or on a third party/external firewall.  Within Foldr, the geo-loccation feature is available within Foldr Settings > Appliance > Network > Firewall – The checkbox labelled United States must be unchecked for Let’s Encrypt to work as expected.

Troubleshooting Let’s Encrypt Certificate Installation

Due to the nature of the validation process, Let’s Encrypt will not successfully issue certificates where any form of HTTPS inspection / MITM web filtering or firewall product intercepts and re-signs the network traffic between Foldr and the Certificate Authority.  If a product of this type is deployed at the site, then the Foldr server appliance should be white-listed.  The external domain of ‘letsencrypt.org’ (specifically https://acme-v02.api.letsencrypt.org) should also be marked for exclusion from the HTTPS inspection policy.

The Foldr appliance must be accessible externally over both TCP port 80 (HTTP) and TCP port 443 (HTTPS) for Let’s Encrypt to successfully complete the certificate request, challenge handshake and installation.

When requesting or renewing a certificate, Let’s Encrypt provide a small file which is saved onto the appliance. Their servers will then attempt to retrieve this file (on port 80) to verify that you own the domain for which you are receiving a certificate. This challenge/response protocol is known as Automatic Certificate Management Environment (ACME). More information is available at https://github.com/ietf-wg-acme/acme

A certificate can be requested from the Foldr server console using the console command – this can provide a more detailed error message if you’re having issues installing a Let’s Encrypt certificate:

letsencrypt external-address-of-foldr

For example:

letsencrypt files.foldr.cloud

Finally, the Test Settings output in Foldr Settings > General > Test Settings has a specific Let’s Encrypt connectivity test.

Note that the certificate issuer is displayed as part of the test, and this should be shown as ‘R3’ – if anything other than R3 is shown here, the server is being subject to HTTPS/man in the middle inspection and this needs to be disabled on the relevant third party firewall/web filter.

More information on the Let’s Encrypt project is available here and on their official website

 

Configuring the External Hostname

Foldr server release v4.22.1.2 introduces a security feature where the server will reject client requests if the supplied HTTP header header is different than what is configured on the server. This feature is optional and to enable it the administrator should configure the ‘External Hostname‘ in the Foldr Settings > Appliance > Network tab.

Where no External Hostname is configured, the server will respond to client requests as normal, regardless of the host header provided.

To use this feature, the External Hostname should be set to public/external fqdn of the Foldr server. If the External Hostname is set to some other value, clients will see the following HTTP2_PROTOCOL_ERROR message (or similar depending on browser/app)

Every journey begins with a single step

Declutter, Focus, Zone In. Repeat.

Begin your File Zen Journey