Foldr v4 provides built-in support for the Let’s Encrypt Certificate Authority. This service issues signed SSL/TLS certificates at no charge, and Foldr renews them automatically. This is a great option for sites that do not already own a wildcard or UCC/SAN certificate that can be used with Foldr.
Let’s Encrypt intermediate certificates are cross-signed by the IdenTrust Certificate Authority and as such are trusted by most modern web browsers and mobile devices. The built-in integration within Foldr Settings > Certificates provides a quick, automated and convenient mechanism for requesting and installing the signed certificate, which is ready to use immediately.
To get started with Let’s Encrypt, enable the ‘Use Let’s Encrypt’ switch and enter the external URL of the Foldr appliance. Note – this requires the Foldr appliance to be reachable from the Internet over both HTTP and HTTPS (TCP ports 80 and 443), because Let’s Encrypt validates control of the domain by connecting back to the appliance during the automatic certificate request.
Once the certificate domain has been entered and you click Save, there will be a short delay (5-10 seconds) while the certificate request is made and the signed certificate installed.
IMPORTANT – Let’s Encrypt issues certificates with a 90-day expiry, and Foldr requests a new certificate automatically every 60 days. It is therefore important that TCP port 80 remains open to the Foldr appliance at all times, so that each subsequent renewal is validated and installed correctly. A renewal that fails because port 80 is closed is not noticed by users immediately: the existing certificate continues to work until its 90-day expiry, after which clients will see certificate errors.
Geo-location blocking (US)
Let’s Encrypt is based in the US, so if your organisation employs geo-location blocking that prevents US-based IP addresses from reaching your Foldr server, the appliance will not be able to obtain or renew SSL certificates. Where a paid-for (non-Let’s Encrypt) certificate is used, geo-location blocking of US IP addresses does not affect certificate renewal and may be used.
Geo-location blocking may be enabled within Foldr itself or on a third-party/external firewall. Within Foldr, the geo-location feature is available within Foldr Settings > Appliance > Network > Firewall; the checkbox labelled United States must be unchecked for Let’s Encrypt to work as expected.
Troubleshooting Let’s Encrypt Certificate Installation
Let’s Encrypt will not successfully issue certificates where any form of HTTPS inspection / MITM web filtering or firewall product intercepts and re-signs the network traffic between Foldr and the Certificate Authority: the appliance talks to the Let’s Encrypt API over HTTPS and verifies the CA’s own certificate, so a re-signed connection fails that check. If a product of this type is deployed at the site, the Foldr appliance IP address should be whitelisted, and the external domain ‘letsencrypt.org’ (including its subdomains, which host the ACME API) should be excluded from the HTTPS inspection policy.
The Foldr appliance must be accessible externally over both TCP port 80 (HTTP) and TCP port 443 (HTTPS) for Let’s Encrypt to successfully complete the certificate request, challenge handshake and installation.
When requesting or renewing a certificate, Let’s Encrypt issues a challenge token and Foldr saves a small file containing the matching key authorisation on the appliance, under the path /.well-known/acme-challenge/. The Let’s Encrypt validation servers then retrieve this file over plain HTTP (port 80) to verify that you control the domain for which the certificate is being issued. This challenge/response protocol is the Automatic Certificate Management Environment (ACME, RFC 8555), and the port 80 check is its HTTP-01 challenge. More information is available at https://github.com/ietf-wg-acme/acme
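The HTTP-01 exchange described above, walked through in code as an added example (standard library only; this is not Foldr’s or Let’s Encrypt’s code). The appliance side computes the key authorisation from the token and its ACME account key and stages it under /.well-known/acme-challenge/; the CA side fetches it over port 80 and compares. DEMO_JWK, DEMO_TOKEN and foldr.example.com are constructed placeholders, and the three fetch functions stand in for a reachable appliance, a web filter answering in its place, and a closed or geo-blocked port 80.

```python
"""ACME HTTP-01 challenge (RFC 8555 section 8.3) walked through in code.
Added example using only the standard library; it is not Foldr's or
Let's Encrypt's code. DEMO_JWK and DEMO_TOKEN below are constructed."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public-key members,
    serialised with lexicographically sorted keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The exact body the appliance must serve for this challenge."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_path(token: str) -> str:
    return f"/.well-known/acme-challenge/{token}"


# Appliance side: 'webroot' stands in for what Foldr serves on TCP port 80.
def stage_challenge(webroot: dict, token: str, account_jwk: dict) -> None:
    webroot[challenge_path(token)] = key_authorization(token, account_jwk)


# CA side: what the Let's Encrypt validation servers do over plain HTTP.
def ca_validate(fetch, domain: str, token: str, account_jwk: dict) -> tuple:
    """fetch(url) -> (status, body) plays the CA's HTTP GET. Returns (ok, reason)."""
    url = f"http://{domain}{challenge_path(token)}"
    try:
        status, body = fetch(url)
    except OSError as exc:  # port 80 closed, geo-blocked, timeout
        return False, f"connection failed: {exc}"
    if status != 200:
        return False, f"unexpected HTTP status {status}"
    if body.strip() != key_authorization(token, account_jwk):
        return False, "body does not match key authorization (interception or wrong host?)"
    return True, "valid"


# Constructed account key: a JWK with a nonsense modulus, for illustration only.
DEMO_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"not-a-real-modulus")}
DEMO_DOMAIN = "foldr.example.com"  # placeholder external hostname
DEMO_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # token shape from RFC 8555


def demo() -> dict:
    """Run the three outcomes a Foldr admin may hit; returns name -> (ok, reason)."""
    webroot = {}
    stage_challenge(webroot, DEMO_TOKEN, DEMO_JWK)

    def fetch_open(url):       # port 80 reachable, file served as staged
        path = url.split(DEMO_DOMAIN, 1)[1]
        return (200, webroot[path]) if path in webroot else (404, "")

    def fetch_filtered(url):   # a web filter answers instead of the appliance
        return (200, "<html>Blocked by policy</html>")

    def fetch_closed(url):     # firewall drops port 80 or geo-blocks the CA
        raise OSError("connection timed out")

    return {name: ca_validate(fn, DEMO_DOMAIN, DEMO_TOKEN, DEMO_JWK)
            for name, fn in [("open", fetch_open), ("filtered", fetch_filtered),
                             ("closed", fetch_closed)]}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} {'PASS' if ok else 'FAIL'}: {reason}")
```

Only the "open" case validates; the "filtered" case shows why a web filter that answers port 80 on the appliance’s behalf breaks renewal even though the connection itself succeeds, and the "closed" case is the port 80 / geo-blocking failure the sections above warn about.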
A certificate can also be requested from the Foldr server console using the console command; this can provide a more detailed error message if you are having issues installing a Let’s Encrypt certificate:
Finally, the Test Settings output in Foldr Settings > General > Test Settings has a specific Let’s Encrypt connectivity test.
Note that the certificate issuer is displayed as part of the test. At the time of writing this should be shown as ‘R3’, a Let’s Encrypt intermediate CA; Let’s Encrypt rotates its intermediates over time, so the exact name may change, but the issuer will always be Let’s Encrypt. If the issuer shown belongs to any other organisation (typically the firewall or web filter vendor’s own CA), the server is subject to HTTPS/man-in-the-middle inspection, and this needs to be disabled on the relevant third-party firewall/web filter.
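The same check run from outside the network, as an added example (standard library only; this is not Foldr’s Test Settings check or console command). It connects to the appliance on TCP 443 with the system trust store, reports the issuer, the days remaining and whether the certificate in service is older than the 60-day renewal interval, which indicates renewals have been failing silently. foldr.example.com is a placeholder, SAMPLE_CERT is a constructed value in the shape getpeercert() returns, and the expected intermediate name ‘R3’ is taken from this page and should be refreshed when Let’s Encrypt rotates intermediates.

```python
"""Report what an external client actually sees from the Foldr appliance on
TCP 443: issuer and certificate validity. Added example, standard library
only; it is not Foldr's Test Settings check. foldr.example.com is a placeholder."""
import socket
import ssl
import sys
from datetime import datetime, timezone

EXPECTED_ISSUER_ORG = "Let's Encrypt"
EXPECTED_ISSUER_CN = "R3"   # the intermediate named on this page; Let's Encrypt rotates these
RENEWAL_INTERVAL_DAYS = 60  # Foldr renews every 60 days per this page


def issuer_fields(cert: dict) -> dict:
    """getpeercert() returns 'issuer' as a tuple of RDNs, each a tuple of (type, value)."""
    return {k: v for rdn in cert.get("issuer", ()) for (k, v) in rdn}


def classify_issuer(cert: dict) -> str:
    fields = issuer_fields(cert)
    org, cn = fields.get("organizationName", ""), fields.get("commonName", "")
    if org != EXPECTED_ISSUER_ORG:
        return "not Let's Encrypt: HTTPS inspection or a different CA in the path"
    if cn != EXPECTED_ISSUER_CN:
        return f"Let's Encrypt intermediate {cn} (not {EXPECTED_ISSUER_CN}; check the current intermediate list)"
    return f"Let's Encrypt intermediate {cn}"


def to_utc(cert_time: str) -> datetime:
    """Parse the 'Mar  1 00:00:00 2023 GMT' form used in getpeercert() output."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def days_left(cert: dict, now: datetime) -> float:
    return (to_utc(cert["notAfter"]) - now).total_seconds() / 86400


def renewal_overdue(cert: dict, now: datetime) -> bool:
    """A certificate older than the renewal interval means automatic renewal
    has been failing (port 80 closed, geo-block, HTTPS inspection...)."""
    return (now - to_utc(cert["notBefore"])).days > RENEWAL_INTERVAL_DAYS


def report(cert: dict, now: datetime = None) -> dict:
    now = now or datetime.now(timezone.utc)
    return {
        "issuer": classify_issuer(cert),
        "days_left": round(days_left(cert, now), 1),
        "renewal_overdue": renewal_overdue(cert, now),
    }


def fetch_cert(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Connect with the system trust store. A re-signed (inspected) chain
    raises SSLCertVerificationError here instead of returning a cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Mar  1 00:00:00 2023 GMT",
    "notAfter": "May 30 00:00:00 2023 GMT",
}
SAMPLE_NOW = datetime(2023, 5, 20, tzinfo=timezone.utc)  # constructed 'current time'


if __name__ == "__main__":
    if len(sys.argv) > 1:
        try:
            result = report(fetch_cert(sys.argv[1]))
        except ssl.SSLCertVerificationError as exc:
            result = {"issuer": f"chain not trusted ({exc.verify_message}); suspect interception"}
    else:
        result = report(SAMPLE_CERT, SAMPLE_NOW)
    for k, v in result.items():
        print(f"{k}: {v}")
```

Run it as `python check_foldr_cert.py foldr.example.com` from a machine outside the site; with no argument it reports on the constructed sample. Run from inside a network with HTTPS inspection it will either fail chain verification or report the inspection product’s CA as issuer, which is the same symptom the Test Settings output shows.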
More information on the Let’s Encrypt project is available on their official website, https://letsencrypt.org
Configuring the External Hostname
Foldr server release v22.214.171.124 introduces a security feature where the server rejects client requests if the supplied HTTP Host header differs from the hostname configured on the server. This feature is optional; to enable it the administrator should configure the ‘External Hostname’ in the Foldr Settings > Appliance > Network tab.
Where no External Hostname is configured, the server will respond to client requests as normal, regardless of the host header provided.
To use this feature, the External Hostname should be set to the public/external FQDN of the Foldr server. If it is set to some other value, clients will see the following error (or similar, depending on browser/app)