Foldr v4 provides built-in support for the Let’s Encrypt Certificate Authority. This service provides signed SSL certificates at no charge with ongoing automatic renewal. This is a great option for sites that do not already own a wildcard or UCC/SAN certificate that can be used with Foldr.
Let’s Encrypt intermediate certificates are cross signed by IdentTrust Certificate Authority and as such are trusted by most modern web browsers and mobile devices. The built-in integration within Foldr Settings >> Certificates provides a quick, automated and convenient mechanism of requesting and installing the signed certificate which are ready to use immediately.
To get started with Let’s Encrypt, enable the ‘Use Let’s Encrypt’ switch and enter the external URL of the Foldr appliance. Note – this service requires the Foldr appliance to be available externally over both HTTP and HTTPS (TCP ports 80 and 443) due to automatic certificate request and domain validation process used by Let’s Encrypt.
Once the certificate domain has been entered and you click Save, there will be a short delay (5-10 seconds) while the certificate request is made and the signed certificate installed.
IMPORTANT – Let’s Encrypt issue certificates with a 90 day expiry, however Foldr will request a new certificate automatically every 60 days. As such it is important to ensure TCP port 80 remains open to the Foldr appliance at all times so that subsequent certificate renewals are installed correctly.
Let’s Encrypt is based in the US and as such if your organisation employs geo-location blocking on your firewall which prevents US based IP addresses from accessing your Foldr server, it will not be able to obtain or renew SSL certificates. Where a paid-for (non-Let’s Encrypt) SSL certificate is being used, Geo-location blocking of US IP addresses is not relevant and may be used.
Troubleshooting Let’s Encrypt Certificate Installation
Due to the nature of the validation process, Let’s Encrypt will not successfully issue certificates where any form of HTTPS inspection / MITM web filtering or firewall product intercepts and re-signs the network traffic between Foldr and the Certificate Authority. If a product of this type is deployed at the site, then the Foldr appliance IP address should be white-listed. The external domain of ‘letsencrypt.org’ should also be marked for exclusion from the HTTPS web filtering policy.
The Foldr appliance must be accessible externally over both TCP port 80 (HTTP) and TCP port 443 (HTTPS) for Let’s Encrypt to successfully complete the certificate request, challenge handshake and installation.
When requesting or renewing a certificate, Let’s Encrypt provide a small file which is saved onto the appliance. Their servers will then attempt to retrieve this file (on port 80) to verify that you own the domain for which you are receiving a certificate. This challenge/response protocol is known as Automatic Certificate Management Environment (ACME). More information is available at https://github.com/ietf-wg-acme/acme
More information on the Let’s Encrypt project is available here and on their official website