Let's Encrypt as certificate provider

Let's Encrypt is a provider and certificate authority (CA) of free SSL/TLS server certificates. Installing and maintaining these certificates is fully automated. Under the current service agreement certificates are issued for a lifetime of 90 days and automatically renewed after 60 days.

Required information

To configure Let's Encrypt certificates, the virtual host must be configured with an FQDN that is listed in the global DNS and an email address must be provided. This email address is used by Let's Encrypt to communicate directly with the owner of the Let's Encrypt certificate. It is recommended to provide an email that is monitored by an operations group.

If a virtual host is configured with aliases, these aliases are automatically added to the Let's Encrypt certificate.

Routing

The IP of Let's Encrypt service host acme-v02.api.letsencrypt.org must be reachable. A destination route may be necessary.

Legal notice

Let's Encrypt provides their certificates under their own Let's Encrypt Subscriber Agreement. By using Let's Encrypt certificates you implicitly agree to the most recent version of their subscriber agreement.

Trust management

Since Let's Encrypt certificates change rather frequently, it is recommended to only use CA trust chain validation and to avoid solutions that rely on simple certificate trust. The trust chain can be downloaded from the Let's Encrypt web site.

To download the server certificate, it is recommended to use a normal browser to connect to the server and to retrieve the certificate including chain directly from there.

Limitations

The following functions have not been integrated or automated:

  • Currently there is no support for wildcard certificates.
  • Let's Encrypt is not supported in setups with multiple active gateway appliances (active-active setup).
  • Revocation of certificates must be accomplished manually. Documentation can be found on the Let's Encrypt web site.
  • When adding an alias to a running virtual host, care should be taken that both the FQDN of the virtual host and all the aliases are correctly configured in the global DNS. An incorrect configuration will result in a verification failure of the certificate request at Let's Encrypt and therefore take this virtual host offline. Other virtual hosts will continue to work as expected.

Operation

During the initial setup of a virtual host, it may take some time until the first certificate is successfully issued. The Kibana log will show all the details on the exchange with the Let's Encrypt services.

Once the certificate is issued, no further operational activities are required. The system will automatically request new certificates and activate them using a graceful Apache restart to avoid any impact on end users.

In case of a failover in an active-passive setup, the passive server has copies of the most recent certificates and will use these certificates should it be necessary to make this server the active node.

Further information and links