cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6072
Views
5
Helpful
1
Comments
David Harper
Cisco Employee
Cisco Employee

Let’s Encrypt is a Certificate Authority that provides free, Domain Validation (DV) SSL certificates to the public using an automated process.  Let’s Encrypt provides an easily accessible mechanism for obtaining signed certificates for web servers, giving the end user confidence that they are accessing the correct service.  For more information on Let’s Encrypt, visit their website at https://letsencrypt.org/.

 

Using Let’s Encrypt certificates with FindIT Network Manager is reasonably straightforward.  Although it is not feasible to automate the issuing and installation of the certificate with FindIT Network Manager, a certificate can be easily obtained using a manual process and then installed through the Manager web UI.  This remainder of this document walks through the process of issuing a certificate and installing it in the Manager.

  1. The first step is to obtain software that uses the ACME protocol (https://tools.ietf.org/html/draft-ietf-acme-acme-16) to obtain a certificate. In this example we are using the certbot client (https://certbot.eff.org/), but there are many other options available.

    To obtain the certbot client, use the Manager or another host running a Unix-like OS (e.g. Linux, MacOS) and follow the instructions on https://certbot.eff.org/ to install the client.  In the dropdown menus on this page, select None of the Above for Software and your preferred OS for System.

    To install the certbot client on the FindIT Network Manager server, we use the following commands (bold text is entered by the user):
    cisco@findit-manager:~$ sudo apt-get update
    cisco@findit-manager:~$ sudo apt-get install software-properties-common
    cisco@findit-manager:~$ sudo add-apt-repository ppa:certbot/certbot
    cisco@findit-manager:~$ sudo apt-get update
    cisco@findit-manager:~$ sudo apt-get install certbot 
    

     

  2. Create a working directory to contain all the files associated with the certificate.  Note that these files include sensitive information such as the private key for the certificate and account details for the Let’s Encrypt service.  While the certbot client will create files with appropriately restrictive permissions, you should ensure that the host and the account being used are restricted for access to only authorized staff.

    To create the directory on the Manager, we use the following commands:
    cisco@findit-manager:~$ mkdir certbot
    cisco@findit-manager:~/certbot $ cd certbot

     

  3. Request a certificate using the following command:
    cisco@findit-manager:~/certbot$ certbot certonly --manual --preferred-challenges dns \
       -d findit-manager.example.com -d pnpserver.example.com --logs-dir . \
       --config-dir . --work-dir .
    
    Note:   The above example is a single command that wraps across multiple lines.  The backslashes have been inserted to allow the command to be copy and pasted as is.

    The parameters on the command are required for the following reasons:
    certonly Request a certificate and download the files.  Do not attempt to install them.  In the case of FindIT Network Manager, the certificate is not only used by the FindIT web server, but also by the PnP service and other functions.  As a result, the certbot client is not able to install the certificate automatically.
    --manual Do not attempt to automatically authenticate with the Let’s Encrypt service.  Work interactively with the user to authenticate.
    --preferred-challenges dns Authenticate by means of DNS TXT records.  Other challenges are not supported for use with FindIT Network Manager.

    -d findit-manager.example.com

    -d pnpserver.example.com

    The FQDNs that should be included in the certificate. The first name listed will be included in the Common Name field of the certificate, and all names will be listed in the Subject-Alt-Name field.

    The pnpserver.<domain> name is a special name used by the Network Plug and Play feature when performing DNS discovery. Consult the FindIT Network Manager Administration Guide for more details.

    --logs-dir .

    --config-dir .

    --work-dir .
    Use the current directory for all the working files created during the process.

     

  4. Go through the process of creating the certificate by following the instructions generated by the certbot client:
    cisco@findit-manager:~/certbot$ certbot certonly --manual --preferred-challenges dns \
       -d findit-manager.example.com -d pnpserver.example.com --logs-dir . \
       --config-dir . --work-dir .
    Saving debug log to /home/cisco/certbot/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for findit-manager.example.com
    dns-01 challenge for pnpserver.example.com
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: Y
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.findit-manager.example.com with the following value:
    
    iZB9LVd6ocime3t9ntWsTA82rjQW7ml9fkoou8uaBh0
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue

    At this point, a DNS TXT record to validate the ownership of the findit-manager.example.com hostname must be created in the DNS infrastructure.  The steps required to do this are outside the scope of this document, and will depend on the DNS provider being used.  Once created, validate that the record is available using a DNS query tool such as dig (https://linux.die.net/man/1/dig).

     

    The DNS challenge process may be automated for certain DNS providers.  See https://certbot.eff.org/docs/using.html#dns-plugins for more details.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.pnpserver.example.com with the following value:
    
    Txruc89x8dVaHmLHJII0oA2ILmIY83XYl13yYakjNuc
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
    


    Create and verify additional TXT records for each name to be included in the certificate.

    Waiting for verification...
    Cleaning up challenges
    Non-standard path(s), might not work with crontab installed by your operating system package manager
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /home/cisco/certbot/live/findit-manager.example.com/fullchain.pem
       Your key file has been saved at:
       /home/cisco/certbot/live/findit-manager.example.com/privkey.pem
       Your cert will expire on 2019-02-04. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
    cisco@findit-manager:~/certbot$ 


    At this point, the certificate has been issued and may be found in the live subdirectory in the filesystem:

    cisco@findit-manager:~/certbot$ cd live/findit-manager.example.com/
    cisco@findit-manager:~/certbot/live/findit-manager.example.com$ ls
    cert.pem  chain.pem  fullchain.pem  privkey.pem  README
    cisco@findit-manager:~/certbot/live/findit-manager.example.com$

     

  5. Now that we have the certificate and associated private key, we need to package them ready for upload to the Manager. We do this using the openssl tool:
    cisco@findit-manager:~/certbot/live/findit-manager.example.com$ openssl pkcs12 \
       -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem 
    Enter Export Password: secret
    Verifying - Enter Export Password: secret
    cisco@findit-manager:~/certbot/live/findit-manager.example.com$ 

    This command takes the private key (privkey.pem), the certificate for the manager (cert.pem) and the chain of intermediate certificates between the manager certificate and the Let’s Encrypt root certificate (chain.pem) and packages them together into a single, password protected file in pkcs12 format (cert.pfx) suitable for uploading to the Manager.

     

    If the host where you are performing these steps does not have a web browser, you will need to copy the cert.pfx file to your PC using a tool such as secure copy (scp on Unix-like OSes or WinSCP for Microsoft Windows).  If you are performing these operations on the Manager, then the SSH server - required for secure copy to function - is disabled by default.  The server may be enabled using the following command:

    cisco@findit-manager:~/certbot$ sudo service ssh start

    Once you have finished, the SSH server may be disabled again with the command:

    cisco@findit-manager:~/certbot$ sudo service ssh stop

     

  6. Finally, we upload the certificate and associated data to the Manager using the Administration > Certificate page in the GUI:
    FindIT-Manager-Certificate.png

    The browser window may need to be refreshed after installing the new certificate.

     

 
At this point, the Manager should now be running with the new certificate. If you open the Manager GUI in a web browser by specifying the FQDN in the address bar, the web browser should indicate that the connection is trusted and secure.
 

Please note that certificates issued by Let’s Encrypt have relatively short lifetimes – currently 90 days.  In order to ensure the certificate remains valid, you will need to renew it before the 90 days are up.  To do this, you need to repeat steps 3 to 6 in the process above to receive an updated certificate and apply it to the Manager.

Comments
Jo Kern
Cisco Employee
Cisco Employee

Thanks Dave, very nice

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: