David Harper
Cisco Employee

Let’s Encrypt is a Certificate Authority that provides free, Domain Validation (DV) SSL certificates to the public using an automated process.  Let’s Encrypt provides an easily accessible mechanism for obtaining signed certificates for web servers, giving the end user confidence that they are accessing the correct service.  For more information on Let’s Encrypt, visit their website at https://letsencrypt.org/.


Using Let’s Encrypt certificates with FindIT Network Manager is reasonably straightforward.  Although it is not feasible to automate the issuing and installation of the certificate with FindIT Network Manager, a certificate can be easily obtained using a manual process and then installed through the Manager web UI.  The remainder of this document walks through the process of issuing a certificate and installing it in the Manager.

  1. The first step is to obtain software that uses the ACME protocol (https://tools.ietf.org/html/draft-ietf-acme-acme-16) to obtain a certificate. In this example we are using the certbot client (https://certbot.eff.org/), but there are many other options available.

    To obtain the certbot client, use the Manager or another host running a Unix-like OS (e.g. Linux, MacOS) and follow the instructions on https://certbot.eff.org/ to install the client.  In the dropdown menus on this page, select None of the Above for Software and your preferred OS for System.

    To install the certbot client on the FindIT Network Manager server, we use the following commands (the text after the shell prompt is entered by the user):
    cisco@findit-manager:~$ sudo apt-get update
    cisco@findit-manager:~$ sudo apt-get install software-properties-common
    cisco@findit-manager:~$ sudo add-apt-repository ppa:certbot/certbot
    cisco@findit-manager:~$ sudo apt-get update
    cisco@findit-manager:~$ sudo apt-get install certbot 

  2. Create a working directory to contain all the files associated with the certificate.  Note that these files include sensitive information such as the private key for the certificate and account details for the Let’s Encrypt service.  While the certbot client will create files with appropriately restrictive permissions, you should ensure that the host and the account being used are restricted for access to only authorized staff.

    To create the directory on the Manager, we use the following commands:
    cisco@findit-manager:~$ mkdir certbot
    cisco@findit-manager:~$ cd certbot


  3. Request a certificate using the following command:
    cisco@findit-manager:~/certbot$ certbot certonly --manual --preferred-challenges dns \
       -d findit-manager.example.com -d pnpserver.example.com --logs-dir . \
       --config-dir . --work-dir .
    
    Note:   The above example is a single command that wraps across multiple lines.  The backslashes have been inserted so that the command can be copied and pasted as is.

    The parameters on the command are required for the following reasons:

    certonly
        Request a certificate and download the files.  Do not attempt to install them.  In the case of FindIT Network Manager, the certificate is not only used by the FindIT web server, but also by the PnP service and other functions.  As a result, the certbot client is not able to install the certificate automatically.

    --manual
        Do not attempt to automatically authenticate with the Let’s Encrypt service.  Work interactively with the user to authenticate.

    --preferred-challenges dns
        Authenticate by means of DNS TXT records.  Other challenges are not supported for use with FindIT Network Manager.

    -d findit-manager.example.com
    -d pnpserver.example.com
        The FQDNs that should be included in the certificate.  The first name listed will be included in the Common Name field of the certificate, and all names will be listed in the Subject-Alt-Name field.

        The pnpserver.<domain> name is a special name used by the Network Plug and Play feature when performing DNS discovery.  Consult the FindIT Network Manager Administration Guide for more details.

    --logs-dir .
    --config-dir .
    --work-dir .
        Use the current directory for all the working files created during the process.


  4. Go through the process of creating the certificate by following the instructions generated by the certbot client:
    cisco@findit-manager:~/certbot$ certbot certonly --manual --preferred-challenges dns \
       -d findit-manager.example.com -d pnpserver.example.com --logs-dir . \
       --config-dir . --work-dir .
    Saving debug log to /home/cisco/certbot/letsencrypt.log
    Plugins selected: Authenticator manual, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    dns-01 challenge for findit-manager.example.com
    dns-01 challenge for pnpserver.example.com
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    (Y)es/(N)o: Y
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.findit-manager.example.com with the following value:
    
    iZB9LVd6ocime3t9ntWsTA82rjQW7ml9fkoou8uaBh0
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue

    At this point, a DNS TXT record to validate the ownership of the findit-manager.example.com hostname must be created in the DNS infrastructure.  The steps required to do this are outside the scope of this document, and will depend on the DNS provider being used.  Once created, validate that the record is available using a DNS query tool such as dig (https://linux.die.net/man/1/dig).


    The DNS challenge process may be automated for certain DNS providers.  See https://certbot.eff.org/docs/using.html#dns-plugins for more details.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Please deploy a DNS TXT record under the name
    _acme-challenge.pnpserver.example.com with the following value:
    
    Txruc89x8dVaHmLHJII0oA2ILmIY83XYl13yYakjNuc
    
    Before continuing, verify the record is deployed.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
    


    Create and verify additional TXT records for each name to be included in the certificate.

    Waiting for verification...
    Cleaning up challenges
    Non-standard path(s), might not work with crontab installed by your operating system package manager
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /home/cisco/certbot/live/findit-manager.example.com/fullchain.pem
       Your key file has been saved at:
       /home/cisco/certbot/live/findit-manager.example.com/privkey.pem
       Your cert will expire on 2019-02-04. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot
       again. To non-interactively renew *all* of your certificates, run
       "certbot renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le
    
    cisco@findit-manager:~/certbot$ 


    At this point, the certificate has been issued and may be found in the live subdirectory in the filesystem:

    cisco@findit-manager:~/certbot$ cd live/findit-manager.example.com/
    cisco@findit-manager:~/certbot/live/findit-manager.example.com$ ls
    cert.pem  chain.pem  fullchain.pem  privkey.pem  README
    cisco@findit-manager:~/certbot/live/findit-manager.example.com$


  5. Now that we have the certificate and associated private key, we need to package them ready for upload to the Manager. We do this using the openssl tool:
    cisco@findit-manager:~/certbot/live/findit-manager.example.com$ openssl pkcs12 \
       -export -out cert.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem 
    Enter Export Password: secret
    Verifying - Enter Export Password: secret
    cisco@findit-manager:~/certbot/live/findit-manager.example.com$ 

    This command takes the private key (privkey.pem), the certificate for the manager (cert.pem) and the chain of intermediate certificates between the manager certificate and the Let’s Encrypt root certificate (chain.pem) and packages them together into a single, password-protected file in PKCS#12 format (cert.pfx) suitable for uploading to the Manager.  Because cert.pfx contains the private key, it is as sensitive as the files described in step 2 and should be handled with the same care.


    If the host where you are performing these steps does not have a web browser, you will need to copy the cert.pfx file to your PC using a tool such as secure copy (scp on Unix-like OSes or WinSCP for Microsoft Windows).  If you are performing these operations on the Manager, then the SSH server - required for secure copy to function - is disabled by default.  The server may be enabled using the following command:

    cisco@findit-manager:~/certbot$ sudo service ssh start

    Once you have finished, the SSH server may be disabled again with the command:

    cisco@findit-manager:~/certbot$ sudo service ssh stop


  6. Finally, we upload the certificate and associated data to the Manager using the Administration > Certificate page in the GUI:
    [Screenshot: FindIT-Manager-Certificate.png, the Administration > Certificate page of the Manager]

    The browser window may need to be refreshed after installing the new certificate.
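Step 4 asks you to verify each _acme-challenge TXT record with dig before pressing Enter. The following script is an added example (not part of the original article, and not certbot or Cisco code) that does that check in a loop, so you only continue once the record is actually visible. It assumes dig is installed, that the challenge value is the one certbot printed, and that the optional resolver argument (for example the zone's authoritative nameserver, shown below as the placeholder ns1.example.com) is reachable. Checking against the authoritative server or a public resolver avoids being fooled by a stale answer cached by the local resolver.

```sh
#!/bin/sh
# Added example: confirm the ACME dns-01 TXT record is published before
# telling certbot to continue. Not from the article; assumes dig on PATH.

# Normalise dig's TXT output: strip the surrounding quotes and re-join
# values that dig prints as several quoted chunks ("abc" "def" -> abcdef).
unquote_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Exit 0 if EXPECTED appears as a complete TXT value on stdin.
# Whole-line, fixed-string match: a stale record with a different value,
# or a value with extra characters, does not count.
txt_contains() {
    unquote_txt | grep -qxF -- "$1"
}

# Query DNS (optionally via RESOLVER) for _acme-challenge.NAME.
# Usage: acme_txt_deployed NAME EXPECTED [RESOLVER]
acme_txt_deployed() {
    name="$1"; expected="$2"; resolver="${3:-}"
    dig +short ${resolver:+"@$resolver"} TXT "_acme-challenge.$name" 2>/dev/null \
        | txt_contains "$expected"
}

# Poll until the record is visible; exit 0 when seen, 1 after ATTEMPTS tries.
# Usage: wait_for_txt NAME EXPECTED [RESOLVER] [ATTEMPTS]
wait_for_txt() {
    name="$1"; expected="$2"; resolver="${3:-}"; attempts="${4:-20}"
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if acme_txt_deployed "$name" "$expected" "$resolver"; then
            echo "_acme-challenge.$name: expected TXT value is visible"
            return 0
        fi
        i=$((i + 1))
        sleep 15
    done
    echo "_acme-challenge.$name: record not visible after $attempts attempts" >&2
    return 1
}

# Script entry point, e.g.:
#   sh check-txt.sh findit-manager.example.com iZB9LVd6ocime3t9ntWsTA82rjQW7ml9fkoou8uaBh0 ns1.example.com
if [ $# -ge 2 ]; then
    wait_for_txt "$@"
fi
```

Run it once per name certbot prompts for (findit-manager.example.com, then pnpserver.example.com), and press Enter in certbot only after it reports the value as visible. A record that exists but carries an old value from a previous run is reported as not visible, which is the behaviour you want: Let's Encrypt will reject the challenge in that case too.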

At this point, the Manager should now be running with the new certificate. If you open the Manager GUI in a web browser by specifying the FQDN in the address bar, the web browser should indicate that the connection is trusted and secure.

Please note that certificates issued by Let’s Encrypt have relatively short lifetimes – currently 90 days.  In order to ensure the certificate remains valid, you will need to renew it before the 90 days are up.  To do this, you need to repeat steps 3 to 6 in the process above to receive an updated certificate and apply it to the Manager.
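Step 5 builds cert.pfx from the files in the live directory, and the paragraph above explains that the certificate must be renewed within 90 days. The script below is an added example (not from the article, certbot or Cisco) that checks a bundle before it is uploaded and flags when the renewal window has been reached: it confirms that privkey.pem and cert.pem belong together, lists the names the certificate covers (both FQDNs from step 3 should appear), tests whether the certificate expires within a chosen number of days, and confirms that cert.pfx opens with the export password. It assumes openssl on PATH and the certbot file names used in the article; the password is passed to openssl through the environment rather than on its command line so it does not show up in the process list.

```sh
#!/bin/sh
# Added example: sanity-check a certbot live/ directory and the cert.pfx
# built from it, and warn when renewal is due. Not part of the article.
# Assumes: openssl on PATH; files named as certbot writes them.

# Exit 0 if the private key and certificate carry the same public key.
# Both commands emit the SubjectPublicKeyInfo in PEM form, so the two
# outputs are compared directly; either file failing to parse is a failure.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Print the DNS names from the Subject Alternative Name extension, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Exit 0 if the certificate expires within DAYS days (or cannot be read,
# which also needs attention). openssl -checkend exits 0 only when the
# certificate is still valid for the whole period, hence the negation.
# Usage: cert_expires_within DAYS CERT
cert_expires_within() {
    ! openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# Exit 0 if the PKCS#12 file opens with PASSWORD and contains a certificate.
# Usage: pfx_readable PFX PASSWORD
pfx_readable() {
    PFX_PASS="$2" openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

# Report on a live/<name> directory and its cert.pfx; exit 1 on any problem.
# Usage: verify_bundle LIVE_DIR PFX PASSWORD [RENEW_DAYS]
verify_bundle() {
    dir="$1"; pfx="$2"; password="$3"; renew_days="${4:-30}"
    status=0
    if key_matches_cert "$dir/privkey.pem" "$dir/cert.pem"; then
        echo "OK   privkey.pem matches cert.pem"
    else
        echo "FAIL privkey.pem does not match cert.pem"; status=1
    fi
    echo "INFO names covered by cert.pem:"
    cert_dns_names "$dir/cert.pem" | sed 's/^/       /'
    if cert_expires_within "$renew_days" "$dir/cert.pem"; then
        echo "WARN cert.pem expires within $renew_days days: repeat steps 3 to 6"; status=1
    else
        echo "OK   cert.pem is valid for more than $renew_days days"
    fi
    if pfx_readable "$pfx" "$password"; then
        echo "OK   $pfx opens with the export password"
    else
        echo "FAIL $pfx cannot be opened (wrong password or not PKCS#12)"; status=1
    fi
    return $status
}

# Script entry point, e.g. from the certbot working directory:
#   sh check-bundle.sh live/findit-manager.example.com live/findit-manager.example.com/cert.pfx secret 30
if [ $# -ge 3 ]; then
    verify_bundle "$@"
fi
```

Running the script from cron against the live directory with a RENEW_DAYS of 30 gives an early warning well inside the 90-day lifetime, which is the point at which certbot itself considers renewal due. One caveat: a cert.pfx created with an older OpenSSL release may use legacy encryption that OpenSSL 3 refuses to open without its -legacy option, which this check would report as a failure; creating and checking the bundle with the same OpenSSL version avoids that.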

Comments
Jo Kern
Cisco Employee

Thanks Dave, very nice
