Let's Encrypt
##################

You can find the Let's Encrypt settings at **General → Certificates → Let's Encrypt**.

.. image:: img/Certificates-Lets.png
   :width: 100%
   :align: center
   :alt: Let's Encrypt

**Let's Encrypt** is a non-profit certificate authority that provides free certificates for domain owners.

Create Let's Encrypt Account
*******************************

First you need to create a new *Let's Encrypt* account entry. The account is used to create certificates, and the certificates are registered under this account. An account is free and is only used to organize your certificates with *Let's Encrypt*. Be aware that you need the account to revoke an issued certificate.

**Name** so you can identify it.

**ACME Server** can be either *Staging (ACME v2)* for testing purposes or *Production (ACME v2)*.

**Private Key** will be generated automatically if none is provided.

**E-Mail Address** for contact purposes.

**Auto Firewall Rule** will create a temporary firewall rule to allow the signing of the certificate. Otherwise port 80 has to be opened manually on the current WAN interface.

DNS Acme Handle
**********************

If you plan on using DNS Authentication instead of Web Authentication, you can create a DNS Acme Handle here. The handle will create a DNS entry that can be set dynamically by VT AIR and used as the CNAME target for the actual domain that is being validated. For example, the DNS Handle looks like this::

   177c0dc6-4d2e-486b-932e-db248b2dd123.auth.acme-dns.io

and can be added to the actual domain like this::

   _acme-challenge.your-domain CNAME 177c0dc6-4d2e-486b-932e-db248b2dd123.auth.acme-dns.io

VT AIR cannot update the acme handle on certificate signing requests.

Sign Let's Encrypt Certificate
***********************************

To sign a certificate you need to create a **CSR** and save it. When you edit it, you can select an existing *Let's Encrypt Account* as well as the authentication method.
You can choose between *Web Authentication*, *DNS Authentication* and *Custom Script*.

On *Web Authentication* the Let's Encrypt server will look for a file that is served by the domain's web server. VT AIR will take care of that part as long as the domain's DNS entry points to VT AIR.

.. warning::

   Web Authentication requires the Web Interface of VT AIR to be listening on Port 80/443 on All Interfaces. If that is not the case, please use DNS Authentication.

On *DNS Authentication* the Let's Encrypt server will look for a DNS entry in the domain's DNS zone. You need to choose an Acme Handle and create a CNAME entry for validation on the domain in question. VT AIR will take care of the authentication of the certificate.

On *Custom Script* there will be a text field for you to save your own script.

On the *CSR* overview page there is a *Sign* action button on the right side where you can sign the certificate. The new certificate will be created and can be found on the *Certificate* overview page.

In order for the signing process to work, Port 80 on WAN must be open. The DNS entry for the certificate must also point to VT AIR so that it is reachable during signing. The *Let's Encrypt* server will contact VT AIR in order to check the validity of the DNS entry.

Renew Let's Encrypt Certificate
***********************************

When a signed *Let's Encrypt* certificate is about to expire, you can renew it. If the certificate is valid for only 30 days or less, a *Renew* action button appears on the right side of the *Certificate* overview page for each signed certificate. In addition, a cron job runs once per week and automatically renews all *Let's Encrypt* certificates that are about to expire.

Revoke Let's Encrypt Certificate
***********************************

On the *Certificate* overview page there is a *Revoke* action button for each signed certificate. *Revoke* will revoke the certificate with Let's Encrypt. You can sign a new certificate for this domain afterwards.
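As an added pre-flight check for the DNS Acme Handle and DNS Authentication setup described above (example code, not part of VT AIR), the following verifies that the ``_acme-challenge`` CNAME of a domain really points at the handle before you press *Sign*. It uses the handle value shown on this page together with constructed ``dig +short`` output in place of a live answer; ``dig_short`` is a hypothetical helper for a live lookup.

```python
import re
import subprocess

# Hypothetical pre-flight check for the DNS-01 (DNS Authentication) CNAME
# delegation; not VT AIR code. Handle value is the example from this page.
HANDLE_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"\.auth\.acme-dns\.io$"
)

def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot that dig prints."""
    return name.strip().lower().rstrip(".")

def expected_cname_record(domain: str, handle: str) -> str:
    """Zone line to add: _acme-challenge.<domain> CNAME <handle>."""
    return f"_acme-challenge.{normalize(domain)}. IN CNAME {normalize(handle)}."

def check_delegation(domain: str, handle: str, cname_answers: list[str]) -> list[str]:
    """Return a list of problems; an empty list means the CNAME is correct.

    cname_answers is what `dig +short CNAME _acme-challenge.<domain>` prints,
    one record per element (case and trailing dot are normalized).
    """
    problems = []
    if not HANDLE_RE.match(normalize(handle)):
        problems.append(f"handle {handle!r} is not a <uuid>.auth.acme-dns.io name")
    targets = [normalize(a) for a in cname_answers if a.strip()]
    if not targets:
        problems.append(f"no CNAME found for _acme-challenge.{normalize(domain)}")
    elif len(targets) > 1:
        problems.append("more than one CNAME record (a name may carry only one)")
    elif targets[0] != normalize(handle):
        problems.append(f"CNAME points to {targets[0]!r}, expected {normalize(handle)!r}")
    return problems

def dig_short(domain: str) -> list[str]:
    """Live lookup with dig (needs network); the checks above never call it."""
    out = subprocess.run(
        ["dig", "+short", "CNAME", f"_acme-challenge.{normalize(domain)}"],
        capture_output=True, text=True, check=True).stdout
    return out.splitlines()

if __name__ == "__main__":
    handle = "177c0dc6-4d2e-486b-932e-db248b2dd123.auth.acme-dns.io"
    print(expected_cname_record("your-domain.example", handle))
    # Constructed dig output standing in for a live answer:
    print(check_delegation("your-domain.example", handle,
                           ["177c0dc6-4d2e-486b-932e-db248b2dd123.auth.acme-dns.IO."]))
```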