12.5. Let’s Encrypt

You can find the Let’s Encrypt Settings at General → Certificates → Let’s Encrypt.

Let's Encrypt

Let’s Encrypt is a non-profit certificate authority that provides free certificates for domain owners.

12.5.1. Create Let’s Encrypt Account

First you need to create a new Let’s Encrypt account entry. The account is used to create certificates and the certificates are registered under this account. An account is free and only used to organize your certificates with Let’s Encrypt. Be aware that you need the account to revoke an issued certificate.

Name so you can identify it.

ACME Server can be either Staging (ACME v2) for testing purposes or Production (ACME v2).

Private Key will be generated automatically if none is provided.

E-Mail Address for contact purposes.

Auto Firewall Rule will create a temporary firewall rule to allow for the signing of the certificate. Otherwise port 80 has to opened manually on the current WAN interface.

12.5.2. DNS Acme Handle

If you plan on using the DNS Authentication instead of web authentication you can create a DNS Acme Handle here. The handle will create a DNS entry that can be set dynamically by VT AIR and be used as CNAME entry for the actual domain that is being validate.

For example the DNS Handle looks like this:

177c0dc6-4d2e-486b-932e-db248b2dd123.auth.acme-dns.io

and can be added to the actual domain like this:

_acme-challenge.your-domain CNAME 177c0dc6-4d2e-486b-932e-db248b2dd123.auth.acme-dns.io.

VT AIR can not update the acme handle on certificate signing requests.

12.5.3. Sign Let’s Encrypt Certificate

To sign a certificate you need to create a CSR and save it. When you edit it, you can select an existing Let’s Encrypt Account as well as the authentication method. You can choose between Web Authentication, DNS Authentication and Custom Script.

On Web Authentication the Let’s Encrypt Server will look for a file that is served by the domains webserver. VT AIR will take care of that part as long as the domains DNS entry is pointing to VT AIR.

Warning

Web Authentication requires the Web Interface of VT AIR to be listening on Port 80/443 on All Interfaces. If that is not the case, please use the DNS Authentication.

On DNS Authentication the Let’s Encrypt Server will look for a DNS entry in the domains DNS Entry. You need to choose an Acme Handle and create a CNAME entry for validation on the domain in question. VT AIR will take care of the authentication of the certificate.

On Custom Script there will be a textfield for you to save your own script.

On the CSR overview page there will be a Sign action button on the right side where you can sign the certificate. The new certificate will be created and can be found on the Certificate overview page.

In order for the signing process to work Port 80 on WAN must be open. The DNS entry for the certificate entry must also point to VT AIR so it is reachable during signing. The Let’s Encrypt server will contact the VT AIR in order to check the validity of the DNS entry.

12.5.4. Renew Let’s Encrypt Certificate

When a signed Let’s Encrypt certificate is about to expire, you can renew it. If the certificate will be only 30 days or less valid, there is a Renew action button on the right side of the Certificate overview page for each signed certificate.

Also once per week a cron job will automatically renew all Let’s Encrypt certificates which are about to expire.

12.5.5. Revoke Let’s Encrypt Certificate

On the Certificate overview page there is a Revoke action button for each signed certificate. Revoke will revoke the certificate with letsencrypt. You can sign a new certificate for this domain afterwards.