13.5. Let’s Encrypt

You can find the Let’s Encrypt Settings at General → Certificates → Let’s Encrypt.

Let’s Encrypt is a non-profit certificate authority that provides free certificates for domain owners.

13.5.1. Create Let’s Encrypt

First you need to create a new Let’s Encrypt account entry. The account is used to create certificates and the certificates are registered under this account. An account is free and only used to organize your certificates with Let’s Encrypt. Be aware that you need the account to revoke an issued certificate.

Name is a label so you can identify the account.

ACME Server can be either Staging (ACME v2) for testing purposes or Production (ACME v2).

Private Key will be generated automatically if none is provided.

E-Mail Address for contact purposes.

Auto Firewall Rule will create a temporary firewall rule to allow for the signing of the certificate. Otherwise port 80 has to be opened manually on the current WAN interface.

13.5.2. Sign Let’s Encrypt Certificate

To sign a certificate you need to create a CSR and save it. When you edit it, you can select an existing Let’s Encrypt Account. On the CSR overview page there will be a Sign action button on the right side where you can sign the certificate. The new certificate will be created and can be found on the Certificate overview page.

For the signing process to work, port 80 on WAN must be open. The DNS entry for the domain in the certificate must also point to the VT AIR so it is reachable during signing. The Let’s Encrypt server will contact the VT AIR in order to check the validity of the DNS entry.
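A pre-flight check for the two requirements above, as an added example (not part of VT AIR): it reports whether the domain resolves to the WAN address and whether port 80 answers there. The host names and addresses are constructed sample values; the port probe is only meaningful from a host outside your network and when port 80 was opened manually, since the Auto Firewall Rule opens it only during signing.

```python
import socket
from ipaddress import ip_address

def resolve_all(hostname):
    """Addresses (A and AAAA) that the name currently resolves to."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    return {info[4][0].split("%")[0] for info in infos}

def port_open(ip, port=80, timeout=3.0):
    """True if a TCP connection to ip:port succeeds within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(hostname, wan_ip, resolve=resolve_all, probe=port_open):
    """Return the problems that would make signing fail; empty list = ready."""
    wan = ip_address(wan_ip)
    try:
        addrs = {ip_address(a) for a in resolve(hostname)}
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return [f"{hostname}: DNS lookup failed ({exc})"]
    problems = []
    others = sorted(str(a) for a in addrs - {wan})
    if wan not in addrs:
        problems.append(f"{hostname} resolves to {others}, not {wan}")
    elif others:
        problems.append(f"{hostname} also resolves to {others}; "
                        "validation may reach a different host")
    if not probe(str(wan), 80):
        problems.append(f"TCP port 80 on {wan} is not reachable")
    return problems

if __name__ == "__main__":
    # Constructed sample data (documentation address ranges), no network used.
    dns = {"fw.example.com": {"203.0.113.10"}, "old.example.com": {"198.51.100.7"}}
    for name in dns:
        issues = preflight(name, "203.0.113.10",
                           resolve=lambda h: dns[h], probe=lambda ip, port: True)
        print(name, "->", issues or "ready to sign")
```

Call `preflight("your.domain", "your WAN address")` without the `resolve` and `probe` arguments to run the check against live DNS and the real port.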

13.5.3. Renew Let’s Encrypt Certificate

When a signed Let’s Encrypt certificate is about to expire, you can renew it. If the certificate is valid for only 30 days or less, there is a Renew action button on the right side of the Certificate overview page for each signed certificate.

In addition, a cron job runs once per week and automatically renews all Let’s Encrypt certificates which are about to expire.

13.5.4. Revoke Let’s Encrypt Certificate

On the Certificate overview page there is a Revoke action button for each signed certificate. Revoke will revoke the certificate with Let’s Encrypt. You can sign a new certificate for this domain afterwards.