Automation for a company-used guest portal


#1

Hi,

I hope it is OK to put my questions here. I will try to explain the scenario I want and am pretty excited about your responses.

We sell a security product with an HTTPS-based guest portal solution. I have learned that many customers have problems getting a certificate into the portal that is trusted by their guests.
I thought maybe we could implement the API for "Let's Encrypt" on our appliance and build a GUI part where they fill in the domain and click a button. The appliance itself should then register a certificate from Let's Encrypt only for the guest portal.
Do you think that is possible? Is it allowed to integrate the API into our product, or are there licensing fees (in the end it is optional for the customer)?

Maybe someone could explain to me how the registration process would take place, as I have not understood all the steps yet. I would appreciate it.
My understanding right now is the following:

  1. The API is started via the GUI, which runs the script in the backend and provides a cronjob that updates the certificate, e.g. every 2 months. The external domain might be test.com, so we would provide something like guest.test.com.
  2. "Let's Encrypt" checks the ownership of test.com against the external public IP used. A little addition: normally our server communication, and all guests as well, use NAT at the next firewall, so the IP Let's Encrypt would see is the customer's external public address. Still, the IP, domain and host entry for our portal appliance need to be the portal IP of the appliance.
  3. The certificate is provided to our appliance via the API.

Is it correct that no firewall rules are needed, or is it necessary that Let's Encrypt has access to the appliance (can build up sessions)? If so, I would like to raise a feature request saying that the API provides the possible Let's Encrypt IPs and ports that need to have access, and on which port. It would then be possible to display a message about that.

I hope that I have explained everything, and I hope to have found a good solution for our customers, so that configuring a secure portal is child's play in the future.

Additional Information:
My domain is: depends on customer
My operating system is (include version): Debian 8
My web server is (include version): Apache 2.2.22
My hosting provider, if applicable, is: depends on customer
I can login to a root shell on my machine (yes or no, or I don't know): Yes, but for the future I want to have a GUI component, so the rest is done by the system.

Thanks a lot to all
Jochen
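A note on the validation step asked about in #1, with an added example (this is not code from the thread, from Let's Encrypt or from the poster's appliance). With the HTTP-01 challenge of the ACME protocol (RFC 8555), the client on the appliance creates an account key, asks the CA for an order covering guest.test.com, and receives a random token. The CA then connects inbound over plain HTTP to port 80 of whatever address guest.test.com resolves to and fetches /.well-known/acme-challenge/<token>, expecting the body <token>.<SHA-256 thumbprint of the account public key>. So behind NAT the customer's firewall must forward TCP/80 for that name to the appliance; Let's Encrypt does not publish a fixed list of validator addresses, so an IP allow-list is not a workable design, and the DNS-01 challenge (a TXT record) is the alternative when no inbound port can be opened. After validation the client itself submits a CSR and downloads the certificate over outbound HTTPS, nothing is pushed to the appliance. The example below computes the key authorization (RFC 7638 thumbprint) and shows the responder logic an appliance would wire into its port-80 listener; the account key, token and paths are constructed sample values, not real ones.

```python
"""HTTP-01 key authorization and challenge responder (RFC 8555 §8.1/§8.3).

Added example, standard library only. EXAMPLE_ACCOUNT_JWK is a constructed
placeholder (its "n" is not a real RSA modulus); a real client would export
the public part of its own account key here.
"""
from __future__ import annotations

import base64
import hashlib
import json
import re

# The CA fetches http://<domain>/.well-known/acme-challenge/<token> on port 80.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Tokens consist of base64url characters only; anything else is rejected.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample account key (public members only, values are NOT a real key).
EXAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z",
    "kid": "https://acme.example/acct/1",  # extra member; must not affect thumbprint
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, sorted keys, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 thumbprint of the account public key (RFC 7638), base64url encoded."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Response body the CA expects: <token>.<thumbprint> (RFC 8555 §8.1)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class Http01Responder:
    """Answers validation requests for tokens the ACME client has received.

    On an appliance this is served by the port-80 listener; entries are added
    when the client accepts a challenge and removed once the order is finalized.
    """

    def __init__(self, account_jwk: dict):
        self.account_jwk = account_jwk
        self.pending: dict[str, str] = {}

    def add_challenge(self, token: str) -> str:
        if not TOKEN_RE.match(token):
            raise ValueError("token is not base64url")
        self.pending[token] = key_authorization(token, self.account_jwk)
        return self.pending[token]

    def remove_challenge(self, token: str) -> None:
        self.pending.pop(token, None)

    def respond(self, path: str) -> tuple[int, str | None]:
        """Map an incoming request path to (HTTP status, body) with no file access."""
        if not path.startswith(CHALLENGE_PREFIX):
            return 404, None
        token = path[len(CHALLENGE_PREFIX):]
        # Reject traversal/lookalike paths and tokens the CA never issued to us.
        if not TOKEN_RE.match(token) or token not in self.pending:
            return 404, None
        return 200, self.pending[token]


if __name__ == "__main__":
    responder = Http01Responder(EXAMPLE_ACCOUNT_JWK)
    sample_token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed
    responder.add_challenge(sample_token)
    print(responder.respond(CHALLENGE_PREFIX + sample_token))
    print(responder.respond(CHALLENGE_PREFIX + "../etc/passwd"))
</test>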


#2

Hi @jfuellgraf, thanks for your interest in Let’s Encrypt.

I would like to suggest looking over

which is a discussion involving at least two other companies with potentially similar problems. (I have also had an e-mail exchange with some other folks about best practices in this area which I can dig up to try to see what recommendations I can offer, and I think there may be an additional thread on this forum that also relates to this topic.)

I didn’t understand whether you want all of the certificates to have the same name, or whether you want them to have different names.

There is no licensing required for use in commercial products in general, but there are likely significant limitations related to the rate limits

https://letsencrypt.org/docs/rate-limits/

because these would not by default permit obtaining thousands of certificates under the same domain name. If your customers somehow have or could acquire their own domain names instead of your company name, you would be in a much simpler position with regard to the rate limits.

I’m quite happy to discuss this further, but I suggest you read some prior forum posts from the thread I mentioned and see if they help answer any of your questions or suggest other questions.


#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.