How to apply let's encrypt certificate inside ruckus controller


#1

Hello, I’m trying to install let’s encrypt certs into ruckus virtual smartzone, but I’m lost. Is it possible? For those who don’t know the ruckus controller virtual smart zone, they allow us to send the server certificate from a webpage form (I can upload the server certificate, an intermediary certificate, and the key).

The Wi-Fi service is primarily an internal service, so, the controller has an IP address class C (192.168.X.X), the domain (ruckus.ifce.edu.br) points to this IP. Is this a problem?

I take a look into certbot and getssl tool, but they verify if I own the domain (ruckus.ifce.edu.br) through the Internet, and the site is not accessible outside my network.

My domain is: ruckus.ifce.edu.br
I can login to a root shell on my machine (yes or no, or I don’t know): Yes


#2

Not directly. Let’s Encrypt validates the domain and it isn’t 100 % necessary to have a public IP address. What is necessary, is a publically validating Fully Qualified Domain Name (FQDN).

That will always be the case for Let’s Encrypt, as validation/verification is only possible through the internet with the ACME protocol.

The fact your hostname resolves to a private IP address limits you in your way to validate the hostname, but it doesn’t make it impossible. The http challenge isn’t possible, as this requires a TCP connection to the IP address (which is private). BUT, as your hostname is public, you might be able to use the dns challenge: it requires you to put a certain token as TXT record for the hostname _acme-challenge.ruckus.ifce.edu.br. And that is, technically, possible.

The only actual challenge is: how is your DNS system hosted? Do you have access to it? If so, you can use certbot with the manual plugin with --preferred-challenges dns option.

Seeing as your ruckus controller probably doesn’t have an automated way to update/renew/install (et cetera) the certificate, you’re unfortunately bound to renew and install the certificate manually every 90 days (although I would recommend renewing earlier, i.e. after 60 days).


#3

Thanks, Osiris. Your explanation was very helpful. I do have access to my DNS, so, add a new TXT record was easy.

I was able to apply the new certificate to the ruckus controller.

Can I renew the certificate with certbot tool?

Thanks once again!


#4

If you used --manual, you would need to write a script that performs the TXT record change and then specify that script to Certbot with the --manual-auth-hook option in order to be able to perform unattended renewals.


#5

The new certificate would need to be installed on to the controller after renewal by certbot. It sounds like that’s a manual process? Can that be automated too?

Unfortunately, there’s currently no way to run certbot renew just to invoke the previous command. It will shut down refusing to run because renewal is an automated feature only. Or something like that.

IMHO the renew command should NOT be shunned from the --force-interactive, as the current using guide says:

–force-interactive Force Certbot to be interactive even if it detects
it’s not being run in a terminal. This flag cannot be
used with the renew subcommand.
(default: False)

You could make a workaround by adding the command you used to a certbot-renew.sh script or something… But that workaround shouldn’t be necessary IMHO.

Although I also know Let’s Encrypt goes to extreme lengths to force people to automate everything, even when the situation doesn’t let it be automated anyway.


#6

I look around and they have an API with some methods dealing with certificates, but I need to test if it’s possible to renew the certificate through the API.

Also, I need to study the renew process itself, because is the first time I’m using let’s encrypt for real.

I guess the TXT record will change in every renew, right? The renew command will be something like this?

certbot certonly --manual --preferred-challenges=dns --manual-auth-hook /path/to/dns/authenticator.sh --manual-cleanup-hook /path/to/dns/cleanup.sh -d secure.example.com

Thanks once again!


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.