Setting up OCSP on a KEMP to use letsencrypt?


#1

Please fill out the fields below so we can help you better.

My domain is:webmail.atio.co.za or any *.atio.co.za domains like ess.atio.co.za or crm.atio.co.za etc…

I ran this command:

It produced this output:

My operating system is (include version):KEMP

My web server is (include version): Not really sure

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):I don’t think so.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):No


#2

Hi @connorh

I’m not familiar with KEMP (I presume it’s the load balancer I find in Google?). Could you clarify what you are trying to accomplish? Your post subject mentions OCSP but I don’t understand what your goal is.

Thanks!


#3

Hi Daniel. The Kemp is a kind of security gateway and load balancer and a couple of other things. I am looking to make it the front end for internal websites other than webmail.atio.co.za, such as ess.atio.co.za and crm.atio.co.za. I would also like all the comms to be secure for all these sites, making use of multiple certificates from letsencrypt.org as you don’t do wildcard certs. The Kemp has the ability to make use of an OCSP(See image below) and I just need to configure it for this(so it auto-renews) with the required values etc, once we have obtained a cert from you etc. I have no idea on how to do this and thought maybe someone could help me.
[cid:image001.png@01D1F89F.24863A00]


#4

Apologies if I’m reading your text incorrectly, but it sounds like you think configuring a OCSP server in this Kemp device will help auto-renew your certificates from Let’s Encrypt. That won’t be the case. OCSP is strictly for checking if a certificate has expired, it will not reissue. The device would need to support ACME and Let’s Encrypt directly.

If you are just trying to configure OCSP for this device to do look-ups (perhaps for stapling?) the Let’s Encrypt OCSP server for the X3 Intermediate (the one currently being used) is ocsp.int-x3.letsencrypt.org/. The port would be 80. We do not offer OCSP over TLS so leave “use SSL” unchecked.

Note 1: Again, I’m totally unfamiliar with Kemp :slight_smile: If the OCSP Server Settings are used to perform OCSP lookups for arbitrary TLS certificates as part of some kind of proxying feature then you will likely not want to use the Let’s Encrypt OCSP server for this purpose. That server will only have OCSP information for certificates we issue.

Note 2: You can extract the OCSP URL from a Let’s Encrypt certificate’s “Authority Information Access” (AIA) section using openssl. That’s where I obtained it. The command is: openssl x509 -in /path/to/a/letsencrypt/cert.pem -noout -text | grep "OCSP"


#5

Thanks Daniel

I am clueless on this stuff. You are right in your assumption ?

So then I will need to individually do each of the web servers. Do I need to do these certs for the names or/and the external IP’s? I ask because the external IP’s will be changing soon when we change service providers. We will own the new external IP’s at our new service providers.

Webmail.atio.co.za is an exchange cluster Outlook Web Access address, with four servers as nodes and the Kemp presenting the cluster web portal to the world while balancing the load of the incoming requests across the cluster nodes. Would I need one cert for each server, or the same cert for the name on all four servers?

Connor Herman
Systems Administrator
ATIO
Interactive Division
Mobile: +27 83 3800790
Email: connorh@atio.co.zamailto:connorh@atio.co.za
www.atio.co.zahttp://www.atio.co.za


#6

You will issue certificates for the domain names. The external IPs that those domain names point to can change freely afterwards without issue.

I’d have to guess here (perhaps someone with more hands-on knowledge of Kemp could clarify) but if Kemp is terminating the TLS connection in order to make load-balancing decisions it would probably be the only one that needs a publicly issued Let’s Encrypt certificate. If Kemp makes subsequent TLS connections to the individual nodes they may additionally need TLS certificates but it would perhaps be a better fit to use your own self-signed CA for these.


#7

Cool, thanks man.

Connor Herman
Systems Administrator
ATIO
Interactive Division
Mobile: +27 83 3800790
Email: connorh@atio.co.zamailto:connorh@atio.co.za
www.atio.co.zahttp://www.atio.co.za


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.