Using Let's Encrypt to secure company connections


#1

So, I’m very new to creating and issuing SSL certificates. In the past I’ve simply purchased SSL certificates from our domain hosting service, but I’d like to move away from that for cost savings and, hopefully, to educate myself on the certification process.

Our company uses a Mac Pro, primarily as a file server, which I’d like to update the server certificate on. Is that something I could do with Let’s Encrypt? If so, how? I attempted to follow this guide, but I noticed it’s designed to generate a certificate for a website hosted on an OS X server, not the server certificate, and I ran into a problem where I was unable to run the get_cert.sh command once it was created.

This is the first certificate I’d like to create and issue. There are several other connections I’d like to create certificates for as well, such as WatchGuard Security Appliances used at all our offices, the VoIP controller, the company Wi-Fi unified controller, etc. Baby steps, though.


#2

What exactly do you mean with “server certificate”?

Let’s Encrypt only issues DV (Domain Validated) end-leaf certificates which commonly are used for webservers (primarily) or mailservers (other uses are possible of course). The restraint here is: domain validated. Every certificate contains 1 (at minimum, obviously) to 100 (at most) (sub)domain names (FQDN), which all need to be validated (automatically) by Let’s Encrypt. At minimum, the domain name needs to be publicly available through DNS (for either using the dns-01 challenge or to resolve to a publicly available IP address for the http-01 or tls-sni-01 challenge).

So I’m not sure what kind of certificate you need in your situation. Could you elaborate on that? Does the above sound like it’s sufficient or do you need something else?


#3

Those are great questions! Perhaps you can help me figure out what I need?

Currently our domain is hosted by godaddy.com. I have a wildcard certificate from them, which will expire in May. Our company website, however, is not hosted by godaddy.com, but rather the third party company that created and maintains the site. Our company website and domain name are the same (ourcompanyname.com). I’m not sure if I should list specific names to make the example easier to understand.

What I want is for the HTTPS connections to the Wiki on the Mac Pro server and the web consoles for network equipment to be secured and verified using Let’s Encrypt certificates.

Does this make more sense?


#4

If your only goal is to secure HTTPS connections on a webserver, then Let’s Encrypt should work. I’m not familiar with Mac Pro servers to give you solid advice though.

Do note though: Let’s Encrypt doesn’t issue wildcard certificates (yet). So you’ve got the option to generate one certificate with all the required subdomains (max. 100) or spread the subdomains among a few certificates. In the latter case, you should be keeping an eye on the rate limits though.


#5

That is what I’m trying to do, I’m just trying to figure out how to go about doing that.


#6

I’ll set aside the Wiki on the OS X server for the time being, as it’s currently secured with the wildcard cert from GoDaddy. I could use some help with the WatchGuard firewalls. I connect to this via the static public IP address of each firewall. They do not have DNS names. The appliances have the capability to create CSRs, but I’m not seeing how I can incorporate that into LE. I did find a post about converting PEM to DER so that LE can use the CSR, but the WatchGuard appliance doesn’t allow me to export the CSR, only copy the text. I attempted to then create a .csr file using that text, but the attempted conversion to DER failed.


#7

I just reread what you said. The site must be publicly available with an FQDN. The sites I’m connecting to don’t have FQDNs. That’s why it won’t work. Learned something new, thanks.


#8

Just with regard to this: certbot, the official but kinda bloated (no offence to the tremendous work of all the devvers of the client!) Python client, has been able to handle PEM encoded CSRs for a long time now. :)

But the fact Let’s Encrypt only issues DV certificates to publicly available (sub)domain names stands.
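The constraints the replies above spell out (every name must be an FQDN that resolves in public DNS, no wildcards at the time of the thread, at most 100 names per certificate) can be checked before you submit a CSR. The following pre-flight check is an added example, not code from the thread or from certbot; the hostnames and the `FAKE_DNS` records are constructed so it runs offline, and the default `public_dns` resolver simply uses whatever DNS the machine running it sees, so run it from outside your network to mimic what Let’s Encrypt sees.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

MAX_SANS_PER_CERT = 100  # per-certificate name limit quoted in the thread


def is_fqdn(name: str) -> bool:
    """Hostname with at least two valid labels; an IP literal gets no DV cert."""
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        labels = name.rstrip(".").split(".")
        return len(labels) >= 2 and all(
            0 < len(l) <= 63 and l.replace("-", "").isalnum() for l in labels)


def public_dns(name: str) -> List[str]:
    # Default resolver: the addresses this host's DNS returns for the name.
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def check_san_list(names: List[str], resolver: Callable[[str], List[str]] = public_dns) -> Dict[str, List[str]]:
    # Returns {name: [problems]} for every name that cannot pass domain validation.
    problems: Dict[str, List[str]] = {}
    if len(names) > MAX_SANS_PER_CERT:
        problems["<certificate>"] = [f"{len(names)} names exceeds {MAX_SANS_PER_CERT}"]
    for name in names:
        issues: List[str] = []
        if name.startswith("*."):
            issues.append("wildcard")  # not issued at the time of the thread
        elif not is_fqdn(name):
            issues.append("not an FQDN")
        else:
            try:
                addrs = resolver(name)
            except OSError:  # socket.gaierror: NXDOMAIN, SERVFAIL, ...
                addrs = []
            if not addrs:
                issues.append("no public DNS record")
            elif not any(ipaddress.ip_address(a).is_global for a in addrs):
                issues.append("resolves only to non-public addresses")  # http-01 cannot reach it
        if issues:
            problems[name] = issues
    return problems


# Constructed DNS records (not real hosts) so the check runs offline.
FAKE_DNS = {"wiki.example.com": ["93.184.216.34"], "fw-office.example.com": ["10.0.0.1"]}


def fake_resolver(name: str) -> List[str]:
    if name not in FAKE_DNS:
        raise socket.gaierror("NXDOMAIN")
    return FAKE_DNS[name]
```

A firewall reached only by its public IP address fails the `is_fqdn` check, which is exactly the situation described in #6 and #7; giving it a public DNS name that resolves to that address is what makes it eligible.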


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.