
Let’s Encrypt – Free signed SSL Certificates with Automatic Renewal

Introduction

Foldr Server provides built-in support for the popular Let’s Encrypt Certificate Authority.  This service provides signed and trusted SSL certificates at no charge with ongoing automatic renewal.  This is a great option for sites that do not already own a wildcard or UCC/SAN certificate that can be used with Foldr.

Requirements

  • The Foldr server must be reachable over the Internet on HTTP (TCP port 80, used for Let’s Encrypt validation and to redirect users to port 443) and HTTPS (TCP port 443, user/client access)
  • Geo-location blocking of port 80 (HTTP) must not be enabled for inbound traffic from the United States, Sweden and Singapore to the Foldr server
  • HTTPS inspection / man-in-the-middle interception between the Foldr server and the Let’s Encrypt API (https://acme-v02.api.letsencrypt.org) must not be in use

Let’s Encrypt intermediate certificates are cross-signed by the IdenTrust Certificate Authority and as such are trusted by all modern web browsers and mobile devices.  The Let’s Encrypt integration provides a quick, automated and convenient mechanism for requesting and installing the signed certificate, which is ready to use immediately.

Configuration

To get started with Let’s Encrypt, browse to Foldr Settings > Security > Certificates.

Enable the ‘Use Let’s Encrypt’ switch, enter the external URL of the Foldr appliance into the Certificate Domains field and click Save Changes.

Once the certificate domain has been entered and you click Save, there will be a short delay (5-10 seconds) while the certificate request is made and the signed certificate installed.

IMPORTANT – Let’s Encrypt issues certificates with a 90 day expiry; Foldr requests a new certificate automatically on a schedule every 60 days.  It is therefore important that TCP port 80 remains open inbound to the Foldr appliance at all times so that subsequent certificate renewals complete and are installed correctly.

Geo-location blocking TCP port 80 (US, Sweden & Singapore)

This service requires the Foldr server to be available externally at all times over HTTP (TCP port 80) from the USA, Singapore and Sweden to perform domain validation with Let’s Encrypt. Note that port 80 is only used for domain validation; all other traffic is redirected to port 443 (HTTPS), which can be restricted via firewall geo-blocking as needed.

Where a paid-for SSL certificate is being used, such as one purchased from a provider like Sectigo or GoDaddy, geo-location blocking is not relevant to certificate issuance and may be used without restriction.

Foldr v4 – v9 Geolocation settings

Geo-location blocking may be enabled within Foldr itself (on legacy server releases v4.x through v9.x) or on a third-party/external firewall.  Within Foldr Settings, the geo-location feature is available under Foldr Settings > Appliance > Network > Firewall – the checkboxes labelled United States, Sweden and Singapore must be unchecked for Let’s Encrypt to work as expected.

Troubleshooting Let’s Encrypt Certificate Installation

Due to the nature of the validation process, Let’s Encrypt will not successfully issue certificates where an HTTPS inspection / MITM web filtering or firewall product intercepts and re-signs the network traffic between Foldr and Let’s Encrypt.  If a product of this type is deployed at the site, the Foldr server appliance should be white-listed.  The external domain ‘letsencrypt.org’ (specifically https://acme-v02.api.letsencrypt.org) should also be excluded from the HTTPS inspection policy.

The Foldr appliance must be accessible externally over TCP port 80 (HTTP) for Let’s Encrypt to successfully complete the certificate request, challenge handshake and installation.

When requesting or renewing a certificate, Let’s Encrypt provides a small challenge file which is saved onto the appliance. Their servers then attempt to retrieve this file (over port 80) to verify that you control the domain for which the certificate is being issued. This challenge/response protocol is known as the Automatic Certificate Management Environment (ACME). More information is available at https://github.com/ietf-wg-acme/acme

The ACME protocol should not be blocked on your firewall.
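The following is an added example, not Foldr’s own code, showing what the HTTP-01 challenge described above looks like from the server’s side and why port 80 only ever needs to serve one path. The CA hands the client a random token; the client must answer GET http://<domain>/.well-known/acme-challenge/<token> with the string "<token>.<thumbprint>", where the thumbprint is the RFC 7638 SHA-256 thumbprint of the ACME account’s public key. Every other request on port 80 can be redirected to HTTPS. The account key and token in the block are constructed sample values (the modulus is a placeholder, not a real RSA key), and the function names are this example’s own.

```python
"""Added example (not Foldr's code): answering an ACME HTTP-01 challenge
and routing all other plain-HTTP traffic to HTTPS."""
import base64
import hashlib
import json
from typing import Dict, Tuple

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample account public key in JWK form. The modulus "n" is a
# placeholder string, not a valid RSA modulus; thumbprinting only needs bytes.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "c2FtcGxlLW1vZHVsdXMtbm90LWEtcmVhbC1rZXk",
}

# Constructed sample token in the shape the CA uses (base64url, no padding).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# Only these members take part in the thumbprint (RFC 7638 section 3.2).
_THUMBPRINT_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME/JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members
    (lexicographically sorted keys, no whitespace). Extra members are ignored."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True,
                           separators=(",", ":")).encode("utf-8")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """The exact body that must be served for the challenge token."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def handle_port80_request(path: str, host: str,
                          challenges: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Routing for the plain-HTTP listener: answer known challenge tokens with
    their key authorization, 404 unknown tokens, redirect everything else to
    HTTPS on port 443. Returns (status, headers, body)."""
    if path.startswith(CHALLENGE_PREFIX):
        token = path[len(CHALLENGE_PREFIX):]
        if token in challenges:
            return 200, {"Content-Type": "application/octet-stream"}, challenges[token]
        return 404, {"Content-Type": "text/plain"}, "unknown challenge token"
    return 301, {"Location": f"https://{host}{path}"}, ""


def ca_validates(served_body: str, token: str, account_jwk: Dict[str, str]) -> bool:
    """What the CA checks after fetching the challenge URL over port 80."""
    return served_body.strip() == key_authorization(token, account_jwk)


if __name__ == "__main__":
    auth = key_authorization(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    pending = {SAMPLE_TOKEN: auth}
    print(handle_port80_request(CHALLENGE_PREFIX + SAMPLE_TOKEN, "files.foldr.cloud", pending))
    print(handle_port80_request("/login", "files.foldr.cloud", pending))
```

The point for firewall and proxy configuration is visible in the router: nothing under /.well-known/acme-challenge/ is ever redirected, and nothing outside it is served over plain HTTP, so geo-blocking port 443 does not interfere with validation while port 80 remains open.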

Installing a certificate from the server console

A certificate can also be requested from the Foldr server console using the console command below; this can provide a more detailed error message if you’re having issues installing a Let’s Encrypt certificate:

letsencrypt external-address-of-foldr

For example:

letsencrypt files.foldr.cloud

Finally, the Test Settings output in Foldr Settings > General > Test Settings has a specific Let’s Encrypt connectivity test.

Note that the certificate issuer is displayed as part of the test, and this should be shown as ‘R3’. If anything other than R3 is shown here, the server is being subjected to HTTPS/man-in-the-middle inspection, and this needs to be disabled on the relevant third-party firewall/web filter.

More information on the Let’s Encrypt project is available on its official website.

Configuring the External Hostname

Foldr server release v4.22.1.2 introduces a security feature where the server will reject client requests if the supplied HTTP Host header differs from what is configured on the server. This feature is optional; to enable it, the administrator should configure the ‘External Hostname’ in the Foldr Settings > Appliance > Network tab.

Where no External Hostname is configured, the server will respond to client requests as normal, regardless of the host header provided.

To use this feature, the External Hostname should be set to the public/external FQDN of the Foldr server. If the External Hostname is set to some other value, clients will see the following HTTP2_PROTOCOL_ERROR message (or similar, depending on browser/app).
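As an added example, not Foldr’s own code, the Host-header rule described above written as a small WSGI middleware so the behaviour can be exercised without a network: with no External Hostname configured every request is served; with one configured, a request whose Host header does not name that FQDN is rejected. Ignoring case and an explicit ":port" suffix in the comparison, and returning HTTP 400 for the rejection, are assumptions made here (Foldr’s own rejection surfaces to clients as HTTP2_PROTOCOL_ERROR or similar); the function names are this example’s own.

```python
"""Added example (not Foldr's code): reject requests whose Host header does
not match a configured external hostname."""
from typing import Callable, Iterable, List, Optional


def host_matches(external_hostname: Optional[str], host_header: Optional[str]) -> bool:
    """True when the request may be served.

    Assumptions: comparison is case-insensitive, ignores a trailing dot and
    an explicit ":port" suffix (a client connecting to https://host:443 may
    send "host:443"). A bracketed IPv6 literal never equals an FQDN.
    """
    if not external_hostname:          # feature disabled: accept any Host
        return True
    if not host_header:                # feature enabled but no Host at all
        return False
    host = host_header.strip().lower()
    if host.startswith("["):           # "[::1]:443" style literal
        return False
    host = host.split(":", 1)[0]       # drop ":port"
    return host.rstrip(".") == external_hostname.strip().lower().rstrip(".")


def host_guard(app: Callable, external_hostname: Optional[str]) -> Callable:
    """WSGI middleware: answer 400 when the Host header does not match."""
    def guarded(environ, start_response):
        if host_matches(external_hostname, environ.get("HTTP_HOST")):
            return app(environ, start_response)
        body = b"Host header does not match the configured External Hostname\n"
        start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                           ("Content-Length", str(len(body)))])
        return [body]
    return guarded


def demo_app(environ, start_response) -> Iterable[bytes]:
    """Stand-in for the real application behind the guard."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served\n"]


def call(app: Callable, host: Optional[str]) -> str:
    """Invoke a WSGI app with a constructed request and return its status line."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "SERVER_NAME": "localhost",
               "SERVER_PORT": "443", "wsgi.url_scheme": "https"}
    if host is not None:
        environ["HTTP_HOST"] = host
    captured: List[str] = []

    def start_response(status, headers, exc_info=None):
        captured.append(status)

    list(app(environ, start_response))   # drain the body iterable
    return captured[0]


if __name__ == "__main__":
    guarded = host_guard(demo_app, "files.foldr.cloud")
    print("matching host  ->", call(guarded, "files.foldr.cloud"))
    print("other host     ->", call(guarded, "other.example"))
    print("feature off    ->", call(host_guard(demo_app, None), "other.example"))
```

The check is deliberately an exact hostname comparison rather than a suffix or substring match, so a request carrying a Host header such as "files.foldr.cloud.attacker.example" is rejected as well.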
