[HOWTO] Let's Encrypt

Great!

Thanks for the quick reply. 

I will give it a try later!

Hi René

Thx a lot for your work. In the past I used StartSSL SAN Certificates which I wanted/had to replace with let's encrypt certificates. 

However when I first found your Script they didn't work out for me as I use the UTM with a Home License in a very small Lab environment with several vhosts with different hostnames which all point to one single linux server in my internal network. This made the verifying thing kind of complicated (at least for me) and using DNS Challenge was not really an option because my Hurricane Electrics DNS Setup was not capable to add and delete the needed DNS Entries (at least for me :)).

So I went on and moved all my DNS entries to an other DNS provider which supports API and I used your script again with DNS-01 challenge and DNS hook scripts which worked flawlessly from scratch. 

Thx a lot for sharing your script!

Regards,

Doemer

Please forgive my lack of knowledge. I'm not sure of the syntax to find the certificate I want to replace. I can't get the certificate Reference using cc.

Please can anyone help???

Hello,

What host/domain must I used when ?

utm-router hostname utm.Mydomain.de

virutal Webserver hostname mydomain.de

use the hostname of the firewall, with a SAN of the domain as you listed it.  Or the other way around.  As long as both are listed you are fine.

Doemer,

If you do not mind sharing can you please let me know what DNS provider you moved to. I am currently using HE for DNS and would like to move some of my SSL based sites back behind the WAF if I could get LetsEncrypt working on my UTM.

TIA

Ron

So the only part about those instructions that I'm confused about is the :

Set ACL; The directory where to copy acme challenge file to. This should be the server that is serving the yourdomain.com webpages. Also create the folder on the server and test if http://yourdomain.com/.well-known/acme-challenge/ is reachable and if you can ssh from the UTM to the server. Maybe you need to add a firewall rulle to allow traffic.

ACL=('ssh:<user>@<server>:/var/www/.well-known/acme-challenge')

How did you set this path for your firewall directly on the UTM?

I should clarify, I'm not hosting any other websites, I just want this to secure my firewall itself (gateway.mydomain.net)

Hi, I just had a quick noob question.

is the purpose of copying the ACME challenge to ./well-known/acme-challenge supposed to be used to make the cert renewal on my ubuntu server work?

I will need to update the cert on both the UTM and my webserver if I'm not mistaken and I'm ignorant to if running the renew on two separate hosts will create two different certs, which will make this not work if I'm not mistaken.

Please forgive any weird logic I'm having as I'm new to this and self-learning.

For some reason certbot does not wanna work for me so I'm just going to modify the script to scp the .key and .crt files directly to my ubuntu server's cert directory.

SoulDragon said:

For some reason certbot does not wanna work for me so I'm just going to modify the script to scp the .key and .crt files directly to my ubuntu server's cert directory.