"Let's Encrypt!" support for 5207R, 5208R and 5209R

Posted by: mstauber Category: General

Support for free SSL certificates via "Let's Encrypt!" has been added to BlueOnyx 5207R, 5208R and 5209R.

BlueOnyx 5207R, 5208R and 5209R now support generation and auto-renewal of the free "Let's Encrypt!" SSL certificates through the GUI.

In order to get a free "Let's Encrypt!" SSL certificate for a Vsite (or AdmServ), go to the "SSL" menu entry of a Vsite (or of the GUI itself under "Security" / "SSL") and click on the button labeled 'Let's Encrypt!'.

Caveats:

Certificate expiry:

Certificates are only valid for 90 days, but they can be auto-renewed by a cronjob. The GUI currently offers to do auto-renewal after 60 days, but you can choose to untick that box or to change the frequency.

Rate Limits:

'Let's Encrypt!' is still in Beta and is enforcing rate limits that affect how often you can request certs (10 times in 3 hours). It also limits how many certs you can get for the same domain. This sadly *includes* subdomains. So if you get a certificate for www.domain.com and then another for sub.domain.com, this counts as three certs (at least) for the same domain, because the cert for www.domain.com already included one for "domain.com", too. You can only request 5 certificates for the same domain in seven days.

Online verification:

During the certificate request a temporary file is placed in the web directory of a Vsite (or the GUI), and 'Let's Encrypt!' checks for every iteration of the domain (FQDN and all web server aliases) whether that file is reachable. So you need working DNS and the Vsite needs to be reachable from the outside world, or the request will fail (a detailed error message will be shown in the GUI).
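
A pre-flight check for the verification described above, as an added example (not BlueOnyx code): before clicking the button, place a small probe file in the Vsite's web directory and confirm that the FQDN and every alias resolves and serves it over plain HTTP. It assumes the temporary file lives under the standard ACME HTTP-01 path /.well-known/acme-challenge/; the names preflight, probe_file and probe_body are chosen here for illustration.

```python
import socket
import urllib.error
import urllib.request

# Assumption: the validation file is served from the ACME HTTP-01 location.
CHALLENGE_DIR = "/.well-known/acme-challenge/"

def resolve(name):
    """Return the addresses a name resolves to, or [] when DNS lookup fails."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def fetch(url, timeout=5):
    """GET a URL; return (status, body), with status None if nothing answered."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # server answered with 4xx/5xx
        return err.code, ""
    except (urllib.error.URLError, OSError):  # refused, timed out, no route
        return None, ""

def preflight(names, probe_file, probe_body, resolve=resolve, fetch=fetch):
    """Check every name the certificate will cover; return {name: problem}.

    probe_file is a file you created yourself under CHALLENGE_DIR in the
    web directory, probe_body its exact content. An empty dict means every
    name passed. Run this from a host outside your own network, since the
    verification comes from the outside world.
    """
    problems = {}
    for name in names:
        if not resolve(name):
            problems[name] = "no DNS record"
            continue
        status, body = fetch("http://" + name + CHALLENGE_DIR + probe_file)
        if status is None:
            problems[name] = "web server unreachable"
        elif status != 200:
            problems[name] = "HTTP %d" % status
        elif body.strip() != probe_body:
            # Something other than the static file answered (rewrite, handler).
            problems[name] = "unexpected content"
    return problems
```

Pass the Vsite's FQDN together with all of its web server aliases, because a single failing alias is enough to make the request fail.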

PHP-FPM:

The online verification (and the renewal!) *will* fail if PHP-FPM is enabled for that Vsite. I'm currently looking into this. It's the same issue as with .htaccess files, which also currently don't work with our PHP-FPM implementation on 5209R.

Update: The previous version of this article stated that this feature was only available for 5209R. By now we released versions for 5207R and 5208R as well.


Dec 6, 2015 Category: General Posted by: mstauber