Install Let's Encrypt Certificates on a Conductor

How to install a Let's Encrypt Conductor SSL certificate.

The Conductor uses a certificate for its web server issued by a Tempered Certificate Authority. As this certificate authority is not installed in browser trust stores, some web browsers may report that the Conductor is insecure. You can prevent this message by replacing the web server certificate with a publicly-trusted certificate. The following instructions outline how to install a Let's Encrypt Conductor SSL certificate.
Note: If you want to use a different certificate authority, see Adding or Replacing a Signed Certificate for the Conductor UI.

To install a Let's Encrypt certificate, you need to:

  • Prepare the Let's Encrypt chain
  • Upload the chain to the Conductor and get a certificate signing request (CSR)
  • Use the CSR to get a signed certificate from Let's Encrypt
  • Upload the signed certificate to the Conductor

Before you begin

Install the Let's Encrypt's certbot to get a certificate from Let's Encrypt. Their instructions on how install for your platform can be found on the Certbot site.

Prepare the Let's Encrypt chain

  1. Collect the Let's Encrypt chain from https://letsencrypt.org/certificates/.
  2. Download root and intermediate certificates. Use the ISRG Root X1 certificate and chain.
  3. Concatenate the downloaded root and intermediate certificates into one file: 
    cat letsencryptauthorityx3.pem.txt isrgrootx1.pem.txt > letsencrypt_chain.pem

Upload the chain to the Conductor and get a certificate signing request (CSR)

  1. Upload the prepared chain to the Conductor. For instructions, see Installing a Custom CA Certificate Chain.
  2. In Conductor Settings, under Airwall Conductor Identity, click Actions, and then select Create certificate.
  3. Generate a new identity for the Conductor.
    For example:
    /C=US/O=ixh.io/OU=Example/CN=one.ixh.io
  4. Under Distinguished Name, enter the new Conductor identity, and select Request new CSR.
    Create Airwall Conductor certificate - request a new CSR
  5. Under CSR, select either Copy or Download, and copy the generated CSR to a machine with Let's Encrypt's certbot utility.
  6. Select Save.

Use the CSR to get a signed certificate from Let's Encrypt

Certbot is Let's Encrypt's automated certificate command line tool. You need to use the manual option for certificate signing. More details from Let's Encrypt are here.

Typically, Let's Encrypt uses web server validation to verify you own the domain name for the certificate you're requesting. However, for a Conductor, you have to use their DNS verification steps.

  1. Run the follow certbot command to process a CSR: 
    sudo certbot certonly --manual --preferred-challenges dns --csr <cert.csr>
  2. The DNS validation for certbot typically relies on setting a TXT record for the domain you are issuing the certificate for. Follow the instructions certbot provides to validate this.

Upload the signed certificate to the Conductor

Once you have a signed certificate from Let's Encrypt, install the certificate into the Conductor. As the certificate is used in more places than just the web server, the Conductor may restart to activate the new certificate.
For additional help, see Installing a Custom CA Certificate Chain.