New Feature                                               Need help? Try our Zyxel Search AI feature Try Now!

Import a Lets Encrypt certificate to the USG ATP / USG FLEX Series icon

Avatar
Raphael

In this KB article, I'd like to show you how you can use a Raspberry Pi to have a Let’s Encrypt certificate installed on your USG.

 

Introduction
Requirements
Setup
Renew the certificate

 

Introduction

We will use an Apache server and the Let’s Encrypt add-on for Apache running on a Raspberry Pi to download a certificate for a specific domain name. We also will use the Pi to update this certificate.

We will export the certificate from the Pi and import it to the USG.

What is the use of a certificate?

With the certificate, you will get rid of the security warnings in your browser. Such as for HotSpot or SSL VPN.

 

Requirements

  1. You need a domain name (DN) (for instance hotspot.hotel-mayer.de)
  2. If you don't have a static IP, you also have to make sure that your DN is kept up to date,
    you could use the DDNS option from your USG: Configuration > Network > DDNS
  3. If you use your USG in a double NAT scenario, you need to make sure, that HTTP and HTTPS are forwarded to the USG
  4. You need to know how to use NAT in a proper way
  5. You need a Raspberry Pi and an SD card for the OS
  6. A PC with Tera Term or putty and WinSCP installed
  7. You need to know how to use the SSH terminal on the USG
  8. The USG has to be at least on FW version 4.30

 

Setup

  1. Setup the Pi and Apache
  2. Port forwarding
  3. Create and export the certificate
  4. Import the certificate to the USG
  5. Configure the HTTP to HTTPS redirect properly

1. Setup the Pi and Apache 

In this scenario, we only need a command line-based OS for the Pi (Raspbian Stretch Lite)
please download it from the Raspberry Pi website and install it like described in the documentation.

https://www.raspberrypi.org/downloads/raspbian/
https://www.raspberrypi.org/documentation/installation/installing-images/README.md

1.1 Enabling SSH and change the password

Now you need to enable SSH. Therefore put the SD card in your computer and put an empty file named “SSH” in the SD card's root folder.

Once the installation is completed, put the Pi in your network, start it and check, if you can reach it via SSH (for instance with Putty or Tera Term)

User: pi
Password: raspberry

Recommendation 1: change the password as described here:
https://www.raspberrypi.org/documentation/configuration/raspi-config.md

Recommendation 2: Make sure that the Pi will always get the same IP
USG Series - Reserve an IP for a device

1.2 Update the Pi and install Apache-Server

Now we can check for and install updates

sudo apt update && sudo apt upgrade --yes

Once this is done, we can install the Apache server

sudo apt install apache2 --yes

After the installation is finished, you should be able to see the Apache's default webpage by browsing to the Raspberry IP.

mceclip0.png

Now its time to reboot the Pi:

shutdown -r

In the meanwhile, we will set the (temporary) port forwarding to the Pi.

 

2. Port forwarding

To have the ports 80 and 443 open to the internet. Below you find how to do the necessary steps

2.1 Change HTTPS port of the USG to, e.g. 8443
Now you can access the USG like this: https://192.168.1.1:8443

2.2 Configure port forwarding for HTTP and HTTPS
Please check if you can access your Pi's test-page from the internet

 

3. Create and export a certificate

Before we can have a Let's Encrypt certificate, we have to install the Let’s encrypt add-on for the Apache. It will help to do the certification of your domain name.

sudo apt install certbot python-certbot-apache --yes

 

3.2 Generating the first certificate

Now we will generate the first certificate:

sudo certbot --apache

You need to go through the form and fill it out appropriately. You will be asked if you like to redirect it permanently.

mceclip1.png

 mceclip2.png

The certificate will be requested and automatically installed on the Apache server.

 

3.3 Exporting the certificate downloading the certificate

Now you can export the certificate with a time stamp.

sudo openssl pkcs12 -export -out /tmp/myusg_"$(date +"%Y-%m-%d")".p12 -inkey /etc/letsencrypt/live/[your_domain]/privkey.pem -in /etc/letsencrypt/live/[your_domain]/cert.pem

You need to enter a password. Please make sure that you remember the password, which you will also need it for the import to the USG.

mceclip3.png

To get the certificate from the Pi, we need to change the access rights for the myusg_[date].p12 file.

sudo chmod 777 myusg[date].p12

Now you can get the file with WinSCP from the /tmp folder.

 

4. Import the certificate to the USG

4.1 Download and import the Let's Encrypt root and intermediate certificates 

To get the USG to trust the certificate we exported earlier, we have to import the root and intermediate certificates from Let's Encrypt:

https://letsencrypt.org/certificates/

Make sure that the certificates are saved as pem-file (for example letsencryptauthorityx3.pem).

Now on the USG, go to Configuration > Objects > Certificates > Trusted certificates and import the root and intermediate certificates.

 

4.2 Import and activate your certificate

On the USG go to Configuration > Objects > Certificates > My Certificates and import the certificate (You have to enter the password as well)

Go to Configuration > System > WWW under Server Certificate you can now choose your imported certificate.

 

5. Configure the HTTP to HTTPS redirect properly

5.1 Deactivate the NAT for the Pi

To have the ports 80 and 443 free again for the USG, you need to deactivate the NAT for the Pi. Go to Configuration > Network > NAT and find and deactivate the rules that are responsible for the NAT.  Please don't delete the rules, because you will need them later again.

5.2 Set the USG's HTTPS port back to 443 and set up the HTTP to HTTPS redirect

Go to Configuration > System > WWW and set the HTTPS port back to 443. Make sure that the HTTP redirect is enabled.

5.3 Get rid of the IP-address

Now the USG will use the imported certificate. The "problem" left is that the USG will redirect the HTTP to HTTPS like this:

https://192.168.1.1/redirect.cgi?arip=[your_dyndns]&original_url=http://[your_dyndns]/

mceclip4.png

This will, of course, create a certificate issue. To get finally rid of this message, you need to open an SSH session to your USG and enter these commands:

Router> configure terminal
Router(config)# web-auth redirect-fqdn [your_domainname]
Router(config)# write
Router(config)# exit
Router> write

Now the redirect will look like this:

https://[your_domain]/redirect.cgi?arip=[your_domain]&original_url=http://[your_domain]/

mceclip5.png

 Congratulations, you now have a Let's Encrypt certificate running on your USG.

Renew the certificate

Let's Encrypt certificates are valid for 90 days. This means that you have to renew the certificate all three months. 

1. Open HTTP and HTTPS ports to the Pi again

a ) change the HTTPS ports from the USG again (Point 2.1)
b ) Reactivate the NAT for HTTP/HTTPS for the Pi (Point 2.2)

2. SSH to the Pi and renew the certificate

Open an SSH session to your Pi and enter this command

sudo certbot renew

This will renew the certificate for another 90 days

3. Export and import the certificate

Now you need to follow the steps in point 3.3

4. Update the certificate on the USG 

Now you proceed with step 4.2

5. Change the ports back

Follow the steps in 5.1 and 5.2

 

Congratulations, you now have renewed the Let's Encrypt certificate on your USG.

 

Disclaimer: Please understand that this is only a description of how to have a Let's Encrypt certificate on your USG. If something is wrong with the Raspberry Pi, please understand that we can not give you support regarding any problem with the Pi!

Related articles

Comments

0 comments

Please sign in to leave a comment.