Integrating Let's Encrypt Certificate Authority with Avi Vantage System

Overview

The SSL/TLS protocol keeps a connection between two machines, systems or devices secure and safeguards any sensitive data sent over it, preventing intruders from reading or modifying the information transferred. An SSL/TLS certificate facilitates these secure, encrypted connections. However, there are some challenges around SSL/TLS certificates:

  • Manually getting a certificate
  • The cost associated with a certificate signed by a CA

Let’s Encrypt resolves the above challenges. It is a free, automated (it automates both issuing and renewing the certificate), and open certificate authority. For more information, refer to Let’s Encrypt.

Working with Let’s Encrypt

Before issuing a certificate, Let’s Encrypt servers validate that the requester controls the domain names in that certificate using “challenges,” as defined by the ACME standard. Let’s Encrypt uses the ACME protocol to verify that you control a given domain name and to issue you a certificate. There are different ways that the agent/client can prove control of the domain:

  • Provisioning a DNS record under the domain (as per CSR’s common name)
  • Provisioning an HTTP resource under a well-known URI

Note: Avi Vantage supports the HTTP-01 challenge for domain validation.

HTTP-01 Challenge:

  • Let’s Encrypt gives a token to the ACME client, and the ACME client puts a file on the web server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. That file contains the token plus a thumbprint of the account key.
  • Once the ACME client tells Let’s Encrypt that the file is ready, Let’s Encrypt tries retrieving it (potentially multiple times from multiple vantage points).
  • If the validation checks get the right responses from the web server, the validation is considered successful and the certificate is issued.
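
The file contents described above, worked through as an added example (this is not code from the Avi ControlScript): per RFC 8555 the file body is the token, a dot, and the base64url-encoded SHA-256 thumbprint (RFC 7638) of the account key's JWK. The sample key and token are constructed values and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed sample values: not a real account key or Let's Encrypt token.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "c2FtcGxlLXgtY29vcmRpbmF0ZS1ub3QtYS1yZWFsLWtleQ",
              "y": "c2FtcGxlLXktY29vcmRpbmF0ZS1ub3QtYS1yZWFsLWtleQ"}
SAMPLE_TOKEN = "Zm9vYmFyLWNvbnN0cnVjdGVkLXRva2VuLTAwMQ"

# RFC 7638: only these members, per key type, go into the thumbprint.
REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the required members, sorted, with no whitespace."""
    members = {name: jwk[name] for name in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, jwk: dict) -> str:
    """Exact body the validation request must receive: token.thumbprint"""
    return token + "." + jwk_thumbprint(jwk)

def challenge_path(token: str) -> str:
    """URL path of the challenge file. Tokens are base64url only, so
    anything else (slashes, dots) is rejected before building a path."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("token is not base64url; refusing to build a path")
    return "/.well-known/acme-challenge/" + token

def response_is_valid(token: str, jwk: dict, body: bytes) -> bool:
    """What a validator checks: the body, ignoring surrounding whitespace,
    equals the key authorization. Compared in constant time."""
    expected = key_authorization(token, jwk).encode("ascii")
    return hmac.compare_digest(body.strip(), expected)

if __name__ == "__main__":
    print(challenge_path(SAMPLE_TOKEN))
    print(key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
```

Because the thumbprint binds the response to one account key, a file served for the right token but a different ACME account fails validation.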

Notes:

  • Let’s Encrypt CA communicates on port 80 for the HTTP-01 challenge, so port 80 must be open on the firewall and Let’s Encrypt CA must be able to reach the user’s network (the network where the Avi Vantage System is deployed; Let’s Encrypt CA connects over the public network to the user’s Avi Vantage System on port 80).
  • If a virtual service is already listening on port 80 on Avi, the script does not create one; otherwise, the script automatically creates a virtual service listening on port 80 for the respective virtual service listening on port 443/custom SSL port.

For more information regarding domain validation please refer the below URLs:

Configuring Let’s Encrypt

Below is the configuration summary for the Let’s Encrypt integration with Avi Vantage:

  1. Get the script that assists in getting and renewing the certificate.
  2. Add the script as a ControlScript on the Avi Vantage System.
  3. Add a user account with a custom role (limited access only).
  4. Create a certificate management profile on the Avi Vantage System.
  5. Add a virtual service on the Avi Vantage System.
  6. Make sure that the FQDN resolves to a public IP and that port 80 is open at the firewall.
  7. Create a CSR and select the configured certificate management profile.
  8. Review the list of certificates; Let’s Encrypt CA would push the signed certificate.
  9. Associate the certificate to the configured virtual service.

For the Let’s Encrypt ControlScript to work, an FQDN has to be configured for the vsvip. If the option is not available through the UI, use the CLI to configure an FQDN in the vsvip:


[admin:alert-ctlr]: > configure vsvip <vsvip name>
[admin:alert-ctlr]: vsvip> dns_info
[admin:alert-ctlr]: vsvip:dns_info>
[admin:alert-ctlr]: vsvip:dns_info> fqdn <fqdn>
[admin:alert-ctlr]: vsvip:dns_info> save
[admin:alert-ctlr]: vsvip> save

Configuring Avi Vantage System

Follow the steps below to configure Let’s Encrypt for Avi Vantage:

  1. Download the script available at letsencrypt_mgmt_profile. To download the file, click the Raw option.

  2. The raw code of the script is displayed. Copy the code.

  3. Access the Avi Controller, navigate to Templates > Scripts > ControlScripts and click create.

  4. Add a meaningful name, paste the script, and save the configuration.

  5. Configure a user account. First, configure a custom role (make sure that read & write access is enabled for Virtual Service, Application Profile, SSL/TLS Certificates and Certificate Management Profile). Then add a user, add/select all relevant details and assign the custom role.

  6. Add a user, enter all the required details and select the configured custom role.

  7. Navigate to Templates > Security > Certificate Management and click create.

  8. Enter a meaningful name, select the configured control script and enable custom parameters, add custom parameters as shown below.

    [Screenshot: certificate management profile with custom parameters]

    Note: It is recommended not to use the admin account; always add a user account that has a custom role (with limited access).

  9. Navigate to Templates > Security > SSL/TLS Certificates, click create and select Application Certificate.

  10. Enter a meaningful name and the common name, select the configured certificate management profile, add all relevant details, and save the configuration.

Note: Make sure that a virtual service is configured with the Application Domain Name set to the Common Name (CN) of the certificate; the CN of the certificate must match the Application Domain Name of the virtual service. The FQDN (CN of the certificate/Application Domain Name of the virtual service) must resolve to an IP address and be reachable.
After a few minutes, review the list of certificates; you can see the certificate pushed by Let’s Encrypt CA.
Associate the certificate to the configured virtual service.

Logs

To view the logs, enable non-significant logs on the configured virtual service and attempt to generate the certificate. Below is an example of the log:

[Screenshot: example log]

Automation of certificate renewal

Controllerproperties has the configuration for ssl_certificate_expiry_warning_days. By default it is 30, 7, and 1 days, and it can be modified if required. As soon as certificate renewal is required as per this configuration, the script is activated and takes care of the renewal itself (it is completely automatic).

Note: Let’s Encrypt CA imposes a rate limit, so make sure that the renewal of the certificate does not hit the rate limit.

Additional Information

  • For more details regarding the rate limit, refer to the below article: Rate Limits

  • Refer to the below URL for SSL/TLS Certificate details: SSL Certificates