1

I am using an SSL certificate signed by Verisign for my VPN server, which is hosted on the public network and which my company's employees use to connect to the company network through this server.
The system has to be online 24*7 and it would be tough to take downtime.

On my VPN server, I don't have permission to create or modify the web files (in simple words, I only have the GUI of that machine, and from the GUI I can only upload certificate files like .pem or the certificate chain to the server).

Now I am thinking of going for a certificate from the Let's Encrypt server (for the obvious reason of saving some dollars).

I have some doubts in my mind, like:

  1. Should I go for Let's Encrypt or not?
  2. Is it secure to have a certificate from Let's Encrypt?
  3. Most important question: I have gone through the procedure for getting a certificate from Let's Encrypt. What I understood was that I have to install an ACME tool or some scripts which will do the job automatically for me.
    Now, I have a limitation that my VPN box doesn't allow me to install anything apart from some specific code (generally patches) provided by the OEM.
    Also, the procedure mentioned that ACME (or similar scripts) will create a temporary file with some garbage text for checking domain ownership by the Let's Encrypt program. My server doesn't have this capability.

What should I do to get an SSL certificate from Let's Encrypt?

Gaurav Kansal
  • Is there no scope to just implement some kind of kludge/hacky script to update the certs on the server? That would stop it from being a manual process. – James Snell Oct 25 '16 at 10:05
  • No. The server is completely a closed box and doesn't even allow access to a shell. Only a modified CLI mode is there, and only limited commands are allowed in that CLI mode. – Gaurav Kansal Oct 25 '16 at 10:48
  • 1
    Who said anything about shell, just mimic the user actions to upload the cert. – James Snell Oct 25 '16 at 12:13
  • @JamesSnell, That is a complex solution, but it could work. The secret token file still has to be served though. Not worth $10/year savings IMO. – 700 Software Oct 27 '16 at 15:48

2 Answers

3

Should I go for Let's Encrypt or not?

You may, if you are willing to change it manually every 3 months. But then, it's free, so why not? You will save a lot of money.

Is it secure to have a certificate from Let's Encrypt?

Well, they have a pretty clean record up till now. You can refer to the link for that. I would suggest they are pretty secure.

What should I do to get an SSL certificate from Let's Encrypt?

Since you cannot take downtime and you want to use Let's Encrypt issued certificates, you can do the following to get the certificate:

  • You would need access to the zone file of your domain; I presume you have that.
  • Download the ACME script and give the CSR info to the script (use the link).
  • Use the "Use DNS mode" of the script. It will ask you to make a TXT DNS record.
  • You will have the PEM files with you. Upload them to the VPN server and that's it, you are done.

Update:

Or, alternatively, you can do it in two more ways:

  • Instead of "Use DNS mode" you can use "Use Standalone server to issue cert".
  • In this mode Let's Encrypt would try to reach your server on port 80.
  • Whenever anything tries to reach the VPN server on port 80, you can DNAT it to another IP which has the requirements fulfilled. Or you can look for the source addresses of Let's Encrypt and DNAT only when the source is Let's Encrypt. (Of course you would need a firewall in between to achieve this.)

Hope this helps!

2

Let's Encrypt is optimized for automated usage. There are web interfaces and command line tools you can use in a manual fashion to validate and obtain the certificate .pem files. However, this is inconvenient, and Let's Encrypt certificates expire after 3 months.

However, many registrars (e.g. NameCheap, just to name one) offer DV certificates for $10 (USD) per year. This is optimized for manual certificate installation, and will allow you to renew once every 3 years instead of every 12 weeks.

At worst you are spending $10 to save 1-2 hours of work and tracking each year. At best you are saving yourself from accidental down time.

Is it secure to have a certificate from Let's Encrypt?

Yes. Quoting @Simone Carletti: "Let's Encrypt is a Certificate Authority, and they have more or less the same privileges and power of any other existing (and larger) certificate authority in the market."

Hypothetically, if a CA is compromised, then the attacker can sign certificates for any domain.

  • Your visitors could be subject to MiTM from this particular attacker. This is partially mitigated if you used Public Key Pinning. In either case, it doesn't matter whether you used the compromised CA or not. The browsers trust all CAs equally.

  • After the breach is discovered, then many browsers will stop trusting the compromised CA. For those browsers — only if you were using the compromised CA — your site would go down, nothing more. You would switch to another CA to restore service.

The private key and the DV process can be fully secured from even the most sophisticated cyberattacks (excepting DoS, which is not relevant here). It would be rare for a CA to accidentally expose a vulnerability allowing such an attack to be successful. The most likely point of failure becomes the humans working in the company, so a good organizational structure at the CA is important as well.

I have gone through the procedure for getting a certificate from Let's Encrypt; what I understood was that I have to install an ACME tool or some scripts which will do the job automatically for me.

That's what it is optimized for, but there are manual workarounds.

ACME (or similar scripts) will create a temporary file with some garbage text for checking domain ownership by the Let's Encrypt program. My server doesn't have this capability.

I wouldn't call it garbage, lol! But yes, this random token is called HTTP validation of a certificate request, and that is how the ACME system works.

Let's Encrypt might offer a way to use DNS validation, in which case the random token is placed in a TXT record.

However, traditional CAs (resold for $10/year) offer email validation. This is what I usually use and it is the easiest to tackle. The random token is included in a link in the email, so it's pretty easy to use.

700 Software
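An added example, not from either answer or from any ACME client, of the token handling both answers describe: the HTTP-01 key authorization that the VPN box cannot serve, and the DNS-01 TXT value that the first answer's "Use DNS mode" step asks you to publish by hand, plus a pre-flight check of the published record before the CA is asked to validate. The account key, token and domain are constructed values.

```python
"""Added example (not from the original post): how an ACME client derives
the DNS-01 TXT value and the HTTP-01 key authorization from the CA's token.
The account key and challenge token below are constructed sample values."""
import base64
import hashlib
import json
from typing import Tuple


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only (RSA: e, kty, n),
    lexicographic key order, no whitespace. Extra members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    subset = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 of the canonical JWK, base64url encoded (always 43 chars)."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """HTTP-01: this exact string must be served at
    http://<domain>/.well-known/acme-challenge/<token>, which the VPN box cannot do."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(domain: str, token: str, jwk: dict) -> Tuple[str, str]:
    """DNS-01: the TXT record name and value the operator publishes by hand."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def txt_matches(observed: str, domain: str, token: str, jwk: dict) -> bool:
    """Pre-flight check before asking the CA to validate: compare the value the
    zone really serves (e.g. copied from `dig TXT` output) with the expected one."""
    return observed.strip().strip('"') == dns01_record(domain, token, jwk)[1]


# Constructed sample account public key and challenge token (not real values).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "CONSTRUCTED_SAMPLE_MODULUS_NOT_A_REAL_KEY", "alg": "RS256"}
SAMPLE_TOKEN = "constructed-token-Z6wC4qfKjXwQ"
```

Calling `dns01_record("vpn.example.com", SAMPLE_TOKEN, SAMPLE_JWK)` gives the `_acme-challenge` name and the value to paste into the zone; `txt_matches` lets you confirm the record has propagated before the CA's single check, which is the step that fails silently when done by hand.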