Hi everyone,
For those who have been able to set up SSL/TLS with Let's Encrypt on their Ignition servers running on Windows, how did you go about the process? I have been stuck on this for some time now.
It's been a PIA to maintain, and we have had issues with it. We used Certbot for Windows, so I will share my notes on how I got it working.
To use Certbot, open a command line as administrator and change directory to C:\Program Files\Certbot\bin
Run certbot certonly --standalone; this will issue the DNS challenge after some prompts.
Running the above should place the required files in your Certbot directory under the \live\ folder.
Then you have to acquire isrgrootx1.pem from the Let's Encrypt website.
The live chain1.pem file needs to be adjusted, as it contains the old DST Root CA X3 certificate. With this in the chain1 file, Ignition cannot validate the certificates. First copy the chain1.pem file out of the live folder, paste it next to the root certificate, and give it a new name, chain1updated.pem. Open chain1updated.pem in Notepad and delete the bottom certificate. The two certificates are delimited by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
Then you can install the certificates into Ignition, in the following order:
privkey1.pem
cert1.pem
chain1updated.pem
isrgrootx1.pem
Then we set up automatic renewal using Windows Task Scheduler:
-NoProfile -WindowStyle Hidden -Command "certbot renew"
The above is how I got it working. I did not know much about the above until I dove into it, so this may not be the best path forward, but it does work somewhat. Sometimes it will not auto-renew, and I have to manually go through the whole process again.
I basically used the Ignition Let's Encrypt guide, which is built for Linux, and made it work for Windows.
With that said, in the next few months we are updating our Windows servers to Linux to help with the above and for other reasons. Hoping the guide below is easier to maintain on Linux.
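As an added example that is not from the original post or from Ignition's documentation, the following PowerShell script does the two repetitive steps of the procedure above in one place: it rebuilds chain1updated.pem by dropping the bottom certificate of chain1.pem, printing the subject and issuer of each certificate so you can confirm that the one being discarded is the one issued by DST Root CA X3, and it registers the Task Scheduler renewal job with the same arguments shown above. The certificate directory, output path, task name and schedule are assumptions; adjust them for your server.

```powershell
# Added example, not from the original post: automates the chain trimming described
# above and registers the renewal task. Paths, the certificate name, the task name and
# the schedule are assumptions; adjust them for your server.

$CertbotLive = 'C:\Certbot\live\ignition.example.com'   # assumed live directory
$ChainIn     = Join-Path $CertbotLive 'chain1.pem'
$ChainOut    = 'C:\Certbot\chain1updated.pem'           # assumed output path

# Split a PEM file into its individual certificate blocks (BEGIN...END inclusive)
function Split-PemCertificates {
    param([string]$Text)
    $pattern = '(?s)-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----'
    return @([regex]::Matches($Text, $pattern) | ForEach-Object { $_.Value })
}

# Decode one PEM block so its subject and issuer can be read
function ConvertTo-X509 {
    param([string]$PemBlock)
    $b64 = $PemBlock -replace '-----(BEGIN|END) CERTIFICATE-----', '' -replace '\s', ''
    $der = [Convert]::FromBase64String($b64)
    return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
}

# Write a copy of the chain with its bottom (last) certificate removed
function Remove-LastCertificate {
    param([string]$InPath, [string]$OutPath)
    $blocks = Split-PemCertificates (Get-Content -Raw -Path $InPath)
    if ($blocks.Count -lt 2) {
        throw "Expected at least two certificates in $InPath, found $($blocks.Count)"
    }
    $dropped = ConvertTo-X509 $blocks[-1]
    Write-Host "Dropping: subject=$($dropped.Subject) issuer=$($dropped.Issuer)"
    # Sanity check: the certificate being discarded should be the one issued by DST Root CA X3
    if ($dropped.Issuer -notmatch 'DST Root CA X3') {
        Write-Warning 'Bottom certificate is not issued by DST Root CA X3; check the chain before importing.'
    }
    $kept = $blocks[0..($blocks.Count - 2)]
    foreach ($b in $kept) {
        $c = ConvertTo-X509 $b
        Write-Host "Keeping:  subject=$($c.Subject) issuer=$($c.Issuer)"
    }
    Set-Content -Path $OutPath -Value ($kept -join "`n") -Encoding ascii
}

Remove-LastCertificate -InPath $ChainIn -OutPath $ChainOut

# Register the renewal task from the post. Running daily at 03:00 as SYSTEM is an assumption.
# Assumes certbot.exe is on PATH; otherwise use the full path to the Certbot bin directory.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
               -Argument '-NoProfile -WindowStyle Hidden -Command "certbot renew"'
$trigger   = New-ScheduledTaskTrigger -Daily -At 3am
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Certbot Renew' -Action $action -Trigger $trigger -Principal $principal -Force
```

Run it from an elevated PowerShell prompt. Note that certbot renew only refreshes the files under the Certbot directory; the trimmed chain still has to be regenerated and the certificates re-imported into Ignition after each renewal, which is the part the procedure above leaves manual.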
My typical go-to when using LetsEncrypt is to use a reverse proxy in front of Ignition to handle the encryption, then pass on the connection to Ignition unencrypted on port 8088. This is typically called TLS Offloading, and I've done it on even Ignition Edge systems running on a small panel PC. On Linux I use HAProxy with Certbot, and while I haven't done one on Windows, I have tested Zoraxy and it seems to work well with a nice GUI interface as well.