Hi everyone,
For those who have been able to set up SSL/TLS with Let's Encrypt on their Ignition servers running in Windows, how did you go about the process? I have been stuck on this for some time now.
It's been a PIA to maintain and we have had issues with it. We used Certbot for Windows. So, I will share my notes on how I got it working.
To use certbot, open a command line as administrator and change directory: cd C:\ProgramFiles\Certbot\bin
certbot certonly --standalone - this will issue the DNS challenge following some prompts.
Running the above should place the required files in your certbot directory under the \live\ folder.
Then you have to acquire the isrgrootx1.pem from the Let's Encrypt website.
The live chain1.pem file needs to be adjusted as it contains the old DST Root CA X3 certificate. With this in the chain1 file Ignition cannot validate the certificates. First copy the chain1.pem file out of the live folder and paste it near the root certificate and give it a new name, chain1updated.pem. Open the chain1updated.pem file in Notepad and delete the bottom certificate. The two certificates are divided by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
Then you can install the certificates into Ignition, in the following order:
privkey1.pem
cert1.pem
chain1updated.pem
isrgrootx1.pem
Then we set up automatic renewal using Windows Task Scheduler:
-NoProfile -WindowStyle Hidden -Command "certbot renew"
The above is how I got it working - I did not know much about the above until I dove into it. So, this may not be the best path forward, but it does work somewhat. Sometimes it will not auto renew, and I have to manually go through the whole process again.
I basically used the Ignition Let's Encrypt guide, which is built for Linux, and made it work for Windows.
With that said, in the next few months we are updating our Windows servers to Linux to help with the above and for other reasons. Hoping the guide below is easier to maintain on Linux.
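The chain-trimming step from the notes above, as an added example that is not part of the post: a small Python script that splits chain1.pem into its PEM blocks, drops the bottom certificate, and writes chain1updated.pem so the edit can be re-run after every renewal instead of by hand in Notepad. The sample PEM blocks are constructed placeholders, not real certificates, and the function names are this example's own.

```python
"""Rebuild chain1updated.pem from certbot's chain1.pem by dropping the
bottom certificate of the chain, as described in the notes above."""
import re
from pathlib import Path
from typing import List

# One PEM certificate block, from BEGIN line to END line (body may span lines).
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_certs(pem_text: str) -> List[str]:
    """Return each PEM certificate block in the order it appears in the file."""
    return PEM_CERT.findall(pem_text)


def trim_chain(pem_text: str, expected_certs: int = 2) -> str:
    """Drop the last certificate and return the remaining PEM text.

    Refuses to run when the chain does not have the expected number of
    certificates, so a changed upstream chain layout is noticed rather than
    silently producing a wrong chain1updated.pem."""
    certs = split_pem_certs(pem_text)
    if len(certs) != expected_certs:
        raise ValueError(f"expected {expected_certs} certificates, found {len(certs)}")
    return "\n".join(certs[:-1]) + "\n"


def write_updated_chain(live_dir: Path, out_path: Path) -> int:
    """Read <live_dir>/chain1.pem, write the trimmed chain, return cert count."""
    trimmed = trim_chain((live_dir / "chain1.pem").read_text())
    out_path.write_text(trimmed)
    return len(split_pem_certs(trimmed))


# Constructed sample: two placeholder blocks standing in for the intermediate
# and the cross-signed root; these are not real certificates.
SAMPLE_CHAIN = """-----BEGIN CERTIFICATE-----
MIIBintermediatePLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBcrossSignedRootPLACEHOLDER
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(trim_chain(SAMPLE_CHAIN))
```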
My typical go-to when using LetsEncrypt is to use a reverse proxy in front of Ignition to handle the encryption, then pass on the connection to Ignition unencrypted on port 8088. This is typically called TLS Offloading, and I've done it on even Ignition Edge systems running on a small panel PC. On Linux I use HAProxy with Certbot, and while I haven't done one on Windows, I have tested Zoraxy and it seems to work well with a nice GUI interface as well.
I'm glad people who have gone through these problems share their knowledge, very much appreciated.
Now, I'm at a stage where the team has an Ignition application that we want to deploy to replace our legacy product, but we want to make sure that its security is up to a reasonable standard.
I also had a look into the document related to using certbot but it looks like Certbot no longer supports Windows.
How is everyone dealing with this? I've heard someone mention using Docker to get around this issue, but automating the renewal in this case, at least in my mind, could be complicated and I'm not sure it's worth the effort if the system is never going to have access to the outside world.
Doesn't this mean you aren't a candidate for a certificate from a public CA anyway?
If you want to enable TLS you'll need to use a self-signed certificate or an internal/corporate CA.
Hi Kevin,
Thank you for a very prompt reply! Yes, that's what I'm doing at the moment, but I was wondering if a self-signed certificate is not deemed 'production ready'. This is our first time deploying a SCADA application and I wanted to know what the consensus is regarding the use of a self-signed cert if the system is completely shut off from the outside.
Do you have an IT department that already manages a CA?
Hi Kevin,
We do, but shouldn't the IT on customer site be issuing the certificate instead of our own?
Well, now that you mention it, I wonder how a renewal will work for a self-signed cert (edit: I can make it expire in a million years..) or a cert issued by the CA (either us or customer IT).
I've seen the script using Certbot, but I need to come up with something else if we're not going down the Certbot path.. gosh, I need to do some research on these topics
Yes, it would be the customer IT that should manage this if you're an integrator and not the end user.
When IT has it together enough to manage a CA everything is nicer. All browsers will automatically trust the CA-signed Ignition cert because they will have seeded that CA to all the workstations/servers they manage.
Just for posterity, for Windows ACME/LetsEncrypt certificates a few alternatives to CertBot are:
And if you prefer a GUI (but this is a subscription software licensed on a yearly basis):
Edit: Maybe a better link might be to this list of clients: