ACME certificates

Creation and managment of certificates

Last adaptation to the version: 12.6.0

New:

Updated to Redesign of the webinterface

notempty

This article refers to a Resellerpreview

12.5.1 12.4

ACME certificates (Let's Encrypt)

Authentication Certificates Area ACME

Caption	Value	Description	Certificates UTMuser@firewall.name.fqdnAuthentifizierung
Activated:	Yes	Enables the use of ACME certificates. For more information see below Activate ACME service.
Use system-wide nameservers for ACME challenges:	Yes	If the addresses for the servers for the extension of the ACME challenges cannot be resolved via the system-wide nameserver (e.g. due to configured relay or foreward zones), alternative nameservers can be entered by deactivating No.
Nameserver for ACME challenges: Can be used for ACME challenges when system-wide nameserver is disabled	»85.209.185.50»85.209.185.51»2a09:9c40:1:53::1»2a09:9c40:1:53::2	Here you can enter the nameservers for the ACME-Challenges.

Activate ACME service

Um ACME Zertifikate nutzen zu können, muss dies unter Authentication Certificate Area ACME Aktiviert: Ja aktiviert werden.

Sobald der Dienst aktiviert wurde und dies mit

gespeichert wurde, wird der Link zu den Nutzungsbedingungen geladen und es lassen sich die Einstellungen aufrufen.
With the button Activate Yes and the storage of an Email address for notifications by the ACME service provider (here: Let's Encrypt), the information can be saved with
A dialog will appear with a link to the Terms of Use, which must be accepted Yes.

UTM v12.6 Zertifikate ACME Default-en.png

ACME service On Enable service

UTM v12.6 Zertifikate ACME Nutzungsbedingungen geladen-en.png

Sobald der Dienst aktiviert wurde und dies mit

gespeichert wurde, wird der Link zu den Nutzungsbedingungen geladen und es lassen sich die Einstellungen aufrufen.

UTM v12.6 Zertifikate ACME aktivieren-en.png

With the button Activate Yes and the storage of an Email address for notifications by the ACME service provider (here: Let's Encrypt), the information can be saved with

UTM v12.6 Zertifikate ACME Nutzungsbedingungen bestätigen-en.png

A dialog will appear with a link to the Terms of Use, which must be accepted Yes.

UTM v12.6 Zertifikate ACME Regestrierung-en.png

A registration with the ACME service provider is then performed

UTM v12.6 Zertifikate ACME registriert-en.png

Successful registration is indicated with the status OK.

Generate token

spDYN To generate the certificates, the ACME token must first be generated in the spDYN portal.
Within the spDYN portal, the corresponding host must be opened.

Call up spDyn Host
Select the ACME Challenge Token from the Token drop-down menu.
Generate token
notempty
The token is displayed once during generation and cannot be displayed again.

The token should be noted and stored safely.

Call up spDyn Host

Zertifikate ACME SpDYN Token waehlen-en.png

Select the ACME Challenge Token from the Token drop-down menu.

Zertifikate ACME SpDYN ACME Token-en.png

Generate token
The token is displayed once during generation and cannot be displayed again.
The token should be noted and stored safely.

Renewal of ACME certificates

notempty

New as of 12.4

The renewal of the ACME/Let's Encrypt certificates takes place via the nameservers used, which are configured under Area ACME (see above)

ACME Certificates

After completing the previous steps, the actual certificate can now be generated. A click on Add ACME certificate in the Certificates tab opens the corresponding dialog.

Status	Description	Note
Caption	Value	Description	Add ACME certificate UTMuser@firewall.name.fqdnAuthentifizierungCertificates Add ACME certificate
Add ACME certificate UTM Dialog Authentication Certificates Area Certificates Button Add ACME certificate
Name	acme_ttt-Point	Name to identify the certificate
Key length:	2048	Key length of the certificate. Possible values:
ACME Account	Let's Encrypt	ACME account which should be used

Subject Alternative Name configure with Add SAN Add Subject Alternative Name
Subject Alternative Name	»ttt-point.spdns.org	The Subject Alternative Name ('SAN) is stored in the certificate and corresponds to the called URL	Add SAN UTMuser@firewall.name.fqdnAuthentifizierungCertificates Add Subject Alternative Name
Subject Alternative Name	»*.ttt-point.spdns.org	Wildcard SANs can also be used. Wildcard certificates are strongly recommended for use with a captive portal If a forward zone is required for the captive portal in the nameserver and an A record is then entered for it, this is no longer resolved in the public DNS. Verification and renewal of an ACME certificate with this name will then fail.
Alias	ttt-point.spdns.org	If the SAN is a spDYN hostname it is automatically taken on as alias. (Also for wildcard domains without * )
Token	•••••••••••••	The token from the spDYN portal (see above) proves to the ACME service that you are allowed to dispose of the hostname. displays the token. When inserting the token from the clipboard it can happen that there are blanks before or after the actual token. These must be removed

Check configuration Check configuration
Status	Not yet checked	Before the actual generation of the certificate, the configuration must first be checked. This is done by clicking on the Check configuration button.	Add ACME certificate UTMuser@firewall.name.fqdnAuthentifizierungCertificates
	initialize Initializes	The check can take several minutes. During this process, the dialog is updated regularly.
	Valid	If the check is successful, the status Valid is displayed.
	DNS error	Possible causes: wrong token DNS resolution disturbed zone forwarding configured in DNS local DNS zone configured in DNS If there is a zone in the nameserver of the UTM for a domain that also uses the ACME certificate, the DNS resolution fails. Solution: Create a CNAME record for this domain. • Search for the zone under Menu/Applications/Nameserver/Zones • click on Edit • Click on +Add Entry in the window • enter a suitable name under Name:' • select CNAME under Type: • enter the domain under Value:

Configure Subject Alternative Name for an external DNS zone with Add SAN Add SAN for external DNS zone
Subject Alternative Name	ttt-point.anyideas.org	The Subject Alternative Name (SAN) from the external DNS zone.	Add SAN UTMuser@firewall.name.fqdnAuthentifizierungCertificates
Alias	ttt-point.spdns.org	The alias must also be the spDYN name for the external DNS.
DNS-Provider	Basically, an additional CNAME record with the prefix _acme-challenge and the subsequent host name must be created at the DNS provider hosting the external zone (here: ttt-point.anyideas.org). _acme-challenge.ttt-point.spdns.org. (With "." at the end!) An example excerpt from a Zonefile for the configuration of the two hostnames mx.ttt-point.de and exchange.ttt-point.de looks like this: _acme-challenge.mx.ttt-point.anyideas.org. IN CNAME _acme-challenge.ttt-point.spdns.org. _acme-challenge.exchange.ttt-point.anyideas.org. IN CNAME _acme-challenge.ttt-point.spdns.org. The hostname must be resolvable in the public DNS. Certificate creation for .local, .lan, etc. zones is not possible. The UTM must be able to resolve the host name correctly via external nameservers. notempty If the internal and the external/public domain are identical, the zone must also be delegated to the internal DNS.

Check configuration	Additional SANs can be added and checked as long as the Save button has not been pressed.		Add ACME certificate UTMuser@firewall.name.fqdnAuthentifizierungCertificates

Status	Valid	Once all the required SANs have been successfully checked, the certificate can be saved.	Add ACME certificate UTMuser@firewall.name.fqdnAuthentifizierungCertificates
	notempty Once the certificate has been saved, no more changes can be made. Only the alias and the token can be changed for existing SANs. If additional or different SANs are required, a new certificate must be created and the existing one has to be revoked.

Creation of the ACME certificate Creation of the ACME certificate
	If the previous steps have been completed successfully, the actual process for validating and generating the certificate is triggered by clicking Save. This process may take some time. To update the status, the dialog must be reloaded manually.		Certificates UTMuser@firewall.name.fqdnAuthentifizierungCertificates

Status values Status values
The following status values can occur
Valid	The ACME certificate is valid
Not yet verified	The ACME certificate still needs to be verified
Internal error	An internal error has occurred	Possible causes: Broken hardware Software error Configuration error
Connection error	No connection possible / present	Check the connection settings
Invalid	The ACME certificate is invalid and cannot be used
DNS error	A DNS error has occurred	Possible causes: wrong token DNS resolution disrupted zone forwarding configured in DNS local DNS zone configured in DNS If there is a zone in the nameserver of the UTM for a domain that also uses the ACME certificate, the DNS resolution fails. Solution: Create a CNAME record for this domain. • Search for the zone under Menu/Applications/Nameserver/Zones • click on Edit • Click on +Add Entry in the window • enter a suitable name under Name:' • select CNAME under Type: • enter the domain under Value:
Banned	The ACME certificate has been revoked	Either it has been manually revoked, or it has lost its validity. For example, the ACME certificate expired and was not renewed.
Initializing	The verification of the ACME certificate is initiated	This can take several minutes. The status is updated regularly.
Deferred	The verification of the ACME certificate is postponed	Refreshing the status will take some time, since the limit of requests was already reached
Initialized	The ACME certificate is being verified	The verification of the ACME certificate is initiated