ACME certificates

notempty

Dieser Artikel bezieht sich auf eine nicht mehr aktuelle Version!

notempty

Der Artikel für die neueste Version steht hier

notempty

Zu diesem Artikel gibt es bereits eine neuere Version, die sich allerdings auf eine Beta-Version bezieht

Last adaptation to the version: 12.6.0

New:

Updated to Redesign of the webinterface

notempty

This article refers to a Beta version

12.5.1 12.4

ACME certificates (Let's Encrypt)

Authentication Certificates Area ACME

Caption	Value	Description	Certificates UTMuser@firewall.name.fqdnAuthentifizierung
Activated:	Yes	Enables the use of ACME certificates. For more information see below Activate ACME service.
Use system-wide nameservers for ACME challenges:	Yes	If the addresses for the servers for the extension of the ACME challenges cannot be resolved via the system-wide nameserver (e.g. due to configured relay or foreward zones), alternative nameservers can be entered by deactivating No.
Nameserver for ACME challenges: Can be used for ACME challenges when system-wide nameserver is disabled	»85.209.185.50»85.209.185.51»2a09:9c40:1:53::1»2a09:9c40:1:53::2	Here you can enter the nameservers for the ACME-Challenges.

Activate ACME service

To be able to use ACME certificates, this must be activated under Authentication Certificates Area ACME Enabled: Yes.

As soon as the service has been activated and this has been saved with Vorlage:Button-dialogue, the link to the terms of use is loaded and the settings can be called up.
With the button Activate Yes and the storage of an Email address for notifications by the ACME service provider (here: Let's Encrypt), the information can be saved with
A dialog will appear with a link to the Terms of Use, which must be accepted Yes.

ACME service On Enable service

As soon as the service has been activated and this has been saved with Vorlage:Button-dialogue, the link to the terms of use is loaded and the settings can be called up.

With the button Activate Yes and the storage of an Email address for notifications by the ACME service provider (here: Let's Encrypt), the information can be saved with

A registration with the ACME service provider is then performed

Successful registration is indicated with the status OK.

Generate token

spDYN To generate the certificates, the ACME token must first be generated in the spDYN portal.
Within the spDYN portal, the corresponding host must be opened.

Call up spDyn Host
Select the ACME Challenge Token from the Token drop-down menu.
Generate token
notempty
The token is displayed once during generation and cannot be displayed again.

The token should be noted and stored safely.

Call up spDyn Host

Select the ACME Challenge Token from the Token drop-down menu.

Generate token
The token is displayed once during generation and cannot be displayed again.
The token should be noted and stored safely.

Renewal of ACME certificates

The renewal of the ACME/Let's Encrypt certificates takes place via the nameservers used, which are configured under Authentication Certificates Area ACME (see above)

ACME Certificates

After completing the previous steps, the actual certificate can now be generated. A click on Add ACME certificate in the Certificates tab opens the corresponding dialog.

Status	Description	Note
Caption	Value	Description	Add ACME certificate UTMuser@firewall.name.fqdnAuthentifizierungCertificates Add ACME certificate
Add ACME certificate UTM Dialog Authentication Certificates Area Certificates button Add ACME certificate
Name:	acme_ttt-Point	Name to identify the certificate
Key length:	2048	Key length of the certificate. Possible values:
ACME Account:	Let's Encrypt	ACME account which should be used

Subject Alternative Name configure with Add SAN Add Subject Alternative Name
Subject Alternative Name:	»ttt-point.spdns.org	The Subject Alternative Name ('SAN) is stored in the certificate and corresponds to the called URL	Add SAN UTMuser@firewall.name.fqdnAuthentifizierungCertificates Add Subject Alternative Name
Subject Alternative Name:	»*.ttt-point.spdns.org	Wildcard SANs can also be used. Wildcard certificates are strongly recommended for use with a captive portal If a forward zone is required for the captive portal in the nameserver and an A record is then entered for it, this is no longer resolved in the public DNS. Verification and renewal of an ACME certificate with this name will then fail.
Alias:	ttt-point.spdns.org	If the SAN is a spDYN hostname it is automatically taken on as alias. (Also for wildcard domains without * )
Token:	•••••••••••••	The token from the spDYN portal (see above) proves to the ACME service that you are allowed to dispose of the hostname. displays the token. When inserting the token from the clipboard it can happen that there are blanks before or after the actual token. These must be removed.

Check configuration Check configuration
Status:	Not yet checked	Before the actual generation of the certificate, the configuration must first be checked. This is done by clicking on the Check configuration button.	Add ACME certificate UTMuser@firewall.name.fqdnAuthentifizierungCertificates
	initialize Initializes	The check can take several minutes. During this process, the dialog is updated regularly.
	Valid	If the check is successful, the status Valid is displayed.
	DNS error	Possible causes: Wrong token DNS resolution disturbed zone forwarding configured in DNS local DNS zone configured in DNS If there is a zone in the nameserver of the UTM for a domain that also uses the ACME certificate, the DNS resolution fails. Solution: Create a CNAME record for this domain. • Search for the zone under Menu/Applications/Nameserver/Zones • click on Edit • Click on +Add Entry in the window • enter a suitable name under Name:' • select CNAME under Type: • enter the domain under Value:

Configure subject alternative name for an external DNS zone with Add SAN Add SAN for external DNS zone
Subject Alternative Name:	ttt-point.anyideas.org	The Subject Alternative Name (SAN) from the external DNS zone.	Add SAN UTMuser@firewall.name.fqdnAuthentifizierungCertificates
Alias:	ttt-point.spdns.org	The alias must also be the spDYN name for the external DNS.
DNS Provider	Basically, an additional CNAME record with the prefix _acme-challenge and the subsequent host name must be created at the DNS provider hosting the external zone (here: ttt-point.anyideas.org). _acme-challenge.ttt-point.spdns.org. (With "." at the end!) An example excerpt from a Zonefile for the configuration of the two hostnames mx.ttt-point.de and exchange.ttt-point.de looks like this: _acme-challenge.mx.ttt-point.anyideas.org. IN CNAME _acme-challenge.ttt-point.spdns.org. _acme-challenge.exchange.ttt-point.anyideas.org. IN CNAME _acme-challenge.ttt-point.spdns.org. The hostname must be resolvable in the public DNS. Certificate creation for .local, .lan, etc. zones is not possible. The UTM must be able to resolve the host name correctly via external nameservers. notempty If the internal and the external/public domain are identical, the zone must also be delegated to the internal DNS.

Check configuration	Additional SANs can be added and checked as long as the Save button has not been pressed.		Add ACME certificate UTMuser@firewall.name.fqdnAuthentifizierungCertificates

Status:	Valid	Once all the required SANs have been successfully checked, the certificate can be saved.	Add ACME certificate UTMuser@firewall.name.fqdnAuthentifizierungCertificates
	notempty Once the certificate has been saved, no more changes can be made. Only the alias and the token can be changed for existing SANs. If additional or different SANs are required, a new certificate must be created and the existing one has to be revoked.

Creation of the ACME certificate Creation of the ACME certificate
	If the previous steps have been completed successfully, the actual process for validating and generating the certificate is triggered by clicking Save. This process may take some time. To update the status, the dialog must be reloaded manually.		Certificates UTMuser@firewall.name.fqdnAuthentifizierungCertificates

Status values Status values
The following status values can occur
Valid	The ACME certificate is valid
Not yet verified	The ACME certificate still needs to be verified
Internal error	An internal error has occurred	Possible causes: Broken hardware Software error Configuration error
Connection error	No connection possible / present	Check the connection settings
Invalid	The ACME certificate is invalid and cannot be used
DNS error	A DNS error has occurred	Possible causes: wrong token DNS resolution disrupted zone forwarding configured in DNS local DNS zone configured in DNS If there is a zone in the nameserver of the UTM for a domain that also uses the ACME certificate, the DNS resolution fails. Solution: Create a CNAME record for this domain. • Search for the zone under Menu/Applications/Nameserver/Zones • click on Edit • Click on +Add Entry in the window • enter a suitable name under Name:' • select CNAME under Type: • enter the domain under Value:
Banned	The ACME certificate has been revoked	Either it has been manually revoked, or it has lost its validity. For example, the ACME certificate expired and was not renewed.
Initializing	The verification of the ACME certificate is initiated	This can take several minutes. The status is updated regularly.
Deferred	The verification of the ACME certificate is postponed	Refreshing the status will take some time, since the limit of requests was already reached
Initialized	The ACME certificate is being verified	The verification of the ACME certificate is initiated

ACME certificates (Let's Encrypt)

Activate ACME service

Generate token

Renewal of ACME certificates

ACME Certificates

Add ACME certificate

Add Subject Alternative Name

Check configuration

Add SAN for external DNS zone

Creation of the ACME certificate

Status values