In this KB article, I'd like to show you how you can use a Raspberry Pi to have a Let’s Encrypt certificate installed on your USG.
We will use an Apache server and the Let’s Encrypt add-on for Apache running on a Raspberry Pi to download a certificate for a certain domain name. We also will use the Pi to update this certificate.
We will export the certificate from the Pi and import it to the USG.
What is the use of a certificate?
With the certificate, you will get rid of the security warnings in your browser. Such as for HotSpot or SSL VPN.
- You need a domain name (DN) (for instance hotspot.hotel-mayer.de)
- If you don't have a static IP, you also have to make sure that your DN is kept up to date,
you could use the DDNS option form your USG: Configuration > Network > DDNS
- If you use your USG in a double NAT scenario, you need to make sure, that HTTP and HTTPS are forwarded to the USG
- You need to know how to use NAT in a proper way
- You need a Raspberry Pi and a SD card for the OS
- A PC with Tera Term or putty and WinSCP installed
- You need to know how to use the SSH terminal on the USG
- The USG has to be at least on FW version 4.30
- Setup the Pi and Apache
- Port forwarding
- Create and export the certificate
- Import the certificate to the USG
- Configure the HTTP to HTTPS redirect properly
1. Setup the Pi and Apache
In this scenario, we only need a command line-based OS for the Pi (Raspbian Stretch Lite)
please download it from the Raspberry Pi website and install it like described in the documentation.
1.1 Enabling SSH and change the password
Now you need to enable SSH. Therefore put the SD card in your computer and put an empty file named “SSH” in the root folder of the SD card.
Once the installation is completed, put the Pi in your network, start it and check, if you can reach it via SSH (for instance with Putty or Tera Term)
Recommendation 1: change the password as described here:
Recommendation 2: Make sure that the Pi will always get the same IP
USG Series - Reserve an IP for a device
1.2 Update the Pi and install Apache-Server
Now we can check for and install updates
sudo apt update && sudo apt upgrade --yes
Once this is done, we can install the Apache server
sudo apt install apache2 --yes
After the installation is finished you should be able to see the Apache's default webpage by browsing to the IP of the Raspberry.
Now its time to reboot the Pi
In the meanwhile, we will set the (temporary) port forwarding to the Pi
2. Port forwarding
In order to have the ports 80 and 443 open to the internet. Below you find how to do the necessary steps
2.1 Change HTTPS port of the USG to e.g. 8443
Now you can access the USG like this: https://192.168.1.1:8443
2.2 Configure port forwarding for HTTP and HTTPS
Please check if you can access your Pi's test-page from the internet
3. Create and export a certificate
Before we can have a Let's Encrypt certificate, we have to install the Let’s encrypt add-on for the Apache. It will help to do the certification of your domain name.
sudo apt install certbot python-certbot-apache --yes
3.2 Generating the first certificate
Now we will generate the first certificate:
sudo certbot --apache
You need to go through the form and fill it out properly. You will be asked if you like to permanently redirect it.
The certificate will be requested and automatically installed on the Apache server.
3.3 Exporting the certificate downloading the certificate
Now you can export the certificate with a time stamp.
sudo openssl pkcs12 -export -out /tmp/myusg_"$(date +"%Y-%m-%d")".p12 -inkey /etc/letsencrypt/live/[your_domain]/privkey.pem -in /etc/letsencrypt/live/[your_domain]/cert.pem
You need to enter a password. Please make sure that you remember the password, you will also need it for the import to the USG.
In order to get the certificate from the Pi, we need to change the access rights for the myusg_[date].p12 file.
sudo chmod 777 myusg[date].p12
Now you can get the file with WinSCP from the /tmp folder.
4. Import the certificate to the USG
4.1 Download and import the Let's Encrypt root and intermediate certificates
In order to the USG trusts the certificate we exported earlier, we have to import the root and intermediate certificates from Let's Encrypt:
Make sure that the certificates are saved as pem-file (for example letsencryptauthorityx3.pem).
Now on the USG, go to Configuration > Objects > Certificates > Trusted certificates and import the root and intermediate certificates.
4.2 Import and activate your certificate
On the USG go to Configuration > Objects > Certificates > My Certificates and import the certificate (You have to enter the password as well)
Go to Configuration > System > WWW under Server Certificate you can now choose your imported certificate.
5. Configure the HTTP to HTTPS redirect properly
5.1 Deactivate the NAT for the Pi
In order to have the ports 80 and 443 free again for the USG, you need to deactivate the NAT for the Pi. Go to Configuration > Network > NAT and find and deactivate the rules that are responsible for the NAT. Do not delete the rules, because you will need them later again.
5.2 Set the USG's HTTPS port back to 443 and set up the HTTP to HTTPS redirect
Go to Configuration > System > WWW and set the HTTPS port back to 443. Make sure that the HTTP redirect is enabled.
5.3 Get rid of the IP-address
Now the USG will use the imported certificate. The "problem" left is that the USG will redirect the HTTP to HTTPS like this:
This will, of course, create a certificate issue. To get finally rid of this message you need to open an SSH session to your USG and enter these commands:
Router> configure terminal
Router(config)# web-auth redirect-fqdn [your_domainname]
Now the redirect will look like this:
Congratulations, you now have a Let's Encrypt certificate running on your USG.
Renew the certificate
Let's Encrypt certificates are valid for 90 days. This means that you have to renew the certificate all three months.
1. Open HTTP and HTTPS ports to the Pi again
a ) change the HTTPS ports from the USG again (Point 2.1)
b ) Reactivate the NAT for HTTP/HTTPS for the Pi (Point 2.2)
2. SSH to the Pi and renew the certificate
Open an SSH session to your Pi and enter this command
sudo certbot renew
This will renew the certificate for another 90 days
3. Export and import the certificate
Now you just need to follow the steps in point 3.3
4. Update the certificate on the USG
Now you proceed with step 4.2
5. Change the ports back
Follow the steps in 5.1 and 5.2
Congratulations, you now have renewed the Let's Encrypt certificate on your USG.
Disclaimer: Please understand that this is only a description of how to have a Let's Encrypt certificate on your USG. If something is wrong with the Raspberry Pi, please understand that we can not give you support regarding any problem with the Pi!