Simplifying Your Site Certificates

July 6, 2017 | July 3rd, 2020

Of all the topics our Support team addresses, questions about security are among the most common. One of the most common security topics is just how to acquire, configure, and install certificates. Certificates are used to verify and encrypt user connections to Ubersmith’s web interface, and can be used to secure incoming and outgoing email. Fortunately, the Internet Security Research Group has taken this complex issue and turned it into a ‘solved problem’ by way of Let’s Encrypt — a free, automated, and open Certificate Authority.

If “free” and “automated” caught your eye, you’re not alone. Purchasing a certificate from a traditional Certificate Authority can be an expensive endeavor. Also, the use of command line tools to generate a private key and certificate signing request — both needed before a certificate can be issued — can be difficult for someone without a technical background. But there’s good news: we’ve updated our deployment process and our installer to automatically request, install, and configure a Let’s Encrypt certificate for your Ubersmith installation. Further to that, we’re fine-tuning an Ansible playbook that will allow you to renew your certificate automatically.

This may seem too good to be true: a free certificate, trusted by many browsers, that will keep itself renewed? Well, there is a little bit of legwork needed before Let’s Encrypt can issue a certificate. First, the host name of your Ubersmith installation will need a DNS ‘A’ or ‘AAAA’ record. This is usually only a concern for brand new installations. Since Let’s Encrypt uses your domain for validation, there needs to be a DNS record for your planned or existing Ubersmith installation. Further, incoming HTTP/HTTPS requests must be allowed from the Internet at large. Let’s Encrypt does not publish a list of source IP addresses that their validation challenge request will originate from, so unfortunately there isn’t a way to limit access via firewall rules. That said, since most of our users have Ubersmith available for client access, this may not pose a problem. One other caveat about Let’s Encrypt certificates is that they expire every 90 days. This makes our Ansible renewal playbook crucial.
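A preflight check for two of the requirements above, a resolvable ‘A’ or ‘AAAA’ record and the 90-day expiry, written as an added example; it is not Ubersmith’s installer or Ansible playbook. The host name, the 30-day renewal threshold and all function names are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_WITHIN_DAYS = 30  # assumption: renew once fewer than 30 of the 90 days remain


def address_records(hostname, resolve=socket.getaddrinfo):
    """Return the A and AAAA addresses that the host name resolves to."""
    records = {"A": set(), "AAAA": set()}
    try:
        answers = resolve(hostname, 80, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return records  # name does not resolve, so domain validation cannot succeed
    for family, _type, _proto, _canon, sockaddr in answers:
        if family == socket.AF_INET:
            records["A"].add(sockaddr[0])
        elif family == socket.AF_INET6:
            records["AAAA"].add(sockaddr[0])
    return records


def days_left(not_after, now):
    """Whole days until expiry; not_after is the date text from `openssl x509 -enddate`."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days


def preflight(hostname, not_after, now, resolve=socket.getaddrinfo):
    """List the problems that would block issuance or call for renewal."""
    problems = []
    records = address_records(hostname, resolve)
    if not records["A"] and not records["AAAA"]:
        problems.append("no A or AAAA record for " + hostname)
    if not_after is not None:  # None means no certificate has been issued yet
        remaining = days_left(not_after, now)
        if remaining < 0:
            problems.append("certificate expired")
        elif remaining < RENEW_WITHIN_DAYS:
            problems.append("renewal due: %d days left" % remaining)
    return problems


if __name__ == "__main__":
    # Constructed sample values; ubersmith.example.com is a placeholder host.
    now = datetime(2017, 9, 20, tzinfo=timezone.utc)
    print(preflight("ubersmith.example.com", "Oct  4 12:00:00 2017 GMT", now))
```

Inbound HTTP/HTTPS reachability has to be tested from outside your own network, so it is not covered by this check.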

If you’re interested in having a Let’s Encrypt certificate issued for your new (or existing!) Ubersmith deployment, make sure you meet the requirements above and get in touch with our Support department. Together we can help make your Ubersmith installation safer for you and your clients.