Of all the topics our Support team addresses, questions about security are among the most common. One of the most common security topics is just how to acquire, configure, and install certificates. Certificates are used to verify and encrypt user connections to Ubersmith’s web interface, and can be used to secure incoming and outgoing email. Fortunately, the Internet Security Research Group has taken this complex issue and turned it into a ‘solved problem’ by way of Let’s Encrypt — a free, automated, and open Certificate Authority.
If “free” and “automated” caught your eye, you’re not alone. Purchasing a certificate from a traditional Certificate Authority can be an expensive endeavor. Also, the use of command line tools to generate a private key and certificate signing request — both needed before a certificate can be issued — can be difficult for someone without a technical background. But there’s good news: we’ve updated our deployment process and our installer to automatically request, install, and configure a Let’s Encrypt certificate for your Ubersmith installation. To accomplish this, we’ve leveraged a wonderful tool provided by the Electronic Frontier Foundation called “certbot”.
This may seem too good to be true: a free certificate, trusted by many browsers, that keeps itself renewed? Well, there is a little bit of legwork needed before Let’s Encrypt can issue a certificate. First, you must be able to prove your domain ownership to the Let’s Encrypt certificate provisioning service. The most common way to prove ownership is via an HTTP request to your Ubersmith host – referred to as a “challenge” in Let’s Encrypt’s terminology. Your Ubersmith installation will need a DNS ‘A’ or ‘AAAA’ record configured using the domain you plan to secure. This configuration step is usually only a concern for brand new installations. Further, incoming HTTP/HTTPS requests must be allowed from the Internet at large. Let’s Encrypt does not publish a list of source IP addresses that their validation challenge request will originate from, so unfortunately there isn’t a way to limit access via firewall rules.
If you have strict access requirements to your Ubersmith environment, and external HTTP access is not allowed, there are other means to prove your identity that may be more suitable. Be aware that Let’s Encrypt certificates expire every 90 days. This is different from other Certificate Authorities you may have worked with in the past. Fortunately, Ubersmith is configured to keep your certificates renewed using the “certbot” tool.
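The DNS and inbound HTTP prerequisites described above can be checked before a certificate is requested. The following is an added example, not part of Ubersmith's installer or certbot; the function name `http01_preflight` and its injectable `resolve` and `connect` parameters are assumptions made so the check can be exercised without network access.

```python
import ipaddress
import socket


def http01_preflight(domain, resolve=socket.getaddrinfo,
                     connect=socket.create_connection, timeout=5):
    """Return a list of problems that would block HTTP validation of `domain`.

    An empty list means every address the name resolves to is public and
    accepts connections on port 80. Run it from a machine outside your own
    network: a local connection can succeed even when the firewall blocks
    the Internet at large.
    """
    try:
        infos = resolve(domain, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return [f"{domain}: no A or AAAA record resolves ({exc})"]

    # sockaddr is the fifth field; strip any IPv6 scope id such as %eth0.
    addresses = sorted({info[4][0].split("%")[0] for info in infos})
    if not addresses:
        return [f"{domain}: no A or AAAA record resolves"]

    problems = []
    for addr in addresses:
        # The validation request arrives from the public Internet, so a
        # private, loopback or link-local record can never be reached.
        if not ipaddress.ip_address(addr).is_global:
            problems.append(f"{addr}: not a public address")
            continue
        try:
            connect((addr, 80), timeout=timeout).close()
        except OSError as exc:
            problems.append(f"{addr}: port 80 refused or filtered ({exc})")
    return problems


if __name__ == "__main__":
    # Constructed placeholder name; replace with the domain you plan to secure.
    for line in http01_preflight("ubersmith.example.test") or ["ready"]:
        print(line)
```

A name with both A and AAAA records is checked on every address, since validation can fail if any one of them is unreachable.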
If you’re interested in having a Let’s Encrypt certificate issued for your new (or existing!) Ubersmith deployment, please get in touch with our Support department. Together we can help make your Ubersmith installation safer for you and your clients.