Let’s Encrypt

Systems which can be accessed from the Internet such as web servers and mail servers require a certificate signed by a certificate authority (CA). In the past, such certificates were very expensive. Let’s Encrypt makes it possible to issue SSL/TLS certificates to receive valid certificates for the Internet free of charge and automatically.

All the while, the certification entity keeps the administrative efforts required on the part of the users as low as possible by allowing the HTTPS server to request certificates autonomously with minimal configuration.

The generated certificates can be integrated in Apache, Dovecot, and Postfix automatically with the app and also used for SSL/TLS-encrypted communication with other services.

Further special features of Let’s Encrypt include the fully automated process for the issuing and validation of a requested certificate on the one hand and the complete transparency throughout the transactions, which renders abuse very difficult, on the other.

Functions based on the ACME protocol

Let’s Encrypt’s function is based on the Automated Certificate Management Environment (ACME) protocol, which the Internet Security Research Group (ISRG) developed especially for the Let’s Encrypt project. It is based on JSON and HTTPS, plus it has already been implemented in a wide variety of types and a large number of clients.

ACME and Let’s Encrypt – Creation and validation of pairs of keys

In the first step, the ACME client generates an “authorized pair of keys” together with the Let’s Encrypt server for the respective domain, which is authorized to request or return a certificate for this domain. To do so, the client creates a certificate signing request (CSR), signs it with its key, and sends it to Let’s Encrypt. In the second step, the pair of keys is validated with the help of a challenge.

Creating secure certificates in UCS with the Let’s Encrypt client

In the Let’s Encrypt app, Univention offers a largely automated integration of a Let’s Encrypt client. Following the installation of the app in UCS, you only need to use the app settings in the App Center to enter the desired domains and configure the use of the certificate in Apache, Dovecot, and Postfix.

A cron job installed at the same time automatically updates your certificate every 30 days to ensure that there is always a valid certificate on your system.

The “acme-tiny” client used was not created by Univention and the app only operates on the server on which it is installed. This must be accessible from the Internet via the desired domain.

The following services are already integrated:

• Apache
• Postfix
• Dovecot