
Do you support FREE SSL Certificates from Let’s Encrypt?


Yes, absolutely. There are no issues using their SSL certificates on our platform for Load Balancing or the Web Application Firewall. In fact, we already have the Let’s Encrypt Authority Intermediate certificate loaded into our repository and ready for your use.  You can upload certificates manually through our UI, or you can automate/script the entire process using our API. Here are some pointers to get you started.

First, a quick reference to the Let’s Encrypt documentation

Next, it’s important to note that automating SSL Certificate installation using our API is a multi-step process. This is true whether you use Let’s Encrypt or any other type of certificate. So the steps outlined below will work for anything.

You must of course obtain the certificate and key from Let’s Encrypt using their API first. We won’t outline how to do that here since there are a few different ways of going about that, especially when it comes to the ACME client implementation to validate domain control. We’ll just assume you have the cert and key and you’re now ready to start adding them to our platform.

Here are the steps along with links to the API documentation:

  1. Upload the Key file
  2. Upload the Certificate
  3. Pair the Certificate and Key together
  4. Link the cert/key pair to the intermediate
    (hint, the ID for the Let’s Encrypt Intermediate is 5CC5F029-23DB-4802-87F1-2316E9AA5DD8)
  5. Attach the cert/key pair to your config/pack

That’s it!  Of course, every 90 days the Let’s Encrypt certificate will expire, so you will need to obtain a new one, upload it using the above process and remove the old. We recommend doing this a little earlier than 90 days to ensure you don’t have any issues. For the renewal process, we highly recommend the following process:

  1. First, add the new key, cert, pair them and link to the intermediate as outlined in the 3 steps above. NOTE: If you generated a new key then you’ll upload the new key, of course. If you’re using the same key as before, you can skip uploading the key again and simply reference the prior one. In our opinion, why not generate a new key? It makes things more secure and somewhat simplifies the whole process.
  2. Next, detach the old cert/key pair from the config/pack
  3. Now attach the new cert/key pair to the config/pack
  4. If successful, unlink the old cert/key pair from the intermediate
  5. Delete the old cert/key pair
  6. Delete the old certificate to clean things up
  7. Delete the old key to clean things up

Following the above renewal process results in near-zero impact to your SSL traffic. We highly recommend this process for two reasons. First, if your new certificate does not work after step 3 above, you can detach it and put the old one back. Secondly, if you detach the existing cert/key pair from your pack before uploading the new ones, you create a much greater downtime window.
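The renewal order and its rollback path can be sketched as follows. This is an added example, not our API or code from our documentation: every method called on `api` is a hypothetical placeholder to be mapped to the matching documented endpoint, `RecordingApi` is a constructed stand-in, and `healthy` is an assumed caller-supplied check. It covers the new-key case only.

```python
# Added example. Every method called on `api` is a HYPOTHETICAL placeholder,
# not the platform's real API; map each to the matching documented endpoint.
LE_INTERMEDIATE_ID = "5CC5F029-23DB-4802-87F1-2316E9AA5DD8"  # ID given on this page


class RecordingApi:
    """Constructed stand-in: records each call name and returns a made-up ID."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(*args):
            self.calls.append(name)
            return f"{name}-{len(self.calls)}"
        return call


def rotate(api, pack_id, old, new_key_pem, new_cert_pem, healthy):
    """Replace the pair in old = {"key_id", "cert_id", "pair_id"}.

    healthy() is a caller-supplied probe (e.g. a TLS handshake against the
    service) that returns True when the new certificate is being served.
    """
    # Renewal step 1: stage the new objects. Live traffic is untouched.
    key_id = api.upload_key(new_key_pem)
    cert_id = api.upload_cert(new_cert_pem)
    new_pair = api.pair(cert_id, key_id)
    api.link_intermediate(new_pair, LE_INTERMEDIATE_ID)

    # Steps 2-3: the only window in which the pack has no certificate.
    api.detach(pack_id, old["pair_id"])
    attached = False
    try:
        api.attach(pack_id, new_pair)
        attached = True
        ok = healthy()
    except Exception:
        ok = False

    if not ok:
        # Roll back. Possible only because nothing old has been deleted yet.
        if attached:
            api.detach(pack_id, new_pair)
        api.attach(pack_id, old["pair_id"])
        return {"active": old["pair_id"], "rolled_back": True}

    # Steps 4-7: the new pair is serving, so retire the old objects.
    api.unlink_intermediate(old["pair_id"], LE_INTERMEDIATE_ID)
    api.delete_pair(old["pair_id"])
    api.delete_cert(old["cert_id"])
    api.delete_key(old["key_id"])
    return {"active": new_pair, "rolled_back": False}
```

With the recording stand-in, `api.calls` shows the order of operations for both the successful and the rolled-back run, which makes the sequence easy to check before wiring in real requests.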

Hopefully all of this helps you get started. We can’t help you write your code, but if you run into any issues, don’t hesitate to reach out to us. We’ll do our best to help you as much as we can!
