| Chapter 6. Automated Certificate Management Environment (ACME) | ||
|---|---|---|
 |  | |
| Chapter 6. Automated Certificate Management Environment (ACME) | ||
|---|---|---|
| | | |
Table of Contents
ACME is an automated mechanism for communicating with certificate authorities (CAs) to issue and renew digital certificates. It is described in RFC 8555 and most commonly used with LetsEncrypt - a non-profit CA run by the Internet Security Research Group.
The FireBrick requires digital certificates to provide various services, for example HTTPS access to the FireBrick user interface
and IPSec
.
If ACME is configured, its certificates are used wherever appropriate.
Renewal happens automatically, but you can lock down when this happens (e.g. to a particular time of day) by setting an acme-profile.
The first step in acquiring a LetsEncrypt certificate is to ensure the FireBrick can be accessed via port 80 on a public IP address using a proper public hostname. Once you have done this, simply add the hostname to the acme-hostname field, and your email address in the acme-terms-agreed-email field, in the system config. This will cause an automatic ACME certificate issue using Let's Encrypt, adding private key pairs for the letsencrypt.org account and the domain and then adding the certificate and any intermediate certificates.
If you don't specify an email address, the FireBrick will assume you are attempting to use an existing account, which is usually not desirable. However, if this is what you intend see Section 6.1.3.3 for further instructions.
acme-terms-agreed-email field you are indicating that you agree to the terms and conditions of the Certificate Authority being used.
This may include them publishing a list of certified domain names, and sending emails for changes of terms, etc.
There are many things that could stop ACME working. The user interface (System/Certificates page) shows the progress of the process. We recommended you set log-acme in the system-settings config, so that you're made aware of any problems in automatically renewing certificates (we generally use the email option). There's also a log-acme-debug setting to allow more detailed logging of the process.
As per the recommendations for setting up firewall rules, you don't generally need to firewall traffic to the FireBrick itself, but instead you can use the allow and local-only controls on various FireBrick services. If you do firewall (either on the FireBrick itself or externally) you will need to allow port 80 access to the FireBrick's public IP even when the services are set to HTTPS only, so as to allow the ACME process to validate your FireBrick.
There are 2 types of keys involved in the ACME process, one for the account and the other for the domain. If you do not load your own keys, the FireBrick makes keys internally. But if you wish to load your own private keys, and allow ACME renewal of certificates, you can do this from the FireBrick user interface on the System / Certificates page.
The keys need to have a name in the same way as the automatically generated keys, i.e. one for the account with the CA, e.g. letsencrypt.org and one matching the hostname for the certificate. If such keys exist then they are used instead of making new keys when requesting a certificate. At present these must be RSA keys.
The automatic generation of keys can also be disabled by setting acme-account-keygen and acme-domain-keygen to "false". This can help to ensure you're definitely using the keys you have uploaded.
The certificate generation / upload process is explained more in Section 14.1.4.
If you wish to use a provider other than LetsEncrypt this can be set up by specifying their directory in the acme-directory option.
If you have an existing account that you wish to reuse (rather than automatically creating a new one) then you will need to upload your account key.
You will likely also want to disable acme-account-keygen to prevent the FireBrick trying to create a key for you.
acme-terms-agreed-email field the FireBrick will send requests specifying the intention to reuse an existing account and will fail if one has not been set up.
By default, during the ACME update process, the FireBrick will allow port 80 TCP connections (temporarily bypassing the allow settings) but only for the special ACME validation URL and only for the few seconds needed to validate your device. This means access to the config pages always respects the allow and trusted settings at all times, even if accepting TCP port 80 briefly for one specific ACME URL. This feature can be disabled, but may stop the automatic certificate renewal process from working.
In addition, if a profile is set up as a control switch, and named as fb- followed by the certificate authority, e.g. fb-letsencrypt.org then this profile is activated at the start of the validation phase, and deactivated at the end. This can be used (with care) to allow specific firewall rules during certificate renewal.
| | | |
| 5.8. Using Profiles |  | Chapter 7. Interfaces and Subnets |