KB: 1069

Generate/Issue SSL certificate using Let's Encrypt

Problem Statement

End-user want to issue trusted SSL certificate using Let's Encrypt for FQDN that configured behind the Haltdos WAF to achive below operation

• Secure communication between client and WAF over public internet
• SSL certificate should be issued from trusted certificate authority
• Secure communication using strong SSL protocol and cipher suites
• Perform SSL Offloading for WAF inspection over HTTPs

Pre-requistics

• FQDN (Fully Qualified Domain Name) should be behind Haltdos WAF (for HTTP challenge) and accessible from public internet.
• Haltdos Console login with minimum READ_WRITE access.
• Connectivity based on challenge as follows
  • For HTTP challenge, no geo-filtering policy enforced on the FQDN public IP.
  • For DNS challenge, READ WRITE access to DNS console for create TXT record.

note

• For HTTP challenge, verify no Geo/IP blocking policy on the network and web application firewall to avoid failure of the verification request.

Let's Encrypt issue SSL certificate with validity of 3 months from the date of issue.

SUMMARY

---

1. Login to Haltdos Console
2. Create request to generate SSL certificate for FQDN
3. Choose Let'ts Encrypt challenge
4. Changes for HTTP challenge verification
5. Remove changes after challenge verification
6. Attach issued SSL certificate
7. Verify SSL certificate

---

Solution

1. Login into Haltdos Console.

   

   • Go to Stack > Resources > SSL Certificates

   

2. Create request to generate SSL certificate for FQDN

   • Go to Stack > Resources > SSL Certificate

   • Click on Add Certificate

   • Enter certificate information as follows

     1. Certificate Name: User friendly name of the SSL scertificate

     2. Certificate Domain: Enter (single or wildcard) FQDN of the SSL certificate.

        • Example haltdos.com, *.haltdos.com

     3. Scope: Select visibility of the SSL certificate to target resource such as FQDN or ALL.

   • Click on Let's Encrypt to generate certificate

   • Click on Order Certificate

   

   Note: Keep login session and SSL certificate tab to verify challenge.

 

3. Choose Let'ts Encrypt challenge

   • For DNS challenge, login to DNS console and issue provided DNS record.

     • Login to DNS console

     • Create TXT record with mentioned name and value.

     note

     TXT record should be create while exclusion root domain name.

     For example,
     TXT Record Name: _acme-challenge.example-xyz.haltdos.com
     TXT Record Value: P9-HvCoUm2058

     For this, we have to create DNS record as follows

     Record Type	Record Name	Record Value
     TXT	_acme-challenge	P9-HvCoUm2058

     DNS verification can be performed using command prompt or online DNS checker here.

     • For windows, use nslookup command

       nslookup -type=TXT _acme-challenge.example-xyz.haltdos.com

     • For Linux, use dig command

       dig TXT _acme-challenge.example-xyz.haltdos.com

     Once metioned record value is visible in the public DNS reponse, click on issue certificate. Go to Step 5

   For this demonstration, we will proceed with HTTP challenge. For this, we have to perform WAF policy changes to issue SSL certificate.

   note

   For wildcard domain, only DNS based verification supported

   

4. Changes for HTTP challenge verification

   For HTTP challenge verification, we have to create below changes

   1. Create Web Page with challenge response. To create web page, enter below information

      • WebPage Name - User friendly name
      • Scope - Choose scope of the content to listener

      Paste HTTP challenge content value in the web page and click on Save Changes.
      
      

   2. Create custom security profile in the MITIGATION mode

      Go to Apps > WAF > [Select Listener/FQDN] > Security Profiles

   3. Create custom security profile with below filter

      Property Name	Property Value
      Profile Name	SSL Challenge
      Profile Priority	0
      URI	^\/\.well-known\/
      Application Type	WEBSERVICE

   4. Click on Save Changes

      

   5. Click on Gear icon on the security profile named as SSL Challenge.

      • Disable Signature Validations

      • Change Operation Mode to MITIGATION

      • Click on Save Changes

      • Go to Rules > Firewall Rules

      • Create firewall policy as follows

        Property Name	Property Value
        Rule Name	SSL Challenge
        Rule Description	SSL Challenge
        Rule Priority	0
        URI	.*
        Method	ALL
        Rule Action	Send Custom Response
        Match Condition	Pattern Exists
        Match Pattern	.*

      • Click on Save Changes.

       

      note

      If Redirection policy exists for HTTP to HTTPs or external URL on WAF, perform below change

      Change Match URL parameter:

      ^http://example-xyz.hltdos.com/(.*)$

      to

      ^http://example-xyz.hltdos.com/(?!\.well-known\/)(.*)$

   6. Verify challenge , copy the URL from the Challenge page and open it in the browser.

   

   7. Click on verify challenge and wait for challenge completion.

     We have succesfully issued certificate from Let's Encrypt.

   

5. Remove changes after challenge verification

   • Remove configuration change or DNS record.

 

6. Attach issued SSL certificate

   Go to Apps > WAF > [Select Listener Name] > SSL Settings.

   • Update SSL certificate under SSL Settings of the listener and click on Save changes.

   

 

7. Verify SSL certificate