Let's Encrypt™ certificate authority (CA)

You can use the Let's Encrypt™ CA to create trusted certificates for public domains. The Let's Encrypt CA uses an automated process to create, sign, validate, and renew the certificates. It issues X.509 certificates.

Create Let's Encrypt certificates

To create Let's Encrypt certificates, you must register with the Let's Encrypt CA. You can then generate certificate signing requests (CSRs) to request Let's Encrypt certificates. After the Let's Encrypt CA validates the CSR, it becomes a valid, trusted certificate and is available for use with SFOS features.

The Let's Encrypt CA must communicate with the firewall to validate the CSR. For this communication, the firewall temporarily creates a WAF rule. After the CA validates the CSR, the firewall deletes the rule. So, for the time the CSR is being validated, you may see a WAF rule on the Rules and policies page.

Requirements

The DNS records for all domains in the Let's Encrypt certificate must be public. They must resolve to the firewall's WAN IP address or an IP address routed to the firewall's interface, for example, via a NAT rule or routing for port 80. Use a public DNS checker such as DNS Checker to verify the domains.
The DNS records must resolve to the same IP address for all DNS providers. Avoid different resolutions based on location. Use a public DNS checker such as DNS Checker to verify that addresses for all regions are the same.
Only a single IP address must be in the DNS record. Multiple IP addresses in the DNS record only work if the IP addresses aren't the firewall's WAN IP address, but other firewalls that route HTTP traffic to the firewall.
HTTP port 80 must not be blocked by a firewall rule or upstream device, including GeoIP firewall rules.
Make sure no DNAT rules apply to the public IP address of the firewall's WAN interface on port 80 so that Let's Encrypt's validation request isn't sent to another device.
Make sure there are no SD-WAN routes that route outgoing HTTP traffic to another device that prevents it from reaching Let's Encrypt.
The Let's Encrypt CA is located in many countries, so make sure a GeoIP firewall rule doesn't drop traffic.

Restrictions

You can't use Let's Encrypt certificates for Remote access VPN, Site-to-site VPN, and the Chromebook SSO authentication service.
The firewall supports Let's Encrypt certificates only over IPv4.
During the Let's Encrypt CA validation period for any CSR, the web applications protected by WAF rules will be unavailable through the firewall.

Register with the Let's Encrypt CA

To register, do as follows:

Go to Certificates > Let's Encrypt.
Read the Let's Encrypt subscriber agreement and other terms and conditions. See Policy and Legal Repository.
Click Register account.

When you click Register account, you're acknowledging and agreeing to the Let's Encrypt subscriber agreement.

If the terms of the subscriber agreement change, you must click Register account again to continue to use the Let's Encrypt CA. If you don't register again, your existing certificates aren't renewed and you can't create new ones.

If the agreement changes, the firewall notifies you in the following ways:
- Sends an email notification to the administrator.
- Shows an alert message in Control center.

To deregister, click Deregister account.

Add a Let's Encrypt certificate

To add a Let's Encrypt certificate, see Request a Let's Encrypt certificate.

Automatic certificate renewal

Let's Encrypt certificates are valid for 90 days. The firewall sends a request to the Let's Encrypt CA to renew certificates expiring in less than 30 days. The Let's Encrypt CA then automatically renews these certificates.

Your existing certificates aren't renewed if you deregister with the Let's Encrypt CA.

Warning

Let's Encrypt certificates created with a dynamic IP address during the Early Access Program (EAP) might not automatically renew in the Generally Available (GA) build. Delete such certificates created during EAP and create them again.