
Using Let's Encrypt

By default, the Lantronix Control Center does not ship with an HTTPS certificate, which often results in a strongly worded browser warning when you connect to it for the first time. Customers may choose to install their own HTTPS certificate, but if that is not an option, Let's Encrypt can be used instead.

Requirements

Let's Encrypt is not intended for servers in a private network with no access to the public internet.

  • The CC must have a publicly accessible IP address (direct, NAT, DMZ, etc.)
  • Ports 80 and 443 on that address must be reachable from the internet
  • The CC's DNS must resolve acme-v02.api.letsencrypt.org
  • The CC must be able to reach acme-v02.api.letsencrypt.org
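The following pre-flight script is an added example and is not part of the Lantronix documentation. It checks the four requirements above from the CC's shell: that the ACME hostname resolves, that the ACME directory is reachable over HTTPS, and that something is listening locally on ports 80 and 443. It assumes getent, ss and curl are installed on the CC; the local listener check cannot prove that a NAT or firewall actually forwards those ports from the internet, which still has to be verified from outside.

```bash
#!/bin/bash
# Added pre-flight check for the Let's Encrypt requirements (not Lantronix code).
# Assumptions: getent, ss and curl are available on the CC.
set -u

ACME_HOST=acme-v02.api.letsencrypt.org   # the ACME endpoint named in the requirements

# Constructed sample of "ss -ltn" output, used for offline testing of the parser.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      100    *:443               *:*
LISTEN 0      100    [::]:80             [::]:*'

# resolves HOST -> exit 0 if the CC's resolver can look up HOST
resolves() { getent hosts "$1" >/dev/null; }

# reachable HOST -> exit 0 if the ACME directory answers over HTTPS within 10s
reachable() { curl -fsS --max-time 10 "https://$1/directory" >/dev/null; }

# listening_ports < ss_output -> prints every local TCP port in LISTEN state
# (column 4 is "addr:port"; the port is whatever follows the last colon,
#  which also handles IPv6 forms such as [::]:80)
listening_ports() {
    awk 'NR > 1 && $1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# port_listening PORT SS_OUTPUT -> exit 0 if PORT appears among the listeners
port_listening() {
    printf '%s\n' "$2" | listening_ports | grep -qx "$1"
}

# preflight -> prints one ok/FAIL line per requirement, exit 1 if any failed
preflight() {
    local rc=0 ss_out p
    ss_out=$(ss -ltn)
    for p in 80 443; do
        if port_listening "$p" "$ss_out"; then
            echo "ok   port $p is listening locally (NAT/firewall still needs an external check)"
        else
            echo "FAIL nothing is listening locally on port $p"; rc=1
        fi
    done
    if resolves "$ACME_HOST"; then echo "ok   $ACME_HOST resolves"
    else echo "FAIL DNS cannot resolve $ACME_HOST"; rc=1; fi
    if reachable "$ACME_HOST"; then echo "ok   $ACME_HOST is reachable over HTTPS"
    else echo "FAIL cannot reach https://$ACME_HOST/directory"; rc=1; fi
    return $rc
}

# Usage: ./preflight.sh run   (no argument: only define the functions)
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

Run it as root on the CC before editing www_csr.params; a FAIL on the DNS or reachability line means the ACME validation in acmeCertificate.sh will not succeed either.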

Configuration

Log into the CC and become root.

Edit /uplogix/embassy/data/www_csr.params and ensure the following properties are set. Replace the example hostnames shown below with the CC's actual hostname and its alternate hostnames, if any.

_csr_CN=hostname.example.com
_csr_san=hostname.example.com

Verification

Once configuration is complete, run the following command to generate and import the certificate for Tomcat. Note the date and time at which the command finishes; it is compared against the certificate's validity period in the next step.

[root@LantronixControlCenter ~]# /uplogix/embassy/scripts/acmeCertificate.sh www
Generating RSA private key, 4096 bit long modulus (2 primes)
.................................................................................................................................................................................................................................................................................................................................................++++
.......................................................................................................................................................................................................................................................................++++
Generating new 2048-bit key pair.
Parsing account key...
Parsing CSR...
Found domains: hostname.example.com
Getting directory...

If no errors are encountered, restart CC services.

[root@vCC-Eval ~]# ucc restart
Shutting down Lantronix MatchMaker: er:                      [  OK  ]
Stopped Lantronix MatchMaker.
Updating settings in /usr/tomcat/webapps/ROOT/WEB-INF/classes/database.xml
Updating settings in /uplogix/envoy/config/oracleDatabase.xml
Updating settings in /uplogix/envoy/../matchmaker/config/database.xml
Updating ehcache file
Starting Lantronix Control Center:                           [  OK  ]
Starting Lantronix Migration:                                [  OK  ]
Starting Lantronix MatchMaker:                               [  OK  ]

Once the CC has restarted, open the web interface in a browser and examine the certificate. Confirm that it was issued by Let's Encrypt and that the start of its validity period approximately matches the time at which the acmeCertificate.sh script finished.

Renewing

Let's Encrypt certificates are only valid for 90 days. You can renew them manually or through a cron job.

Manually

To renew the certificate manually, run the /uplogix/embassy/scripts/acmeCertificate.sh script again.

[root@LantronixControlCenter ~]# /uplogix/embassy/scripts/acmeCertificate.sh www
Initializing crypto.
Generating new 2048-bit key pair.
Parsing account key...
Parsing CSR...
Found domains: hostname.example.com
Getting directory...

Automatically

You can automatically renew the certificate through the use of a script and cron.

Create a script in /root called renewCert.sh and add the following lines.

[root@LantronixControlCenter ~]# cat renewCert.sh 
#!/bin/bash
/uplogix/embassy/scripts/acmeCertificate.sh www

Make the script executable with the chmod command.

[root@LantronixControlCenter ~]# chmod +x renewCert.sh 

Run crontab -e and add the following line:

0 5 */90 * * /root/renewCert.sh > /dev/null 2>&1

You can verify the cron job has been added with crontab -l.

[root@LantronixControlCenter ~]# crontab -l
0 5 */90 * * /root/renewCert.sh > /dev/null 2>&1
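The script below is an added example covering both the verification step (issuer and validity of the certificate the CC is actually serving) and the renewal job; it is not the renewCert.sh from this page. Two practical points motivate it: a day-of-month field of */90 in cron can only ever match day 1 (the field runs 1 to 31), so the page's crontab entry fires on the first of each month rather than every 90 days, and the > /dev/null 2>&1 redirect hides a failed renewal until the browser warning comes back. The script instead runs daily, renews only when fewer than RENEW_WITHIN_DAYS of validity remain, and logs every run to a file and to syslog. It assumes openssl, logger and GNU date are present on the CC, that the CC serves HTTPS on localhost:443, and that a ucc restart is needed for Tomcat to load the renewed certificate (as in the initial setup); acmeCertificate.sh and ucc are the page's own commands.

```bash
#!/bin/bash
# Added example (not the page's renewCert.sh): verify the live certificate and
# renew it only when it is close to expiry, logging the outcome.
# Assumptions: openssl, logger and GNU date exist on the CC; HTTPS is on CC_HOST:CC_PORT;
# LOG is writable by root. ACME_SCRIPT and "ucc restart" come from the page.
set -u

ACME_SCRIPT=/uplogix/embassy/scripts/acmeCertificate.sh
CC_HOST=${CC_HOST:-localhost}
CC_PORT=${CC_PORT:-443}
RENEW_WITHIN_DAYS=${RENEW_WITHIN_DAYS:-30}     # Let's Encrypt certs last 90 days
LOG=${LOG:-/var/log/renewCert.log}

# days_left NOT_AFTER_EPOCH NOW_EPOCH -> whole days of validity remaining (negative once expired)
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# should_renew NOT_AFTER_EPOCH NOW_EPOCH THRESHOLD_DAYS -> exit 0 when renewal is due
should_renew() {
    [ "$(days_left "$1" "$2")" -lt "$3" ]
}

# issued_by_letsencrypt ISSUER_LINE -> exit 0 when the "issuer=..." line names Let's Encrypt
issued_by_letsencrypt() {
    case "$1" in *"Let's Encrypt"*) return 0 ;; *) return 1 ;; esac
}

# live_cert -> prints the PEM certificate the CC presents on CC_HOST:CC_PORT
live_cert() {
    echo | openssl s_client -connect "$CC_HOST:$CC_PORT" -servername "$CC_HOST" 2>/dev/null \
        | openssl x509 2>/dev/null
}

# check -> prints issuer and validity dates; exit 1 unless Let's Encrypt issued the certificate
check() {
    local pem issuer
    pem=$(live_cert) || { echo "could not fetch certificate from $CC_HOST:$CC_PORT"; return 1; }
    issuer=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
    echo "$issuer"
    printf '%s\n' "$pem" | openssl x509 -noout -dates    # notBefore should match when the script finished
    issued_by_letsencrypt "$issuer" || { echo "certificate was NOT issued by Let's Encrypt"; return 1; }
}

# renew -> renew when fewer than RENEW_WITHIN_DAYS remain; every run is logged
renew() {
    local stamp now not_after expiry left
    stamp=$(date -u +%FT%TZ)
    now=$(date -u +%s)
    not_after=$(live_cert | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
    if [ -z "$not_after" ]; then
        echo "$stamp could not read certificate from $CC_HOST:$CC_PORT" >> "$LOG"
        logger -t renewCert "could not read certificate, see $LOG"
        return 1
    fi
    expiry=$(date -u -d "$not_after" +%s)
    left=$(days_left "$expiry" "$now")
    if ! should_renew "$expiry" "$now" "$RENEW_WITHIN_DAYS"; then
        echo "$stamp $left days left, nothing to do" >> "$LOG"
        return 0
    fi
    echo "$stamp $left days left, renewing" >> "$LOG"
    # "ucc restart" mirrors the initial-setup step above; drop it if acmeCertificate.sh
    # already reloads Tomcat on its own (assumption, not stated on the page).
    if "$ACME_SCRIPT" www >> "$LOG" 2>&1 && ucc restart >> "$LOG" 2>&1; then
        logger -t renewCert "certificate renewed with $left days left"
    else
        logger -t renewCert "certificate renewal FAILED, see $LOG"
        return 1
    fi
}

# Usage: renewCert.sh check   (verification step)
#        renewCert.sh renew   (daily cron entry: 0 5 * * * /root/renewCert.sh renew)
case "${1:-}" in
    check) check ;;
    renew) renew ;;
esac
```

Running renewCert.sh check right after the initial ucc restart reproduces the browser verification from the shell: the issuer line should name Let's Encrypt and notBefore should sit within a few minutes of when acmeCertificate.sh finished. With the daily cron entry from the usage comment, a renewal that fails repeatedly shows up in syslog and in the log file well before the certificate actually expires.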