Directory URL: Enter the URL of the Automated Certificate Management Environment (ACME) server in the Directory URL field and click Set Directory URL. The default URL is the Let's Encrypt production ACME server: https://acme-v02.api.letsencrypt.org/directory. This can be changed as needed. The LoadMaster supports API version 2 of the ACME protocol.

Email Address (optional): You can register for a Let's Encrypt account by optionally entering your Email Address and clicking Register Account.

Account Key File: If you already have an existing Let's Encrypt account, you can upload the Account Key File by clicking the Choose File button. Navigate to and select the key file. You can retrieve the account key file from other ACME clients that you registered the account with (like Certbot).

Pass Phrase: Enter the passphrase associated with the certificate and click Upload Account Key to link to your existing account.

Once you have successfully registered or linked to your existing Let's Encrypt account, the Manage Let's Encrypt Certificates screen appears.

Renew Period

Let's Encrypt certificates are valid for 90 days. The Renew Period value specifies how many days in advance of certificate expiry you would like the certificate to be renewed. The Renew Period is an account-wide setting. Per-certificate renewal periods are not supported at this time.

The Renew Period is set to 30 days by default. Let's Encrypt recommends renewing certificates 30 days before expiry. Valid values for the Renew Period field range from 1 to 60 (days). The old certificates are replaced and assigned to the HTTPS Virtual Service when the renewal is successful.

You can click Delete ACME Configuration Parameters to remove the ACME account settings.

For more information and instructions, refer to the Let's Encrypt Feature Description.

Request New Certificate

Click Request New Certificate to request a new certificate from the Let's Encrypt CA.

All fields on the Request a New Certificate screen are optional except for Certificate Identifier and Common Name (and you must select a Virtual Service next to the Common Name field).

Certificate Identifier: Enter a unique identifier. The Certificate Identifier value must be unique for all certificates on the LoadMaster.

Common Name: Enter the FQDN of your web server. This is case sensitive. Certificates are only issued to valid hosting domains that you have control over. Select the Virtual Service that is used for this domain. This will be used for the validation challenge to prove ownership of the domain.

Note: A HTTP/HTTPS Layer 7 Virtual Service must be already configured with the ability to add a SubVS (so it should not have any Real Servers added to the parent Virtual Service - but if there are existing SubVSs they can have Real Servers attached). For instructions on how to convert an existing Virtual Service with Real Servers attached to one with SubVSs with Real Servers attached, refer to the Let's Encrypt Feature Description.
Note: A HTTP Redirect Virtual Service must be configured to redirect all port 80 requests to 443 because Let's Encrypt communicates on port 80 to perform the HTTP-01 challenge.
Note: All valid Virtual Services that meet the criteria are listed in the drop-down list.

2 Letter Country Code: Optionally enter the two-letter country code. For a list of valid country codes, refer to the following page: https://www.digicert.com/kb/ssl-certificate-country-codes.htm. If using Let's Encrypt, the 2 Letter Country Code to Email Address fields are truncated.

State/Province: Optionally enter the state or province to include in the certificate. Enter the full name, for example New York (not NY).

City: Optionally enter the city to include in the certificate.

Company: Optionally enter the name of the company to include in the certificate.

Organization: Optionally enter the department or organizational unit that should be contacted regarding this certificate.

Email Address: Optionally enter the email address of the person or organization that should be contacted regarding this certificate.

Generate Elliptic Curve Request: Optionally enable or disable this option. If this is enabled, an Elliptic Curve request is generated instead of an RSA request.

Key Size: Select the algorithm size from the drop-down list. If you are generating an Elliptic Curve (EC) request, the Key Size drop-down is grayed out. The default size of 256 Bits is used for EC requests. If you are generating an RSA request, you can specify the Key Size.

SAN/UCC Names: Enter the Subject Alternative Name (SAN). This must be a valid domain. You can specify up to 10 SANs.

For every SAN you must select a HTTP/HTTPS Layer 7 Virtual Service (you can use the same Virtual Service). For each SAN you must prove your authority to the Let's Encrypt server. A HTTP/HTTPS Virtual Service must be already configured with the ability to add a SubVS (so it should not have any Real Servers added to the parent Virtual Service - but if there are existing SubVSs they can have Real Servers attached). For instructions on how to convert an existing Virtual Service with Real Servers attached to one with SubVSs with Real Servers attached, refer to the Let's Encrypt Feature Description.

Request Certificate: When you are finished setting the relevant fields, click Request Certificate to create a new certificate request using the specified data.

A list of issued certificates and related details is displayed at the bottom of the Let's Encrypt Certs screen. The HTTP Challenge VS(s) column lists the Virtual Service (or Services) that were used for the HTTP challenge. These are not the Virtual Services that the certificates are assigned to.

Once the certificate is issued successfully, it will be listed in Certificates & Security > SSL Certificates. You can then assign it to any HTTPS Virtual Service or use it as an administrative certificate.

Note: When manually assigning a new certificate to a Virtual Service for the first time, the Virtual Service will restart so we recommend doing this outside of working hours.

When Let's Encrypt certificates are renewed, the Virtual Services that have the certificate assigned will be automatically updated with the renewed certificate.

Note: Automatic renewal and updating of certificates is seamless and does not affect Virtual Service traffic.

Certificates are automatically renewed at the number of days specified in the Renew Period before the expiry date of each certificate. You can manually renew the certificate by clicking Renew Certificate.

You can also delete a certificate associated with the domain by clicking Delete Certificate.

Note: If the certificate is used (for example if it is assigned in a Virtual Service or used as an administrative certificate) the Delete Certificate button is grayed out.

You cannot delete or replace Let's Encrypt certificates from the SSL Certificates screen. You can only delete or replace Let's Encrypt certificates from the Let's Encrypt Certs screen. The Replace Certificate and Delete Certificate buttons are grayed out on the SSL Certificates screen for Let's Encrypt certificates.

Note: If you downgrade the LoadMaster from version 7.2.53 (or above) to 7.2.52 (or below), any Let's Encrypt certificates that exist at the time of downgrade are preserved in the downgraded system so that Virtual Service connectivity is not inadvertently affected by the downgrade. However, the automatic certificate management functionality is not available in earlier versions. These certificates are listed on the SSL Certificates page and can be deleted after the downgrade, if needed.

How to Request a Wildcard Certificate

Click Request New Certificate to request a wildcard certificate from the Let's Encrypt Certificate Authority (CA).

The Common Name field supports the use of a wildcard character. For example, *.example1.com matches anything that ends in .example1.com. Once you enter a Common Name beginning with *., the DNS provider Select DNS API drop-down becomes available.

All fields on the Request a New Certificate screen are optional except for Certificate Identifier and Common Name. You must select a Virtual Service and DNS provider (including related credential parameters) next to the Common Name field.

For wildcard certificate validation, the DNS-01 challenge type is used. This requires the addition and removal of temporary DNS records. For automatic DNS record updates during wildcard name validation, you must select your DNS provider from the Select DNS API drop-down list. You must also set the access credential parameters for the selected DNS provider. The fields to fill out vary depending on the selected DNS provider.

The table below lists the required credentials for each supported DNS provider.

| DNS API Provider | Required Credentials | LoadMaster WUI Fields |
|---|---|---|
| CloudFlare | Username (account email address); Global API Key | DNS API Username; DNS API Access Key |
| GoDaddy.com | API Access Key; Secret Key | DNS API Access Key; DNS API access secret/password |
| DNSMadeEasy | API Access Key; Secret Key | DNS API Access Key; DNS API access secret/password |
| NS1.com | API Access Key | DNS API Access Key |
| DigitalOcean | API Access Key | DNS API Access Key |
| Azure-DNS | Subscription ID; Directory (tenant) ID; Application (client) ID; Client Secret Value | DNS API Subscription ID; DNS API Username; DNS API Application ID; DNS API access secret/password |
| Amazon-Route53 | API Access Key; Secret Key | DNS API Access Key; DNS API access secret/password |
| Progress-LM-GEO | DNS URL/Address Endpoint; API Access Key | DNS URL/Address Endpoint; DNS API Access Key |

Note: If you are using CloudFlare, you must use the Global API Key as the API Access Key. Scoped API tokens (User API Tokens) are not currently supported and will result in a DNS API error. Refer to the section Request a Wildcard Certificate of the Let's Encrypt Feature Description for detailed instructions on retrieving the correct key.

When you are finished setting the relevant fields, click Request Certificate to create a new certificate request using the specified data. It can take approximately 25 seconds to generate the certificate request. If the request fails, you must fill out the form again.

A list of issued certificates and related details is displayed at the bottom of the Manage ACME Certificates screen.