How It Works
- Last Updated: March 23, 2026
Let's Encrypt uses a challenge-based protocol: a certificate is issued only after you prove that you control the FQDN. Progress Kemp supports the HTTP-01 challenge method, which means that Let's Encrypt will try to access the Virtual Service (potentially multiple times from multiple vantage points). Refer to the following page for further details on the Let's Encrypt HTTP-01 challenge: Challenge Types.

The steps below are all performed automatically by the LoadMaster after you request a new certificate. This makes the process easy and no server-side modifications are required.
- The LoadMaster sends a request for the certificate.
- A token must then be placed in a specific location on the web server. This is the purpose of the Virtual Service that is selected when requesting a new certificate: the challenge is served by the HTTP/HTTPS Layer 7 Virtual Service. Let's Encrypt provides a filename.
- The path of the token file is included in the Match String of a content rule that is automatically created.
- The LoadMaster automatically creates a SubVS in the selected Virtual Service.
- The content rule is automatically assigned to this SubVS. This content rule will have first precedence. The Virtual Service is served through an error page (200 OK).
- After the certificate issuing process is complete, the content rule and SubVS that were automatically created to perform the challenge are automatically deleted.
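The flow above, modelled as an added example (not LoadMaster code): it builds the HTTP-01 response body, serves it from a temporary exact-match rule, and shows that every other path falls through and that the rule stops answering once deleted. Assumptions: the `/.well-known/acme-challenge/` prefix and the key-authorization format come from RFC 8555 and RFC 7638 rather than this page, `TemporaryChallengeRule` is a hypothetical stand-in for the auto-created content rule and SubVS, and the token and account key are constructed sample values.

```python
import base64, hashlib, json, re

ACME_PREFIX = "/.well-known/acme-challenge/"  # HTTP-01 path from RFC 8555, not from this page
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")  # base64url only, at least 128 bits

# Constructed sample values (not a real token or account key).
SAMPLE_TOKEN = "constructedTokenForIllustration0123456789_-"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "use": "sig",
              "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}

def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def key_authorization(token, account_jwk):
    """Body the CA expects at the token path: token + '.' + account key thumbprint."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token must be base64url; refusing to build a path from it")
    return token + "." + jwk_thumbprint(account_jwk)

class TemporaryChallengeRule:
    """Hypothetical model of the auto-created content rule and SubVS."""
    def __init__(self, token, account_jwk):
        self.body = key_authorization(token, account_jwk)  # validates the token first
        self.match_string = ACME_PREFIX + token
        self.active = True

    def handle(self, path):
        # First precedence, but exact match only: every other request
        # falls through (None) to the Virtual Service's normal rules.
        if self.active and path == self.match_string:
            return 200, self.body
        return None

    def delete(self):
        self.active = False  # mirrors the cleanup once issuance completes

def ca_accepts(rule, token, account_jwk):
    """What a validating vantage point checks: 200 and the exact key authorization."""
    response = rule.handle(ACME_PREFIX + token)
    if response is None:
        return False
    status, body = response
    return status == 200 and body.rstrip() == key_authorization(token, account_jwk)
```

Because the rule takes first precedence, the exact-match comparison is what keeps it from shadowing any other URL on the Virtual Service while the challenge is pending.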