NetworkingWork

Let’s Encrypt Untangle!

Also known as “I want a free SSL Cert on my Firewall”

Untangle is a great firewall whether in use at home, at work or at school, but to protect the web GUI with an SSL certificate that browsers trust automatically you always had to buy one from a public CA. Untangle offers a self-signed cert option and this works fine for most cases, but in a shop environment where PDQ machines are in use and PCI DSS compliance comes into play a self-signed cert isn’t enough.

Thanks to Let’s Encrypt, SSL certs are now free; the EFF even provide a tool called Certbot to automate the process and make it as simple as possible. I wondered if I could somehow get one of these free certs onto my Untangle install, and it turns out I wasn’t the first to think about this. Every guide I found online had something missing or was outdated, so I thought I’d publish the process that worked for me.

My Untangle setup already had a self-signed cert in place. If you skip that step on a fresh build things may not look exactly the same: you might be missing an apache.pem file, or find some other inconsistency. You should be able to work around that fairly easily; if not, generate a self-signed cert through the GUI first, then run through these instructions via SSH.

The SSH password is the same as your admin password, but the username is root, not admin. If you have not changed your password since the last upgrade, or you find that your password doesn’t work against SSH, reset it in the GUI and then return to SSH.

*This is unsupported by Untangle. You are unlikely to break anything permanently by following this guide, but understand what each command is doing so you can back out if necessary, and keep a copy of the original uvm.conf and apache.pem before you touch them. Apache refused to start for me several times whilst I was editing its config file, but don’t panic. Keep Calm & Check The Logs!

  • Install acme.sh
    • git clone https://github.com/Neilpang/acme.sh.git
    • cd acme.sh
    • ./acme.sh --install
  • Log Out from the SSH Session, and log back in
    • service apache2 stop
    • acme.sh --issue -d YOUR-DOMAIN-HERE --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please
  • You’ll be asked to add a DNS TXT record to your domain; do this as per the instructions the script prints. Manual DNS mode means acme.sh cannot renew the cert on its own, so expect to repeat this TXT-record step before the cert expires (Let’s Encrypt certs are valid for 90 days).
  • Run the command again, but with --renew on the end
    • acme.sh --issue -d YOUR-DOMAIN-HERE --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew
  • This will download the certs to your server; now to create a pem file that Untangle can use.
  • Untangle keeps its cert here: /etc/apache2/ssl/apache.pem. We will create a new file alongside it, so you can revert if all fails.
  • Change directory to where your new certs are, and cat them together
    • cd /root/.acme.sh/YOUR-DOMAIN-HERE
    • cat [YOUR-DOMAIN-HERE].cer [YOUR-DOMAIN-HERE].key > apache2.pem  (the files are named after your domain; acme.sh also writes a fullchain.cer that includes the intermediate certificate, which is the better choice if clients complain about an incomplete chain)
    • sudo cp apache2.pem /etc/apache2/ssl/apache2.pem  (you are already root, so the sudo is harmless but unnecessary; the file contains your private key, so make sure it is readable only by root)
  • Add the new apache2.pem file to the uvm.conf apache config file
    • sudo nano /etc/apache2/sites-enabled/uvm.conf
    • Towards the bottom of this file, replace SSLCertificateFile /etc/apache2/ssl/apache.pem with SSLCertificateFile /etc/apache2/ssl/apache2.pem
    • service apache2 start

If it fails to start, tail the logs to find out what’s up.

    • tail /var/log/apache2/error.log

If all else fails, change the apache2.pem line in uvm.conf back to apache.pem and restart Apache; everything should revert.

If all has gone to plan you should now have a valid SSL cert in place when you refresh the GUI in the browser. For me I had to restart Apache twice before the new cert was picked up. Your mileage may vary.
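The whole procedure, wrapped into a small POSIX shell script as an added example (this is my own code, not the original post’s or Untangle’s). It assumes acme.sh’s default output under /root/.acme.sh/YOUR-DOMAIN-HERE, uses acme.sh’s fullchain.cer rather than the bare .cer so the intermediate certificate is served too, keeps the combined PEM root-only because it contains the private key, backs up uvm.conf before editing it, and falls back to the backup if Apache won’t restart. The helper functions can be exercised on throwaway files before the install step is run on the firewall:

```shell
#!/bin/sh
# Added example, not from the original post: the manual steps above wrapped in
# functions so each can be checked before touching the live firewall.
# Assumptions: acme.sh's default layout under /root/.acme.sh/DOMAIN (fullchain.cer
# and DOMAIN.key) and Untangle's /etc/apache2/sites-enabled/uvm.conf.

# build_pem CERT KEY OUT: concatenate certificate chain and private key into one
# PEM. The umask in the subshell keeps the file root-only from the moment it is
# created, because it now contains the private key.
build_pem() {
    ( umask 077; cat "$1" "$2" > "$3" )
    chmod 600 "$3"
}

# pem_ok PEM: succeed only if the file holds both a certificate and a private key
pem_ok() {
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"
}

# swap_cert_path CONF OLD NEW: keep a backup of CONF, then point the
# SSLCertificateFile line(s) at NEW; fail if no line ended up referencing NEW.
swap_cert_path() {
    conf="$1"; old="$2"; new="$3"
    cp "$conf" "$conf.bak"
    sed -i "s#^\([[:space:]]*SSLCertificateFile[[:space:]][[:space:]]*\)$old#\1$new#" "$conf"
    grep -q "^[[:space:]]*SSLCertificateFile[[:space:]][[:space:]]*$new" "$conf"
}

# revert_conf CONF: put the backup made by swap_cert_path back
revert_conf() {
    cp "$1.bak" "$1"
}

# install_cert DOMAIN: the live run (as root on the firewall, after the acme.sh
# issue/renew steps in manual DNS mode have produced the files).
install_cert() {
    domain="$1"
    src="/root/.acme.sh/$domain"
    conf=/etc/apache2/sites-enabled/uvm.conf
    build_pem "$src/fullchain.cer" "$src/$domain.key" /etc/apache2/ssl/apache2.pem
    pem_ok /etc/apache2/ssl/apache2.pem || { echo "apache2.pem is incomplete, not touching Apache" >&2; return 1; }
    swap_cert_path "$conf" /etc/apache2/ssl/apache.pem /etc/apache2/ssl/apache2.pem
    if ! service apache2 restart; then
        # Apache would not come up on the new config: show why, then roll back
        tail /var/log/apache2/error.log >&2
        revert_conf "$conf"
        service apache2 restart
        return 1
    fi
    # Show what the GUI now presents: issuer should be Let's Encrypt and the
    # dates should match the new cert.
    echo | openssl s_client -connect 127.0.0.1:443 -servername "$domain" 2>/dev/null \
        | openssl x509 -noout -issuer -subject -dates
}

# Run the live install only when asked: sh le-untangle.sh install fw.example.com
if [ "${1:-}" = "install" ]; then
    install_cert "$2"
fi
```

Run it as `sh le-untangle.sh install YOUR-DOMAIN-HERE` once the acme.sh issue and renew steps have completed; the final openssl call prints the issuer and validity dates the GUI now presents, which is the check worth doing before a PCI scan. Because acme.sh’s manual DNS mode cannot renew unattended, the install step has to be repeated after each manual renewal.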