DataPower

 View Only
  • 1.  Dealing with Letsencrypt

    Posted Mon August 02, 2021 03:40 PM
    Hi.

    At a couple of customer sites I have some issues communicating with services that are using Letsencrypt for renewing certificates for TLS transport.

    Problem is that these Letsencrypt secured services automatically renew their host certificate and even sometimes the intermediate certificate. This makes my Validation Credential to break.

    Any suggestions on how to deal with this?

    Regards
    Thomas Berg

    ------------------------------
    Thomas Berg
    ------------------------------


  • 2.  RE: Dealing with Letsencrypt

    IBM TechXchange Speaker
    Posted Wed August 18, 2021 01:46 PM

    Hi Thomas,

    Have you checked out this redbook? It was recommend by one of our experts with this answer.   https://www.redbooks.ibm.com/redpapers/pdfs/redp4446.pdf

    Usually customers build their own solution to  automate certificate changes as DataPower doesn't support the letsencrypt feature to automatically update its certificates.
    For example, SOMA could submit config updates to DP to reflect new certs/keys. 

    Hope this helps!




    ------------------------------
    Stephanie Wilkerson
    IBM
    ------------------------------



  • 3.  RE: Dealing with Letsencrypt

    Posted Wed August 25, 2021 04:12 AM
    Thanks, Stephanie. I was hoping that there was another way of doing this -:) Will look into it redpaper and see how to automate this.

    Regards
    Thomas

    ------------------------------
    Thomas Berg
    ------------------------------



  • 4.  RE: Dealing with Letsencrypt

    IBM Champion
    Posted Wed August 25, 2021 05:47 PM
    What do you have in your Crypto Validation Credential?  Should be just the Root Certificate(s) from just the Certificate Authority(s) that you choose to trust for this connection. Certificate Validation Mode should be PKIX. The parent SSL Client Profile would then have "Validate server host name" set to Yes.   Now the SSL Server can renew their cert every day if they want, with new Intermediates if they want, with no action required on the SSL Client's (DataPower) side.

    ------------------------------
    Peter Potkay
    ------------------------------