Use Let's Encrypt Certificate for your DDNS Domain

Vigor Router supports importing a Let's Encrypt certificate from its web user interface. It makes the process of generating, signing and importing the certificate very easy. This document will show how to apply a Let's Encrypt for the router's domain.

DrayOS models support this feature since firmware version 3.9.0. However, it's only available for the DrayDDNS domain - the free Dynamic DNS service provided by DrayTek.

1. Register a DrayDDNS account for the router and use it at Applications >> Dynamic DNS Setup. (visit the article Activate DrayDDNS Service for a Free Hostname for detailed instruction) Click View Log button at Applications >> Dynamic DNS Setup page for ensuring your DrayDDNS domain has updated successfully.

a screenshot of DrayOS DDNS Log

2. Go to Applications >> Dynamic DNS Setup, enter the DrayDDNS profile, and click Create at Let's Encrypt certificate.

a screenshot of DrayOS DDNS Acount setup

3. It may take 2 to 3 minutes for the router to generate the certificate.

a screenshot of DrayOS generating certificate

4. When the process is finished, Vigor Router will pop up a message to ask if you would like to apply Let's Encrypt certificate for the SSL VPN/ HTTPS Server.

  • Click OK for now if you'd like to apply it to HTTPS server manually later.
  • Click Use this certificate for all my services if you'd like to apply it to HTTPS server now.
a screenshot of DrayOS certificate logs

5. We can view the Let's Encrypt certificate via Certificate Management >> Local Certificate page. The certificate will be valid for 3 months.

a screenshot of DrayOS local certificate page

6. You will see at SSL VPN >> General Setup page the Server certificate has changed to DrayDDNS – the Let's Encrypt certificate automatically.

a screenshot of DrayOS SSL VPN General Setup page

7. When we access Vigor Router by its DrayDDNS domain name, we will see the HTTPS connection is marked Secure in the browser.

a screenshot of a browser opening Vigor2862's web management page, and it shows secure HTTPS connection at the address bar

8. By enabling the Auto Update option in the DrayDDNS profile, the router will renew the certificate automatically when the certificate is almost expired.

a screenshot of DrayOS DDNS account setup

This feature is available on Vigor3900 and Vigor2960 since firmware version 1.4.0.

1. Register a DDNS account for the router and use it at Applications >> Dynamic DNS Setup. Make sure DDNS updated successfully from Applications >> Dynamic DNS >> Status page.

a screenshot of Vigor2960 DDNS Status

2. Go to Certificate Management >> Local Certificate, and click Let's Encrypt.

a screenshot of Vigor2960 Local Certificate page

3. Let's Encrypt Details window will show at the bottom of the page. Click Edit, then:

  • Select the DDNS Profile you want to use the certificate
  • Select "Enable" for Auto Update (so that the router will renew the certificate when the valid time is less than 30 days.)
  • Click Save for applying the settings.
a screenshot of Vigor2960 applying for Let's Encrypt certificate

4. Click Yes on the pop-up window if you want to create Let's Encrypt certificate right now.

a screenshot of Vigor2960 applying for Let's Encrypt certificate

5. The router will start negotiating with Let's Encrypt server. It will take a few minutes to generate and import the certificate

a screenshot of Vigor2960 applying for Let's Encrypt certificate

6. Seeing the log Certificate IMPORT finished!! means the router has imported the Let's Encrypt certificate successfully.

a screenshot of Vigor2960 finished applying for Let's Encrypt certificate

7. Click Refresh on the Local Certificate page, and we will see the Let's Encrypt Status shows OK.

a screenshot of Vigor2960 Local Certifiacte status

8. Go to System Maintenance >>Access Control >> Server Certificate, select the Let's Encrypt certificate we just created and click Apply to save the settings.

a screenshot of Vigor2960 Access Control Setup

9. Access the router's DDNS Domain by HTTPS, and we can see the HTTPS connection is recognized as Secure by the browser now.

a screenshot of a browser opening Vigor2960's web management page, and it shows HTTPS connection is secure
Troubleshooting:

Below are some common error message and the solutions:

1. Domain verify failed
It means Let's Encrypt server cannot resolve the domain name that the router is applying. When seeing this message, please check if the DDNS has updated successfully.

2. Domain verify timeout
It means Let's Encrypt server cannot connect to Vigor Router's TCP port 80, which the server will connect when generating or revoking the certificate. Some ISP will block connection on TCP port 80 from other countries' IP, when seeing this message, please check the access on TCP port 80.

3. Failed to get acme server directory
It means Let's Encrypt server blocks the action because the IP connects too many times (The current limit is 10 times in 3 hours) When seeing this message, stop issuing the certificate from Vigor Router for some time.

4. Download certificate failed
It means Let's Encrypt server blocks the action because the domain name has issued the certificate too many times. (The current limit is 5 times a week) When seeing this message, please stop issuing the certificate from Vigor Router for some time.

If you cannot apply Let's Encrypt certificate successfully, please provide the following information to [email protected] for our analysis:

  • Logs in Let's Encrypt Details window
  • WAN packets captured by Packet Monitor with Interface ALL WANs when generating the Let's Encrypt certificate
  • Remote Access to your Vigor Router

Published On: 2018-09-06 

Was this helpful?