Use Let's Encrypt Certificate for your DDNS Domain

Published On: Sep 06, 2018 

Vigor Router supports importing a Let's Encrypt certificate from its web user interface, which makes generating, signing and importing the certificate very easy. This document shows how to apply for a Let's Encrypt certificate for the router's domain.

DrayOS models support importing a Let's Encrypt certificate from its web user interface since firmware version 3.9.0. It is only available for the DrayDDNS domain.

1. Register a DrayDDNS account for the router and use it at Applications >> Dynamic DNS Setup. Click the View Log button on the Applications >> Dynamic DNS Setup page to make sure your DrayDDNS domain has updated successfully.

2. Go to Applications >> Dynamic DNS Setup, enter the DrayDDNS profile, and click Create at Let's Encrypt certificate.

3. It may take 2 or 3 minutes for the router to generate the certificate.

4. When the process is finished, Vigor Router will pop up a message asking whether you would like to apply the Let's Encrypt certificate to the SSL VPN/HTTPS server.

  • Click OK for now if you'd like to apply it to the HTTPS server manually later.
  • Click Use this certificate for all my services if you'd like to apply it to the HTTPS server now.

5. We can view the Let's Encrypt certificate on the Certificate Management >> Local Certificate page. The certificate will be valid for 3 months.

6. On the SSL VPN >> General Setup page, you will see that the Server certificate has automatically changed to DrayDDNS, the Let's Encrypt certificate.

7. When we access Vigor Router by its DrayDDNS domain name, we will see the HTTPS connection is marked Secure in the browser.

8. If the Auto Update option is enabled in the DrayDDNS profile, the router will renew the certificate automatically when it is about to expire.

This feature is available on Vigor3900 and Vigor2960 since firmware version 1.4.0.

1. Register a DDNS account for the router and use it at Applications >> Dynamic DNS Setup. Make sure the DDNS has updated successfully on the Applications >> Dynamic DNS >> Status page.

2. Go to Certificate Management >> Local Certificate, and click Let's Encrypt.

3. The Let's Encrypt Details window will show at the bottom of the page. Click Edit, then:

  • Select the DDNS Profile you want to use the certificate for.
  • Select "Enable" for Auto Update, so that the router will renew the certificate when its remaining validity is less than 30 days.
  • Click Save for applying the settings.

4. Click Yes on the pop-up window if you want to create the Let's Encrypt certificate right now.

5. The router will start negotiating with the Let's Encrypt server. It will take a few minutes to generate and import the certificate.

6. The log entry Certificate IMPORT finished!! means the router has imported the Let's Encrypt certificate successfully.

7. Click Refresh on the Local Certificate page, and we will see the Let's Encrypt Status shows OK.

8. Go to System Maintenance >> Access Control >> Server Certificate, select the Let's Encrypt certificate we just created and click Apply to save the settings.

9. Access the router's DDNS Domain by HTTPS, and we can see the HTTPS connection is recognized as Secure by the browser now.
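
The browser check that ends both procedures can also be scripted, which helps confirm later that Auto Update is really renewing the certificate. The Python script below is an added example, not DrayTek code; the host name `router.example.com` and the sample certificate are constructed, and the 30-day threshold is the Auto Update window stated above for Vigor3900/Vigor2960.

```python
import socket
import ssl
import time

RENEW_WINDOW_DAYS = 30  # Auto Update threshold quoted above for Vigor3900/2960

# Constructed sample in the format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R11"),)),
    "notAfter": "Jun 15 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "router.example.com"),),
}


def assess_cert(cert, now):
    """Classify a getpeercert() dict at time `now` (epoch seconds, UTC)."""
    issuer = {key: value for rdn in cert["issuer"] for key, value in rdn}
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - now) // 86400)
    if issuer.get("organizationName") != "Let's Encrypt":
        status = "not-lets-encrypt"   # trusted, but issued by another CA
    elif days_left < 0:
        status = "expired"
    elif days_left < RENEW_WINDOW_DAYS:
        status = "renewal-overdue"    # Auto Update should already have run
    else:
        status = "ok"
    return {"status": status, "days_left": days_left}


def check_router(host, port=443, timeout=10):
    """Fetch the certificate the router serves over HTTPS and classify it."""
    ctx = ssl.create_default_context()  # validates chain and host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Served certificate is not publicly trusted, mismatched or expired.
        return {"status": "untrusted", "reason": exc.verify_message}
    except OSError as exc:
        return {"status": "unreachable", "reason": str(exc)}
    return assess_cert(cert, time.time())


if __name__ == "__main__":
    print(check_router("router.example.com"))  # placeholder host name
```

An `untrusted` result right after issuance usually means the router is still serving a different certificate than the one just imported, so the server certificate selection is the first thing to check.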

Troubleshooting:

Below are some common error messages and their solutions:

1. Domain verify failed
It means the Let's Encrypt server cannot resolve the domain name that the router is applying for. When seeing this message, please check if the DDNS has updated successfully.

2. Domain verify timeout
It means the Let's Encrypt server cannot connect to TCP port 80 on the Vigor Router, which the server connects to when generating or revoking the certificate. Some ISPs block connections to TCP port 80 from IP addresses in other countries. When seeing this message, please check the access on TCP port 80.

3. Failed to get acme server directory
It means the Let's Encrypt server blocks the action because the IP has connected too many times (the current limit is 10 times in 3 hours). When seeing this message, stop issuing the certificate from Vigor Router for some time.

4. Download certificate failed
It means the Let's Encrypt server blocks the action because the certificate has been issued for the domain name too many times (the current limit is 5 times a week). When seeing this message, please stop issuing the certificate from Vigor Router for some time.
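
The conditions behind the first two messages can be checked from outside before another attempt is made, which avoids using up the limits behind messages 3 and 4. The Python script below is an added example, not DrayTek code; `preflight`, the placeholder host name and the documentation-range IP addresses are assumptions, and it needs to run on a host on the Internet side of the router.

```python
import socket


def _resolve(domain):
    """Return the set of addresses the public DNS gives for `domain`."""
    infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def _connect(ip, port, timeout):
    """Open and close a TCP connection; raises OSError on failure."""
    socket.create_connection((ip, port), timeout=timeout).close()


def preflight(domain, wan_ip, resolve=_resolve, connect=_connect, timeout=5):
    """Return (ok, finding, related router message) for one domain."""
    try:
        addrs = resolve(domain)
    except OSError:  # socket.gaierror is a subclass of OSError
        return (False, "domain does not resolve", "Domain verify failed")
    if wan_ip not in addrs:
        # Assumption: a stale DDNS record has the same remedy as an
        # unresolvable name, i.e. check the DDNS update log.
        return (False, f"domain resolves to {sorted(addrs)}, not {wan_ip}",
                "Domain verify failed")
    try:
        connect(wan_ip, 80, timeout)
    except OSError:  # refused, filtered or timed out
        return (False, "TCP port 80 unreachable", "Domain verify timeout")
    return (True, "DNS and TCP port 80 look fine", None)


if __name__ == "__main__":
    # Placeholder values; run from a host outside the router's own network.
    print(preflight("router.example.com", "192.0.2.10"))
```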

If you cannot apply Let's Encrypt certificate successfully, please provide the following information to [email protected] for our analysis:

  • Logs in Let's Encrypt Details window
  • WAN packets captured by Packet Monitor with Interface ALL WANs when generating the Let's Encrypt certificate
  • Remote Access to your Vigor Router