How To Install a Let’s Encrypt security certificate

Why?

The Cortex uses SSL secure connections with a self-signed certificate. Such certificates are not recognized (by browsers, for instance) as being secure, but as long as the Cortex is not compromised the connection is as secure as if the SSL certificate had been signed by a CA (certificate authority).
Because browsers detect that the Cortex uses a self-signed certificate, users find it annoying to see browser warnings on every connection. The first solution that comes to mind is to allow loading a certificate signed by a CA, and that might be the best solution. However, an SSL certificate based on a domain name costs around US$49 per year, while an SSL certificate based on the IP address (more secure) costs around US$300 per year. You also need one certificate per site, which can become quite expensive.
We have chosen a solution which is not necessarily the simplest in all cases, but we believe it will satisfy the majority of users concerned by this problem.

How?

Let’s Encrypt is a free, automated and open source CA (certificate authority). It issues free SSL certificates based on the domain name. These certificates are valid for a period of 3 months.

For this to work, the Cortex must be accessible via the Internet using a domain name like cortex.yourorganization.com or cortex.dnsfree.net for example. If the Cortex has a fixed IP address, it is possible to purchase a domain name that will be linked to that IP address and it will cost you around US$10 or more, per year, per site. However, there are free services that will assign a domain name to the site where the Cortex is located, whether the site has a fixed or dynamic IP address. The Cortex, router, or on-site PC can be configured to communicate with the server of one of these dynamic DNS services, but you must first create an account on the website of that DNS service provider. The Cortex supports the following service providers: Dyn DNS (paid), No-IP (free or paid), OpenDNS (free or paid) and ClouDNS (free or paid).

Once the account is created with the chosen provider, simply go to System / IP Configuration / Dynamic DNS and fill out the form. It can take from a few minutes to 48 hours before the domain name is recognized by the DNS servers and can be used to connect to the Cortex. You can check whether the operation worked by looking at the Connection Status.

HTTP mode

This is the easiest mode to configure. Now that the Cortex is accessible via a domain name, it is possible to activate the option to use a Let’s Encrypt certificate. The easiest way is to configure it in HTTP mode (open port 36001).

In this mode, the Cortex is able to communicate with the Let’s Encrypt servers via port 36001 to show that the user has control of the Cortex web server. Thus, Let’s Encrypt will issue an SSL certificate that the Cortex will use. This certificate is issued for the domain and not for the IP address of the Cortex, or the site. Browsers which access the site using the domain will receive a certificate issued by a CA and there will be no more browser warnings. If a user accesses a Cortex directly via the Cortex IP address, the browser will indicate that there is a problem with the certificate and will display the usual sorts of warning messages about the certificate.

The advantages of this mode are that it is completely free and automatic, once configured. The disadvantage is that the certificate is not recognized when you want to use the internal IP address rather than the domain name.

Preparation for using ClouDNS

The following modes require the services of ClouDNS. The free plan can only be used for DNS Manual mode. For DNS Automatic mode you absolutely must use a paid plan. The cheapest, Premium S at US$1.95 per month, does the job very well and is enough for up to 25 different domains or sites. The Premium M service at US$4.95 per month is sufficient for up to 75 domains or sites, while the Premium L service at US$14.95 per month offers support for up to 400 domains or sites!

You must start by creating a ClouDNS account and selecting the package of your choice. You can start with a free 30-day Premium S trial version. You must then enter the domain in the DNS zones.

If you use ClouDNS with a free domain name you must choose Free zone.

Next, we create the domain name and register it.

Next, you must access the DNS zone and add a type A entry. You simply enter the current IP address (Internet or external) of the site in Points to: and click Save.

You must now activate the new registration. To do this, click on the two arrows on the right, and then on Activate it.

If we want the certificate to be valid in the local network as well, we must add a second type A record specifying the local IP address, but we must not activate it!

Finally, we click once again on the two arrows of the Internet domain host and we copy the entire URL starting with https://. It will be required in the Cortex.

In the Cortex, you must go to System / IP Configuration / Dynamic DNS, activate Dynamic DNS and choose ClouDNS.net as the service provider. Then, in the URL field, we paste the address that was copied earlier and click Save. The connection status should change to Updated.

This is where you need to decide whether you will use DNS Manual mode or DNS Automatic mode because the operations that follow are different depending on the mode chosen.

DNS Manual mode

This mode is the least interesting to use, and therefore not recommended, because the user will have to carry out manipulations every 2 to 3 months to renew the certificate.

After having completed the section “Preparation for using ClouDNS” and after having verified that the domain is working, which can take from a few minutes to 48 hours, you must go to System / IP Configuration / SSL Certificates in the Cortex, check Use Let’s Encrypt certificate, choose the DNS Manual challenge and register the chosen domain.

Next, we click on Get Challenge and add the requested record(s) to ClouDNS. You must add a TXT type record named “_acme-challenge” under the chosen domain (.demo1.dns-cloud.net in this example) and enter, in Points to:, the character string obtained from Get Challenge.

Finally, we wait about 2 minutes for the changes to propagate on the Internet and we press Get certificate. You should see the Status change and an indication of the expiration date and time of the newly-obtained certificate.

This certificate will be valid for a period of 90 days and you will have to repeat this procedure to renew the certificate.

In summary, this method is very complicated to configure and requires user intervention every 2-3 months to renew the certificate, but it allows you to have a valid certificate on the Internet and in the local network.
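As an added illustration (not part of the original article or of the Cortex software) of two points made above: the Let’s Encrypt certificate covers the domain name only, so browsing to the Cortex by IP address still produces warnings, and in DNS Manual mode renewal is a manual step that must happen before the 90-day validity runs out. The script checks a certificate’s subjectAltName against the name typed into the browser and reports the days left before expiry; `fetch_cert` connects to a live Cortex (hostname and port are assumptions), while the embedded certificate dictionary is constructed sample data in the shape Python’s `getpeercert()` returns.

```python
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Hostname and dates are made up; the 90-day span matches Let's Encrypt.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "cortex.demo1.dns-cloud.net"),),
    "notBefore": "Mar  1 10:00:00 2024 GMT",
    "notAfter": "May 30 10:00:00 2024 GMT",
}

def san_dns_names(cert):
    """DNS names the certificate is valid for (subjectAltName entries)."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_covered(cert, name):
    """True when `name` (what the user typed in the browser) is covered.
    An IP address such as 192.168.1.50 never matches a DNS-only certificate,
    hence the warnings when the Cortex is reached by IP address."""
    name = name.lower().rstrip(".")
    for san in san_dns_names(cert):
        if san == name:
            return True
        # Single left-most wildcard label only (e.g. *.demo1.dns-cloud.net).
        if san.startswith("*.") and "." in name and name.split(".", 1)[1] == san[2:]:
            return True
    return False

def expiry_epoch(cert):
    """Expiry time of the certificate as seconds since the epoch (UTC)."""
    return ssl.cert_time_to_seconds(cert["notAfter"])

def days_until_expiry(cert, now=None):
    now = time.time() if now is None else now
    return int((expiry_epoch(cert) - now) // 86400)

def renewal_report(cert, name, now=None, warn_days=30):
    """Coverage of `name` plus a renewal flag; with DNS Manual mode the renewal
    is done by hand, so it is flagged while plenty of validity remains."""
    days = days_until_expiry(cert, now)
    return {"covered": name_covered(cert, name), "days_left": days,
            "renew_now": days <= warn_days}

def fetch_cert(host, port=443, timeout=5):
    """Fetch the live certificate from a Cortex (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `renewal_report(fetch_cert("cortex.yourdomain.example"), "cortex.yourdomain.example")` from a scheduled task to get an early reminder that the DNS Manual procedure is due again.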

Automatic DNS mode

This mode is the most interesting if you want a valid certificate on the Internet and in the local network, but it requires a paid subscription to ClouDNS.

You must return to ClouDNS, click on API at the top in the black band and then add a new API user.

After having completed the section “Preparation for using ClouDNS” and after having verified that the domain is working, which can take from a few minutes to 48 hours, you must go to System / IP Configuration / SSL Certificates in the Cortex, check Use Let’s Encrypt certificate, choose the DNS Automatic challenge, fill in the First domain, API username and Password, and select ClouDNS.net as the DNS Provider.

After saving the configuration you should see the Status change and an indication of the expiration date and time of the newly-obtained certificate.

This mode is simpler to configure, it works autonomously and it allows you to have a certificate recognized on the Internet and in the local network, but you must have a paid ClouDNS plan.
