Adding an SSL certificate is highly recommended to secure the traffic and data of the SMA. There may be occasions where a CA root certificate is not available and a self-signed certificate is not enough, which is why Let's Encrypt SSL integration was introduced in version 13.0 to provide a free, integrated alternative for SSL certificates.
A Let's Encrypt SSL certificate only lasts for 90 days, so it has to be renewed when it expires.
The SMA has a built-in script that runs on the backend days before the expiration date, but in some situations the renewal may fail, leaving the box unable to auto-renew the SSL certificate.
For the auto-renewal process to work, traffic on port 80 needs to be allowed on the firewall (at least a few days before the certificate is going to expire) so that the certificate validation can succeed and the certificate can be renewed. After the certificate is renewed, traffic can be redirected to 443 only if desired, but as per the Let's Encrypt documentation:
The HTTP-01 challenge can only be done on port 80.
This information is visible in the information icon (Mario block) on the SSL settings.
For any security concerns regarding this situation, obtaining an SSL certificate from a well-known CA is always the preferred option.
Instructions on how to enable a Let's Encrypt certificate from scratch can be found here.
For additional questions on this, please contact KACE Support.
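As an added example (not part of the original article and not KACE tooling), the following Python script reports how many days remain on the certificate the appliance serves and whether port 80 is reachable for the HTTP-01 challenge. The 14-day alert window, the function names and the host argument are assumptions made for this example.

```python
import socket
import ssl
import sys
import time

WARN_DAYS = 14  # assumed alert window; the article gives no exact figure


def days_left(not_after, now=None):
    """Whole days until a cert's notAfter (e.g. 'Jun 30 12:00:00 2025 GMT')."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def assess(days, port80_open, warn_days=WARN_DAYS):
    """Classify renewal risk from days remaining and port 80 reachability."""
    if days < 0:
        return "expired"
    if days <= warn_days:
        # Inside the window, HTTP-01 validation needs inbound port 80.
        return "due" if port80_open else "at-risk"
    return "ok"


def port_open(host, port, timeout=5):
    """True if a TCP connection to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_not_after(host, port=443):
    """Return notAfter of the served certificate; raises if validation fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Run from a host outside the firewall so port 80 is tested the way
    # the Let's Encrypt validation servers would reach the appliance.
    host = sys.argv[1]  # e.g. sma.example.com (placeholder hostname)
    try:
        days = days_left(fetch_not_after(host))
    except ssl.SSLCertVerificationError as exc:
        sys.exit(f"{host}: certificate rejected ({exc.verify_message})")
    status = assess(days, port_open(host, 80))
    print(f"{host}: {days} days left, status={status}")
    sys.exit(0 if status == "ok" else 1)
```

Scheduled from a monitoring host, a non-zero exit code signals that the certificate is inside the alert window, already rejected, or that port 80 is closed while renewal is pending.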