October 14, 2021
The Rumpus Let's Encrypt feature makes getting LE certificates about as simple a process as we can make it, but underneath there is quite a bit going on. If you are having trouble with the Rumpus Let's Encrypt function, understanding what is happening behind the scenes can help diagnose problems.
During each phase (setting up an account, verifying accounts, issuing or revoking certs and renewing certs) your Rumpus server communicates with the Let's Encrypt (LE) service to perform the task. This is done over an encrypted (HTTPS) channel, and Rumpus handles all of the particulars involved in building the requests and parsing the responses from the LE service.
Issuing/renewing a certificate through LE is the most complicated of these tasks, because before LE will issue the cert it needs to confirm that the server making the request really controls the domain name the cert is for. Here's how that works, in a simplified nutshell:
Step 1: Rumpus connects to the LE service, requests a certificate for your domain name, and asks LE to verify that domain.
Step 2: LE responds to Rumpus with a one-time challenge token generated specifically for this transaction. Rumpus turns that token (combined with its LE account key) into a key file, places it in a "well-known" location (/.well-known/acme-challenge/) within Rumpus' content area, and makes it available via the HTTP service.
Step 3: LE then issues a separate, plain HTTP request (on the default Web port 80) from its own validation servers, essentially the same as any standard Web browser would do to access some Web content on the server. The request is for the key file in the well-known folder.
Step 4: Rumpus handles the LE HTTP request using the regular Web service that powers the Web File Manager, and responds with the key file.
Step 5: The LE service compares the key file returned via the HTTP request with what it expects for the token it generated in step 2 and the account that asked for it. A match confirms that the HTTP service answering at your domain name is controlled by the same party that made the original certificate request in Step 1.
Step 6: With the domain confirmed, LE generates the certificate and sends it back to Rumpus on the original encrypted channel.
Step 7: Rumpus saves the certificate locally and installs it in the needed location when you use the "Install Certificate" function.
In order for this to work, Rumpus MUST be answering plain (unencrypted) HTTP on port 80 for the domain name on the certificate. If some other Web server is responding on port 80, the process will fail, because that other Web service knows nothing about the key file and cannot return it to LE in step 4.
So, while Rumpus makes obtaining LE certificates very easy, there is one big requirement. When clients from outside your network (including LE's own validation servers) access the "http://" URL of your Rumpus server, Rumpus must be the HTTP service that sends the response, directly to the client. All of this must occur on the HTTP default port 80. LE will follow a plain HTTP redirect, but only if the final destination is still Rumpus serving the key file; any intermediate process, including redirectors that send the request elsewhere, proxies that do not pass /.well-known/acme-challenge/ requests through, and firewalls or other network devices that filter or rewrite HTTP activity, can cause the process to fail. A quick check from outside your network: a request for http://yourdomain/.well-known/acme-challenge/anything should be answered by Rumpus (a not-found response for a made-up file name is expected); if some other server answers, or the request is redirected to a different host, validation will fail.
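The seven steps above, and the port 80 requirement, are easier to reason about with the exchange written out. The following is an added illustration, not Rumpus code or Let's Encrypt code: it simulates the HTTP-01 validation in-process, with a client that publishes the key file (token plus a thumbprint of its account key, which is how the real challenge response is built) and a validator that fetches it through whatever is answering on port 80. The account keys and the `other_web_server` handler are constructed placeholders, and no network is used.

```python
"""Simulated Let's Encrypt HTTP-01 validation (added example, not Rumpus code).

The ACME server hands the client a one-time token; the client publishes
token + "." + thumbprint(account key) at /.well-known/acme-challenge/<token>
on port 80; the server fetches that path and compares. Keys are placeholders.
"""
import base64
import hashlib
import json
import secrets

CHALLENGE_DIR = "/.well-known/acme-challenge/"

# Constructed sample account keys (not real RSA keys). The thumbprint only
# depends on the public JWK members, so placeholder values are enough here.
RUMPUS_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-for-rumpus"}
OTHER_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-for-someone-else"}


def b64url(data):
    """Base64url without padding, as ACME uses for tokens and thumbprints."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required public members,
    lexicographically sorted and serialized with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, account_jwk):
    """Content of the key file: the token tied to one specific ACME account."""
    return token + "." + jwk_thumbprint(account_jwk)


class RumpusLikeClient:
    """The Rumpus side: owns an account key and serves the well-known folder."""

    def __init__(self, account_jwk):
        self.account_jwk = account_jwk
        self.well_known = {}  # path -> file content, i.e. the content area

    def publish_challenge(self, token):
        # Step 2: build the key file from the token and place it in the folder.
        self.well_known[CHALLENGE_DIR + token] = key_authorization(token, self.account_jwk)

    def http_get(self, path):
        # Step 4: the plain-HTTP handler on port 80 returns (status, body).
        if path in self.well_known:
            return 200, self.well_known[path]
        return 404, "Not Found"


def other_web_server(path):
    """Hypothetical other server answering on port 80: it never saw the token."""
    return 404, "Not Found"


def validate_http01(token, registered_account_jwk, port80_handler):
    """The Let's Encrypt side (steps 3 and 5): fetch the key file and compare it
    with what the registered account should have produced for this token."""
    status, body = port80_handler(CHALLENGE_DIR + token)
    if status != 200:
        return False, "challenge fetch failed with HTTP %d" % status
    if body.strip() != key_authorization(token, registered_account_jwk):
        return False, "key authorization mismatch"
    return True, "ok"


def run_issuance(client, port80_handler):
    """Steps 1-5 end to end: LE mints a token, the client publishes its key file,
    LE validates through whatever answers on port 80 for the domain."""
    token = b64url(secrets.token_bytes(32))   # one-time token, 256 bits of entropy
    client.publish_challenge(token)
    return validate_http01(token, client.account_jwk, port80_handler)


if __name__ == "__main__":
    rumpus = RumpusLikeClient(RUMPUS_ACCOUNT_JWK)
    print("Rumpus answering on port 80:      ", run_issuance(rumpus, rumpus.http_get))
    print("Other server answering on port 80:", run_issuance(rumpus, other_web_server))
```

The second run is the failure described above: Rumpus has published the key file, but the request on port 80 never reaches it, so LE sees a 404 and refuses to issue. Binding the file content to the account key thumbprint is also why a third party who can serve content at your domain but cannot sign with your LE account key still cannot pass the challenge for a request they did not make.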
Note that DNS forwarding can present a similar problem. If your domain name resolves to a third-party forwarding service that then redirects (or frames) visitors to your actual site, validation fails for the same reason: the forwarding service, not Rumpus, answers the request on port 80. Domain registrars and DNS providers sometimes offer this technique in order to provide security or other features, but it is incompatible with how Let's Encrypt verification, and HTTPS in general, functions. The domain name must resolve directly to the server Rumpus is running on.
As always, please contact us at support@maxum.com if you have questions or require additional support.