Setting up the built-in SSL encryption
This FAQ topic is only relevant for Awingu administrators, not end-users.
This FAQ topic concerns Awingu 4.3. If you are running a later version of Awingu, you can find the latest admin guide here.
If no external SSL offloader is available, Awingu can handle the SSL offloading (also referred to as SSL termination) internally. This FAQ topic focuses on Awingu-generated certificates.
When using multiple Awingu nodes for high availability reasons, we recommend using an external SSL offloader. Only when the internal SSL offloader is used do you need to upload or generate the certificates in Awingu via Global > Certificates. Once the first certificate is uploaded or generated, Awingu will start serving HTTPS on port 443. To enforce HTTPS, please refer to Connectivity Settings. The use of your own certificates and of an external SSL offloader is described in the admin guide.
Generating certificates automatically
If you do not own SSL certificates, you can use the Automatic option, which will generate and configure SSL certificates provided by the free CA service of Let’s Encrypt.
To generate certificates automatically, click on Add and provide the following information:
- Certificate: Automatic
- Subject Names: the host name(s) you want to create certificates for (e.g. awingu.mycompany.com)
The generated certificates are valid for 90 days. After 60 days, Awingu will renew the certificate. Therefore, the public servers of Let’s Encrypt always need to be able to reach the Awingu appliance on ports 80 and 443.
The following network requirements must be met in order to request and renew automatic certificates:
- Ports 80 and 443 of Awingu need to be accessible to the public servers of Let’s Encrypt via all provided subject names.
- Awingu needs to be able to reach the REST API of Let’s Encrypt directly (without the use of an HTTP proxy) on port 443 for *.api.letsencrypt.org.
Please note that there is a rate limit on the number of certificates per registered domain and on the number of duplicate certificates. Those limits are described in the documentation of Let’s Encrypt. You can hit this limit easily if you use a subdomain of a service or cloud provider, like *.azure.com. Please use a subdomain you fully control.
Automatic SSL is only available for a single-node Awingu configuration or for a multi-node Awingu with only one Frontend service.
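As an added example (not part of this FAQ or of the Awingu product), the Python script below checks the network requirements listed above for each subject name and classifies the certificate currently served against the 90-day validity and 60-day renewal schedule, so a renewal that silently failed shows up as "overdue" before the certificate expires. The host name acme-v02.api.letsencrypt.org is assumed as the endpoint under *.api.letsencrypt.org, and awingu.mycompany.com is the page's placeholder host.

```python
"""Pre-flight and renewal check for Awingu automatic (Let's Encrypt) certificates.
Added example, not Awingu code: verifies the FAQ's network requirements and renewal window."""
import socket, ssl
from datetime import datetime, timezone

VALIDITY_DAYS, RENEW_AFTER_DAYS = 90, 60      # Let's Encrypt lifetime / Awingu renewal point (from the page)
ACME_HOST = "acme-v02.api.letsencrypt.org"    # assumed endpoint under *.api.letsencrypt.org

def port_open(host, port, timeout=5.0):
    """True if a direct TCP connection to host:port succeeds (no HTTP proxy involved)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def parse_not_after(text):
    """notAfter string as returned by getpeercert() -> aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def days_remaining(not_after, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    return (not_after - now).days

def renewal_status(days_left):
    """'expired' past notAfter; 'overdue' when fewer than VALIDITY_DAYS - RENEW_AFTER_DAYS
    days remain, i.e. the scheduled renewal was missed; otherwise 'ok'."""
    if days_left < 0:
        return "expired"
    return "overdue" if days_left < VALIDITY_DAYS - RENEW_AFTER_DAYS else "ok"

def served_not_after(host, port=443, timeout=5.0):
    """Fetch the certificate served on host:port and return its notAfter; a chain that
    fails validation raises ssl.SSLError, which is itself a finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return parse_not_after(tls.getpeercert()["notAfter"])

def preflight(subject_names):
    """Inbound 80 and 443 for every subject name, plus direct outbound reach to the ACME API."""
    report = {n: {80: port_open(n, 80), 443: port_open(n, 443)} for n in subject_names}
    report["acme_api_reachable"] = port_open(ACME_HOST, 443)
    return report

if __name__ == "__main__":
    name = "awingu.mycompany.com"    # the page's example host name; substitute your own
    print(preflight([name]))
    left = days_remaining(served_not_after(name), datetime.now(timezone.utc))
    print(f"{left} days left -> {renewal_status(left)}")
```

Run it from a host outside your network so the inbound checks reflect what Let’s Encrypt’s validation servers see; an "overdue" result with port 80 or 443 closed points at the cause.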
Redirect HTTP to HTTPS traffic
The last thing to do is to enable the redirect feature, so that all incoming traffic on HTTP (port 80) is redirected to HTTPS (port 443).
To enable this redirect you must be connected over HTTPS. So first log out of the Awingu environment and log in again over HTTPS.
Open the connectivity page (System Settings > Global > Connectivity) and change the SSL Offloader from “Optional HTTPS” to “Internal SSL offloading with enforced HTTPS”.
If you require more information about this topic, we’re happy to refer to our Awingu Admin Guide.