The automatic certificate renewal relies on the REST API of Let's Encrypt.
Note that this option is only available in a single-node environment.

Awingu checks once or twice a day whether certificates should be renewed.


There are two main requirements:

  • The Awingu appliance must be able to connect to the Let's Encrypt servers (acme-v02.api.letsencrypt.org, TCP port 443).
    Verify this outgoing connectivity by running a tcpscan.
     
  • The Let's Encrypt servers also need to be able to fetch some data (ACME Challenge) from the Awingu appliance. Let's Encrypt will connect to the public IP address of the Awingu appliance on TCP ports 80 and 443. These port numbers cannot be altered.

    The internal SSL offloading with enforced HTTPS can still be enabled on the Awingu appliance (System Settings > Global > Connectivity), so all other incoming requests will be redirected and will use HTTPS.

When troubleshooting, make sure that no geo-restrictions are in place on the organization's firewall and that any port forwarding (destination NAT) on the firewall is configured correctly. Unfortunately, at this point Let's Encrypt doesn't offer a list of IPs that could be whitelisted.
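
The two connectivity requirements and the troubleshooting advice above can be checked with a short script. This is an added example, not an Awingu tool and not a replacement for the tcpscan; the script name `preflight.py`, the function names and the hint texts are assumptions made for illustration. It classifies each TCP connection attempt so that a silent drop (typical of firewall filtering) can be told apart from an active rejection (typical of a wrong port forwarding target).

```python
import errno
import socket
import sys

ACME_HOST = "acme-v02.api.letsencrypt.org"  # outbound target named on this page
INBOUND_PORTS = (80, 443)                   # ports Let's Encrypt connects to

# Hint texts are this example's own wording, keyed by probe() status.
HINTS = {
    "open": "reachable",
    "dns-failure": "name does not resolve; check DNS",
    "timeout": "no answer; check firewall filtering and geo-restrictions",
    "refused": "connection rejected; check the port forwarding (destination NAT) target",
    "unreachable": "no route to host; check routing",
    "error": "unexpected socket error",
}


def probe(host, port, timeout=5.0):
    """Try one TCP connect and classify the result as a key of HINTS."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-failure"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        unreachable = (errno.EHOSTUNREACH, errno.ENETUNREACH)
        return "unreachable" if exc.errno in unreachable else "error"


def check(host, ports, timeout=5.0):
    """Probe every port on host; return {port: status}."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Usage: preflight.py outbound            (from the appliance's network)
    #        preflight.py inbound <hostname>  (from a host outside the firewall)
    if len(sys.argv) >= 3 and sys.argv[1] == "inbound":
        host, ports = sys.argv[2], INBOUND_PORTS
    else:
        host, ports = ACME_HOST, (443,)
    results = check(host, ports)
    for port, status in results.items():
        print(f"{host}:{port} {status} - {HINTS[status]}")
    sys.exit(0 if all(s == "open" for s in results.values()) else 1)
```

An inbound result only reflects the vantage point it was run from, so a geo-restriction can still block Let's Encrypt even when the check succeeds from one external host.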