SSL Certificates

The WBM on WAGO devices uses unsigned certificates, and requires the browser to allow an exception.
Has anyone found a way to install custom signed certificates to avoid this warning message?
If so, is there a service out there to manage/automate updating the certs on remote devices on a yearly basis (before they expire)?

Using http is not an option in some cases, because certain IT departments do not allow that any longer.

I am thinking something like Key Manager Plus over a VPN might be a solution…

On a related note, does anyone have instructions for creating SSL certificates using Lets Encrypt service?

1. Understanding Let’s Encrypt:

• Let’s Encrypt is a free and automated certificate authority (CA) that provides SSL/TLS certificates.
• It’s widely used for securing web servers, including IoT devices like your controller.

2. Prerequisites:

• Ensure you have a DNS-resolvable domain name that points to your controller’s public IP address. Let’s Encrypt will verify your domain ownership.
• You’ll need administrator access to your controller and the ability to install software.

3. Steps to Create Signed Certificates: a. Install Certbot:

• Certbot is a tool that simplifies the process of obtaining and renewing Let’s Encrypt certificates.
• Install Certbot on your local machine or a server that can communicate with your controller.b. Generate the Certificate:
• Run the following command to generate a certificate for your domain (replace <YOUR_EMAIL> and <your-domain.com> with your actual email and domain):

sudo certbot certonly \
  --manual --preferred-challenges dns \
  --email <YOUR_EMAIL> \
  --server https://acme-v02.api.letsencrypt.org/directory \
  -d <your-domain.com>

• Certbot will guide you through the DNS challenge process. You’ll need to create a DNS TXT record to prove domain ownership.c. Retrieve the Certificate Files:
• Certbot will save the certificate files (including the private key) in a directory (usually /etc/letsencrypt/live/<your-domain.com>).
• You’ll find files like cert.pem (certificate), privkey.pem (private key), and fullchain.pem (certificate chain).d. Configure Your Controller:
• Upload the certificate files to your controller.
• Configure your web server (e.g., Nginx, Apache) on the controller to use these certificates.
• Specify the paths to cert.pem and privkey.pem in your server configuration.e. Automate Certificate Renewal:
• Let’s Encrypt certificates expire after 90 days. Set up a cron job or systemd timer to automatically renew the certificates using Certbot:

sudo certbot renew

I dont think certbot will run on the WAGO Linux…

Hi Kurt,
There’s a docker version of certbot.
There are also a lot of ACME implementation :

I used acme.sh once.
But for all those solution note that you need an open https port and a DNS to be set up.
You can use CRON in order to update on a regular basis the certificates.
(Let’s encrypt certificates expires after 90 days)

Hello,

Has anyone successfully used Let’s Encrypt to generate and automatically update SSL certificates for OPC UA communication in a WAGO-based automation setup? If so, could you share any insights or recommendations on the process.

I’ve not tried with Let’s encrypt, and last time I tried with a PKI (self-signed certificate created with openssl) I wasn’t able to set it up. If you have any information I’m also interested !