Install IGEL Cloud Gateway (ICG) with Lets Encrypt

EUC
1

Installing the IGEL Cloud Gateway ( we will call it ICG from here on out), can be a daunting task, not because it is hard to install, it is because it relies heavily on secure certificates to be used during the install process. It is recommended to use a public Certificate Authority on your ICG, as they are trusted by most browsers out there today.

Me being so cheap, I wanted to see if there is a way I can leverage the free (trusted) certificates that are provided by Lets Encrypt. The site you are reading this post on is leveraging Lets Encrypt so we can serve all traffic securely over TLS (https://)

image

So, what do we need in order to get started?

  1. I am going to assume that you have the IGEL Universal Management Suite already installed, and configured correctly
  2. A server running a Linux OS. For this setup, I am going to create a pay as you go VPS to show the steps. In an enterprise environment, things would need to be configured with much more thought given to security (think DMZ, firewall rules, ports, etc).
  3. The binaries for the IGEL cloud gateway. This can be downloaded directly from the IGEL website. As of today, here is the link to the most current version (2.02.110)
  4. DNS A record pointing to the hostname of your ICG server.

As we are using Cloudflare for our DNS, it was a pretty straightforward exercise to add the needed A record which pointed to our VPS. We chose the hostname of icg.mybrokencomputer.net

image
image873×82 4.86 KB

Now we need to login to our Linux server to install the bits needed for Lets Encrypt to issue us some certificates

There are a few commands we need to run, and they should be run in this order.

sudo apt-get update
image

image

sudo apt-get install software-properties-common
image
image

sudo add-apt-repository ppa:certbot/certbot
image

image
image1025×103 4.59 KB

Hit enter to add
image
image1001×275 9.52 KB

sudo apt-get update
image
image

Now it is time to start adding the Lets Enncrypt software.

sudo apt-get install certbot
image
Now that it has been installed, we need to configure Lets Encrypt by running the install and answering a few questions.

sudo certbot certonly
image
image
We want to spin up temporary webserver (standalone), so we are going to choose option 1.
image
We are then offered the chance to enter an email address for urgent renewal issues of the cert. This is highly recommended in a production environment.

image
We then need to agree to the terms of service of using the Lets Encrypt server, so hit A to agree

image
You need to decide if you are willing to share your email address with the Electronic Frontier Foundation. A founding partner of the Let’s Encrypt project and the non-profit organization that develops Certbot.

Now we need to chose the domain that we plan to use for our IGEL Cloud Gateway. It is very important that you verify that your DNS is configured correctly, or this will fail. For our purposed, we are going to use icg.mybrokencomputer.net as our hostname
image
image

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for icg.mybrokencomputer.net
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/icg.mybrokencomputer.net/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/icg.mybrokencomputer.net/privkey.pem
    Your cert will expire on 2021-06-23. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: Additional Donation Information - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

Now we have the certs we need. To verify, navigate to /etc/letsencrypt/live/yourdomainname/ and you should see your certificates.

image
image890×160 5.67 KB

We need to get a copy of those certificates onto our local machine, as they will need to be imported to UMS. I use filezilla to get the certs, but you can use whatever method works for you!

There are four certificates in total, each names something unique. Here is the explanation of what they are.

privkey.pem : the private key for your certificate.
fullchain.pem: the certificate file used in most server software.
chain.pem : used for OCSP stapling in Nginx >=1.3.7.
cert.pem : will break many server configurations, and should not be used
without reading further documentation (see link below).

WARNING: DO NOT MOVE OR RENAME THESE FILES!
Certbot expects these files to remain in this location in order
to function properly!

We recommend not moving these files. For more information, see the Certbot
User Guide at User Guide — Certbot 2.12.0.dev0 documentation.

OK, so now we have the certs, time to head to the UMS to begin the process of actually installing ICG

In UMS go to UMS Administration, Cloud Gateway Options. Here are we are going to import our root certificate from the certs we just downloaded by clicking on this icon in the top right.
image

The first cert we need is chain.pem, so let’s import that.

image
image1012×97 3.94 KB

OK, that looks good. We now need to right click on that certificate and choose

Import Signed Certificate
We then browse to the certificate location and choose cert.pem

image
image747×441 14.1 KB

Our cert chain should now look like this.
image
The final step in the certificate process is to import the decrypted private key. So right click on the cert, and choose

Import Decrypted Private Key
We are going to choose privkey.pem

image
image720×440 15.7 KB

image

Now we are ready to export the keystore.icg file that the ICG appliance really needs. We need to right click on the certificate and choose
Export certificate chain to IGEL Cloud Gateway key store format

image
image711×355 9.27 KB

Save the cert somewhere that it is easy to locate, as we will need it shortly.

We now need to navigate to UMS Administration and chose IGEL Cloud Gateway and choose

Install new IGEL Cloudgateway

image
image1678×149 11.5 KB

If you see something similar to the below, then you are on the right track.

image
image618×651 14.9 KB

Click next to continue

Accept the IGEL license agreement

image
image612×650 22.7 KB

Now we need to provide credentials to our ICG server, and the path to the .bin file that we downloaded earlier.

image
image616×649 11.2 KB

Hit next, and we are off to the races!

image
image611×653 9.68 KB

image
image618×650 7.58 KB

49 seconds! Not bad.

image
image614×650 10 KB

Configure a proxy server if you have one.

image
image615×651 12.4 KB

After all that, we are done!

image
image748×238 21.1 KB

2

Hi Barry,

Thanks for a very useful tutorial.

One question, at the end of the process, you are exporting the keystore.icg file but then not importing it enywhere - is this step actually required for anything?

Regards,

3

Hey @dawidbbn thanks for bringing this to my attention. Let me get this spun up again, and I will update the article.