Let's Encrypt / ACME¶

WireBuddy includes a built-in ACME client for automatic SSL certificate management with Let's Encrypt.

Overview¶

The ACME module provides:

🔐 Automatic Certificates: Request and renew Let's Encrypt certificates
🔄 Auto-Renewal: Certificates renew automatically before expiry
📋 HTTP-01 Challenge: Domain validation via HTTP
🗂️ Certificate Management: View, download, and revoke certificates in the UI

Quick Setup¶

Prerequisites¶

Domain Name: Must point to your server's public IP
```
# Verify DNS
nslookup vpn.example.com
```

Port 80 Accessible: Let's Encrypt needs HTTP access for validation

# Test from external network
curl http://vpn.example.com/.well-known/acme-challenge/test

WireBuddy Running: Must be accessible on port 8000 (or configured port)

Enable ACME¶

Navigate to: Settings → ACME

Enable ACME: Toggle ON
Domain: Enter your domain (e.g., vpn.example.com)
Email: Contact email for Let's Encrypt notifications
Terms of Service: Accept Let's Encrypt ToS
Click Request Certificate

Certificate Issuance¶

Progress indicators:

Account Registration → Registering with Let's Encrypt
Order Creation → Requesting certificate
Challenge Setup → Preparing HTTP-01 challenge
Validation → Let's Encrypt checking domain
Certificate Issuance → Downloading certificate
Installation → Installing certificate

On success: ✅ Certificate issued and installed

HTTP-01 Challenge¶

WireBuddy validates domain ownership via HTTP-01 challenge:

How It Works¶

WireBuddy requests certificate from Let's Encrypt
Let's Encrypt provides a challenge token

WireBuddy serves token at:

http://yourdomain.com/.well-known/acme-challenge/TOKEN

Let's Encrypt fetches the URL to verify ownership
On success, certificate is issued

Reverse Proxy Configuration¶

If using a reverse proxy, ensure .well-known/acme-challenge passes through:

CaddyNginxTraefik

vpn.example.com {
    reverse_proxy localhost:8000
}

Caddy handles ACME automatically. Disable WireBuddy ACME if using Caddy's.

server {
    listen 80;
    server_name vpn.example.com;

    location /.well-known/acme-challenge/ {
        proxy_pass http://localhost:8000;
    }

    location / {
        return 301 https://$server_name$request_uri;
    }
}

# Traefik handles ACME automatically
# Use Traefik's ACME instead of WireBuddy's

Recommendation

For production, let your reverse proxy (Caddy, Traefik) handle ACME automatically. Use WireBuddy's ACME only if running directly exposed or reverse proxy doesn't support ACME.

Certificate Management¶

View Certificates¶

Settings → ACME → Certificates

Domain	Issued	Expires	Status	Actions
vpn.example.com	2026-03-01	2026-05-30	Valid	[Download] [Revoke]

Download Certificates¶

Click Download to get:

fullchain.pem - Certificate + intermediate certificates
privkey.pem - Private key (keep secure!)
cert.pem - Certificate only
chain.pem - Intermediate certificates only

Revoke Certificates¶

Click Revoke to invalidate a certificate immediately.

Use cases:

Private key compromised
Domain no longer used
Migrating to different certificate

Warning

Revoking a certificate will break HTTPS access until a new certificate is issued.

Automatic Renewal¶

WireBuddy automatically renews certificates 30 days before expiry.

Renewal Process¶

Check: Daily check for certificates expiring <30 days
Renew: Request new certificate using same process
Replace: Install new certificate
Reload: Reload web server (no downtime)
Notify: Log renewal (optional email notification in future)

Manual Renewal¶

Force renewal before automatic schedule:

Settings → ACME → [Select Certificate] → Renew Now

Troubleshooting¶

Challenge Failed¶

Error: Challenge validation failed

Causes:

Port 80 blocked: Firewall or ISP blocking HTTP

# Check if port 80 is accessible
curl http://yourdomain.com/.well-known/acme-challenge/test

DNS not pointing to server:

# Verify DNS
nslookup yourdomain.com
# Should match your server's IP

Reverse proxy misconfigured: Not forwarding .well-known/acme-challenge
WireBuddy not running on port 80 or proxy not forwarding

Solutions:

Open port 80 in firewall
Wait for DNS propagation (up to 48 hours)
Check reverse proxy configuration
Temporarily disable proxy and try direct

Rate Limits¶

Let's Encrypt has rate limits:

Limit	Value
Certificates per domain	50 per week
Failed validations	5 per hour
Duplicate certificates	5 per week

Error: too many certificates already issued

Solution: Wait one week or use a subdomain (e.g., vpn2.example.com)

Email Notifications Not Received¶

Let's Encrypt sends emails for:

Certificate expiry (if renewal fails)
Important announcements

If not receiving emails:

Check spam folder
Verify email in Settings → ACME → Email
Update email if outdated

Certificate Not Installing¶

Error: Certificate issued but installation failed

Solutions:

Check WireBuddy has write permissions to data/certs/

Check logs for errors:

docker compose logs wirebuddy | grep -i acme

Manually install certificate (see below)

Manual Certificate Installation¶

If automatic installation fails, install manually:

Download certificate files from UI

Copy to data/certs/:

cp fullchain.pem data/certs/yourdomain.com_fullchain.pem
cp privkey.pem data/certs/yourdomain.com_privkey.pem

Restart WireBuddy:
```
docker compose restart wirebuddy
```

Alternative: External ACME Client¶

If WireBuddy's ACME doesn't work, use an external client:

Certbot¶

# Install Certbot
sudo apt install certbot

# Request certificate (standalone mode)
sudo certbot certonly --standalone -d vpn.example.com

# Certificates stored in /etc/letsencrypt/live/vpn.example.com/

Then configure your reverse proxy to use those certificates.

Caddy¶

Caddy handles ACME automatically:

vpn.example.com {
    reverse_proxy localhost:8000
}

Run Caddy - it will automatically request and renew certificates.

Best Practices¶

Security¶

Keep private keys secure (never share privkey.pem)
Use strong file permissions:
```
chmod 600 data/certs/*_privkey.pem
```
Rotate certificates if private key compromised
Use HTTPS-only after certificate is installed

Monitoring¶

Monitor certificate expiry dates
Set up external monitoring (e.g., cron job checking expiry)
Enable renewal notifications (future feature)

Backup¶

Backup certificates:

tar czf certs-backup-$(date +%Y%m%d).tar.gz data/certs/

Store backup securely (encrypted).

Staging Environment¶

For testing, use Let's Encrypt staging:

Settings → ACME → Advanced → Use Staging

Benefits:

Higher rate limits
No impact on production rate limits
Useful for testing configuration

Staging Certificates

Staging certificates are not trusted by browsers (invalid certificate warning). Use only for testing.

Next Steps¶

Security Best Practices - HTTPS configuration
Configuration - Force HTTPS in WireBuddy
Reverse Proxy Setup - Production setup