How to use Let’s Encrypt on a Barracuda Email Security Appliance

The Barracuda Email Security Appliances are really good at blocking spam, and while you can use the built-in SSL certificate, it is not issued by a publicly trusted CA, so browsers and other mail servers will warn about it or refuse to validate it. A real certificate for your appliance fixes that.
In order to use Let’s Encrypt (www.letsencrypt.org) certificates, you will need a Linux system with certbot installed and set up. I won’t cover installing certbot, because that is already well documented all over the internet [and with all the different Linux versions and flavors, it varies]. For this post, we will assume you already have certbot installed on said Linux VM or server.
You will have to request the certificate manually. It looks like this:

In this case, I will use our Barracuda at barracuda.networkxfla.com as the example:

certbot -d barracuda.networkxfla.com --manual --preferred-challenges dns certonly

This requires you to make a change to DNS by adding a TXT record (certbot asks for it at _acme-challenge.<fqdn-barracuda-box>). Again, depending on whom you host your DNS with, you can ask them how best to add a TXT record. certbot will show you the exact name and value it wants added; add it, wait for the record to be visible from the outside, and then let certbot continue. Two caveats: because the challenge is completed by hand, certbot cannot renew this certificate on its own (unless you script the DNS update with --manual-auth-hook), and Let’s Encrypt certificates are valid for 90 days, so set a reminder and repeat the steps below at each renewal.

Let’s Encrypt stores all the files in the /etc/letsencrypt/live/<fqdn-barracuda-box> directory on the Linux box you ran certbot on. For example, in our case, you would find them under /etc/letsencrypt/live/barracuda.networkxfla.com/ . The files in live/ are symlinks to the current versions in /etc/letsencrypt/archive/, which is fine; openssl follows them.

Now comes the real magic: you will need openssl installed in order to create the PKCS#12 (.pfx) file:

/usr/bin/openssl pkcs12 -export -out /etc/letsencrypt/live/barracuda.networkxfla.com/barracuda-networkxfla-com.pfx -in /etc/letsencrypt/live/barracuda.networkxfla.com/cert.pem -inkey /etc/letsencrypt/live/barracuda.networkxfla.com/privkey.pem -certfile /etc/letsencrypt/live/barracuda.networkxfla.com/chain.pem -password pass:<somepasswordhere>

This takes cert.pem, privkey.pem and chain.pem and creates a PKCS#12 file the Barracuda will understand. Note that -password pass:<somepasswordhere> puts the password on the command line, where it lands in your shell history and is visible in the process list while openssl runs; if you would rather not, drop the option and let openssl prompt for it, or use -passout file:<path> with a file only you can read. You will then need to copy /etc/letsencrypt/live/barracuda.networkxfla.com/barracuda-networkxfla-com.pfx to a local PC you can access the Barracuda from via a web browser. Remember that the .pfx contains the private key, so treat it like one and delete the local copy once the upload is done.

Log in to the Barracuda and select ADVANCED -> SECURE ADMINISTRATION. In the middle of the page is “TRUSTED (Signed by a trusted CA)”. Under “Add File”, select the .pfx file we created above and upload it to the Barracuda. Once the cert is uploaded you will see where it needs a password. Click on the password field and enter the password used above. You can now click on the [USE] button to put the Let’s Encrypt cert into use.

In order to get SMTP to use the new Let’s Encrypt certificate, you will need to restart the Barracuda appliance. Afterwards, check both the admin web interface and SMTP (STARTTLS on port 25) from the outside to confirm they present the new certificate and the full chain.
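The whole procedure above, from the certbot request through building and sanity-checking the .pfx to verifying what the appliance serves after the reboot, as an added shell example. This is not code from the original post, nor from Barracuda or certbot; the function names, the pass.txt password file and the hostname barracuda.example.test are assumptions, and the one thing it does differently from the post’s one-liner is to read the export password from a file (-passout file:) instead of putting it on the command line.

```shell
#!/bin/sh
# Added example (not from the original post, Barracuda or certbot): the manual
# Let's Encrypt -> PKCS#12 -> Barracuda steps as reusable shell functions.
# Assumed inputs: a certbot "live" directory containing cert.pem, privkey.pem
# and chain.pem, and a file whose first line is the export password.
set -eu

# request_cert FQDN
# Step 1: the interactive certbot run (needs network and DNS access; not part
# of the offline test). certbot prints the _acme-challenge TXT value to add.
request_cert() {
    certbot certonly --manual --preferred-challenges dns -d "$1"
}

# build_pfx LIVE_DIR OUT_PFX PASS_FILE
# Step 2: bundle leaf cert + private key + issuing chain into a PKCS#12 file.
# The export password is read from PASS_FILE (-passout file:) rather than
# given on the command line, so it does not show up in `ps` or shell history.
build_pfx() {
    live="$1"; out="$2"; passfile="$3"
    for f in cert.pem privkey.pem chain.pem; do
        [ -r "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
    done
    [ -r "$passfile" ] || { echo "cannot read $passfile" >&2; return 1; }
    # Refuse a world-readable password file (POSIX find: -perm -004 means o+r).
    if [ -n "$(find "$passfile" -perm -004 -print)" ]; then
        echo "$passfile is world-readable; chmod 600 it first" >&2; return 1
    fi
    # The .pfx carries the private key: create it 0600. umask runs in a
    # subshell so the caller's umask is left alone.
    ( umask 077 && openssl pkcs12 -export \
        -in "$live/cert.pem" \
        -inkey "$live/privkey.pem" \
        -certfile "$live/chain.pem" \
        -passout "file:$passfile" \
        -out "$out" )
}

# pfx_subject OUT_PFX PASS_FILE
# Prints the subject of the leaf certificate in the bundle (-clcerts selects
# the certificate that matches the key), to confirm the right cert went in.
pfx_subject() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# pfx_cert_count OUT_PFX PASS_FILE
# Number of certificates in the bundle. Expect leaf + intermediate(s); a count
# of 1 means chain.pem was not included and clients will see a broken chain.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# check_served_cert FQDN
# Step 3, after the upload and reboot: confirm that the admin UI (443) and
# SMTP STARTTLS (25) both present the new certificate. Network-only.
check_served_cert() {
    host="$1"
    echo "== HTTPS admin UI ($host:443)"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
    echo "== SMTP STARTTLS ($host:25)"
    openssl s_client -connect "$host:25" -starttls smtp </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate
}

# Stand-alone use: sh thisfile.sh /etc/letsencrypt/live/<fqdn> out.pfx pass.txt
if [ "$#" -ge 3 ]; then
    build_pfx "$1" "$2" "$3"
    pfx_subject "$2" "$3"
    echo "certificates in bundle: $(pfx_cert_count "$2" "$3")"
fi
```

One caveat on the export itself: OpenSSL 3.x changed the default PKCS#12 encryption to AES with PBKDF2. If an older appliance firmware rejects the bundle, re-run the export with -legacy added to the openssl pkcs12 line, which produces the older format that pre-3.0 OpenSSL wrote by default.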

Granted, this is NOT fully automatic, and yes, you need to do the work by hand, but it’s not far off from what you would have to do to create a CSR and submit it to a CA to PURCHASE a cert. There’s talk about Barracuda supporting Let’s Encrypt, and I do hope they will, but until then, you have a manual way to do this.