Generate Let's Encrypt certificate from Endian GUI for non wildcard domain

Applies to Platform: UTM 5.1

Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

It's possible to generate certificate with Let's Encrypt directly from the Endian GUI. In order to accomplish that you must need to:

  • assure your firewall is up to date and your version of Endian OS is 5.1 or higher
  • DNS record type A that will associate your domain to your public IP
  • publish port 80 of your Endian appliance. No port forward on device behind the Endian appliance on port 80. The Endian must answer on all the request on port 80 directly

 Once all the above requirement are satisfied is possible to start with the certificate creation.


This tutorial is only valid for the generation of certificate with Let's Encrypt with non wildcard domain.

Certificate Creation

Navigate the GUI to the VPN > Certificates page.


Click on Add new certificate. In the new page select under the Action drop down menu the item with "Generate Let's Encrypt certificate".


The only mandatory fields are the Common name and the PKCS12 file password, with confirmation. All the other field are optional. In case one or more Subject alternative name is needed, is possible to select additional DNS/IP/mail and press Add for specify more.


The certificate common name you choose must match the DNS record you create.

Once all the field are set, press Add on the bottom of the form in order to save and generate the certificate

In case everything has been set in the correct way a confirmation message will be displayed on the board and the new certificate will be listed.


The certificate creation also create a new Certificate Authority that is automatically added to the available ones.


The created certificate will last for three months. At the ends of the three months an automatic script will try to renew the certificate. The renew will give three more months of validity but will works only if the requirements still satisfied. This mean that the Endian have the port 80 published and the DNS record type A is still pointing to your public IP address.


Is possible to see several information about the certificate by clicking onScreenshot_at_2018-10-31_10-38-35.png.





If the certificate creation fails, the possible causes are:

  • DNS record is not set correctly
  • the port 80 of the Endian is not published
  • incorrect common name entered

Please verify all those points and retry the creation.

In case of failure the GUI will show the following message:




Have more questions? Submit a request