10 days and 10 tips for Microsoft Tunnel Gateway: Day 6

Free TLS Certificates with Let’s Encrypt

Microsoft Tunnel requires a TLS certificate that is trusted by the connecting clients. It doesn’t have to be publicly trusted – an internal PKI cert works fine, as long as you deploy the root CA chain to devices via a Microsoft Intune Trusted Certificate profile.

In a lab, that’s extra work you can skip. Let’s Encrypt is free, already trusted by every iOS and Android device, and you can have a cert issued in under 10 minutes.

Lab/testing use only. Let’s Encrypt certs expire after 90 days, and with this manual approach every renewal means repeating the DNS challenge by hand. Don’t use this approach in production. Use internal PKI or a commercial cert with automated renewal instead.

Prerequisites:

  • A public DNS zone you control, with the ability to create/modify TXT records
  • Sudo access on the Ubuntu Tunnel server
  • Outbound internet access from the server (to reach Let’s Encrypt and apt repos)
  • An email address for Let’s Encrypt expiry notifications

Step 1 – Install certbot

sudo apt update
sudo apt install -y certbot

Step 2 – Request the certificate

sudo certbot certonly \
  --manual \
  --preferred-challenges dns \
  --key-type rsa \
  --rsa-key-size 2048 \
  --agree-tos \
  -m mab@imab.dk \
  --no-eff-email \
  -d tunnel.imab.dk

Step 3 – Complete the DNS challenge

certbot will display a token value and pause. Create a DNS TXT record at _acme-challenge.tunnel.imab.dk with that value.

Before pressing Enter, verify propagation from your Windows workstation:

nslookup -type=TXT _acme-challenge.tunnel.imab.dk 8.8.8.8
nslookup -type=TXT _acme-challenge.tunnel.imab.dk 1.1.1.1

Both resolvers must return the new value. Then press Enter to complete issuance.

Step 4 – Copy the certificate to Tunnel

sudo cp /etc/letsencrypt/live/tunnel.imab.dk/fullchain.pem /etc/mstunnel/certs/site.crt
sudo cp /etc/letsencrypt/live/tunnel.imab.dk/privkey.pem   /etc/mstunnel/private/site.key
sudo chmod 600 /etc/mstunnel/private/site.key

If the Tunnel server is already running, import the cert without reinstalling:

sudo mst-cli import_cert
sudo mst-cli server restart

Intune will reflect the updated tlsCert expiry within ~5 minutes of the restart.
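Before restarting the server in Step 4, it is worth confirming that the copied files are what Tunnel expects: that site.key actually matches site.crt, that the cert covers the tunnel hostname, that it is not about to expire, and that the key permissions are still 600. The script below is an added example (not from the post or from mst-cli) and assumes OpenSSL 1.1.1 or newer and GNU stat, i.e. a Linux host such as the Ubuntu Tunnel server.

```shell
#!/usr/bin/env bash
# Added example: sanity-check the cert/key pair before "mst-cli server restart".
# Usage: ./check_tunnel_cert.sh /etc/mstunnel/certs/site.crt /etc/mstunnel/private/site.key tunnel.imab.dk
set -u

# check_tunnel_cert CERT KEY HOSTNAME -> returns 0 if every check passes, 1 otherwise
check_tunnel_cert() {
  local cert="$1" key="$2" host="$3" rc=0
  local cert_pub key_pub mode

  # 1. The private key must belong to the certificate: compare the hashed public keys.
  #    fullchain.pem starts with the leaf cert, which is the one openssl x509 reads.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match $cert" >&2; rc=1
  fi

  # 2. The tunnel FQDN must appear as a DNS SAN (exact match, one entry per line).
  if ! openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
       | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qx "DNS:$host"; then
    echo "FAIL: $host is not in the certificate's subjectAltName" >&2; rc=1
  fi

  # 3. Let's Encrypt certs live 90 days; flag anything expiring within 14 days.
  if ! openssl x509 -in "$cert" -noout -checkend $((14 * 86400)) >/dev/null 2>&1; then
    echo "FAIL: $cert expires within 14 days" >&2; rc=1
  fi

  # 4. The private key must stay owner-only (the chmod 600 from Step 4). GNU stat assumed.
  mode=$(stat -c %a "$key" 2>/dev/null || echo "unknown")
  if [ "$mode" != "600" ]; then
    echo "FAIL: $key has mode $mode, expected 600" >&2; rc=1
  fi

  [ "$rc" -eq 0 ] && echo "OK: $cert and $key are ready for $host"
  return "$rc"
}

# Run the checks when called with the three arguments; safe to source otherwise.
if [ "$#" -eq 3 ]; then
  check_tunnel_cert "$1" "$2" "$3"
fi
```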
