Let's Encrypt behind firewall
DataIdeas-Josh
Member, Patron Provider
in Help
So, since Let's Encrypt doesn't publish their IPs or FQDN for their bot.
I don't want to really leave open port 80 to the full web.
What other ways have people found the best route to do this?
Comments
DNS validation. I use acme.sh personally.
https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
That would probably be the issue.
This machine I'm trying to do this on is a proxmox box and it has certbot.
ACME: you've got a script that is able to call the API of your nameservers to add text records,
so Let's Encrypt can validate and hand you over a valid cert.
For example.
https://github.com/acmesh-official/acme.sh
No idea if certbot can do that though.
Certbot with DNS challenges is the way to go.
I'd also recommend looking into the DNS Alias feature which allows you to use a secondary domain and not expose your primary domain's DNS API details.
You are reading under TLS-ALPN-01.
Stick to DNS-01 and you are fine.
I use ACME to call CF domain API from a box behind a fw to issue wildcard certs. ACME will handle the DNS validation, and the box is not exposed to the internet at all.
https://github.com/acmesh-official/acme.sh/wiki/dnsapi
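As an added example (not from this thread or the acme.sh project), here is a small wrapper around acme.sh's documented DNS-01 flags for the Cloudflare API, including the DNS alias mode mentioned a few posts up. The domain names, install paths and reload command are placeholders, and `$ACME` is assumed to be where acme.sh is installed; the dns_cf hook reads its credentials (`CF_Token`, `CF_Zone_ID`) from the environment.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or the acme.sh project: issue a wildcard
# cert over DNS-01 with acme.sh and the Cloudflare API, optionally in acme.sh's
# DNS alias mode so the API token only needs rights on a validation-only zone.
# Flags are acme.sh's documented ones; domains, paths and the reload command
# are constructed placeholders.
set -euo pipefail

ACME="${ACME:-$HOME/.acme.sh/acme.sh}"   # install location of acme.sh (assumption)

# Print, one per line, the arguments for an issue run. With an alias zone,
# acme.sh writes the validation TXT records to _acme-challenge.<alias>, so
# _acme-challenge.<domain> must already be a CNAME pointing at that name.
issue_args() {
  local domain="$1" alias="${2:-}"
  local -a args=(--issue --server letsencrypt --dns dns_cf -d "$domain" -d "*.$domain")
  if [ -n "$alias" ]; then
    args+=(--challenge-alias "$alias")
  fi
  printf '%s\n' "${args[@]}"
}

# Arguments for copying the issued files into place and reloading the daemon.
install_args() {
  local domain="$1" dest="$2" reload="$3"
  printf '%s\n' --install-cert -d "$domain" \
    --key-file "$dest/privkey.pem" \
    --fullchain-file "$dest/fullchain.pem" \
    --reloadcmd "$reload"
}

# Run acme.sh with the argument list produced by "$@" (one of the functions
# above plus its parameters); when acme.sh is not installed here, only show
# the command. The dns_cf hook reads CF_Token and CF_Zone_ID from the
# environment, so the credentials never appear on the command line.
run_acme() {
  local -a argv
  mapfile -t argv < <("$@")
  if [ -x "$ACME" ]; then
    "$ACME" "${argv[@]}"
  else
    printf 'would run: %s' "$ACME"; printf ' %q' "${argv[@]}"; echo
  fi
}

if [ -x "$ACME" ] && [ -z "${CF_Token:-}" ]; then
  echo "export a scoped CF_Token (and CF_Zone_ID) for the dns_cf hook first" >&2
  exit 1
fi
run_acme issue_args example.com acme-validation.example.net
run_acme install_args example.com /etc/ssl/example.com 'systemctl reload haproxy'
```

The alias zone is the part that limits blast radius: the token used by the box behind the firewall only needs to edit `acme-validation.example.net`, and the one-time CNAME in the real zone is the only thing that ties the two together.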
This is unrelated, but I had a similar situation with HAProxy and letsencrypt. I only have port 443 open and listened on by HAProxy to send traffic over TCP to my servers, with nothing on port 80.
After thinking about it for a while, I just ended up having HAProxy listen on 80 and redirect to https. Seems to work fine with letsencrypt at least.
Cloudflare tunnel would be good to solve your issue
Nginx Proxy Manager is also great
The issue is your domain provider. Someone like cloudflare has the most API support out of them all and it's trivial after getting your API credentials. With Namesilo, you often have to hack the script to delay longer than 15 minutes to validate since Namesilo updates every 15 instead of 0-5 minutes like better providers.
There's also just opening and closing the port using pre and post hooks or simply adding the commands to do that before/after in the cron renewal.
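As an added example of the pre/post hook approach (my own script, not from this thread or from certbot), here is a wrapper that opens port 80 only while certbot is actually renewing and closes it again afterwards, with a trap so the hole is closed even if certbot dies between the hooks. The iptables rule is a constructed minimal one and assumes an INPUT chain that otherwise drops port 80.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: keep port 80 closed except while certbot
# is actually renewing, using certbot's --pre-hook/--post-hook. Run as
#   renew-with-port80.sh renew        (e.g. from cron)
# The script calls itself as the hooks. The iptables rule is a constructed
# minimal one for a host whose INPUT chain otherwise drops port 80.
set -euo pipefail

FW="${FW:-iptables}"                        # firewall command (override for testing)
RULE=(INPUT -p tcp --dport 80 -j ACCEPT)    # inserted at the top of INPUT

# Insert the rule unless it is already present (-C checks without changing).
open_port80()  { "$FW" -C "${RULE[@]}" 2>/dev/null || "$FW" -I "${RULE[@]}"; }
# Delete the rule if present, so a half-finished earlier run leaves no hole.
close_port80() { if "$FW" -C "${RULE[@]}" 2>/dev/null; then "$FW" -D "${RULE[@]}"; fi; }

renew() {
  local self
  self="$(readlink -f "${BASH_SOURCE[0]}")"
  # certbot runs the pre-hook only when a cert is actually due and the
  # post-hook once afterwards; the trap covers certbot being killed between.
  trap close_port80 EXIT
  certbot renew --pre-hook "$self pre" --post-hook "$self post"
}

case "${1:-}" in
  pre)   open_port80 ;;
  post)  close_port80 ;;
  renew) renew ;;
  *)     echo "usage: $0 {pre|post|renew}" >&2 ;;
esac
```

Because certbot only fires the pre-hook when something is due, the port stays closed on the daily cron runs that do nothing; `-C` before `-I` keeps a retried run from stacking duplicate ACCEPT rules.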
Yeah, redirecting to 443 works fine.
From the documentation: "Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443."
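To make the quoted rule concrete, here is an added check (my own, not part of the thread or of Let's Encrypt's tooling) that tells you whether a redirect target, or a chain of them, stays within those constraints before you rely on an 80 to 443 redirect for HTTP-01. The sample URLs at the bottom are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: check whether a redirect (or a chain of
# them) from /.well-known/acme-challenge/ would be followed under the HTTP-01
# rules quoted above: at most 10 hops, http:// or https:// only, port 80 or
# 443 only. The sample targets at the bottom are constructed.
set -euo pipefail

# Accept a single redirect target only if its scheme is http/https and its
# port, explicit or implied by the scheme, is 80 or 443.
http01_target_ok() {
  local url="$1" scheme authority port
  local re='^([A-Za-z][A-Za-z0-9+.-]*)://([^/?#]*)(.*)$'
  [[ "$url" =~ $re ]] || return 1
  scheme="${BASH_REMATCH[1],,}"
  authority="${BASH_REMATCH[2]##*@}"          # drop any user:pass@
  if [[ "$authority" == \[*\]* ]]; then       # bracketed IPv6 literal
    port="${authority##*\]}"; port="${port#:}"
  else
    port="${authority##*:}"
    [ "$port" = "$authority" ] && port=""      # no explicit port
  fi
  case "$scheme" in
    http)  port="${port:-80}" ;;
    https) port="${port:-443}" ;;
    *)     return 1 ;;
  esac
  [ "$port" = 80 ] || [ "$port" = 443 ]
}

# Accept a chain of Location: targets, rejecting more than 10 hops.
http01_chain_ok() {
  [ "$#" -le 10 ] || return 1
  local u
  for u in "$@"; do
    http01_target_ok "$u" || return 1
  done
}

# Constructed sample: the usual 80 -> 443 redirect, and two that would not be followed.
for target in \
  'https://example.com/.well-known/acme-challenge/token' \
  'https://example.com:8443/.well-known/acme-challenge/token' \
  'ftp://example.com/token'; do
  if http01_target_ok "$target"; then echo "ok   $target"; else echo "skip $target"; fi
done
```

The non-obvious cases this catches are a proxy that redirects to an alternate HTTPS port and a redirect to a non-HTTP scheme; both fail validation even though the site itself works fine in a browser.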
For all my web servers, they're all running haproxy, so they all just forward to a dedicated locked-down small VM that only runs certbot. This config near the top allows certbot to connect on port 80, but everything else is redirected to HTTPS:
And at the end:
The mail servers don't run web servers, so on those I just have an iptables rule for port 80 from the host to the mail VM on port 80, which is only used briefly when certbot is running (directly on the mail server).
Use dns method for verification instead.
I use DNS verification as well.
best practice
acme.sh in standalone mode? Then your port 80 would only be open during the verification process....
See: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert