Let's Encrypt behind firewall

DataIdeas-Josh Member, Patron Provider

So, since Let's Encrypt doesn't publish the IPs or FQDN of their bot,
I don't really want to leave port 80 open to the full web.
What other ways have people found the best route to do this?

Comments

  • DNS validation. I use acme.sh personally.

    Thanked by 2: Erisa, skorous
  • DataIdeas-Josh Member, Patron Provider

    That would probably be the issue.

    It’s not supported by Apache, Nginx, or Certbot, and probably won’t be soon.

    This machine I'm trying to do this on is a Proxmox box and it has certbot.

  • Neoon Community Contributor, Veteran
    edited January 2023

    With ACME you've got a script that is able to call the API of your nameservers to add text records,
    so Let's Encrypt can validate and hand you a valid cert.

    For example.
    https://github.com/acmesh-official/acme.sh

    No idea if certbot can do that though.

    Thanked by 1: yoursunny
  • tjn Member

    Certbot with DNS challenges is the way to go.
    I'd also recommend looking into the DNS Alias feature which allows you to use a secondary domain and not expose your primary domain's DNS API details.

  • @DataIdeas-Josh said:

    That would probably be the issue.

    It’s not supported by Apache, Nginx, or Certbot, and probably won’t be soon.

    This machine I'm trying to do this on is a Proxmox box and it has certbot.

    You are reading under TLS-ALPN-01.
    Stick to DNS-01 and you are fine.

  • I use ACME to call CF domain API from a box behind a fw to issue wildcard certs. ACME will handle the DNS validation, and the box is not exposed to the internet at all.

    https://github.com/acmesh-official/acme.sh/wiki/dnsapi

    Thanked by 1: yoursunny
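What the DNS-01 validation recommended in the posts above actually checks, including the wildcard case from this post and the DNS alias (CNAME) mode tjn mentioned, as an added example that is not code from the thread or from acme.sh; the token, thumbprint and zone data are constructed stand-ins, not real Let's Encrypt values:

```python
import base64
import hashlib

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME (RFC 8555) encodes it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def key_authorization(token: str, account_thumbprint: str) -> str:
    """keyAuthorization = token '.' base64url(JWK thumbprint of the ACME account key)."""
    return f"{token}.{account_thumbprint}"

def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """TXT value the CA looks for: base64url(SHA-256(keyAuthorization))."""
    key_auth = key_authorization(token, account_thumbprint).encode("ascii")
    return b64url(hashlib.sha256(key_auth).digest())

def challenge_name(identifier: str) -> str:
    """A wildcard identifier *.example.com is validated at the base domain."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"

def resolve_txt(name: str, zone: dict, max_hops: int = 8) -> set:
    """TXT records for name, following CNAMEs like a resolver. This is what makes
    alias mode work: the client only ever holds the API key of the CNAME target zone."""
    for _ in range(max_hops):
        rr = zone.get(name.lower().rstrip("."))
        if rr is None:
            return set()
        if "CNAME" in rr:
            name = rr["CNAME"]
            continue
        return set(rr.get("TXT", []))
    return set()  # CNAME loop or chain too long: treat as not found

def validate_dns01(identifier: str, token: str, thumbprint: str, zone: dict) -> bool:
    """The CA-side check: the expected value must be among the TXT records."""
    expected = dns01_txt_value(token, thumbprint)
    return expected in resolve_txt(challenge_name(identifier), zone)

# Constructed sample data (not real Let's Encrypt values).
TOKEN = "constructed-token-Uxu4LzXMxHwjkVn0ZRzV"
THUMBPRINT = "constructed-thumbprint-c8V2pQ7mLKr5T1aH"
ZONE = {
    # plain DNS-01: the TXT record sits in the primary zone
    "_acme-challenge.example.com": {"TXT": [dns01_txt_value(TOKEN, THUMBPRINT)]},
    # alias mode: the primary zone only carries a static CNAME to a sacrificial zone
    "_acme-challenge.example.net": {"CNAME": "_acme-challenge.alias.example.org"},
    "_acme-challenge.alias.example.org": {"TXT": [dns01_txt_value(TOKEN, THUMBPRINT)]},
}
```

Nothing here needs port 80: the CA only queries public DNS, so the box holding the private key stays unreachable, and with alias mode a leaked API credential only lets an attacker edit the sacrificial zone.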
  • This is unrelated, but I had a similar situation with HAProxy and letsencrypt. I only have port 443 open and listened on by HAProxy to send traffic over TCP to my servers, with nothing on port 80.

    After thinking about it for a while, I just ended up having HAProxy listen on 80 and redirect to https. Seems to work fine with letsencrypt at least.

  • Cloudflare tunnel would be good to solve your issue

  • Nginx Proxy Manager is also great

  • TimboJones Member
    edited January 2023

    @DataIdeas-Josh said:

    That would probably be the issue.

    It’s not supported by Apache, Nginx, or Certbot, and probably won’t be soon.

    This machine I'm trying to do this on is a Proxmox box and it has certbot.

    The issue is your domain provider. Someone like Cloudflare has the most API support out of them all, and it's trivial after getting your API credentials. With Namesilo, you often have to hack the script to delay longer than 15 minutes to validate, since Namesilo updates every 15 minutes instead of 0-5 minutes like better providers.

    There's also just opening and closing the port using pre and post hooks or simply adding the commands to do that before/after in the cron renewal.
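The pre/post-hook approach from this post, as an added example (not code from the thread): a helper certbot would call as `--pre-hook "/usr/local/sbin/acme-fw.py open" --post-hook "/usr/local/sbin/acme-fw.py close"`. The script path, the iptables CLI, the INPUT chain and the rule comment are assumptions; the `run` parameter exists so the logic can be exercised without touching a real firewall.

```python
#!/usr/bin/env python3
"""certbot --pre-hook / --post-hook helper: TCP/80 is accepted only while the
HTTP-01 challenge runs. Assumptions (not from the thread): the iptables CLI is
the firewall front end and INPUT otherwise drops port 80."""
import subprocess
import sys

IPTABLES = "iptables"
# The comment tags the rule so the post-hook deletes exactly what the pre-hook inserted.
RULE_SPEC = ["INPUT", "-p", "tcp", "--dport", "80",
             "-m", "comment", "--comment", "acme-http01", "-j", "ACCEPT"]

def check_cmd() -> list:
    return [IPTABLES, "-C"] + RULE_SPEC   # exit status 0 iff the rule exists

def insert_cmd() -> list:
    return [IPTABLES, "-I"] + RULE_SPEC   # insert at the top of INPUT

def delete_cmd() -> list:
    return [IPTABLES, "-D"] + RULE_SPEC

def open_port(run=subprocess.call) -> bool:
    """Pre-hook. Idempotent: if the rule is already present (an earlier run died
    before its post-hook) nothing is inserted. Returns True when port 80 is open."""
    if run(check_cmd()) == 0:
        return True
    return run(insert_cmd()) == 0

def close_port(run=subprocess.call, limit: int = 10) -> int:
    """Post-hook. certbot runs it after every attempt, successful or not, so the
    port closes either way. Deletes every matching copy (stale ones included)
    and returns how many rules were removed."""
    removed = 0
    while removed < limit and run(check_cmd()) == 0:
        if run(delete_cmd()) != 0:
            break
        removed += 1
    return removed

if __name__ == "__main__":
    action = sys.argv[1] if len(sys.argv) > 1 else ""
    if action == "open":
        sys.exit(0 if open_port() else 1)
    elif action == "close":
        close_port()
    else:
        sys.exit("usage: acme-fw.py open|close")
```

With the cron variant from the post the same two calls wrap `certbot renew`; the hooks are preferable because certbot only runs them when a renewal is actually attempted.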

  • @homeos said:
    This is unrelated, but I had a similar situation with HAProxy and letsencrypt. I only have port 443 open and listened on by HAProxy to send traffic over TCP to my servers, with nothing on port 80.

    After thinking about it for a while, I just ended up having HAProxy listen on 80 and redirect to https. Seems to work fine with letsencrypt at least.

    Yeah, redirecting to 443 works fine.

    From the documentation: "Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443."

    Thanked by 1: TimboJones
  • ralf Member
    edited January 2023

    For all my web servers, they're all running haproxy, so they all just forward to a dedicated locked-down small VM that only runs certbot. This config near the top allows certbot to connect on port 80, but everything else is redirected to HTTPS:

    acl url_certbot path_beg /.well-known/
    http-request redirect scheme https if !{ ssl_fc } !url_certbot
    use_backend certbot if url_certbot
    

    and at the end:

    backend certbot
      server certbot 192.168.x.x:8080
    

    The mail servers don't run web servers, so on those I just have an iptables rule for port 80 from the host to the mail VM on port 80, which is only used briefly when certbot is running (directly on the mail server).

  • Use dns method for verification instead.

  • I use DNS verification as well.

  • tuc Member

    @ralf said:
    For all my web servers, they're all running haproxy, so they all just forward to a dedicated locked-down small VM that only runs certbot. This config near the top allows certbot to connect on port 80, but everything else is redirected to HTTPS:

    acl url_certbot path_beg /.well-known/
    http-request redirect scheme https if !{ ssl_fc } !url_certbot
    use_backend certbot if url_certbot
    

    and at the end:

    backend certbot
      server certbot 192.168.x.x:8080
    

    The mail servers don't run web servers, so on those I just have an iptables rule for port 80 from the host to the mail VM on port 80, which is only used briefly when certbot is running (directly on the mail server).

    best practice :)

  • SGraf Member, Patron Provider

    @DataIdeas-Josh said:
    So, since Let's Encrypt doesn't publish the IPs or FQDN of their bot,
    I don't really want to leave port 80 open to the full web.
    What other ways have people found the best route to do this?

    acme.sh in standalone mode? Then your port 80 would only be open during the verification process...

    2) Standalone mode:

    If you don't have a web server, maybe you are on an SMTP or FTP server, port 80 is free. You can use standalone mode. acme.sh has a built-in standalone web server; it can listen on port 80 to issue the cert.

    acme.sh --issue -d example.com --standalone

    See: https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert
