Some links on using and updating Let’s Encrypt certificates for internal servers
Posted by jpluimers on 2022/02/01
Sometimes it is easier to have current, publicly trusted CA-signed TLS certificates for internal servers than to set up and maintain an internal CA and install its root certificate on all affected browsers and devices (including mobile phones).
One of my reasons to investigate this is that Chrome refuses to save credentials on servers that have no verifiable TLS certificate, see my post Some links on Chrome not prompting to save passwords (when Firefox and Safari do) about a week ago.
Below are some links for my link archive that hopefully will allow me to do this with Let’s Encrypt (most via [Wayback/Archive] letsencrypt for internal servers – Google Search):
- [Wayback/Archive] tls – Let’s Encrypt for intranet websites? – Information Security Stack Exchange: very interesting answers with quite different points of view. A great way to quickly get up to speed on this topic, including this important bit:
Let’s Encrypt – and publicly trusted certificate authorities in general, due to Chrome’s requirements – submit all issued certificates to public certificate transparency logs. As such, you should not expect your intranet (sub)domain name to remain secret if you obtain a certificate for it. Your intranet’s security shouldn’t be dependent on keeping its domain name secret anyway.
- [Wayback/Archive] Let’s Encrypt Server Certificate via DNS Challenge – DEV Community implementing the [Wayback/Archive] DNS-01 challenge. DNS-01 needs no inbound connectivity to the internal host at all, and it is the only challenge Let’s Encrypt accepts for wildcard names; a wildcard certificate also keeps the individual internal host names out of the Certificate Transparency logs mentioned above.
- [Wayback/Archive.is] acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol
- An ACME protocol client written purely in Shell (Unix shell) language.
- Full ACME protocol implementation.
- Support ACME v1 and ACME v2
- Support ACME v2 wildcard certs
- Simple, powerful and very easy to use. You only need 3 minutes to learn it.
- Bash, dash and sh compatible.
- Purely written in Shell with no dependencies on python or the official Let’s Encrypt client.
- Just one script to issue, renew and install your certificates automatically.
- DOES NOT require root/sudoer access.
- Docker friendly
- IPv6 support
- Cron job notifications for renewal or error etc.
- [Wayback/Archive] Using Let’s Encrypt for internal servers – Philipp’s Tech Blog (in the meantime: to some 90 thousand!)
- [Wayback/Archive] Using Let’s Encrypt with internal web servers (without DNS challenge) | Andy Gock
TL;DR
- Use an internet-facing domain on an internal network; I normally use subdomains for this.
- Domain must have a DNS A record pointing to a public facing web server so Let’s Encrypt can find it for the [Wayback/Archive] HTTP-01 challenge. This can be served as an empty site or just as a 404 response.
- Remote VPS uses [Wayback/Archive] certbot to renew SSL certificates as normal.
- Use a script like [Wayback/Archive] renew-letsencrypt-certificates.sh to copy the SSL certs from the remote machine to our local private machine. Run this as a cron job.
- [Wayback/Archive.is] renew-letsencrypt-certificates.sh
    # renew-letsencrypt-certificates.sh DOMAIN [EMAIL]
    #
    # Copy Let's Encrypt SSL certs from a remote public facing web server to local filesystem
    # Look for changes, if any change, restarts the web service
    # Useful for using Let's Encrypt with local internal servers, with custom DNS.
    # Working "mail" command needed for email alerts
- [Wayback/Archive.is] Corollarium/localtls: DNS server for providing TLS to webservices on local addresses: insecure as everyone on the local LAN can download public and private keys
- [Wayback/Archive.is] Here’s another free CA as an alternative to Let’s Encrypt!
…one of them being to manage certificates for all of my internal devices. My certificate management is nothing fancy, I just have a few bash scripts running via cron that obtain new certificates and deploy them locally on the server or SCP them to where they need to be on my network devices like my UniFi Dream Machine Pro or my UniFi Protect NVR. I’ve now added a random selection for which CA will be used so from now on, Let’s Encrypt won’t be my exclusive CA!

    #!/bin/bash
    set -e
    SERVERS=("zerossl" "letsencrypt" "buypass" "sslcom")
    /home/scott/acme.sh/acme.sh --issue --dns dns_cf -d homeassistant.scotthelme.co.uk --force --keylength ec-256 --server $(shuf -n1 -e "${SERVERS[@]}")

If you’re using Certificate Authority Authorisation then don’t forget to set the ssl.com value to let them issue certificates for your domain, but other than that, it’s easy!
- [Wayback/Archive] Internal SSL Certs with Let’s Encrypt
…
Here’s what you’ll need:
1. Register any DNS names that you’re generating certificates for and the entries need to point to public IP addresses that are accessible on TCP/443. However, the port only needs to be available while you’re requesting the certificate; it can be closed otherwise.
2. You’ll need a Linux system with nothing running on port 443 (or where you can temporarily stop the service using the port).
3. Finally, you’ll need the letsencrypt command; on Debian/Ubuntu it’s as simple as apt-get install letsencrypt.
…
I’ll walk through the process using this site – thesoloadmin.com – as an example.
1. Assuming letsencrypt is already installed, I’ll stop the webserver temporarily to request the cert: systemctl stop nginx
2. To renew all certificates located under /etc/letsencrypt/live you would use the renew flag. However, since I only want to renew a single certificate, I’ll be using the certonly flag (you would also use the certonly flag for a new certificate request). You’ll want to use the directory name under /etc/letsencrypt/live/ as the domain name to renew; e.g. mine is thesoloadmin.com, although the certificate contains alternate names for thesoloadmin.blog, thesoloadmin.org, thesoloadmin.info, and thesoloadmin.net. The command to renew a single certificate is simply: letsencrypt certonly -d thesoloadmin.com. You’ll be prompted to either start a temporary webserver or place files in the webroot directory; I always choose the temporary webserver option because it’s the easiest. The output from the command will be similar to the following:
…
It appeared later also as [Wayback/Archive] Internal SSL Certs with Let’s Encrypt – CodeProject.
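The links above hinge on three DNS-side facts that are easy to get wrong for an internal host name: the zone's CAA record must allow whichever CA ends up issuing (the ssl.com remark in Scott Helme's post; with four CAs picked at random, every one of them needs an entry), the HTTP-01 route needs the name to resolve to a public host that answers on port 80 (RFC 8555 §8.3 validates over plain HTTP on port 80; the TCP/443 in the quoted thesoloadmin steps dates from the TLS-SNI-01 challenge, which Let’s Encrypt retired in 2019), and the DNS-01 route needs a TXT record at _acme-challenge.<name> whose value is derived from the challenge token and the ACME account key. The script below is an added example written for this post, not code from any of the linked pages nor from acme.sh or certbot. It computes those values offline from constructed input (the JWK coordinates, the token and the CAA record set are placeholders, not a real key or zone) so a zone can be checked before, or a failed validation debugged after, running the real client. The CAA issuer names for ZeroSSL (sectigo.com) and Buypass (buypass.com) are my assumption from those CAs' documentation; verify them against the CA's current CAA guidance before relying on them.

```python
"""Offline helpers for the DNS side of an ACME issuance (added example).

Assumptions, none of which come from the linked posts:
- CAA follows RFC 8659, simplified to the issue/issuewild tags and the
  critical flag; walking up to the closest ancestor that has CAA records
  is left to the resolver step and is assumed to be done already.
- Challenge values follow RFC 8555 (section 8.3 HTTP-01, 8.4 DNS-01); the
  account-key thumbprint follows RFC 7638.
- Every token, key coordinate and record set below is a constructed
  placeholder, not real key material.
"""
import base64
import hashlib
import json

# CAA issuer-domain per acme.sh --server name. letsencrypt.org and ssl.com are
# documented by those CAs; sectigo.com (ZeroSSL) and buypass.com are assumptions.
CAA_ISSUER = {
    "letsencrypt": "letsencrypt.org",
    "sslcom": "ssl.com",
    "zerossl": "sectigo.com",
    "buypass": "buypass.com",
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: hash only the required public members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """What HTTP-01 serves verbatim at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """What DNS-01 expects in the TXT record at _acme-challenge.<name>."""
    keyauth = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(keyauth).digest())


def challenge_records(name: str, token: str, account_jwk: dict) -> dict:
    """Both publication targets for one identifier, side by side."""
    wildcard = name.startswith("*.")
    host = name[2:] if wildcard else name
    return {
        # Let's Encrypt offers only DNS-01 for wildcard names, so no HTTP-01 target.
        "http01_url": None if wildcard else f"http://{host}/.well-known/acme-challenge/{token}",
        "http01_body": None if wildcard else key_authorization(token, account_jwk),
        "dns01_name": f"_acme-challenge.{host}",
        "dns01_value": dns01_txt_value(token, account_jwk),
    }


def caa_permits(caa_rrset, ca_domain: str, wildcard: bool = False) -> bool:
    """Simplified RFC 8659 decision for one RRset of (flags, tag, value) tuples."""
    if any(flags & 0x80 and tag not in KNOWN_TAGS for flags, tag, _ in caa_rrset):
        return False                        # unknown critical property: must not issue
    issue = [v for _, t, v in caa_rrset if t == "issue"]
    issuewild = [v for _, t, v in caa_rrset if t == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True                         # no issue/issuewild restriction recorded
    # value is "<issuer-domain>[; parameters]"; an empty issuer-domain forbids every CA
    issuers = {v.split(";", 1)[0].strip().lower() for v in relevant}
    return ca_domain.lower() in issuers


# Constructed placeholders for a homelab host (not a real zone, key or token).
SAMPLE_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
                      "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
                      "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_CAA = [(0, "issue", "letsencrypt.org"),
              (0, "issue", "ssl.com"),
              (0, "iodef", "mailto:security@example.com")]


def preflight(name, token, account_jwk, caa_rrset, servers):
    """Which acme.sh --server names may issue here, and what to publish for the name."""
    wildcard = name.startswith("*.")
    return {
        "allowed_servers": [s for s in servers
                            if caa_permits(caa_rrset, CAA_ISSUER[s], wildcard)],
        "records": challenge_records(name, token, account_jwk),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(preflight("esxi.example.com", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK,
                            SAMPLE_CAA, ["zerossl", "letsencrypt", "buypass", "sslcom"]))
```

With the sample CAA set, only letsencrypt and sslcom survive the preflight, which is exactly the failure Scott Helme's random selection would hit for zerossl and buypass until their issuer domains are added. The DNS-01 value is what the CA computes itself from the token it handed out and the thumbprint of the account key in your ACME client (acme.sh keeps it under its home directory), so if a validation fails with a TXT mismatch, recompute it from those two inputs and compare against what `dig TXT _acme-challenge.<name>` actually returns, remembering that the record has to be visible on the public resolvers, not only on the internal DNS.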
Since I need this for ESXi:
- [Wayback/Archive.is] Let’s Encrypt SSL for ESXi
- [Wayback/Archive.is] Lets Encrypt and ESXi : homelab showing ESXi stores certificate information in /etc/vmware/ssl/rui.{key,crt}, holding the private key and the full chain respectively.
- [Wayback/Archive] ESXi certificate using Let’s Encrypt – Server – Let’s Encrypt Community Support: consensus is to obtain the certificate from outside ESXi, then transfer it using SSH/SCP.
- [Wayback/Archive] Wildcard certificate from Let’s Encrypt with CloudFlare DNS using the dns-01 challenge; this should also work with other DNS providers having a DNS API, like GoDaddy or others from List of managed DNS providers – Wikipedia.
- [Wayback/Archive.is] WayBack: LetsEncrypt Certificates for vCenter and PSC – Niner – AussieVoIP Wiki
- Via [Wayback/Archive] [ESX 6.7] Certificaat Web Client – Professional Networking & Servers – GoT, on the 9r.com.au subdomains, of which the services seem to have vanished.
- [Wayback/Archive] Let’s Encrypt ESXi VPS – Comprofix: seems outdated
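Putting the ESXi links together: obtain the certificate on a management host with DNS-01 (acme.sh or certbot), push the private key to /etc/vmware/ssl/rui.key and the full chain to /etc/vmware/ssl/rui.crt over SSH, and restart hostd, which is what the community thread above recommends and what Andy Gock's copy script does for a web server. The script below is an added example written for this post, not code from the linked posts, from acme.sh or from VMware. It refuses to push anything hostd cannot load (a chain without its intermediate, more than one key block, a passphrase-protected key, since hostd cannot prompt for one), backs up the current pair on the host, and only then copies and restarts. Assumptions: SSH is enabled on the host with key-based root login, and `/etc/init.d/hostd restart` followed by `/etc/init.d/vpxa restart` is the restart sequence (vpxa only matters when vCenter manages the host). The PEM texts in the script are constructed stand-ins with valid framing and no real certificate or key bytes.

```python
"""Stage and push a Let's Encrypt certificate to an ESXi host (added example).

Assumptions (not from the linked posts): SSH enabled on the host, key-based
root login, hostd and vpxa restarted through their init scripts. Remote paths
and the restart command are constants so they can be adjusted per release.
"""
import hashlib
import re
import subprocess
import sys

REMOTE_CRT = "/etc/vmware/ssl/rui.crt"   # full chain: leaf + intermediate(s)
REMOTE_KEY = "/etc/vmware/ssl/rui.key"   # unencrypted private key
RESTART = "/etc/init.d/hostd restart && /etc/init.d/vpxa restart"

# One PEM block: the BEGIN and END labels must match; the body is everything between.
_PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.S)
_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text: str) -> list:
    """[(label, body)] for every PEM block found in text, in file order."""
    return [(m.group(1), m.group(2)) for m in _PEM.finditer(text)]


def check_bundle(fullchain_pem: str, key_pem: str) -> list:
    """Problems that would make hostd reject the pair; an empty list means deployable."""
    problems = []
    certs = [b for label, b in pem_blocks(fullchain_pem) if label == "CERTIFICATE"]
    if len(certs) < 2:
        problems.append(f"rui.crt needs the leaf plus its intermediate(s), "
                        f"found {len(certs)} certificate block(s)")
    keys = pem_blocks(key_pem)
    if len(keys) != 1:
        problems.append(f"rui.key must hold exactly one PEM block, found {len(keys)}")
    else:
        label, body = keys[0]
        # PKCS#8 encrypted keys say so in the label; legacy PEM puts it in a header line.
        if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("rui.key is passphrase-protected; hostd needs an unencrypted key")
        elif label not in _KEY_LABELS:
            problems.append(f"rui.key holds a {label!r} block, not a private key")
    return problems


def fingerprint(pem_text: str) -> str:
    """SHA-256 over the file bytes, comparable with `sha256sum` output on the host."""
    return hashlib.sha256(pem_text.encode("ascii")).hexdigest()


def deploy_commands(host: str, fullchain_path: str, key_path: str, user: str = "root") -> list:
    """The exact ssh/scp invocations, in order: back up, copy, lock down, restart."""
    target = f"{user}@{host}"
    return [
        ["ssh", target, f"cp {REMOTE_CRT} {REMOTE_CRT}.bak && cp {REMOTE_KEY} {REMOTE_KEY}.bak"],
        ["scp", fullchain_path, f"{target}:{REMOTE_CRT}"],
        ["scp", key_path, f"{target}:{REMOTE_KEY}"],
        ["ssh", target, f"chmod 0600 {REMOTE_KEY} && {RESTART}"],
    ]


def deploy(host: str, fullchain_path: str, key_path: str,
           run=subprocess.run, read=None) -> list:
    """Validate locally, then run the commands; returns what ran (nothing on refusal)."""
    read = read or (lambda path: open(path, encoding="ascii").read())
    problems = check_bundle(read(fullchain_path), read(key_path))
    if problems:
        print("refusing to deploy: " + "; ".join(problems), file=sys.stderr)
        return []
    cmds = deploy_commands(host, fullchain_path, key_path)
    for cmd in cmds:
        run(cmd, check=True)
    return cmds


# Constructed stand-ins with PEM framing only (no real certificate or key bytes).
SAMPLE_LEAF = "-----BEGIN CERTIFICATE-----\nTEFFQUY=\n-----END CERTIFICATE-----\n"
SAMPLE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n"
SAMPLE_FULLCHAIN = SAMPLE_LEAF + SAMPLE_INTERMEDIATE
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n"
SAMPLE_KEY_PKCS8_ENC = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nS0VZ\n"
                        "-----END ENCRYPTED PRIVATE KEY-----\n")
SAMPLE_KEY_LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                         "DEK-Info: AES-256-CBC,0123456789ABCDEF\n\nS0VZ\n"
                         "-----END RSA PRIVATE KEY-----\n")


if __name__ == "__main__":
    # usage: python3 deploy_esxi_cert.py esxi.example.com fullchain.pem privkey.pem
    host, crt, key = sys.argv[1:4]
    for cmd in deploy(host, crt, key):
        print("ran:", " ".join(cmd))
```

Run it from cron after the ACME client's renewal (acme.sh keeps fullchain.cer and the .key file under its per-domain directory, certbot under /etc/letsencrypt/live/<name>/), and compare `fingerprint()` of the local fullchain with `sha256sum /etc/vmware/ssl/rui.crt` over ssh first so unchanged certificates do not trigger a hostd restart every night. The backup step matters on ESXi because a bad rui.key leaves the host without a working management interface until the pair is restored from the console.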
–jeroen