Adding a Let's Encrypt server in an offline network


#1

@jsha Hey there guys, I am trying to add Let’s Encrypt to SNET, an offline network being run in Havana, Cuba. Since the network is not connected to the Internet, due to the lack of infrastructure and the expensive price of Internet connectivity, the certificates being used in it are self-signed. This is not a pretty-looking picture, I know. I might need help from you from time to time.

Pardon my grammar; English isn’t my native language.


#2

Hi @edopujol, it’s possible to get a certificate for a machine that isn’t reachable from the Internet using the DNS challenge method, as long as you can make changes to the DNS records for the domain in question. For example, if you wanted a certificate for server.example.cu but that machine wasn’t connected to the Internet, if you could create a DNS record for _acme-challenge.server.example.cu when requested by the certificate authority, you could obtain that certificate.

If that’s possible, it should work and there are several pieces of client software you could use to do this. If not, there’s probably no validation method that you can use to prove your control over the names in the certificate to Let’s Encrypt, so Let’s Encrypt will probably not be able to issue you the certificate that you need. (Another CA might be able to do so, for example using e-mail validation to the domain registration contacts that are listed in the whois database. But Let’s Encrypt doesn’t support this kind of validation.)
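The DNS challenge described above, as an added example (not code from this thread, from Let’s Encrypt or from Boulder): what the ACME client for server.example.cu has to publish at _acme-challenge.server.example.cu, and the comparison the CA’s validator makes once it has resolved that name. The computation follows RFC 8555 section 8.4 (key authorization, then SHA-256, then base64url) and RFC 7638 (account key thumbprint); the account keys, the challenge token and the resolver answers are constructed for the example and are not real key material.

```python
"""DNS-01: what the client publishes and what the CA checks.

Added example for the thread; the JWKs, token and TXT answers are constructed.
"""
import base64
import hashlib
import json

CHALLENGE_LABEL = "_acme-challenge"

# Constructed account key (kty/n/e are the members RFC 7638 hashes for RSA;
# "alg" is present only to show that extra members are ignored).
ACCOUNT_JWK = {"kty": "RSA", "alg": "RS256", "e": "AQAB",
               "n": "yJXOLyOmtc6LzB3Q0JIRYKuE5cVcYB5VIu-8_6sIdeNFkhK3hYi3bc8"}
# A second constructed key, e.g. another SNET admin's account.
OTHER_JWK = {"kty": "RSA", "e": "AQAB",
             "n": "0hmV3t0f6mkLXP9Wa2qS1_h6a7kNq8vJiq3w4z3o9HfbAfHzXk1QyMU"}
# Constructed challenge token, as the CA would hand it out in the challenge object.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys in lexical
    order, no whitespace. Extra members such as "alg" or "kid" are dropped."""
    required = {"RSA": ("e", "kty", "n"),
                "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token '.' thumbprint: binds the challenge to one ACME account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record_name(identifier: str) -> str:
    """Name the client must create a TXT record under."""
    return f"{CHALLENGE_LABEL}.{identifier.rstrip('.')}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record contents: base64url(SHA-256(key authorization)), 43 chars."""
    key_auth = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(key_auth).digest())


def validate_dns01(token: str, account_jwk: dict, txt_records: list) -> bool:
    """The validator's side: after resolving the TXT RRset, any record whose
    value matches passes. Unrelated TXT records at the same name (stale
    challenges, SPF text) are ignored rather than treated as a failure."""
    expected = dns01_txt_value(token, account_jwk)
    return any(record == expected for record in txt_records)


if __name__ == "__main__":
    name = dns01_record_name("server.example.cu")
    value = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    print(f'{name}. IN TXT "{value}"')
    # Constructed answer from the resolver the CA uses for validation.
    answers = ["v=spf1 -all", value]
    print("validation passes:", validate_dns01(TOKEN, ACCOUNT_JWK, answers))
    # Same token, different account key: the published value does not match.
    print("other account passes:", validate_dns01(TOKEN, OTHER_JWK, answers))
```

The record value depends on the account key as well as the token, which is why a second party who sees the token in DNS cannot reuse it: validation only succeeds for the account that requested the challenge. The other prerequisite from the post still holds: the resolver the CA uses for this lookup has to be able to reach the zone, so for a CA inside SNET it must be an SNET resolver.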


#3

Thanks for the heads-up.


#4

Hi @edopujol,

Welcome to the Let’s Encrypt community! @jhalderm mentioned that you might be interested in running your own CA within SNET. You may be able to make use of Boulder, the server software we use to run Let’s Encrypt. If you’re interested, there are setup instructions to run it locally at https://github.com/letsencrypt/boulder/. Note that in order to run Boulder as a “real” CA (not local test mode), you will need to edit the default va.json config file (https://github.com/letsencrypt/boulder/blob/master/test/config/va.json) to change the dnsResolver setting to point to a DNS resolver within SNET. You will also want to remove the portConfig section of that config.

Feel free to post any questions you have!
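The two edits the post asks for in va.json, as an added example script (not part of the thread or of Boulder): set dnsResolver to a resolver inside SNET and delete the portConfig section, with a check that the resolver address is one other hosts can actually reach. SAMPLE_VA_JSON is a constructed, trimmed stand-in for Boulder’s test/config/va.json: the key names "va", "dnsResolver" and "portConfig" are the ones the post mentions; the rest of the layout and values are assumed.

```python
"""Adapt Boulder's test va.json for a private CA on an isolated network.

Added example; SAMPLE_VA_JSON is a constructed stand-in, not the real file.
"""
import ipaddress
import json
import sys

# Constructed stand-in for test/config/va.json (layout assumed).
SAMPLE_VA_JSON = """{
  "va": {
    "userAgent": "boulder",
    "dnsResolver": "127.0.0.1:8053",
    "portConfig": {"httpPort": 5002, "httpsPort": 5001, "tlsPort": 5001},
    "dnsTimeout": "10s"
  }
}"""


def check_resolver(addr: str) -> None:
    """Require host:port with a literal IP that is neither loopback nor
    unspecified: a loopback resolver only works on the VA host itself."""
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"resolver must be host:port, got {addr!r}")
    ip = ipaddress.ip_address(host.strip("[]"))
    if ip.is_loopback or ip.is_unspecified:
        raise ValueError(f"resolver {addr!r} is not reachable from other hosts")


def adapt_va_config(text: str, resolver: str) -> dict:
    """Point the VA at an in-network resolver and drop the test-only
    portConfig section so validation uses the standard ports."""
    check_resolver(resolver)
    cfg = json.loads(text)
    va = cfg["va"]
    va["dnsResolver"] = resolver
    va.pop("portConfig", None)
    return cfg


def render(cfg: dict) -> str:
    return json.dumps(cfg, indent=2) + "\n"


if __name__ == "__main__":
    # Usage: adapt_va.py <resolver host:port> [path/to/va.json]
    # With no path the constructed sample is used, so the script runs offline.
    resolver = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.53:53"
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as f:
            source = f.read()
    else:
        source = SAMPLE_VA_JSON
    sys.stdout.write(render(adapt_va_config(source, resolver)))
```

Run it against the real file and write the output back only after looking at the diff; the sample here covers just the two keys named in the post, and a real config may carry other test-only settings worth reviewing before the CA goes into service.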


#5

Thanks for the input. I was talking with @jhalderm a few hours ago; I already have all the files needed. I am going to tweak the files and try to run it on the SNET, and will let you know how it went.


#6

Oh, I think I misunderstood what you were looking for. Based on @jsha’s reply it seems that you want to replicate the technology of Let’s Encrypt to make your own certificate authority within SNET. I was thinking that you wanted to have the existing Let’s Encrypt service issue certificates that users’ browsers would trust automatically, but for servers that are not regularly connected to the public Internet and that can’t be reached from outside of SNET.

I guess that both of these are possible (if the servers are using a domain name that you or their administrators control), but @jsha’s reply suggests that you’re looking for having your own CA, which would also require the SNET users to modify their web browsers by importing and trusting the CA’s root certificate.

Either way, good luck, and we’re happy to help you.


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.