I need to install LE on a very secure server that doesn’t allow outside access.
Is it possible to add a UFW rule that will allow LE without having to open up the whole server on ports 80 and 443?
Thanks for your help
Lux
Yes and no. There’s no UFW rule, however you could instead opt for the DNS challenge type that doesn’t require Let’s Encrypt to connect to your server at all. As long as you’re able to update TXT records for your domain, you should be good to go.
I’ll have to read up on the DNS challenge. What about auto updates? Will they still pass through?
Thanks
Lux
I tried to install it by opening up the whole server and it worked fine.
I then tried to test it by reinstalling it and adding the --preferred-challenges dns certonly but got this message…
“None of the preferred challenges are supported by the selected plugin”
I’m on Debian 8 which is why I was using the webroot authenticator…
sudo certbot --authenticator webroot --installer apache
--webroot-path '/var/www/html' -d 'xxx.com' --preferred-challenges dns certonly
Am I doing something wrong or is it just a limitation with Debian 8?
Thanks
Lux
Hi @luxint
dns challenge means that you have to create a new dns txt entry
_acme-challenge.yourdomain.com
with a special value. So this is incompatible with --authenticator webroot. Your dns provider should support an API, so you can automate that. And you need a compatible certbot plugin.
Or check acme.sh, that client has a lot of dns plugins.
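As an added illustration (not code from the thread, from certbot or from acme.sh), this is how the "special value" in the _acme-challenge TXT record is derived: the ACME client joins the challenge token and the thumbprint of its account key into a key authorization (RFC 8555 section 8.4), hashes that with SHA-256, and publishes the base64url result. The account key, token and domain below are constructed placeholders; the last function checks the output of a `dig +short TXT` query against the expected value, which is the check to run before telling the CA to validate, and it works offline here because the dig output is also constructed.

```python
# Added example: compute and verify a DNS-01 challenge TXT value.
# The JWK, token, domain and dig output are constructed placeholders.
import base64
import hashlib
import json
from typing import Dict, Tuple

# Constructed RSA public JWK; only its canonical form is hashed, so the
# modulus here is a stand-in, not a real key.
CONSTRUCTED_JWK: Dict[str, str] = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "placeholder-modulus-base64url",
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the
    required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, jwk: Dict[str, str]) -> Tuple[str, str]:
    """Return (record name, TXT value) the client must publish for DNS-01.

    key_authorization = token || "." || thumbprint(account key)
    TXT value         = base64url(SHA-256(key_authorization))
    """
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    txt_value = b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())
    return f"_acme-challenge.{domain}", txt_value


def txt_record_matches(dig_output: str, expected: str) -> bool:
    """Parse `dig +short TXT <name>` output (one quoted string per line,
    old challenge values may still be present) and report whether any
    published value equals the expected one."""
    published = {line.strip().strip('"')
                 for line in dig_output.splitlines() if line.strip()}
    return expected in published


if __name__ == "__main__":
    name, value = dns01_record("example.com", "constructed-token", CONSTRUCTED_JWK)
    print(f"publish TXT {name} = {value}")
    # Constructed dig output: a stale value from a previous run plus ours.
    fake_dig = f'"oldvalue-from-last-renewal"\n"{value}"\n'
    print("record visible:", txt_record_matches(fake_dig, value))
```

Nothing in this flow requires an inbound connection: the client talks outbound to the CA and to the DNS provider's API, and the CA reads the TXT record from public DNS, which is why the server's own ports 80 and 443 can stay closed.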
Thanks for the acme.sh recommendation. That definitely makes the whole thing easier
So the certificate is installed and the cron is active but I’m still not clear if it will be able to update with the limited access I have on the server. I’ve blocked virtually ALL outside traffic.
Any ideas if the cron/update will actually work with such a set up?
Thanks
Lux
As long as your server can initiate outgoing connections to the internet, or at least to Let’s Encrypt and your DNS provider, then it should be fine. There won’t be any incoming connections to handle.
Thanks for the help. I guess it should be OK then.
Lux
Did you run acme.sh on this server, so acme.sh was able to install the certificate?
Then it works.