Any way to "proxy" certificate renewal through another machine?

Hello. We currently create LetsEncrypt certificates using a DNS challenge. We do not want every machine to be able to make DNS changes, so what we have been doing is having one locked down machine requesting and renewing the certificates, then using Puppet to distribute them.

What I'd really like to know is if there is instead some sort of ACME "proxy" where we can have each machine run certbot to request the certificate, but have the request happen on the central machine. Sort of like a private ACME server, but not using a private CA. I don't want to reinvent the wheel if something already exists that will do this.

Thank you.

1 Like

Have you looked into whether acme-dns could solve your problem?

6 Likes

That looks very promising. I'm going to give it a try and see how it goes. Thanks.

3 Likes

I think acme-dns is an elegant solution indeed. However, if you want something else: CNAME RRs are followed (that's also how acme-dns works) and also NS RRs could be used. If you have e.g. multiple BIND instances running with their own hostname, you could also redirect the _acme-challenge to a single BIND and use the RFC 2136 protocol (e.g. using the certbot-dns-rfc2136 plugin) to get a cert.

6 Likes
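The two suggestions above (acme-dns, and CNAME/NS delegation of `_acme-challenge` with RFC 2136 updates) rely on the same property of dns-01: the CA's validator follows CNAMEs, so the production zone only needs a static alias and the locked-down renewal host only needs write access to the delegated challenge zone. The following is an added simulation of that flow, written for this thread; it is not code from certbot, acme-dns or any poster. All names (`example.com`, `acme.example.net`, `web1`, `web2`, the `central-renewer` key) are hypothetical, the zones are in-memory dictionaries standing in for BIND/acme-dns, and `dynamic_update` is a stand-in for an RFC 2136 UPDATE guarded by a TSIG key scoped to one zone. Only the CNAME case is modelled; with NS delegation the validator would instead query a different authoritative server, but the trust boundary is the same.

```python
"""Simulated dns-01 delegation (example added to this thread; not certbot/acme-dns code).

Production zone (example.com) holds only static CNAMEs; the central renewal
host can update only the delegated zone (acme.example.net); the CA's
validator follows the CNAME and reads the TXT record there.
"""
import base64
import hashlib
from typing import Dict, List, Tuple

RRSet = List[Tuple[str, str]]  # (rtype, rdata) pairs for one owner name

# Hypothetical production zone: static, never written by the renewal host.
PRODUCTION_ZONE: Dict[str, RRSet] = {
    "_acme-challenge.web1.example.com.": [("CNAME", "web1.acme.example.net.")],
    "_acme-challenge.web2.example.com.": [("CNAME", "web2.acme.example.net.")],
}

# Hypothetical delegated challenge zone, the only zone the renewer may change.
CHALLENGE_ZONE: Dict[str, RRSet] = {}

# Stand-in for TSIG / acme-dns credentials: key id -> zone it may update.
UPDATE_KEYS = {"central-renewer": "acme.example.net."}


class UpdateRefused(Exception):
    """Raised when a key tries to write outside its delegated zone."""


def dynamic_update(key_id: str, name: str, txt: str) -> None:
    """Stand-in for an RFC 2136 UPDATE of a TXT record, ACL-checked by zone."""
    zone = UPDATE_KEYS.get(key_id)
    if zone is None or not (name == zone or name.endswith("." + zone)):
        raise UpdateRefused(f"{key_id!r} may not update {name}")
    CHALLENGE_ZONE[name] = [("TXT", txt)]


def lookup(name: str, rtype: str, max_cnames: int = 8) -> List[str]:
    """What the CA's validator does: follow CNAMEs (bounded) until a TXT is found."""
    for _ in range(max_cnames + 1):
        rrset = PRODUCTION_ZONE.get(name) or CHALLENGE_ZONE.get(name) or []
        wanted = [rdata for t, rdata in rrset if t == rtype]
        if wanted:
            return wanted
        cnames = [rdata for t, rdata in rrset if t == "CNAME"]
        if not cnames:
            return []
        name = cnames[0]  # alias: keep resolving at the target name
    return []  # CNAME chain too long or looping


def key_authorization_digest(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token "." thumbprint)), no padding."""
    key_authz = f"{token}.{thumbprint}".encode()
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def validate_dns01(domain: str, token: str, thumbprint: str) -> bool:
    """CA-side check: is the expected digest among the TXT records reachable via the CNAME?"""
    expected = key_authorization_digest(token, thumbprint)
    return expected in lookup(f"_acme-challenge.{domain}.", "TXT")


def renew_host(domain: str, token: str, thumbprint: str) -> bool:
    """Central renewer publishes the challenge for <domain> in the delegated zone,
    then the CA validates. Returns the validation outcome."""
    alias = lookup(f"_acme-challenge.{domain}.", "CNAME")
    if not alias:
        return False  # host was never delegated; renewer has nowhere to write
    dynamic_update("central-renewer", alias[0], key_authorization_digest(token, thumbprint))
    return validate_dns01(domain, token, thumbprint)


if __name__ == "__main__":
    print("web1 before publish:", validate_dns01("web1.example.com", "tok", "thumb"))
    print("web1 after renew_host:", renew_host("web1.example.com", "tok", "thumb"))
    try:
        dynamic_update("central-renewer", "_acme-challenge.web1.example.com.", "x")
    except UpdateRefused as exc:
        print("production zone write refused:", exc)
```

The point of the simulation is the ACL in `dynamic_update`: the renewal host's key cannot touch `example.com` at all, which is the same property you get from a TSIG key limited to the delegated zone in BIND's `update-policy`, or from acme-dns credentials that are only valid for one subdomain. The CNAME following in `lookup` is bounded and returns nothing on a loop, which is worth keeping in mind when chaining `_acme-challenge` aliases through several zones.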
