Auto Let's Encrypt Renewal on Private Network using Certbot

Dear Team,

We have a website (www.yyy.xxx.com) which is available online on the internet. We have created an SSL certificate using the website (yyy.xxx.com) and used it in the private network with the internal DNS (mapped to an internal IP address).

Is it possible to automate SSL using Certbot? Please advise.

Thanks
Kumar

One way or another, yyy.xxx.com needs to be in public DNS.

Either as a routable IP address for HTTP authentication (not suitable for you), or as a TXT record (_acme-challenge.yyy.xxx.com).

If you use a DNS host supported by a Certbot DNS plugin, or if you can write an authentication hook script that creates/updates that TXT record, you can automate renewal using the DNS challenge.

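As an added example (not part of the thread and not Certbot's own code), this is what the "authentication hook script that creates/updates that TXT record" mentioned above can look like when the public nameserver accepts RFC 2136 dynamic updates. Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to manual hooks; the nameserver name ns1.example.net, the key path /etc/letsencrypt/acme-update.key and the public resolver 1.1.1.1 are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): Certbot manual auth/cleanup hook that
# publishes the DNS-01 token as a TXT record via nsupdate (RFC 2136, TSIG-signed).
# Assumptions (hypothetical): the public nameserver is ns1.example.net, it
# accepts signed updates for the _acme-challenge names, and the TSIG key is in
# /etc/letsencrypt/acme-update.key. Override both with environment variables.
set -eu

DNS_SERVER="${DNS_SERVER:-ns1.example.net}"
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/acme-update.key}"
TTL=60

# Build the nsupdate script for one domain/token pair.
# $1 = add|delete, $2 = domain (CERTBOT_DOMAIN), $3 = token (CERTBOT_VALIDATION).
# The script is printed, not executed, so it can be inspected or piped.
acme_update_script() {
  action="$1"; domain="$2"; token="$3"
  case "$action" in
    add|delete) ;;
    *) echo "bad action: $action" >&2; return 1 ;;
  esac
  # Certbot passes the bare domain (no _acme-challenge prefix, no trailing
  # dot); make the challenge name fully qualified.
  name="_acme-challenge.${domain%.}."
  printf 'server %s 53\n' "$DNS_SERVER"
  if [ "$action" = add ]; then
    printf 'update add %s %s IN TXT "%s"\n' "$name" "$TTL" "$token"
  else
    # Delete only this value: a parallel validation for the same name (for
    # example a wildcard plus the base name) must not be wiped out.
    printf 'update delete %s IN TXT "%s"\n' "$name" "$token"
  fi
  printf 'send\n'
}

# Send the signed update, then (for add) wait until a public resolver can see
# the record, because Let's Encrypt validates against public DNS, not the
# internal nameserver.
run_hook() {
  action="$1"
  acme_update_script "$action" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" \
    | nsupdate -k "$TSIG_KEY"
  if [ "$action" = add ]; then
    i=0
    until dig +short @1.1.1.1 TXT "_acme-challenge.$CERTBOT_DOMAIN" \
        | grep -qF "$CERTBOT_VALIDATION"; do
      i=$((i + 1))
      [ "$i" -lt 30 ] || { echo "TXT record not visible after 5 minutes" >&2; return 1; }
      sleep 10
    done
  fi
}

# Entry point when Certbot calls the script; one file serves both hooks:
#   --manual-auth-hook    "/path/hook.sh add"
#   --manual-cleanup-hook "/path/hook.sh delete"
case "${1:-}" in
  add|delete) run_hook "$1" ;;
esac
```

Used as `certbot certonly --manual --preferred-challenges dns --manual-auth-hook '/path/hook.sh add' --manual-cleanup-hook '/path/hook.sh delete' -d yyy.xxx.com`; on the internal Apache host, `--deploy-hook 'systemctl reload httpd'` makes the server pick up the renewed certificate. The key used by nsupdate must be one the public nameserver is configured to accept for exactly these names, which is the part the hosting side has to provide.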

Dear Sir/Madam,

Thanks for your response. Our internal website is hosted on Apache HTTP Server. Our internal DNS server and web server are running on separate machines (instances). Here we would like to automate SSL certificates on the internal web server using Certbot.

Please advise on below questions.

  1. Is it possible to automate this on the internal web server?
  2. Do we need to install Certbot on the DNS server to make it work?
  3. I am not familiar with the DNS challenge. Could you please provide the steps to do renewal using the DNS challenge?

Thanks
Kumar

Does your domain have an external DNS server?

You need to be able to apply a change to the DNS zone which is publicly visible.

Public web server set to stateless mode, and Certbot with that ACME account?
See here what stateless mode is:


In short, an external nginx web server that will reply with a fixed ACME account, and the internal server asks for that domain, so those two servers don't have to talk to each other.

Dear _az,

We have two DNS servers here. One DNS server is publicly visible and one is a private DNS server.
Could you please provide the steps and details.

Thanks

If the internal web server could perform dynamic DNS updates against the external DNS server, then you could try using https://certbot-dns-rfc2136.readthedocs.io/en/latest/ to issue certificates.

Dear _az,

Thanks for your response. We followed the instructions in the documentation (https://certbot-dns-rfc2136.readthedocs.io/en/latest) and encountered the error below.

Please advise us how to solve this issue.

2020-08-04 10:06:51,836:DEBUG:certbot._internal.error_handler:Encountered exception:
PluginError: Encountered error adding TXT record: The peer didn't know the key we used
2020-08-04 10:06:51,837:DEBUG:certbot._internal.error_handler:Calling registered functions
2020-08-04 10:06:53,611:ERROR:certbot._internal.error_handler:Encountered exception during recovery:
File "/usr/lib/python2.7/site-packages/certbot/_internal/error_handler.py", line 125, in _call_registered
PluginError: Encountered error deleting TXT record: The peer didn't know the key we used
PluginError: Encountered error adding TXT record: The peer didn't know the key we used
2020-08-04 10:06:53,613:ERROR:certbot._internal.log:Encountered error adding TXT record: The peer didn't know the key we used

The DNS server rejected the DNS update with a BADKEY error code. Basically, the nameserver is not configured to accept updates from that key.

It could help to first confirm that you can use the key to perform a DNS update using the nsupdate command.

Once that works, you can try using the same key in the RFC2136 plugin.

Dear _az,

I do not have experience with nsupdate. Could you please provide any guidance on testing with nsupdate?

Thanks

Assuming your TSIG key is saved in my.key, replacing 198.51.100.1 with the IP address of your external DNS server which is configured to receive DNS updates, and changing example.com to your domain, you could try something like:

nsupdate -k my.key <<EOF
server 198.51.100.1 53
update add _acme-challenge.example.com. 1 in txt "test value"
send
EOF

Dear _az,

Thanks for your advice on nsupdate. I am getting the error below when I run the nsupdate command.

NSupdate Command:
nsupdate -k Kkeyname.+165+42652.key testingnsupdate2.txt

Error:
TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)

Could you please advise on the above error? Thank you so much for your help.
Thanks
Kumar

This all comes down to how you configured your nameserver. You have not shared those details so I don't really have any advice.
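The BADKEY answer means the client and the nameserver disagree on the TSIG key name, algorithm or secret. As an added example (not from the thread, and not BIND's or Certbot's own code), the script below derives both sides from one BIND key file so they cannot drift: the named.conf key and update-policy stanza the public nameserver needs, and the credentials file the Certbot dns-rfc2136 plugin reads. It assumes BIND 9 on the public nameserver at 198.51.100.1 (hypothetical address) serving zone xxx.com; the KEY record embedded as sample input is constructed for the example and is not a real secret.

```shell
#!/bin/sh
# Added example, not from the thread: generate the server-side (BIND named.conf)
# and client-side (Certbot dns-rfc2136) configuration for one TSIG key from a
# single source, so the key name, algorithm and secret match on both ends.
# Assumptions (hypothetical): BIND 9 on the public nameserver, zone xxx.com,
# nameserver address 198.51.100.1. The sample key below is constructed.
set -eu

# dnssec-keygen writes HMAC keys as "Kname.+alg+id.key" holding one KEY RR:
#   name. IN KEY 512 3 <algorithm-number> <base64 secret>
# The number in the file name (165 in the thread) identifies the HMAC type.
SAMPLE_KEY_RR='acme-update. IN KEY 512 3 165 c29tZS1jb25zdHJ1Y3RlZC1zZWNyZXQtbm90LXJlYWw='

# Map the KEY RR algorithm number to the name BIND and Certbot expect.
tsig_alg_name() {
  case "$1" in
    157) echo hmac-md5 ;;      # legacy, avoid for new keys
    161) echo hmac-sha1 ;;
    162) echo hmac-sha224 ;;
    163) echo hmac-sha256 ;;
    164) echo hmac-sha384 ;;
    165) echo hmac-sha512 ;;
    *) echo "unknown TSIG algorithm number: $1" >&2; return 1 ;;
  esac
}

# Print "name algorithm secret" from one KEY RR line ($1).
parse_key_rr() {
  set -- $1
  [ "$#" -eq 7 ] && [ "$3" = KEY ] || { echo "not a KEY record" >&2; return 1; }
  alg=$(tsig_alg_name "$6") || return 1
  echo "$1 $alg $7"
}

# Server side (named.conf): declare the key and let it change only the
# _acme-challenge TXT names, nothing else in the zone.
# $1 = key name, $2 = algorithm, $3 = secret, $4 = zone
named_conf_stanza() {
  cat <<EOF
key "$1" {
    algorithm $2;
    secret "$3";
};

zone "$4" {
    type primary;
    file "$4.zone";
    update-policy {
        grant $1 name _acme-challenge.$4 TXT;
        grant $1 name _acme-challenge.www.$4 TXT;
    };
};
EOF
}

# Client side: credentials file for certbot --dns-rfc2136 (keep it mode 600).
# $1 = key name, $2 = algorithm, $3 = secret, $4 = nameserver address
certbot_rfc2136_ini() {
  # Certbot spells the algorithm in upper case, e.g. HMAC-SHA512.
  upper=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
  cat <<EOF
dns_rfc2136_server = $4
dns_rfc2136_port = 53
dns_rfc2136_name = $1
dns_rfc2136_secret = $3
dns_rfc2136_algorithm = $upper
EOF
}

main() {
  set -- $(parse_key_rr "$SAMPLE_KEY_RR")
  named_conf_stanza "$1" "$2" "$3" xxx.com
  echo
  certbot_rfc2136_ini "$1" "$2" "$3" 198.51.100.1
}
main
```

The named.conf part goes to whoever runs the public nameserver; the INI goes to the internal web server, which then runs `certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/letsencrypt/rfc2136.ini -d yyy.xxx.com --deploy-hook 'systemctl reload httpd'`. Because the grant lines name only the two _acme-challenge records and the TXT type, a leaked key cannot be used to rewrite the rest of the zone.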

You can probably just use the http-01 challenge. Have you tried? (I assume there is only one web server, which has an internal and an external IP.)

How did you create the certificate for the other domain? (www.yyy.xxx.com and yyy.xxx.com are two different domains, as far as SSL is concerned).

Once you have a certificate for the domains you need, the IP (internal or external) is irrelevant; only the domain name needs to be correct.

Dear 9peppe,

Thanks for your response. Our hosting company is already using the http-01 challenge to automate SSL on the public website, and we are not allowed to use that folder to do the http-01 challenge ourselves.

Thanks

So you have two separate webservers.

You have another option: use a Let’s Encrypt certificate on the public website, but use your own CA on the internal server (is it a development server?) – you’d have to add its root certificate to the internal clients.

Dear _az,

Hosting team confirmed that they already added DNS records as below.

_acme-challenge.www.xxx.com. 300 IN TXT "kauezwhcn745njsf…adowerß22"
_acme-challenge.xxx.com. 300 IN TXT "uqiwo97634bsncös…90237j2k812"

But we still get an error when we run nsupdate after adding the DNS records.

nsupdate command:
nsupdate -k Kkeyname.+165+42652.key testingnsupdate2.txt

Error:
TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADKEY)

testingnsupdate2.txt details:
server xx.xx.xx.xx 53
update add _acme-challenge.xxxx.com. 1 in txt "test value"
send

Could you please advise us how to solve this issue.

Thanks
