We have a website (www.yyy.xxx.com) which is available online on the internet. We have created an SSL certificate for the website (yyy.xxx.com) and used it in the private network with the internal DNS (mapped to an internal IP address).
Is it possible to automate SSL using Certbot? Please advise.
One way or another, yyy.xxx.com needs to be in public DNS.
Either as a routable IP address for HTTP authentication (not suitable for you), or as a TXT record (_acme-challenge.yyy.xxx.com).
If you use a DNS host supported by a Certbot DNS plugin, or if you can write an authentication hook script that creates/updates that TXT record, you can automate renewal using the DNS challenge.
Thanks for your response. Our internal website is hosted on Apache HTTP Server. Our internal DNS server and web server are running on separate machines (instances). Here we would like to automate SSL certificates on the internal web server using Certbot.
Please advise on the questions below.
Is it possible to automate this on the internal web server?
Do we need to install Certbot on the DNS server to make it work?
I am not familiar with the DNS challenge. Could you please provide the steps to do renewal using the DNS challenge?
Public web server set to stateless mode, and Certbot with that ACME account?
See this for what stateless mode is:
In short, an external nginx web server that will reply with a fixed ACME account, and the internal server asks for that domain, so those two servers don't have to talk to each other.
2020-08-04 10:06:51,836:DEBUG:certbot._internal.error_handler:Encountered exception:
PluginError: Encountered error adding TXT record: The peer didn’t know the key we used
2020-08-04 10:06:51,837:DEBUG:certbot._internal.error_handler:Calling registered functions
2020-08-04 10:06:53,611:ERROR:certbot._internal.error_handler:Encountered exception during recovery:
File "/usr/lib/python2.7/site-packages/certbot/_internal/error_handler.py", line 125, in _call_registered
PluginError: Encountered error deleting TXT record: The peer didn’t know the key we used
PluginError: Encountered error adding TXT record: The peer didn’t know the key we used
2020-08-04 10:06:53,613:ERROR:certbot._internal.log:Encountered error adding TXT record: The peer didn’t know the key we used
Assuming your TSIG key is saved in my.key, replacing 198.51.100.1 with the IP address of your external DNS server that is configured to receive DNS updates, and changing example.com to your domain, you could try something like:
nsupdate -k my.key <<EOF
server 198.51.100.1 53
update add _acme-challenge.example.com. 1 in txt "test value"
send
EOF
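The nsupdate command above, wrapped into the kind of authentication hook script mentioned earlier in the thread, as an added example that is not code from any poster: certbot runs the script as --manual-auth-hook (to add the _acme-challenge TXT record) and --manual-cleanup-hook (to delete it), exporting CERTBOT_DOMAIN and CERTBOT_VALIDATION to it. The DNS server address, the key file path, the script path, the TTL and the propagation delay are assumptions; the validation data is checked before it is embedded in the nsupdate command stream so a malformed value cannot inject extra update commands.

```shell
#!/bin/sh
# Added example, not code from the thread: a certbot manual hook that publishes
# and removes the _acme-challenge TXT record through nsupdate with a TSIG key.
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to its hooks; the DNS
# server address, key path, TTL and propagation delay below are assumptions.
DNS_SERVER="${DNS_SERVER:-198.51.100.1}"                     # placeholder: the server that accepts signed updates
TSIG_KEY_FILE="${TSIG_KEY_FILE:-/etc/letsencrypt/my.key}"   # assumed path to the TSIG key file
RECORD_TTL="${RECORD_TTL:-60}"
PROPAGATION_DELAY="${PROPAGATION_DELAY:-30}"                # seconds to wait before the CA looks the record up

# A host name may contain only letters, digits, dots and hyphens; anything else
# (spaces, quotes, newlines) must never reach the nsupdate command stream.
valid_name() {
    case "$1" in
        '' | *[!A-Za-z0-9.-]* | .* | *..*) return 1 ;;
    esac
    return 0
}

# ACME validation tokens are base64url strings: letters, digits, '_' and '-'.
valid_token() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print the nsupdate command script for one domain, token and action (add|delete).
# Kept separate from the nsupdate call so it can be inspected and tested offline.
build_nsupdate_script() {
    domain="$1"; token="$2"; action="$3"
    valid_name "$domain" || { echo "refusing unsafe domain name: $domain" >&2; return 1; }
    valid_token "$token" || { echo "refusing unsafe validation token" >&2; return 1; }
    case "$action" in
        add)
            printf 'server %s 53\nupdate add _acme-challenge.%s. %s IN TXT "%s"\nsend\n' \
                "$DNS_SERVER" "$domain" "$RECORD_TTL" "$token" ;;
        delete)
            printf 'server %s 53\nupdate delete _acme-challenge.%s. IN TXT "%s"\nsend\n' \
                "$DNS_SERVER" "$domain" "$token" ;;
        *)
            echo "unknown action: $action (expected add or delete)" >&2; return 1 ;;
    esac
}

# Entry point used by certbot. Returns non-zero (so certbot aborts the
# challenge) if the environment is missing or the server rejects the update.
run_hook() {
    action="$1"
    if [ -z "$CERTBOT_DOMAIN" ] || [ -z "$CERTBOT_VALIDATION" ]; then
        echo "CERTBOT_DOMAIN / CERTBOT_VALIDATION not set; run this script through certbot" >&2
        return 1
    fi
    script=$(build_nsupdate_script "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "$action") || return 1
    if ! printf '%s\n' "$script" | nsupdate -k "$TSIG_KEY_FILE"; then
        # "the peer didn't know the key we used" here is a BADKEY answer from the
        # server: the key name inside $TSIG_KEY_FILE does not match a key the
        # server has configured (a wrong secret is normally reported as a bad signature).
        echo "nsupdate rejected the $action for _acme-challenge.$CERTBOT_DOMAIN" >&2
        return 1
    fi
    # Give the record time to be served before the CA queries it.
    if [ "$action" = add ]; then
        sleep "$PROPAGATION_DELAY"
    fi
    return 0
}

# Install as both hooks, e.g. (assumed script path):
#   certbot certonly --manual --preferred-challenges dns \
#       --manual-auth-hook "/etc/letsencrypt/acme-nsupdate.sh add" \
#       --manual-cleanup-hook "/etc/letsencrypt/acme-nsupdate.sh delete" \
#       -d yyy.xxx.com
# Only act when called with an action argument; sourcing the file does nothing.
if [ "$#" -gt 0 ]; then
    run_hook "$1"
fi
```

The external DNS server must allow dynamic updates for the _acme-challenge name signed with that key (in BIND, an update-policy or allow-update entry naming the key), and the key name in the key file must be exactly the name the server knows; that mismatch is the usual cause of the "peer didn't know the key" error shown in the log above. Because only the TXT record is ever published, the internal server's private IP address never appears in public DNS.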
Thanks for your response. Our hosting company is already using the http-01 challenge to automate SSL on the public website, and we are not allowed to use that folder to do the http-01 challenge.
You have another option: use a Let’s Encrypt certificate on the public website, but use your own CA on the internal server (is it a development server?) – you’d have to add its root certificate to the internal clients.