Dear Team,
I am very new to Let's Encrypt and its functionalities. Kindly forgive me if some of my points are not making sense. We have an automation requirement as below. I am not sure how it is possible, but this is what I think. Kindly guide me.
We have an internal website rmz.config.net (accessible only from the office network); different requirements land there to configure certificates for different individual domains.
Let's say
test.example1.com
test.xyz.com
test.abc.com
test.foo.com, etc.
The user logs in to the portal and configures a domain name, let's say "cmp.mdoamin.com".
The website sends the details to an API server which handles the ACME client using the Lego libraries.
The API server receives the user configs and, using the Lego libs, sets up the challenge, retrieves the challenge token/DNS record, presents it in the rmz.config.net web UI and pauses Lego.
The user uses the token to configure the challenge and acknowledges it in the rmz.config.net portal.
Then the API server resumes the challenge using the Lego libs and requests Let's Encrypt to issue the certificate.
The API server receives it and stores it in a vault.
This doesn't sound like a use case for a public certificate; and which domains do you want the certificate to cover?
1 Like
Please note that the token is one-time use only. Manually adding/removing challenge tokens is not recommended, especially as the certificates have a limited lifetime and renewing would require a new token to be added.
3 Likes
For internal sites/domains it's quite tricky to use HTTP domain validation with a public CA like Let's Encrypt, because they can't see into your network.
DNS domain validation is easier because they can see your public DNS (so you just have to create/update a TXT record for each domain, even if the actual hosts are all internal).
So correct me if I'm wrong, but you want:
- the user to sign in and request a cert for a specific domain/subdomain (one of several your organization controls)
- cert to be acquired on their behalf and stored in a secrets vault
- presumably then the user gets access to that specific secret and pulls the cert for use in their own system, and presumably they then pull the latest cert (latest version of the secret) on a regular basis.
You may be able to achieve much of that with Certify Management Hub (which I work on, and which is currently in alpha testing): https://docs.certifytheweb.com/docs/hub/ but you might need some custom UI for the user to initially request the cert, and I imagine there is an approvals process required there so people only request what they are entitled to. [and there may be other things out there that could also work]
You can definitely build this type of thing fully custom; where it would get complex is if you don't control these domains (they are customers' domains, etc.).
4 Likes
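As an added illustration (not code from the thread or from Lego) of the pause/resume flow the original post describes, combined with the DNS validation suggested in the last reply: this Go snippet derives the `_acme-challenge` TXT record the portal would show the user (RFC 8555 section 8.4) and checks, against TXT values the API server has looked up, that the current record is actually in place before the client resumes. The key authorization string and domain are constructed placeholders; wiring to Lego's `Present`/`CleanUp` provider interface and the real DNS lookup are assumed to sit around this.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// DNS01Record is what the portal shows the user: the TXT record name and
// value that must exist before the ACME client resumes the challenge.
type DNS01Record struct {
	FQDN  string
	Value string
}

// dns01Record derives the DNS-01 record for a domain from the ACME key
// authorization (token "." JWK thumbprint): the TXT value is the unpadded
// base64url encoding of the SHA-256 digest of the key authorization.
func dns01Record(domain, keyAuth string) DNS01Record {
	sum := sha256.Sum256([]byte(keyAuth))
	return DNS01Record{
		FQDN:  "_acme-challenge." + strings.TrimSuffix(domain, ".") + ".",
		Value: base64.RawURLEncoding.EncodeToString(sum[:]),
	}
}

// recordPresent reports whether the expected value is among the TXT values
// observed at the record name (e.g. from net.LookupTXT). Stale values left
// over from an earlier issuance do not count; only the current value does,
// so a user acknowledging too early does not let the challenge resume.
func recordPresent(want DNS01Record, observed []string) bool {
	for _, v := range observed {
		if strings.TrimSpace(v) == want.Value {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values; a real key authorization comes from the
	// ACME server's challenge token and the account key thumbprint.
	keyAuth := "constructed-token.constructed-thumbprint"
	rec := dns01Record("cmp.mdoamin.com", keyAuth)
	fmt.Printf("%s TXT %q\n", rec.FQDN, rec.Value)
	fmt.Println("safe to resume:", recordPresent(rec, []string{rec.Value}))
}
```

Because the token is one-time use, a renewal produces a new key authorization and therefore a new TXT value, so the presence check has to run again on every issuance.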