Hi,
I hope it is OK to put my questions here. I will try to explain my intended scenario and am pretty excited about your responses.
We sell a security product with an HTTPS-based guest portal solution. I have learned that many customers have problems getting a certificate into the portal that is trusted by their guests.
I thought maybe we could implement the API for “Let’s Encrypt” on our appliance and build a GUI part where they fill in the domain and click a button. The appliance itself should then register a certificate from Let’s Encrypt only for the guest portal.
Do you think that is possible? Is it allowed to integrate the API into our product, or are there licensing fees (in the end it is optional for the customer)?
Maybe someone could explain to me how the process of registration would take place, as I haven’t understood all the steps yet. I appreciate it.
My understanding right now is the following:
- The API is started via the GUI, which runs the script in the backend and provides a cron job that updates the certificate e.g. every 2 months. The external domain might be test.com, so we would provide something like guest.test.com.
- “Let’s Encrypt” checks the ownership of test.com against the external public IP used. A little addition: normally our server communication and all guests as well use NAT at the next firewall, so the IP Let’s Encrypt would see is the external public address of the customer. Still, the IP, domain and host entry for our portal appliance need to be the portal IP of the appliance.
- The certificate is provided to our appliance via API.
Is it correct that no firewall rules are needed, or is it necessary that Let’s Encrypt has access (can build up sessions) to the appliance? If so, I would like to raise a feature request saying that the API provides the possible Let’s Encrypt IPs and ports that need to have access, and on which port. It would then be possible to display a message for that.
I hope that I have explained everything and hope to have found a good solution for our customers, so that the configuration and a safe portal are child’s play in the future.
Additional Information:
My domain is: depends on customer
My operating system is (include version): Debian 8
My web server is (include version): Apache 2.2.22
My hosting provider, if applicable, is: depends on customer
I can login to a root shell on my machine (yes or no, or I don’t know): Yes - but for the future I want to have a GUI component. So the rest is done by the system.
Thanks a lot to all
Jochen
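The question about firewall rules comes down to how ACME (RFC 8555) validates control of the domain. What follows is an added example, not code from the original post and not Let's Encrypt's own client: it simulates, offline, what the CA actually checks in the two common challenge types. For HTTP-01 the CA fetches http://guest.test.com/.well-known/acme-challenge/<token> over TCP/80, so the appliance (or something forwarding to it) must be reachable inbound; for DNS-01 the CA only looks up a TXT record, so no inbound access to the appliance is needed at all. The account key, token and domain below are constructed placeholders; a real ACME client generates the account key and receives the token from the CA.

```python
"""ACME (RFC 8555) challenge validation, simulated offline.

Added example for the forum thread above; not code from the poster or from
Let's Encrypt. Shows the values the client must publish and what the CA
recomputes to verify them, for HTTP-01 (inbound TCP/80 required) and DNS-01
(no inbound connection to the appliance at all).
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample account key (public JWK only). The modulus is a placeholder
# byte pattern, not a real RSA key; the thumbprint algorithm does not care.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(1, 65)) * 4),  # 256 placeholder bytes
    "alg": "RS256",  # optional member: must NOT influence the thumbprint
}

# Constructed challenge token; in reality the CA issues this per challenge.
SAMPLE_TOKEN = "9zD3Q9Y1QoP3Qb_CONSTRUCTED_TOKEN_Xn3pQZ7kA"
SAMPLE_DOMAIN = "guest.test.com"  # hypothetical host from the post


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members,
    lexicographically sorted, serialized with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_path(token: str) -> str:
    return f"/.well-known/acme-challenge/{token}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 s8.4: TXT record at _acme-challenge.<domain> holds
    base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


# --- client side (what the appliance would publish) ---
def provision_http01(webroot: dict, token: str, jwk: dict) -> None:
    """Place the key authorization where the CA will fetch it over HTTP."""
    webroot[http01_path(token)] = key_authorization(token, jwk)


def provision_dns01(dns_zone: dict, domain: str, token: str, jwk: dict) -> None:
    dns_zone[f"_acme-challenge.{domain}"] = dns01_txt_value(token, jwk)


# --- CA side (simulated validator; real CA does a GET on port 80 / a DNS query) ---
def ca_validates_http01(webroot: dict, token: str, jwk: dict) -> bool:
    body = webroot.get(http01_path(token))
    if body is None:          # host unreachable or file missing -> challenge fails
        return False
    # The CA recomputes the expected value from the token it issued and the
    # account key it has on file; a response bound to another key is rejected.
    return body == key_authorization(token, jwk)


def ca_validates_dns01(dns_zone: dict, domain: str, token: str, jwk: dict) -> bool:
    return dns_zone.get(f"_acme-challenge.{domain}") == dns01_txt_value(token, jwk)


if __name__ == "__main__":
    webroot, zone = {}, {}
    provision_http01(webroot, SAMPLE_TOKEN, ACCOUNT_JWK)
    provision_dns01(zone, SAMPLE_DOMAIN, SAMPLE_TOKEN, ACCOUNT_JWK)
    print("HTTP-01 serves:", http01_path(SAMPLE_TOKEN), "->", webroot[http01_path(SAMPLE_TOKEN)])
    print("DNS-01 TXT   :", zone)
    print("HTTP-01 valid:", ca_validates_http01(webroot, SAMPLE_TOKEN, ACCOUNT_JWK))
    print("DNS-01 valid :", ca_validates_dns01(zone, SAMPLE_DOMAIN, SAMPLE_TOKEN, ACCOUNT_JWK))
```

The `webroot` and `dns_zone` dictionaries stand in for the appliance's web server and the customer's DNS; with a real ACME client the HTTP-01 file is served by Apache on port 80 and the CA's validators connect to it from the public internet, while DNS-01 needs only an API or manual step at the customer's DNS provider. Let's Encrypt validates from several vantage points and does not publish a fixed list of validation source IPs, so an HTTP-01 design cannot rely on a source-IP allowlist; DNS-01 sidesteps the question entirely.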