Best Practice for issuance with Amazon EC2 and VPN?

Hi, I have a phone server (PBX) hosted on Amazon EC2, and we have a VPN to access it on its private IP (172.x.x.x). Normally our public DNS (phones.ourdomain.com) points to the private IP, so that people in the company on the LAN can type the domain instead of the IP, and people outside the LAN/VPN won’t be able to contact it in any way.

Since I have to allow letsencrypt to verify my domain, do I need to:

  1. whitelist the public Amazon IP to allow letsencrypt’s IP as inbound
  2. then change the public DNS to point to the public Amazon IP
  3. initiate letsencrypt verification
  4. once I have the certificate, set the public DNS back to the private Amazon IP?

Or, is there any way that I can give letsencrypt my VPN credentials so that it can verify my public DNS while it’s pointing towards my private IP? That could save some hassle.

You can use DNS-based validation for your domain. All you have to do is create a TXT record - no need to change the A record at all.

The reference client currently doesn’t support DNS-based challenges, but many of the alternative clients do. Lego, for example, has a plugin for Route 53. The bash clients also support DNS-based challenges.

Thank you, I’ll check into that. Would I have to create a TXT record in every subdomain I want a cert for, or just the main one?

It’s one TXT record for every FQDN/subdomain.

Cool, last question I think: will I still be able to automate renewals if I don’t have permanent access to edit the subdomain’s DNS records? Those are set on GoDaddy, and they don’t want me to have admin access to that because there’s no way to allow me access to only my subdomain, I’d have to have access to everything. Our webmaster would be fine to add the TXT record I need to validate once, but I don’t think they’d be willing to mess with it every 90 days.

I guess I’m asking if letsencrypt can “remember” that I proved I controlled the domain, as opposed to having to keep showing it with new DNS TXT records.

In theory, domain authorizations are valid for something like 9 months (meaning you could get ~1 year worth of certificates out of one successful validation).

Here’s the problem: I’m not aware of any clients making use of that - the ones I know all just go ahead and create a new challenge for every certificate, and that’ll result in a new token for your TXT record. So this might not really help you all that much, unless you want to roll your own client (though I could’ve missed one who already supports that, of course).

Another idea: Does GoDaddy support delegating a subdomain (i.e. setting separate NS records for phones.example.com; this is sometimes called a sub-zone)? That might allow you to move that subdomain to something like Route 53, where you could easily automate the challenge.
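As an added example (not code from this thread, nor from Lego or any other client mentioned in it), the following Python shows what the DNS-based challenge discussed above actually asks for, and, for the sub-zone idea, which DNS zone ends up having to host it. The record name is `_acme-challenge.` prefixed to each FQDN (one record per name, as the reply above says), and the value is the base64url-encoded SHA-256 of the key authorization, i.e. the challenge token joined with a `.` to the account key's JWK thumbprint (RFC 8555 section 8.4, thumbprint per RFC 7638). The token, the JWK and the zone table are constructed sample values, and `hosting_zone` is a hypothetical helper illustrating the delegation point: once `phones.example.com` has its own NS records, its `_acme-challenge` record lives in the delegated zone, while sibling names stay with the parent zone's provider.

```python
import base64
import hashlib
import json

# Constructed sample inputs (not from the thread): a challenge token in the
# shape an ACME server hands out, and a toy RSA JWK with made-up parameters.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {"kty": "RSA", "n": "constructed-modulus-not-a-real-key", "e": "AQAB"}

# Constructed zone table: which provider serves which zone. The parent zone
# stays at GoDaddy; the PBX name is delegated (own NS records) to Route 53.
SAMPLE_ZONES = {"example.com": "GoDaddy", "phones.example.com": "Route 53"}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the key's required members only,
    serialised with lexicographically sorted keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record_name(fqdn: str) -> str:
    """Each FQDN gets its own TXT record under the _acme-challenge label."""
    return "_acme-challenge." + fqdn.rstrip(".")


def dns01_record_value(token: str, jwk: dict) -> str:
    """TXT record content: base64url(SHA-256(token || '.' || thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def hosting_zone(record_name: str, zones: dict) -> tuple:
    """Longest-suffix match of the record name against the known zones.
    Returns (zone, provider) for the zone that must carry the record."""
    labels = record_name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate, zones[candidate]
    raise ValueError(f"no known zone is authoritative for {record_name}")


def plan_txt_records(tokens_by_fqdn: dict, jwk: dict, zones: dict) -> dict:
    """For every FQDN in an order, work out the TXT record to publish and
    where it has to be published. Tokens differ per challenge, so each
    renewal produces a new value even though the record name is stable."""
    plan = {}
    for fqdn, token in tokens_by_fqdn.items():
        name = dns01_record_name(fqdn)
        zone, provider = hosting_zone(name, zones)
        plan[name] = {"value": dns01_record_value(token, jwk),
                      "zone": zone, "provider": provider}
    return plan


if __name__ == "__main__":
    # Constructed: two names in one order, one delegated and one not.
    tokens = {"phones.example.com": SAMPLE_TOKEN,
              "mail.example.com": "constructed-second-token"}
    for name, info in plan_txt_records(tokens, SAMPLE_JWK, SAMPLE_ZONES).items():
        print(f'{name} IN TXT "{info["value"]}"  ; publish at {info["provider"]} ({info["zone"]})')
```

Run stand-alone it prints one TXT line per FQDN and the provider that has to carry it; the `phones.example.com` record lands in the delegated zone, so only that provider's API needs to be scripted for renewals, which is the practical payoff of the sub-zone suggestion.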
