Bypass http or dns challenge while using certbot

Hi, I would like to implement certificate renewal automation through Let's Encrypt and certbot. However, due to some constraints on my proprietary application's side, the HTTP challenge or DNS challenge can't be implemented.
Can you please suggest how I can get this done. My architecture is such that a centralized server will have certbot installed to generate certificates and push the certificates to the proprietary application servers (40 nodes).
Looking forward to hearing from you

If you can't complete either the DNS or the HTTP challenge, you'll need to use a different CA.

6 Likes

It's not clear to me what you're really looking for. Are you looking for a globally-valid certificate using public DNS names? If so, you need to prove control globally, and if it's from a central place you'd probably want to use the DNS challenge. If your current DNS server is hard to automate, you may be able to delegate the challenge record to a special-purpose DNS server like acme-dns.

On the other hand, if you're just looking to secure some internal-only communication between proprietary systems, you'll probably find it much easier to make your own private CA (loading your private CA public key into your systems' trust stores), rather than using a public CA like Let's Encrypt.

7 Likes

Dear Peter, Thanks for your response. I want to stick to Let's Encrypt and Certbot but would like to bypass any challenges such as HTTP or DNS while automating certificate renewal. The architecture is as follows:
Virtual Machine (Certbot) -- Ansible -- Proprietary Application, where the virtual machine has certbot installed and talks to Let's Encrypt, and Ansible helps push the certificates to the 40 proprietary application nodes.
Hope this is clear now. Can you suggest how I can generate certificates without any challenges such as HTTP or DNS?

Regards,
Harshit

1 Like

No, it's not really clear what you're trying to do, if you want to get a public certificate without proving that you control the name. That's what a public certificate is, a certification that the holder of the private key could prove that they controlled a domain name. You either don't need public certificates, or you do need to prove that you control the name.

6 Likes

Again, the answer to this is to use a different CA. Let's Encrypt will only issue certificates following completion of one of the available challenges.

Now, once you've obtained that cert--quite possibly on a different system than the one on which you'll be using it--you can copy it wherever else you like. But you must successfully complete a challenge to receive a cert.

7 Likes

okay, thanks.

2 Likes

Even with other CAs, one would need to prove control over the domain using one of the CA/B-approved methods. And methods other than the HTTP or DNS challenge are probably even harder to automate.

6 Likes

If your environment doesn’t support HTTP or DNS challenges, you still have options for automating Let's Encrypt certificate renewal. You can use ACME challenges that do not require HTTP or DNS, such as:

1. TLS-ALPN-01 Challenge:

The TLS-ALPN-01 challenge allows you to prove domain control over port 443 (HTTPS), without requiring access to HTTP (port 80) or DNS updates.

Here’s how the TLS-ALPN-01 challenge works:

  • The Let's Encrypt CA connects to your server on port 443 (HTTPS).
  • You present a self-signed certificate with a specific ALPN (Application-Layer Protocol Negotiation) extension, which proves control of the domain.

This method works well in environments where HTTP is blocked or DNS management is not available.

Steps to Automate Renewal with TLS-ALPN-01:

  1. Ensure port 443 (HTTPS) is open: Since the TLS-ALPN-01 challenge uses HTTPS, make sure that this port is accessible and not blocked by firewalls.

  2. Use Certbot’s TLS-ALPN Plugin: Certbot supports the TLS-ALPN-01 challenge with the certbot command-line tool.

    • Install the TLS-ALPN plugin (if it’s not already installed):

      sudo apt install python3-certbot-apache  # For Apache
      sudo apt install python3-certbot-nginx   # For Nginx
      
    • Use the following command to request a certificate using the TLS-ALPN-01 challenge:

      certbot certonly --preferred-challenges tls-alpn-01 -d yourdomain.com
      
  3. Automate the Renewal:
    You can set up a cron job to renew certificates automatically using the --preferred-challenges tls-alpn-01 option:

    Example cron job for automatic renewal:

    0 0,12 * * * certbot renew --preferred-challenges tls-alpn-01 --quiet
    
  4. Configure Hooks (if needed):
    If your server requires any specific actions after renewal (like restarting services), you can use the --deploy-hook option to run a custom script:

    certbot renew --preferred-challenges tls-alpn-01 --deploy-hook "/path/to/reload-script.sh"
    

2. Use an External ACME Client with EAB (External Account Binding):

If your environment does not support any of the standard challenges (HTTP, DNS, TLS-ALPN), you can also explore the use of External Account Binding (EAB) with other ACME clients. This might be an option if you are using a custom or private CA.

In an EAB environment, you authenticate using credentials provided by the CA, rather than domain validation through HTTP, DNS, or TLS challenges. This method is less common, and you would need to use an ACME client that supports it.


Recap of Options:

  1. TLS-ALPN-01: Uses port 443 (HTTPS), and doesn't require HTTP or DNS. You can automate it via Certbot.
  2. EAB: If your environment supports External Account Binding with a custom ACME server, you can use this option, though it requires additional setup and specific ACME clients.

Are you guys aware of this?

That looks like typical AI-generated garbage.

Yes, TLS-ALPN-01 allows you to validate control using port 443 instead of port 80, and some ACME clients support it, but Certbot doesn't. If you can expose port 443 and not 80 for some reason, then you could use some other ACME client that uses TLS-ALPN-01 in order to get your certificates, sure. The documentation lists the three types of challenges that Let's Encrypt supports and their pros and cons:

And as we were saying, you may be able to use some other CA that supports validating some other way (email to domain contact or whatever), which is harder to automate. But once you've validated, some other CAs do support you getting the certificates themselves through ACME with an account set up, configuring EAB between your ACME client and your CA.

You haven't really stated why validating control over your name in the usual automated ways isn't working for you, which makes it hard to give you much guidance.

7 Likes
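To make concrete what the replies above mean by "validating control using port 443", here is an added example (not code from this thread, from certbot, or from any ACME client) that builds the TLS-ALPN-01 validation certificate an ACME client presents, following RFC 8737, and runs the check the CA applies after connecting. The domain, token and account-key thumbprint are constructed samples; the `cryptography` package is assumed to be installed.

```python
"""TLS-ALPN-01 validation certificate (RFC 8737), built with `cryptography`.

Added example for this thread, not code from certbot or any ACME client.
Domain, token and account thumbprint below are constructed samples.
"""
import base64
import datetime
import hashlib

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ALPN_PROTOCOL = b"acme-tls/1"  # the CA offers only this protocol in its ClientHello
ID_PE_ACME_IDENTIFIER = x509.ObjectIdentifier("1.3.6.1.5.5.7.1.31")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_authorization(token: str, account_thumbprint: bytes) -> str:
    """RFC 8555 section 8.1: token '.' base64url(SHA-256 JWK thumbprint of account key)."""
    return f"{token}.{b64url(account_thumbprint)}"


def acme_identifier_value(key_auth: str) -> bytes:
    """extnValue of id-pe-acmeIdentifier: a DER OCTET STRING of SHA-256(key authorization)."""
    digest = hashlib.sha256(key_auth.encode("ascii")).digest()
    return b"\x04\x20" + digest  # tag 0x04 = OCTET STRING, length 0x20 = 32 bytes


def build_validation_cert(domain: str, key_auth: str):
    """Self-signed cert the client serves on :443 only when SNI == domain and ALPN == acme-tls/1."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, domain)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(hours=1))
        # exactly one dNSName SAN: the identifier being validated
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(domain)]), critical=False)
        # the acmeIdentifier extension MUST be marked critical (RFC 8737 section 3)
        .add_extension(
            x509.UnrecognizedExtension(ID_PE_ACME_IDENTIFIER, acme_identifier_value(key_auth)),
            critical=True,
        )
        .sign(key, hashes.SHA256())
    )
    return key, cert


def ca_accepts(cert: x509.Certificate, domain: str, key_auth: str, negotiated_alpn: bytes) -> bool:
    """The CA-side check after its TLS handshake to port 443 completes."""
    if negotiated_alpn != ALPN_PROTOCOL:
        return False  # a normal HTTPS endpoint (or a proxy in front) negotiates h2/http/1.1, not acme-tls/1
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        ident = cert.extensions.get_extension_for_oid(ID_PE_ACME_IDENTIFIER)
    except x509.ExtensionNotFound:
        return False
    if san.get_values_for_type(x509.DNSName) != [domain]:
        return False
    if not ident.critical:
        return False
    return ident.value.value == acme_identifier_value(key_auth)


if __name__ == "__main__":
    # Constructed sample values; a real token comes from the CA's challenge object.
    sample_key_auth = key_authorization("evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", b"\x01" * 32)
    _, sample_cert = build_validation_cert("example.com", sample_key_auth)
    print("CA accepts:", ca_accepts(sample_cert, "example.com", sample_key_auth, b"acme-tls/1"))
```

The `negotiated_alpn` check is why a reverse proxy or CDN terminating TLS in front of the ACME client breaks this challenge: the edge answers the CA's handshake with its own certificate and its own ALPN selection, so the validation certificate is never seen.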

The TLS-ALPN-01 challenge has network requirements similar to, but even stricter than, those of the HTTP-01 challenge. You need to have port 443 open and it cannot be proxied. The TLS termination must be made directly to the ACME client, and the ACME client must have support for that challenge type (which certbot does not). Any service like Cloudflare that acts as the edge TLS endpoint will cause the TLS-ALPN-01 challenge to fail. This includes your own reverse proxy, if you have one.

6 Likes

Own reverse proxy like NGINX to be used for TLS-ALPN-01?

Challenges can't be used as I am unable to access the proprietary application web server configuration files. Also, the DNS we are using is partner-hosted.

If the reverse proxy is the ACME client, and it supports TLS-ALPN-01, it will be able to handle the challenge. If the reverse proxy is the TLS termination endpoint and the ACME client is behind it, it will never see the challenge.

4 Likes

Which ACME client supports TLS-ALPN-01?

Based on the limitations you describe, the Let's Encrypt certificate authority is not going to be an option for you.

4 Likes

I use TLS-ALPN-01 with Apache mod_md on hosts that are not behind Cloudflare. I don't know what other ACME clients offer that challenge type.

5 Likes

Yes, if your ports are accessible, you can use a reverse proxy that handles getting and using the certificates in front of your tough-to-manage system. I'd recommend Caddy which handles certificates automatically; it may be just what you're looking for.

You still might be able to use something like acme-dns, if you can get the "partner" to delegate the _acme-challenge name to your systems. But if you can put something like Caddy (or nginx) in front of your web server, that's probably the easiest route.

7 Likes

You still might be able to use something like acme-dns, if you can get the "partner" to delegate the _acme-challenge name to your systems.

With certbot?

Yes, you can use a certbot plugin that interfaces with acme-dns. So you're running acme-dns on your system, which is just a special-purpose DNS server for handling the challenges, and certbot sends messages to it to tell it what TXT records to serve.

5 Likes
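The acme-dns route described in the last few replies needs two pieces: a one-time CNAME from the partner's zone, and something on your side that tells acme-dns which TXT value to serve each time certbot validates. The following is an added example of a certbot `--manual-auth-hook` written for this thread (it is not the acme-dns project's own hook script and not a certbot plugin). The acme-dns server name and the registration credentials are constructed samples; a real registration comes from `POST /register` on your acme-dns instance.

```python
#!/usr/bin/env python3
"""certbot --manual-auth-hook that publishes the dns-01 TXT value through acme-dns.

Added example for this thread, not the acme-dns project's hook or a certbot plugin.
Server name and registration values are constructed samples.
"""
import json
import os
import sys
import urllib.request

ACMEDNS_SERVER = "https://auth.acme-dns.example"  # assumed: your own acme-dns instance

# Constructed sample of what acme-dns returns from POST /register, keyed by the
# name certbot is validating.  In practice store this file with mode 0600.
REGISTRATIONS = {
    "example.com": {
        "username": "eabcdb41-d89f-4580-826f-3e62e9755ef2",
        "password": "pbAXVjlIOE01xbut7YnAbkhMQIkcwMHLqZxAVtE5PcP",
        "fulldomain": "d420c923-bbd7-4056-ab64-c3ca54c9b3cf.auth.acme-dns.example",
        "subdomain": "d420c923-bbd7-4056-ab64-c3ca54c9b3cf",
    },
}


def required_cname(domain: str, fulldomain: str) -> str:
    """The single zone-file line the partner adds once; no further partner action is needed."""
    return f"_acme-challenge.{domain}. IN CNAME {fulldomain}."


def delegation_matches(observed_target: str, fulldomain: str) -> bool:
    """Compare a CNAME target as returned by a resolver with the acme-dns fulldomain."""
    def norm(name: str) -> str:
        return name.rstrip(".").lower()
    return norm(observed_target) == norm(fulldomain)


def build_update_request(reg: dict, validation: str):
    """acme-dns API: POST /update, auth in X-Api-User / X-Api-Key, JSON {subdomain, txt}.

    certbot's CERTBOT_VALIDATION for dns-01 is base64url(SHA-256(key authorization)),
    always 43 characters; acme-dns rejects any other length.
    """
    if len(validation) != 43:
        raise ValueError("dns-01 validation value must be exactly 43 base64url characters")
    url = f"{ACMEDNS_SERVER}/update"
    headers = {
        "X-Api-User": reg["username"],
        "X-Api-Key": reg["password"],
        "Content-Type": "application/json",
    }
    body = json.dumps({"subdomain": reg["subdomain"], "txt": validation}).encode("ascii")
    return url, headers, body


def main() -> int:
    # certbot sets these for --manual-auth-hook
    domain = os.environ["CERTBOT_DOMAIN"]
    validation = os.environ["CERTBOT_VALIDATION"]
    reg = REGISTRATIONS.get(domain)
    if reg is None:
        print(f"no acme-dns registration for {domain}; expected zone line:", file=sys.stderr)
        print(required_cname(domain, "<fulldomain from /register>"), file=sys.stderr)
        return 1
    url, headers, body = build_update_request(reg, validation)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        if resp.status != 200:
            print(f"acme-dns update failed: HTTP {resp.status}", file=sys.stderr)
            return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

With the CNAME in place, an invocation like `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/acme_dns_hook.py -d example.com` (path assumed) completes validation against your acme-dns server, and `certbot renew` reuses the hook. Because the `_acme-challenge` name is delegated, the partner's DNS is never touched again, and the only credential the central certbot VM holds is the per-name acme-dns key, which can publish nothing but that one TXT record.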