Central LE location different public servers


#1

Good Day, I was wondering if this is possible.

I have a central LE location for all my primary virtual machines and different public servers hosted with google cloud platform. Is it possible to generate the cert without the public ip and copy it to the google cloud platform?


#2

Yes, if you have DNS API access, you could use Let’s Encrypt’s DNS challenge and get the certificate.

Thank you


#3

Hi Steven, thank you for replying. Can you explain or point me in the right direction for this method?


#4

Hi @RiaanPre

You must use dns-01 validation.

Certbot has an option --preferred-challenges dns.

acme.sh supports more than 50 DNS plugins.


#5

I found this from a quick google:

https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation

Busy implementing.


#6

2 years, 10 months ago

This is too old.

You have to create a dns txt entry _acme-challenge.yourdomain.com with a special value.

If your dns provider supports an API, it’s a simple API call.

Not really terrible.

And you don’t need a webserver, an open port 80 etc.


#7

We can’t give much specific information without knowing more about your setup, such as your domains, DNS service, OS, and if you’ve chosen to use a particular ACME client.

For example, Certbot has a Google Cloud DNS plugin now, but it’s not yet easy to install on all platforms.

https://certbot-dns-google.readthedocs.io/en/stable/


#8

I set up the web server part a few years ago. I just struggled with machines not hosted on the same network, in this case Google Cloud Platform. But it is sorted now. I followed the instructions and created the TXT entry. Working like a charm now!


#9

Just remember that a new one will need to be used for each renewal, which is why we always suggest automating this with an API.


#10

a new text record on the dns server for every renewal?


#11

Yes, exactly. So automation is very important here.


#12

Oh no, that is not good. In that case: I use Certbot on CentOS 7, and the DNS provider is cPanel based. Can you point me in the right direction, documentation-wise, for a permanent automation setup?


#13

I don’t think that the cPanel Let’s Encrypt client supports wildcard certificates, but I think @_az has written one that does.

You can create a CNAME record like _acme-challenge.example.com IN CNAME _acme-challenge.otherdomain.net and then use, for example, the DNS alias mode in acme.sh in order to use the otherdomain.net API instead of the example.com API. The CNAME record itself can be static and doesn’t need to be updated for renewals; only the resource that it points to needs to be updated, and the CA will follow the CNAME for this purpose.
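A small pre-flight check for the dns-01 flow discussed in this thread: it computes the "special value" the CA expects in the `_acme-challenge` TXT record (RFC 8555 section 8.4) and follows a static CNAME delegation the way the CA's resolver does, so you can confirm a renewal's record is in place before Certbot or acme.sh asks for validation. This is an added example, not code from the thread or from any of the clients mentioned; the zone data is constructed, and the in-memory lookup stands in for a real DNS query.

```python
import base64
import hashlib


def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """TXT value the CA looks for: base64url(SHA-256(token "." thumbprint)), unpadded."""
    key_authorization = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authorization).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_name(identifier: str) -> str:
    """Record name the CA queries; for a wildcard the leading '*.' is dropped first."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return "_acme-challenge." + host.rstrip(".")


def lookup_txt(zone: dict, name: str, max_hops: int = 8) -> set:
    """Follow CNAMEs like a resolver, then return the TXT values at the chain's end.

    `zone` maps record names to {"CNAME": target} or {"TXT": [values]} (constructed
    stand-in for DNS); loops and over-long chains are rejected rather than followed.
    """
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rrset = zone.get(name, {})
        if "CNAME" in rrset:
            name = rrset["CNAME"]
            continue
        return set(rrset.get("TXT", []))
    raise ValueError("CNAME chain exceeds max_hops")


def dns01_ready(zone: dict, identifier: str, token: str, thumbprint: str) -> bool:
    """True when the record the CA will query carries the value for this token."""
    return dns01_txt_value(token, thumbprint) in lookup_txt(zone, challenge_name(identifier))


# Constructed sample zone: example.com keeps a static CNAME pointing at otherdomain.net,
# so only the otherdomain.net TXT record changes at each renewal (the alias-mode setup).
SAMPLE_THUMBPRINT = "constructed-account-thumbprint"
SAMPLE_ZONE = {
    "_acme-challenge.example.com": {"CNAME": "_acme-challenge.otherdomain.net"},
    "_acme-challenge.otherdomain.net": {
        "TXT": [dns01_txt_value("token-for-current-renewal", SAMPLE_THUMBPRINT)]
    },
}
```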


#14

Indeed it does, but I get the feeling that @RiaanPre doesn’t actually need a cPanel Let’s Encrypt client, just a way to perform DNS validation against a domain with its DNS hosted on cPanel.

To that end, I’ve created a simple auth hook that can be used with Certbot to achieve this in an automated manner:

Seems like it’s needed often enough that I may as well create it :smile: