Certificate for Network Security Devices/Firewalls

Hello All,

I did search through the entire forum and found one post that was kind of applicable, but not entirely. I’ll give you all the TLDR:

-I own a domain through Google Domains;
-I have an A-Record on the Google Domains dashboard that redirects a subdomain to my firewall’s outside IP address;
-I have servers that live behind the firewall that should be able to run the ACME application (might need assistance with how to do this on either a Windows or Debian Linux box).

Given that my perimeter firewall is not a server that can run the ACME app, is it possible to run it on a server behind it and feed the CSR (certificate signing request) I generate on the firewall using a subdomain of the google domain I own via the server instead of the firewall itself? If not, are there other options available, since the firewall itself cannot upload the CSR to LetsEncrypt?

Question 2: How do I verify I own the domain if it has been purchased with something like Google Domains or GoDaddy?

Thanks for any help in advance!

hi @marugby123

A) Yes, you can use your own CSRs with Certbot (the official client). Other clients support user-created CSRs as well.

You can review the range of clients here: https://letsencrypt.org/docs/client-options/

Most use cases don’t run the app on the firewall for various reasons.

There are 3 ways of verifying a domain

HTTP Challenge - upload a file to the root of your webserver
TLS Challenge - create an SSL binding with a self-signed certificate
DNS Challenge - Create a TXT record in your DNS server

Andrei

Is it some actual appliance? For example, this is how Cisco ASA can be set up with LE cert using ZeroSSL: https://ip-life.net/cisco-asa-install-ssl-cert/

The device this would be installed on is a Fortigate. It does not offer the ability to use ACME (only SCEP). Looking into this further, I do not believe this will be possible with LE without a lot of struggle.

If you can allow a web server behind the firewall to listen on port 80, you can use the HTTP-01 challenge (e.g. --webroot in Certbot). Then you can copy the certificate and private key onto the firewall. It might be annoying to have to repeat this every 90 days, though.
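As an added example that is not code from any poster in this thread: the three verification methods Andrei lists and the `--webroot` approach in the last reply all come down to publishing a value derived from the ACME account key. The script below computes exactly what the CA looks for in the HTTP-01 file and in the DNS-01 TXT record (RFC 8555 §8.1/§8.4, JWK thumbprint per RFC 7638) and stages the HTTP-01 file under a webroot the way `certbot --webroot -w <dir>` does. It uses only the Python standard library. The account JWK (`SAMPLE_JWK`), the token and the domain are constructed placeholders, not a real key or a real challenge.

```python
"""Constructed example: what an ACME client publishes for HTTP-01 and DNS-01.

Assumptions (not from the thread): SAMPLE_JWK is a placeholder account key,
the token and domain below are invented. Standard library only.
"""
import base64
import hashlib
import json
import os
import re

# Placeholder RSA public JWK in the shape an ACME account key would have.
# The modulus is NOT a real key; it only drives the thumbprint arithmetic.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbf"}

# RFC 8555 §8.3: a token is base64url characters only. Enforce it before the
# token is ever used as a file name, so a hostile or buggy server cannot make
# the client write outside the challenge directory (e.g. "../../etc/cron.d/x").
_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, lexically sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)); binds every challenge to this account key."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """HTTP-01 response body: <token>.<thumbprint> (RFC 8555 §8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_url(domain: str, token: str) -> str:
    """Where the CA fetches the key authorization over plain HTTP on port 80."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def dns01_record_name(domain: str) -> str:
    """DNS-01 is validated against _acme-challenge.<domain>."""
    return f"_acme-challenge.{domain}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01 TXT value: base64url(SHA-256(key authorization)) (RFC 8555 §8.4)."""
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def write_webroot_challenge(webroot: str, token: str, jwk: dict) -> str:
    """Stage the HTTP-01 file as a webroot-style client does; returns its path."""
    if not _TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url; refusing to use it as a path")
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, jwk))
    return path


def challenge_file_is_valid(webroot: str, token: str, jwk: dict) -> bool:
    """Pre-check before asking the CA to validate: file present with the exact body."""
    path = os.path.join(webroot, ".well-known", "acme-challenge", token)
    try:
        with open(path, "r", encoding="ascii") as fh:
            return fh.read() == key_authorization(token, jwk)
    except OSError:
        return False


if __name__ == "__main__":
    import tempfile

    domain, token = "vpn.example.com", "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
    with tempfile.TemporaryDirectory() as root:
        path = write_webroot_challenge(root, token, SAMPLE_JWK)
        print("HTTP-01: CA fetches", http01_url(domain, token))
        print("         served from", path, "valid:", challenge_file_is_valid(root, token, SAMPLE_JWK))
    print("DNS-01 : TXT", dns01_record_name(domain), "=", dns01_txt_value(token, SAMPLE_JWK))
```

In practice Certbot does this for you: `certbot certonly --csr firewall.csr --webroot -w /var/www/html -d vpn.example.com` on the server behind the firewall, with port 80 for that name forwarded to it, keeps the private key on the Fortigate (only the CSR leaves the box) and writes the signed cert and chain into the current directory. The caveat worth knowing is that certificates obtained with `--csr` are not placed under /etc/letsencrypt and are not renewed by `certbot renew`, so the rerun-and-upload every 90 days that the last reply mentions has to be scripted (cron plus whatever upload path the firewall offers) rather than left to Certbot's timer.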