Configuring Internal Environment to Suit Externally Validated Domains


#1

Please fill out the fields below so we can help you better.

My domain is: ourcompany.be

I ran this command: none yet

It produced this output: none yet

My operating system is (include version): Windows 2012R2 / Linux Debian Jessie

My web server is (include version): TBD

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi, I’m trying to find out if Let’s Encrypt is suitable for a few different purposes and if so, how I can best set it up.

We have several domain names (ourcompany.be, .nl, .com, .eu, .net, …), most of them are just used to point to our externally-hosted website.
We can add/change DNS records (A, TXT, SRV, CNAME) at the domain provider’s website (only manually, I think)

We have 1 public IP-adres at our main office.
There is a DNS-entry for mail.ourcompany.be that points to our public IP.

I am wondering if I can use Let’s Encrypt certificates for these services:

  1. mailserver (internally, externally)
  2. time registration webservice
  3. field mobility platform services (externally)

In detail:

Our self-hosted mailserver is Kerio and runs on Windows 2012R2. Our employees can use Outlook (MAPI-alike via an Outlook-add-on called Kerio Outlook Connector), webmail or Thunderbird.
The mailserver supports self-signed certificates which we use until now. There are 3 certificates in use: mail.ourcompany.be (public), mailsrv.ourcompany.local and mailsrv (both private)
At the office, Outlook has been configured to connect to mailsrv, except for laptops which use mail.ourcompany.be
When at home, people can connect via their webbrowser to mail.ourcompany.be OR setup a VPN-session first and connect to either of the 3 server names (most use mailsrv as that is the shortest). Either way, in both cases Firefox complains about the certicificate because it is self-signed.

So: can I use LE to get decent certificates for our mailserver - for the public name (probably: yes) and for the private names (most likely: no?). I have read a bit about SAN on the certificates but I assume I cannot combine a public FQDN with a private hostname, or can I?

A possibility could be to use a LE certificate for the public FQDN and stick to self-signed certificates for the 2 internal names. I could teach our users to use the FQDN even when connecting through VPN, but I can’t deny them using the short name. I also need a certificate of some kind for it, otherwise free/busy info in Outlook stops working.

So, I am wondering if a Let’s Encrypt certificate is the way to go.

Additional info:

  • I have no idea which webserver Kerio uses to serve its webmail: as far as I can tell it is not stock Apache or nginx, nor IIS. I doubt I can change the configuration here for verification challenges.

  • both ports 80 and 443 are forwared to the Kerio mailserver (as are the typical mail ports)


We also have a working time registration system which is webbased. That one is a Linux Debian Jessie, running lighttpd.
Employess can use it in 2 different ways.

  • there are a few touchscreens in the office and factory running Firefox. Currently, all info is sent over http. Of course Firefox complains about this for the password fields.
  • while in the office, employees can connect to http://timesrv. Identical to the touchscreens, Firefox complains about the password fields.

As far as I know, this application cannot generate self-signed certificates. That would at least add to the security, but still lead to complains from Firefox.

Management would like the webinterface to be publicly available for our employees. How we will do that is still undecided: https://somename.ourcompany.be:someport (management’s perefered option) or VPN connection and https://timserv.
Port 80 is already in use by the mailserver, so just a public name without a port won’t even work.

Is there anything LE can help me with it this scenario?

  • if we use a public FQDN (probably yes), but even with a different port?
  • if we go for VPN + LAN name (then this scenario is similar to the mailserver scenario above)

For our field engineers, another third party will provide an app (Android / iOS) which will connect to a yet-to-be installed webserver, probably based on Microsoft IIS and Biztalk.
Possible scenario’s are:

  • publicly available webserver, requires certificates. According to their helpdesk the app will not accept self-signed certificates.
  • VPN-connection and http. No certificates needed.

So basically, we have 3 different scenario’s where certificates may or may not be helpful, or even required.
Ideally, for the mailserver this should cover both the public and the private names.
For the other 2 services, since they only need to be available to our own users, I would prefer VPN + a LAN private name if possible; or a VPN + FQDN if necessary.


Thanks for everybody who made it too the end. I apologize for the long text but found it difficult to explain the whole thing, especially because I don’t know much about certificates.

Given these 3 cases, is that something where LE can be useful for us, or am I better off with another solution?

I’ve read a few things about the verification process. I can make changes to the DNS-system at our domain name provider, but only manually.
I can set up a separate server (VM), Linux Debian or Windows 2012R2 and install Apache/nginx if that’s needed or helpful for the registration or renewal process.
Ports 80 and 443 are already taken, though.

Thanks,
Máximo


#2

Hi Maximo

A) Are you running a Domain Controller? If so look at Active Directory services for your internal aliases (mailsrv etc).
B) You should aim to have HTTPs on all your web services and firefox and other browsers will start popping up warning signs for HTTP connections
C) lighttpd can be configured to redirect and use SSL certificates (it is a web server after all) I would suggest that you enable SSL first and when this is working redirect to 443
D) Another option is to use CNAMEs. for example: timesrv has a record of timesrv.yourcompany.be. Internally this resolves to an internal IP while externally this resolves to a public IP
E) There is a range of challenges available. You should look at the DNS challenge in your case

You can tune your infrastructure to allow 3rd party certificates or use internal certificates

Another option which may be a bit more expensive is to use an CA which will let you sign your own certificates and become a certificate authority for your FQDN domains.

https://www.globalsign.com/en/certificate-authority-root-signing/

Andrei


#3

Hi Andrei,

A. Yes we have Domain Controllers and AD. The domain name in use ourcompany.local
Not sure how an alias would help me here, as ‘mailsrv’ would still point to mailsrv.ourcompany.local and not mail.ourcompany.be ?
B. Agreed. Even so, I still prefer https over VPN, rather than opening several ports in the firewall.
C. the server where the time mangement service is hosted (the lighttpd one) is maintained by a third party. While I can probably make changes to its configuration, I’d rather not do that unless absolutely necessary. So: changes after the certificate process is up and running: OK. Use if to get the certificate process up and running: preferably not.
D. Internally, timesrv = 10.20.30.215 = timsrv.ourcompany.local
Externally, it is timesrv.ourcompany.be
Can I get timesrv.ourcompany.be to resolve to an internal IP, without making changes to our internal DNS or AD?

Isn’t the ourcompany.local vs. ourcompany.be the problem in all 3 of my cases ?


#4

@maximo

A. Yes we have Domain Controllers and AD. The domain name in use ourcompany.local
Not sure how an alias would help me here, as ‘mailsrv’ would still point to mailsrv.ourcompany.local and not mail.ourcompany.be ?

My suggestions was: CNAMEs. for example: timesrv has a record of timesrv.yourcompany.be

Can I get timesrv.ourcompany.be to resolve to an internal IP, without making changes to our internal DNS or AD?

NO

Isn’t the ourcompany.local vs. ourcompany.be the problem in all 3 of my cases ?

Public CAs will no longer issue certificates for .local domains. This is why most companies use FQDN for domain names.

While I can probably make changes to its configuration, I’d rather not do that unless absolutely necessary. So: changes after the certificate process is up and running: OK. Use if to get the certificate process up and running: preferably not.

That is what the DNS challenge is for

I am going to jump of here. I have been involved with many of these projects. At this point I am seeing you make more reasons not to do this rather than taking on the challenge.

Andrei


#5

Let’s Encrypt will issue for a publicly-resolvable FQDN even if it has a private IP address, if you use the DNS-01 authentication method (making DNS changes in your DNS zone). In this method Let’s Encrypt does not need to connect directly to your server in order to issue the certificate.

Let’s Encrypt can never issue for a non-public domain, an IP address, or a domain name that can’t be verified in the DNS. In the latter case you might want to create an internal organizational CA that your clients trust.

Using a different port for the deployed application is fine, as long as the protocol is actually HTTPS, because the port number is not encoded, represented, or constrained in the certificate in any way.


#6

Andrei, my apologies if you feel offended. That was obviously not my intention.
It was however probably a bad idea on my part to try and get an answer in before I needed to go to a meeting - without giving enough thought to your answer and my own reply.
I’ll try again tomorrow when I’m back at work

@schoen, I’ll get back to you too.

Just to make sure: I do appreciate all efforts to help me. Even if it turns out not the best or chosen solution (that doesn’t depend on me alone, I have bosses too :wink: ) I am still grateful for any attempt to help or clarify.


#7

Due to unforeseen circumstances I had to let this rest for a while, but I would like to give it a go again.

I have made a bit of progress I think.

I have made a few changes to our local DNS setup (ourcompany.local)

  • I could not find a way to create a CNAME record for mail.ourcompany.be (external name) to make that point to mailsrv.ourcompany.local (internal name). On Windows 2012R2 CNAME is a synonym for Alias. All I could do was create a New alias (CNAME) …, but that way the result was always name1.ourcompany.local that pointed to name2.ourcompany.local. There was no way to enter something like ourcompany.be, so that was of no use to me.
    Maybe the definition of CNAME is diiferent on Linux or Mac or … but this is Windows (2012) I have to deal with
    That probably contributed to the confusion I had with Andrei’s answer.
  • Apparently (after consulting the Microsoft forums) the solution is to create a new DNS zone named mail.ourcompany.be, and create 1 blank Host (A) record in it pointing to the IP-adres of the internal server.
    Seems like a strange way of achieving what I wanted, but it seems to work.

So, now, when I’m in the office I can ping mail.ourcompany.be and the reply comes from the internal IP-adres of mailsrv.ourcompany.local
When I’m outside the reply comes from our public IP-adres.

Which is how it should be, right?

I have done the same for all other hosts that should get a certificate.

Now, for the actual certificates, what would be the best way to proceed? It’s especially the update process I’m concerned about. I would like to get this as automated as possible.

Port 80 and all ports for https are forwarded in the firewall to our mailserver.
I can temporarily (manually) forward them to another internal webserver on a Virtual Machine for the sole purpose of creating/updating the certificates
OR
I can manually update the public DNS-records at my domain provider.

I understand that I have to do either of them manually again when I need to renew the certificates?
Or is their a better way?
What would be the smartest thing to do?


#8

What name are you planning for people to access the services under?


#9

Yup and apologies for making it sound trivial. I forgot about DNS Zones on Microsoft DNS servers and how tricky they can be.

I understand that I have to do either of them manually again when I need to renew the certificates?
Or is their a better way?
What would be the smartest thing to do?

If you are confident in PowerShell I would install the ACMESharp Library as it allows you to script the certs the way you want. Have a look at example code here: https://marc.durdin.net/2016/11/automating-certificate-renewal-with-lets-encrypt-and-acmesharp-on-windows/

Otherwise have a look at this client - New Windows client - ZeroSSL as Win32/Win64 binaries

Andrei


#10

That would be mail.ourcompany.be for the mailserver for people outside our office who are using the webmail.
Internal webmail users can technically use either of mail.ourcompany.be or mailsrv.ourcompany.local or mailsrv
All of those will work, but I’ll encourage them to use the first since that is the one that will have a nice certificate and the last 2 won’t.

Existing outlook configs still have mailsrv, and that can stay the way it is for now.
I’ll use mail.ourcompany.be for new configs though.

I may have to add mail.ourcompany.com (and a few other mail.ourcompany.xxx like .nl and .de) if/when we transfer the mail handling to our mailserver at the headoffice. But if I read it correctly, I can add more than 1 servername/domainname to the same certificate. Physically all mail.ourcompany.xxx will point to same server hosted at our headoffice.


#11

No worries. I am glad you mentioned it, because I never even realized it could be done. If I had known about it, I would have set up the outlook clients with the public name rather than the private name or the private hostname.

[quote=“ahaw021, post:9, topic:31357”]If you are confident in PowerShell …[/quote]Sadly, that’s not the case. Learning Powershell is still on my to-do list, but right now, I have zero experience with it.

I’ll take a look at both links you provided

Now I just need to work out which challenge works best for me?

  • I have asked our registrar (who also runs the DNS servers) if there is a possibility to update the DNS records other than manually via their web interface. I expect the answer to be negative.
  • Other than that, contrary to what I wrote before, I can temporarily forward port 80 to another server, and probably permanently once the certificate is in place. Would that open more possibilities for different challenges?

I found another topic which I bookmarked where someone use the redirect rules on Apache or nginx to

  • satisfy the HTTP-challenge
  • redirect everything else to https
    The redirect http to https would certainly be nice since right now all our user just use plain http

I am still pondering it that would be helpful (especially if I can also use it for the LE-challenge) or if it would only make things more complicated.

I thinks I need to read up a bit, starting with the links you provided and a few I bookmarked and get to the experimenting phase next.


#12

Just an observation: I see both clients on the links you provided are for Windows.
Is that because I mentioned having Active Directory, or is that because you think these are best for my situation?
If the former: I also have Linux machines (Debian) and I have more freedom to add additional machines or services on existing machines than for Windows.

EDIT: I have quickly browsed the zerossl.com webpage, and I can see there are various other use cases than Windows alone.
Will check this more in detail when time and work permit. The instructions there seem to be fairly detailed, that’s nice :slight_smile:


#13

Thanks for the ZeroSSL link. That’s a great resource.

I think I have it working now.

At first I tried the Windows client, but unfortunately I got an error during the install.
I contacted the author of ZeroSSL and he has adapted his instructions a bit to cope with the error (failure on the logging module).
While I was stuck, I installed a Debian VM with the Linux client, and I got that one working.

So now, I have a VM with Apache and the ZeroSSL client which

  • accepts requests for the ACME challenge (http)
  • redirects http requests to https (and a different server thanks to the port forwarding in our firewall)
  • has a cron job that automates renewal and sends me a mail when one or more of the certificates have been renewed

I think that covers pretty much everything I needed or wanted.

Thanks for your help!


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.