Converting from LetsEncrypt to self signed certificate for internal server


#1

Hi,

I set up Let’s Encrypt on an internal server used to run check_mk monitoring software. Given that this is an internal server, the work involved in making it available to verification each time we need to renew doesn’t seem worth it, so we’d like to move to using a self signed certificate.

Can someone explain how to go about converting from Let’s Encrypt to using a self signed certificate? We’re using ubuntu 16.04.1, and apache2.

Thanks,

Marc
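The steps the question asks about, as an added example that is not from this thread or the check_mk project: generate a self-signed certificate with a subjectAltName matching the server's internal FQDN (browsers ignore a bare CN), verify the key and certificate belong together, and print the two Apache directives that replace the `/etc/letsencrypt/live/...` paths certbot wrote into the SSL vhost. The hostname `monitor.example.internal`, the output directory and the vhost file name are placeholders; the config-file form of `openssl req` is used instead of `-addext` because the latter needs OpenSSL 1.1.1, which Ubuntu 16.04 does not ship.

```shell
#!/bin/sh
# Self-signed server certificate for an internal host, with a SAN entry.
# Works with the OpenSSL 1.0.2 on Ubuntu 16.04 as well as newer releases.
set -eu

# make_self_signed_cert FQDN OUTDIR [DAYS]
# Writes OUTDIR/FQDN.key (mode 600) and OUTDIR/FQDN.crt.
make_self_signed_cert() {
  fqdn="$1"; outdir="$2"; days="${3:-365}"
  mkdir -p "$outdir"
  cfg="$outdir/openssl-selfsigned.cnf"
  # Minimal request config: non-interactive DN plus server extensions.
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no

[dn]
CN = $fqdn

[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
    -config "$cfg" -keyout "$outdir/$fqdn.key" -out "$outdir/$fqdn.crt" 2>/dev/null
  chmod 600 "$outdir/$fqdn.key"
}

# cert_has_san CRT FQDN -> exit 0 if the certificate lists DNS:FQDN in its SAN
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_matches_key CRT KEY -> exit 0 if both carry the same RSA modulus,
# i.e. the key file really belongs to the certificate Apache will serve.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -modulus)
  k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# apache_ssl_directives FQDN OUTDIR -> prints the lines that replace the
# SSLCertificateFile / SSLCertificateKeyFile entries certbot put in the
# *-le-ssl.conf vhost (placeholder vhost name; adjust to your site).
apache_ssl_directives() {
  printf 'SSLEngine on\n'
  printf 'SSLCertificateFile %s/%s.crt\n' "$2" "$1"
  printf 'SSLCertificateKeyFile %s/%s.key\n' "$2" "$1"
}

# Stand-alone use: ./selfsigned.sh monitor.example.internal /etc/ssl/private
if [ "$#" -ge 2 ]; then
  make_self_signed_cert "$1" "$2"
  cert_has_san "$2/$1.crt" "$1"
  cert_matches_key "$2/$1.crt" "$2/$1.key"
  apache_ssl_directives "$1" "$2"
  echo "now: sudo apache2ctl configtest && sudo systemctl reload apache2"
fi
```

After swapping the directives in, drop any `SSLCertificateChainFile` line that still points at the Let's Encrypt chain, run `apache2ctl configtest`, and reload. Clients inside the organisation will need the new `.crt` imported as trusted, or they will see the usual untrusted-issuer warning.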


#2

I should add that I followed this tutorial (but used our fqdn rather than IP address):

I should also note that the default apache2 page loads properly, and that I can get a login page for check_mk. However, once I log in, I just get a blank page.

I tested this method on a test VM first, and everything worked. The only difference between the test VM and my production server is that I had installed Let’s Encrypt certificate on the production server (and hadn’t done so on the test VM).

Thanks,

M


#3

Hi Folks,

I was mistaken in my initial post. I recently retested installing a self-signed cert to a VM that was running check_mk, and discovered that it did not work properly. I hadn’t investigated it past the login screen when I posted previously.

I’ll work with the check_mk team on this, as the issue is more germane to SSL in general, rather than converting from Let’s Encrypt to self signed certs specifically.

Thanks,

Marc


#4

You can generate a self signed cert in one click at https://zerossl.com/free-ssl/#self as well. Works for IPs too (so no need to bother with domain names on internal servers).


#5

By the way, many people in this situation successfully use the DNS challenge type (especially supported by bash-based Let’s Encrypt clients but also by some others). In this case they don’t need to allow an inbound TCP connection to the internal server, as long as they can update their public DNS records.


#6

Thanks Schoen. Though this server has a record on our internal dns server, that record isn’t known outside our organization.

Marc


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.