Create a cert for a DMZ server, on a nonstandard port

I have a public address (say www-mydomain-org), however the firewall redirects this to an internal server www-dmz-mydomain-org). In my case the redirect is to a non-standard port 12345 so I accessing www-mydomain-org:12345 which forwards the request to www-dmz-mydomian-org:2345. So I need a cert for www-mydomain-org, however the internal server on which I want a cert only knows of it’s self as www-dmz, and due to policies can not even access www (in fact no internal dmz server has access to the public address). Thus I have

www-mydomain-org : external IP (of FW) : port 12345
www-dmz-mydomain-org : internal IP (lets say say 10.120.12.12) : port 2345

www-dmz.mydomain-org is accessed externally via www-mydomain-org and port 12345.

How do I generate a cert for www.mydomain.org:12345?

I thought I’d use certonly, but even then I get unable to connect to host (makes sense as I active reject connection to the public IPs from the DMZ and the port is non-standard as well.

Thanks,
ERIC

FYI: sorry about using - but otherwise it thinks of the name as links.

Currently, the domain you want to acquire a certificate for needs to be accessible from the public internet either on port 80 via HTTP (http-01 challenge) or on port 443 via HTTPS (tls-sni-01 challenge) whenever you want to issue or renew a certificate.

In the near future, Let’s Encrypt will also support the dns-01 challenge type, where you can solve the ownership challenge by creating a certain DNS record for your domain. There’s no ETA for this AFAIK, other than “hopefully soon”. This will allow you to acquire certificates without opening any ports, as long as you can modify the DNS records for your domain.

Thanks, I’ll waiting till then as that would be an acceptable solution.

ERIC

A post was split to a new topic: Cert for a dmz server with dns-01 validation