DNS01 Domain Challenge Behind NAT

I want to have 2 servers behind NAT (single IP address) to have certificates. Since I have a single IP, I can’t have both resolve to port 80 for a more “traditional” certbot. So, I was thinking about trying DNS01 challenges… but I’m not sure how it will work.

If I read correctly, it still has to validate the domain, which can only exist on one machine. For example I’d like certs for:

Machine 1
example.com
widget.example.com

Machine 2
www.example.com
me.example.com

Machine 1 would work, because its challenge would be accepted because it has the primary domain, yes? How would machine 2 get its certs since it can’t have the primary domain on it?

Very likely (almost certainly) I’m confused about the way DNS01 works, but before I commit some time to a possible dead-end for my needs, I thought I’d ask the experts!

Thanks for any insight!

Are the two servers:
A. Act as one (redundantly)
Or
B. Separate servers that will be running independently from each other

If “A”, then they should probably share the exact same certificate.
Which would help with continuity during fail-overs.
There are many ways to copy/share/sync files between two machines.

If “B”, then treat Machine 1 normally, and treat Machine 2 as a disconnected system.
DNS validation is probably the only way to go in this case.
Unless, Machine 2 can add/remove files from folders in Machine 1, then Machine 2 can still be treated like an ordinary system (but the challenge files will need to be placed on Machine 1 for access and validation through Machine 1).

If you are sure that you will need DNS authentication, then you will need to ensure that your ACME client can integrate with your DNS provider. I’ve never had to go that DNS route so I can’t offer much advice with that.

Let’s Encrypt mostly isn’t interested in the “primary domain”. It wants the applicant (you / the machine running Certbot asking for a certificate) to prove control over the exact name or names requested, the Fully Qualified Domain Name or FQDN.

So for machine 2 in your description, Let’s Encrypt wants to see proof you control www.example.com and me.example.com but it doesn’t care whether you have control over plain example.com because you did not ask for that exact name in the certificate.

For the DNS challenge what will happen is that a DNS record proving control is needed for each of the two names on each of the two certificates, for a total of four DNS records to be created every couple of months when renewing. These TXT records in DNS need to be visible from the public Internet, and ideally you would create them programmatically, i.e. software would do it for you, rather than you pasting things into a web form or whatever, because that will get old really fast.

For the reasons that @tialaramex described, it also does not matter that the hosts that will use the certificates are behind a NAT for the DNS-01 validation method. For this method, unlike the other methods supported by Let’s Encrypt, the certificate authority doesn’t make an inbound connection to the hosts that the domain name refers to. Therefore, they don’t have to be reachable by the CA at all (or even have a publicly visible IP address) when using DNS-01.
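The four TXT records discussed above, as an added example that is not part of the original thread: per RFC 8555 the value is derived only from the CA's token and the ACME account key, so nothing depends on a host's IP address or on which machine serves example.com. The account key, the tokens, and the helper names are constructed or hypothetical.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def dns01_record(fqdn: str, token: str, account_jwk: dict) -> tuple:
    """Return (TXT record name, TXT value) for one name on one order."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{fqdn.rstrip('.')}.", value

# Constructed sample data: placeholder account key (not a real curve point)
# and made-up tokens; a real CA issues a fresh random token per name.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "constructed-x-coordinate", "y": "constructed-y-coordinate"}
CERTS = {
    "machine1": {"example.com": "token-m1-a", "widget.example.com": "token-m1-b"},
    "machine2": {"www.example.com": "token-m2-a", "me.example.com": "token-m2-b"},
}

def plan_records(certs: dict, account_jwk: dict) -> list:
    """List every TXT record the DNS zone must publish, per machine."""
    return [(machine, *dns01_record(name, token, account_jwk))
            for machine, names in certs.items()
            for name, token in names.items()]

if __name__ == "__main__":
    for machine, name, value in plan_records(CERTS, ACCOUNT_JWK):
        print(f'{machine}: {name} 300 IN TXT "{value}"')
```

Machine 2's records sit at `_acme-challenge.www.example.com.` and `_acme-challenge.me.example.com.` only; no record for plain `example.com` is involved in its order.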

Thanks, I was thinking about what would happen with automation when placing TXT records and was concerned that it would want to check the primary domain.

I’m now also thinking about waiting and seeing what might happen with wildcards in the v2 spec.

Just so you understand clearly before making a final decision:
Remember that even though wildcards are helpful and can make some things a lot easier, that ease comes at a cost: all systems using the same wildcard cert must use the same single private key.
Any compromise into any of those systems that exposes their wildcard private key would compromise the encryption of all other systems using that same private key.
Sometimes some systems may need to be completely separately secured.
Be sure to check if any of your systems need to meet compliance standards (like: PCI) before making changes.

True, but this purpose is for some home hobby systems used by family externally and my WordPress blog.

Pretty closely monitored by me. I’d rarely use a wildcard for something like the university systems I manage. :)
