Firewall IIS Automation

My webserver is behind a firewall that has IP-restricted services; we cannot open 80/443 to ALL.

What’s the easiest way to automate getting and renewing a cert? Is DNS-challenge my only option? If so, how do I automate it?

The only way to avoid the DNS challenge would be to use some kind of split-horizon DNS, where you serve a different, publicly reachable IP address to the public, and validate the ownership through that IP. The public server might be something like an S3 bucket where you can upload the challenge file to.

That probably won’t be a good fit for many scenarios, so that leaves you with the DNS challenge. The steps for automation depend on your environment. Many DNS providers or DNS servers support some sort of API for this - something like RFC 2136 or a proprietary HTTP API. A number of ACME clients have added support for most of the popular DNS providers, see for example the provider list for the lego client. certbot has recently added automation for the DNS challenge with auth hooks. You’ll probably find scripts for popular DNS vendors all over the internet.

If none of those options work for your DNS, or if you’re not comfortable giving write access to your DNS to a number of servers (which makes sense!), you might also be interested in acme-dns. With that option, you’d run a second, separate DNS server solely for the purpose of solving ownership challenges, while your domain’s DNS would just have a static CNAME pointing to a hostname under that secondary DNS.

Edit: It seems I missed the “IIS” in the title. ACMESharp, a client for Windows and IIS, appears to have the concept of challenge handlers (or providers?), which sounds a lot like what you’d need for automation. It looks like the code contains one example for Cloudflare’s DNS API. I’m not really familiar with the client, but hopefully that’ll be of some use.
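Added example, not from the original thread: the two pieces an auth hook for the delegated DNS-01 setup above has to get right, namely computing the TXT value from the challenge token and account key (RFC 8555 section 8.4, RFC 7638 thumbprint) and following the static `_acme-challenge` CNAME to the acme-dns name that must actually receive the record. All keys, tokens and DNS names are constructed sample data, and the CNAME lookup is a dictionary standing in for a real resolver so it runs offline.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required public members only, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{jwk_thumbprint(jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())

def challenge_target(domain: str, cname_records: dict) -> str:
    """Follow _acme-challenge.<domain> through CNAMEs to the name that must
    actually hold the TXT record (the acme-dns hostname when delegated)."""
    name = f"_acme-challenge.{domain}."
    seen = set()
    while name in cname_records:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = cname_records[name]
    return name

def plan_dns01(domain: str, token: str, jwk: dict, cname_records: dict):
    """Return (record name, TXT value) the auth hook must publish."""
    return challenge_target(domain, cname_records), dns01_txt_value(token, jwk)

# Constructed sample data (not a real key, token or zone).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
# The domain's own zone holds only a static CNAME into the acme-dns zone,
# so the ACME client never needs write access to the production zone.
SAMPLE_CNAMES = {"_acme-challenge.www.example.com.":
                 "8e5700ea-a4bf-41c7-8a77-e990661dcc6a.auth.example.net."}

if __name__ == "__main__":
    name, value = plan_dns01("www.example.com", SAMPLE_TOKEN, SAMPLE_JWK, SAMPLE_CNAMES)
    print(f'{name} IN TXT "{value}"')
```

A real hook would push the returned (name, value) pair to the acme-dns update API (or an RFC 2136 update) and wait for propagation before the validator queries it.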
