This is a question about using certbot for auto-renewal in the following situation:
Let's say we have the domain www.contoso.com and also a FortiGate 60D firewall running FortiOS 6.04 (7 is not available on this device). The FortiGate is the gateway for a dynamic IP at the main office, so we have the FortiGate set up to register contoso.fortiddns.com to resolve the changing dynamic IP.
There is a web server for the website, but it's hosted elsewhere (not on premises).
The workgroup computers are on an Azure AD domain; there is no on-premises server. I want to set up an SSL VPN but need to get certbot running for the cert renewals.
Now, could this be done with a VMware Ubuntu workstation running behind the firewall? Don't worry about uploading the cert to the FortiGate; there is a script for that. I just need to automate the renewal, but the certbot download tool asks questions about the www server to which I don't know the answer.
I presume I also need a way to verify ownership of the DDNS domain (whose records I can't change?).
I am assuming that if I set up an Ubuntu 20.04 VM to host certbot, I would also need a web server on the VM to host the cert for ownership verification as well?
Maybe. Yes, you must demonstrate control of the domain name to get a cert. For this, the two most common ways are the DNS challenge and the HTTP challenge.
Port 80 must be open in the firewall to receive the HTTP challenge. Certbot has a standalone option to act as the web server only to process these challenges. It saves the trouble of setting up nginx or Apache, for example. The URL format of these challenges from the Let's Encrypt servers to you is always the same, so if your firewall allows it you could permit just that format instead of all URLs inbound on port 80.
For the DNS challenge you need to update a TXT record value in the DNS zone. There are various plug-ins for DNS providers to automate this; see the certbot docs for the list. Another ACME client, acme.sh, supports many more DNS providers. You can add the TXT record manually, but this becomes tedious quickly, as the certs expire in 90 days and the recommendation is to renew after 60 days (maybe 75) to allow time to recover from problems.
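To make the answer above concrete, here is an added example (not from the thread, and not certbot's own code) that computes exactly what the standalone web server hands back for an HTTP-01 challenge and what the DNS plug-in writes into the TXT record for DNS-01, per RFC 8555 and RFC 7638. It also shows the fixed URL shape a firewall rule can pin down, and the "renew when fewer than N days remain" decision. The account key here is a constructed placeholder JWK, not a real key, and the token is the example token from RFC 8555; only the Python standard library is used.

```python
"""What certbot does under the hood for HTTP-01 and DNS-01 (added example).

Both challenge types hinge on the "key authorization": the CA's random token
joined to a SHA-256 thumbprint of the ACME account's public key. HTTP-01 serves
that string on port 80 at a fixed path; DNS-01 publishes its SHA-256 hash as a
TXT record. Every renewal is a fresh order, so this exchange repeats each time.
"""
import base64
import hashlib
import hmac
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed placeholder for the public half of the ACME account key. A real
# RSA modulus is 2048+ bits; this short value only exercises the encoding math.
ACCOUNT_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z",
    "kid": "https://example.invalid/acme/acct/1",  # optional; ignored below
}
# Example token from RFC 8555; tokens use the base64url alphabet only.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

# The only path a CA will ever request for HTTP-01, so a firewall can allow
# just this shape on port 80 rather than everything.
ACME_PATH = re.compile(r"^/\.well-known/acme-challenge/[A-Za-z0-9_-]+$")


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638: only the required members, sorted keys, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members},
                      sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """(URL path the CA fetches over port 80, body it must receive)."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_txt_value(token: str, jwk: dict) -> str:
    """TXT value for _acme-challenge.<name>: base64url(SHA-256(keyAuthz))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode()).digest()
    return b64url(digest)


def firewall_allows(path: str) -> bool:
    """Port-80 rule: permit only the ACME challenge path shape."""
    return ACME_PATH.fullmatch(path) is not None


def ca_side_check(served_body: str, token: str, jwk: dict) -> bool:
    """What the validator does with the fetched body (constant-time compare)."""
    expected = key_authorization(token, jwk)
    return hmac.compare_digest(served_body.strip(), expected)


def should_renew(not_after: datetime, now: datetime, days_before: int = 30) -> bool:
    """Renew once fewer than days_before days remain (certbot's default is 30,
    i.e. day 60 of a 90-day certificate)."""
    return not_after - now <= timedelta(days=days_before)


if __name__ == "__main__":
    path, body = http01_response(TOKEN, ACCOUNT_JWK)
    print("HTTP-01: GET", path, "->", body)
    print("DNS-01 : _acme-challenge TXT", dns01_txt_value(TOKEN, ACCOUNT_JWK))
    now = datetime.now(timezone.utc)
    print("renew a 90-day cert today?", should_renew(now + timedelta(days=90), now))
```

With certbot's standalone plugin the HTTP-01 side of this happens for you: it binds port 80 only while the challenge is outstanding, serves the key authorization at that path, then exits, and `certbot renew` from cron or a systemd timer repeats the whole exchange at each renewal, which is why the port-80 rule (or the DNS plug-in credentials) has to stay in place rather than being a one-off.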
Right, I like the sound of not having to set up my own web server.
So I should download certbot and use the embedded web server.
Is the verification a one-time step, or must the verification be repeated every time the renewal happens?
Who hosts your DNS nameservers (self-hosted, Azure, AWS Route 53, GoDaddy, etc.)? For general-purpose certificates, when HTTP challenges may be problematic, DNS validation is sometimes easier; it just depends on how the actual DNS for your domain is hosted.