Getting certificates for non-internet facing services

So I’ve been reading through a lot of things regarding LE and am ready to take the plunge.

However, on my initial test I’ve found that I need to verify each cert request that I make. This would be fine, but some of the web servers I would be wanting to cover are only accessible from specific external hosts.

I cannot seem to find any kind of contingency for this sort of situation. It would be useful for instance if I could have an external-facing server running the client that could handle the cert requests for any other hosts within our network.

Perhaps something like this is already available? Any pointers would be greatly appreciated.

You have a few options:

  1. Run configure all the servers to allow access to /.well-known/acme-challenge/ from any host.
  2. Run the client on 1 server and configure the others to reverse proxy requests for /.well-known/acme-challenge/ to that server, again from any host.
  3. Use one of the clients that supports the DNS-01 challenge.

The simple way to do this is pretty much what I have set up--DNS records point *.mydomain.tld to that external-facing server, it obtains certs for itself and certain internal servers (which it can validate, since all hostnames on my domain resolve to that server), and then it distributes the servers to (most of) the internal servers (for one of them, I just need to manually copy the cert over). If that DNS solution won't work for your situation, there's always the DNS challenge for domain validation. That isn't currently supported by the official client, but it is by some alternative clients--one that does support the DNS challenge is (

Here is the list of Alternate Clients. As danb35 says there are a number that support the DNS check. Certainly all the bash ones do.

I try and be very careful not to push my client over others. In this case though I’d suggest taking a look at the getssl client as it’s specifically written such that it can be run on one location and place certificates onto other servers ( providing you have SSH access to the other servers) in an automatic way. There is a plan I think for the official client to do this as well, but it doesn’t as yet.

Thanks all for the info.

With the DNS checking, does the domain name need to be resolvable from outside (i.e. by LE)? I run my own DNS service for our internal network, but any external hostnames are managed elsewhere out of my direct control.

The domain itself doesn’t need to be resolvable, but you’ll need to create a publicly-resolvable TXT record for every domain (with a token that’ll change with each renewal), so that’s probably still a problem if you don’t have access to your public DNS.

That depends what you mean by resolvable …

The authoritative nameserver for your domain needs to be reachable by LE. The domain itself could point to some 192.168.x.y internal address that can not be reached from the outside, but LE needs to be able to reach the primary nameserver for the domain - basically it provides a token that you need to add to that nameserver as a text field, and it then checks to confirm it’s there.

Does that answer the question ?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.