How to: Requesting certificate for VPN appliance

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://secure.na-link.com

The operating system my web server runs on is (include version): Ubuntu Server 20.04 LTS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I hope this is in the right category, but I'm looking at using a LetsEncrypt certificate for a hardware SSL VPN appliance. Previously we've purchased certificates, but we're only going to be using this for a couple more months and we'd rather just use a LetsEncrypt certificate for that time. Am I able to temporarily point my domain to a VPS (I typically use Ubuntu 20.04), run certbot, export that certificate, then drop the certificate into my appliance? Is there any reason that shouldn't work? I didn't want to dive in until I had gotten some advice.

2 Likes

Hi @RogerTheShrubber Welcome to the community!

First thought:
You should be able to follow your plan as long as all pertinent hostnames are included in the certificate request. You could use a DNS challenge to obtain a wildcard certificate that would work on your apex domain (secure.na-link.com) and subdomains (*.secure.na-link.com). Or do an HTTP challenge and specify the appropriate domain/subdomain...

Second thought:
Take a look at the certbot instructions using your particular setup:

Without the info asked for in the help form, it becomes difficult to give more help.

2 Likes

How do you usually get a certificate and load it into your appliance? If it's through DNS, you shouldn't need to point your domain to a VPS or anything, you should be able to just run certbot (or some other client) on whatever computer you want in manual mode for DNS challenges, update your DNS, and get your certificate to then manually install onto your appliance. Normally I wouldn't recommend manual intervention, but if you're not planning on renewing it again then it's probably not a big deal.

This is all assuming your appliance just needs a "normal" TLS Server Certificate, and not something more exotic.

3 Likes

Thanks for the advice everybody.

We typically do it through our registrar and manually install it in the appliance. This hasn't usually been my responsibility, so I had to ask around to make sure how we've done it. I think for safety we're just going to renew it the same way we have already done one more time. Don't want to screw anything up.

2 Likes

I guess your best bet is to use DNS authentication, possibly in manual mode. (Since you are only using it for a couple of months, this manual overhead should not matter anyway.) You do not even need to touch the A record of secure.na-link.com.

That is:

  1. Run certbot (or whatever other ACME client), select DNS authentication, and install the authentication key manually.
  2. Set up a TXT DNS record _acme-challenge.secure.na-link.com with the authentication key the ACME client instructs you to enter, in your DNS server (possibly at your registrar).
  3. Complete DNS authentication in certbot.
  4. Delete the TXT DNS record _acme-challenge.secure.na-link.com.
  5. Obtain the certificate and key and install them into your VPN appliance.

2 Likes
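The manual DNS-01 flow from the steps above, as an added example that is not part of any post in this thread. It assumes certbot and dig are installed on the machine you run the client from, uses the thread's hostname secure.na-link.com, and polls an arbitrary public resolver (1.1.1.1) so you only press Enter in certbot once the TXT record is actually visible; a premature Enter fails the challenge and wastes an order.

```shell
#!/bin/sh
# Added example for the manual DNS-01 procedure; not from the thread.
# Assumptions: certbot and dig installed; DOMAIN is the thread's hostname;
# RESOLVER is an arbitrary public DNS resolver used to confirm propagation.
set -eu

DOMAIN="secure.na-link.com"
RESOLVER="1.1.1.1"

# DNS-01 always validates a TXT record at this label under the requested name.
acme_txt_name() { printf '_acme-challenge.%s\n' "$1"; }

# Read `dig +short TXT` output on stdin (one double-quoted string per line) and
# succeed only if the exact token the ACME client asked for is among them.
txt_present() {
  expected="$1"
  grep -Fxq "\"${expected}\""
}

# Poll the public resolver until the token is visible (about 5 minutes max).
wait_for_txt() {
  token="$1"; name="$(acme_txt_name "$DOMAIN")"; tries=0
  until dig +short TXT "$name" "@${RESOLVER}" | txt_present "$token"; do
    tries=$((tries + 1))
    if [ "$tries" -ge 30 ]; then
      echo "TXT for $name not visible at $RESOLVER; do not continue yet" >&2
      return 1
    fi
    sleep 10
  done
  echo "TXT for $name is live; press Enter in certbot to continue."
}

# Usage:
#   Terminal 1: certbot certonly --manual --preferred-challenges dns -d "$DOMAIN"
#               (certbot prints the token and waits; create the TXT record now)
#   Terminal 2: sh ./manual-dns01.sh check <token-printed-by-certbot>
# After issuance certbot writes /etc/letsencrypt/live/$DOMAIN/fullchain.pem and
# privkey.pem; those two files are what gets imported into the appliance, and
# the _acme-challenge TXT record can then be deleted (step 4 above).
if [ "${1:-}" = "check" ]; then
  wait_for_txt "$2"
fi
```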

Oh, somehow I missed that LetsEncrypt did authentication with a TXT record! Thanks for the advice.

2 Likes

Well, that's one of the options.

Many people find the HTTP-01 challenge easier to automate, but you can use a DNS TXT record just fine as well. The key is that you want to set up your system to automate whatever method you choose, ideally. But for your case of a short-term usage it probably works fine to just do it manually.

2 Likes

Oh, yeah, that's what I meant. I've done the typical automated challenge with CertBot many times on my regular web servers, but never really dug deeper than that.

2 Likes
