Installing certificate with HTTPS blocked

I know this question is brought up on regular basis. Our customer requires us to filter HTTP and HTTPS traffic to their IP subnet only. It is 24x7 application (running on AWS, but I don't think it matters - only in the sense that we have control over the infrastructure). Also, we have both a Linux box and a Windows box that both require certs.

Currently, we have maintenance every 6-8 weeks - we have a workaround to renew the certificate. But we are about to go into high-SLA production mode with (hopefully) zero downtime. Is there any guidance to renew certificates in such a situation? Maybe even on a different box - but obviously we can't redirect the domain either.

UPDATE: I initially mentioned that HTTP is blocked; but in fact, with DNS validation HTTP is not running at all. So, the question is only about 443 being blocked.

I'm not quite following what your question is. If you use a DNS-01 challenge (which it sounds like you might be using?), then only the DNS server needs to be globally accessible. The host that the certificate is for doesn't need to be accessible. This is a pretty common approach for "internal" servers that aren't intended for general access.

If your DNS is in AWS (Route 53) as well, then most ACME clients have good support for automating the handling of the DNS challenge.

If you need to use HTTP-01 (or TLS-ALPN-01), then the server itself needs to be accessible globally while doing renewals. Some people with firewall requirements manage to script it so that the firewall is opened at the start of doing a renewal and closed again afterward. I don't know if your customer might be fine with that as a compromise. But usually for this kind of scenario the DNS-01 approach is easiest, even if you need the customer to delegate (CNAME) the _acme-challenge. name to you or use acme-dns or the like.

But regardless, in order to issue a certificate then the CA needs to ensure that you own the name as seen from everywhere, which means that somewhere you need to have one of ports 53, 80, or 443 open to the world. Most IT departments are most comfortable with 53 out of those options, for some reason.
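As an added illustration (not part of this thread), here is what the CA actually looks up in a DNS-01 validation, following RFC 8555 section 8.4 and the JWK thumbprint of RFC 7638: the proof is a TXT record derived from the challenge token and the ACME account key, so nothing on port 80 or 443 of the certified host is contacted. The account key, token and CNAME delegation below are constructed values.

```python
import base64
import hashlib
import json

# RFC 7638: only the required public members of each key type are hashed;
# extras such as "kid" or "alg" are ignored.
REQUIRED_JWK_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}

# Constructed account key (not a real key; only its JSON form is hashed here).
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

# Constructed delegation: the customer CNAMEs the challenge name to a zone
# the renewing party controls (acme-dns style), so only that zone must answer.
CNAME_DELEGATION = {"_acme-challenge.app.example.com": "abc123.acme-dns.example.net"}

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members, sorted, no whitespace, SHA-256."""
    members = {k: jwk[k] for k in REQUIRED_JWK_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT value is base64url(SHA-256(key authorization))."""
    keyauth = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(keyauth).digest())

def resolve_cname(name: str, cname_map: dict, max_hops: int = 8) -> str:
    """Follow CNAME delegation to the name whose zone must publish the TXT."""
    for _ in range(max_hops):
        if name not in cname_map:
            return name
        name = cname_map[name]
    raise ValueError("CNAME loop or chain too long")

if __name__ == "__main__":
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token
    name = resolve_cname("_acme-challenge.app.example.com", CNAME_DELEGATION)
    print(f'{name}. IN TXT "{dns01_txt_value(token, ACCOUNT_JWK)}"')
```

Run it to see the record that has to be visible on port 53 of the delegated zone; a client such as certbot with the Route 53 plugin publishes exactly this record and removes it after validation.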


For some reason I thought that even with the DNS-01 challenge I have to have 443 open to the world. With your comment, and some other things that I am reading, it looks to me that it is a wrong assumption...
That would be awesome - exactly what I need. I even see where I can put Route 53 credentials in CertifyTheWeb client. Now I need to figure out how to set it up on Linux.


The certbot client also has a Route 53 DNS plugin available. And other ACME clients for Linux probably do too.
