Due to the internet outage in Iran, which has now lasted for more than 35 days, we are facing many challenges within Iran’s infrastructure.
One of these challenges is the issuance and renewal of SSL certificates for servers hosted in Iran. These servers neither have external connectivity to communicate with Let’s Encrypt APIs to request certificate issuance or renewal, nor can Let’s Encrypt servers reach them via HTTP or DNS to validate HTTP challenges or DNS challenges.
Given that this issue has significantly disrupted the process of activating SSL certificates in Iran, I kindly request that you provide a solution that would allow us to perform the verification process for servers in Iran.
My suggestion is that, if possible, a local instance of Let’s Encrypt APIs, along with challenge verification services, be deployed on servers in Iran. Since these servers are connected within the country’s internal network, this setup could enable the issuance and renewal of SSL certificates for Iranian servers.
As a member of the Let’s Encrypt community, I am willing to provide the necessary servers and infrastructure in Iran for this purpose, as well as take responsibility for supporting and maintaining them.
If the Let’s Encrypt community and its development and maintenance team are also willing to collaborate on this initiative, we would be very grateful, as it would resolve the issues faced by many people.
If you’d like to investigate running a CA inside your country, our software is open-source and you can run it.
But the software alone is only a relatively small part of the work involved in running a CA, and we are not going to be able to assist with this, or provide support.
We are not intending to set up or operate a Certificate Authority (CA). Our goal is simply to have a way to validate and issue free Let’s Encrypt certificates for servers hosted in Iran.
The main challenge is that servers hosted in Iran currently cannot complete the required validation process due to the lack of external connectivity. Therefore, we are looking for a solution or mechanism that would allow the validation (challenge verification) and certificate issuance process to work within Iran’s network constraints, while still relying on Let’s Encrypt as the issuing authority.
We would greatly appreciate any guidance or suggestions you may have for enabling this.
In order for Let's Encrypt (or any other CA) to issue a certificate, they need to ensure that the domain is controlled by the requester worldwide (since the certificate can be used worldwide). So even if they did want to host infrastructure within Iran (which would probably be rather challenging audit-and-control-wise), connectivity within only that one country isn't enough to demonstrate that control.
The public WebPKI is just not designed for cases where only a subset of the Internet is accessible.
If you are able to do so and don't want to use dns-persist-01 in the future, you can use a reverse proxy to connect to the Let's Encrypt servers. Set the Host header field to your reverse proxy's domain name and the links should be changed to be for your reverse proxy.
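The reverse-proxy setup the post describes, as an added nginx example that is not from the thread: it relays a client's ACME API calls to Let's Encrypt from a host that still has outbound connectivity, and keeps the proxy's own name in the Host header so the URLs in the server's responses point back at the proxy. The proxy hostname and certificate paths are placeholders, and it is an assumption that Let's Encrypt's front end accepts the proxy's name in the Host header; the proxy only relays API traffic, so challenge validation still requires that Let's Encrypt can reach the domain's HTTP or DNS endpoint.

```nginx
# Added example, not part of the original thread.
# Runs on a host with outbound Internet access; ACME clients inside the
# restricted network use https://acme-proxy.example/directory instead of
# the Let's Encrypt directory URL.
# Placeholders: "acme-proxy.example" and the certificate/key paths.

server {
    listen 443 ssl;
    server_name acme-proxy.example;

    ssl_certificate     /etc/ssl/acme-proxy.example.pem;  # placeholder
    ssl_certificate_key /etc/ssl/acme-proxy.example.key;  # placeholder

    location / {
        # Relay every request path unchanged to the production ACME API.
        proxy_pass https://acme-v02.api.letsencrypt.org;

        # As the post suggests: send the proxy's own name as Host, so the
        # ACME server builds the links in its responses (directory, Location,
        # Link headers) with the proxy's name and the "url" field inside each
        # request's JWS header matches what the server sees. Assumption: the
        # upstream honours this header.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;

        # TLS to the upstream still uses the real name for SNI and
        # certificate verification; never relay to an unverified upstream.
        proxy_ssl_server_name on;
        proxy_ssl_name acme-v02.api.letsencrypt.org;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Do not rewrite the Location header: with Host already set to the
        # proxy's name, the upstream emits proxy-relative links itself.
        proxy_redirect off;
    }
}
```

With certbot the proxy is selected with `--server https://acme-proxy.example/directory`; the challenge files or DNS records it asks for must still be reachable by Let's Encrypt from outside the country.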