Is let's encrypt certs valid for public servers only?

Hi,
is there a way to use the let's encrypt certificates on a DMZ network?

Most backend servers are behind a DMZ and are not connected to the internet.

How can we use let's encrypt automatic renew if we don't have internet on that servers?

Thanks.

1 Like

DNS-01 challenge or a dummp webserver on public side for get cert for it?

3 Likes

There is a difference between:

  • getting/renewing a certificate
  • using a certificate

To answer your question:
"Is let's encrypt certs valid for public servers only?"
No.

You could have some other system get, and renew, the cert(s) and then:

  • place the cert(s) where the systems in the DMZ can reach them
  • place the cert(s) directly into the servers in the DMZ

If there is no Internet IP for the names, you may have to use DNS authentication.
If you are going to use DNS authentication, you might as well get a wildcard cert.
[if one single wildcard can cover all the names in the DMZ - that simplifies things]

4 Likes

certificates are meant for security,
how can I copy a certificate from a public server to a DMZ one in a secure and automatic way?

what is your suggestion?

thanks for the help, I appreciate it.

No one said you have to use a server that can be accessed from the public Internet to obtain a cert.
You can, but you don't have to.
HTTP authentication is the simplest method of validation and easiest way of obtaining a cert.
But there is a more secure way: using DNS authentication.

2 Likes

not sure those server can even call le server outbound
probably can but you can't sure someone's server config

2 Likes

is there some guides that shows me how to use DNS Auth? thanks!!!

1 Like

It depends on the ACME client and your DSP.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.