Are Let's Encrypt certs valid for public servers only?

Hi,
Is there a way to use Let's Encrypt certificates on a DMZ network?

Most backend servers are behind a DMZ and are not connected to the internet.

How can we use Let's Encrypt automatic renewal if we don't have internet access on those servers?

Thanks.


DNS-01 challenge, or a dummy webserver on the public side to get the cert for it?


There is a difference between:

  • getting/renewing a certificate
  • using a certificate

To answer your question:
"Are Let's Encrypt certs valid for public servers only?"
No.

You could have some other system get, and renew, the cert(s) and then:

  • place the cert(s) where the systems in the DMZ can reach them
  • place the cert(s) directly into the servers in the DMZ

If there is no Internet IP for the names, you may have to use DNS authentication.
If you are going to use DNS authentication, you might as well get a wildcard cert.
[if one single wildcard can cover all the names in the DMZ - that simplifies things]

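As an added illustration of the DNS-01 route suggested above (the "DNS-01 challenge" reply and the "you may have to use DNS authentication" post), here is what an ACME client actually computes and publishes for that challenge. This is example code written for this page, not code from Let's Encrypt or from any ACME client; it follows RFC 8555 section 8.4 (dns-01) and RFC 7638 (JWK thumbprint). The account key and the challenge token below are made up for the example and are not real. The point it shows: the only thing the CA checks is a TXT record derived from the token and the account key, so the DMZ host that will eventually use the certificate never needs an Internet-facing IP, and a wildcard name is validated at the base name.

```python
# Added example (not from the thread): what an ACME client publishes for a
# DNS-01 challenge, and what the CA compares it against.
# References: RFC 8555 section 8.4 (dns-01), RFC 7638 (JWK thumbprint).
import base64
import hashlib
import json
import re

# ACME tokens are base64url characters only (RFC 8555 section 8.3); reject
# anything else before it goes anywhere near a DNS API or a file path.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# RFC 7638 section 3.2: the thumbprint covers only the required public members,
# serialised with keys in lexicographic order and no whitespace.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """The exact JSON string RFC 7638 hashes for the thumbprint."""
    members = _THUMBPRINT_MEMBERS.get(jwk.get("kty"))
    if members is None:
        raise ValueError(f"unsupported key type: {jwk.get('kty')!r}")
    subset = {name: jwk[name] for name in members}  # KeyError if one is missing
    return json.dumps(subset, separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JWK)), the account's stable identifier."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record content: base64url(SHA-256(token '.' thumbprint))."""
    if not _TOKEN_RE.match(token):
        raise ValueError("challenge token contains characters outside base64url")
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def dns01_record_name(identifier: str) -> str:
    """Owner name of the TXT record; a wildcard '*.x' is validated at '_acme-challenge.x'."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.')}."


def ca_would_accept(published: list, token: str, account_jwk: dict) -> bool:
    """CA side: validation passes if any TXT string at the name equals the expected value."""
    return dns01_txt_value(token, account_jwk) in published


# --- constructed sample input: NOT a real account key and NOT a real token ---
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "WbbXzbVlGoS5YOIomI2a5iMeADOHZHqTCwXpoMmgXdI",
    "y": "Ko7Y3xQvfJkLn1l0DqM0wDnHxTwKAiBeYQ9HUFRNnrU",
    "use": "sig",  # not part of the thumbprint, as RFC 7638 requires
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    name = dns01_record_name("*.dmz.example.com")
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f'publish: {name} IN TXT "{value}"')
    # The client then asks the CA to validate; the CA resolves the name and compares.
    print("CA accepts:", ca_would_accept([value], SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK))
```

In practice the ACME client (certbot, acme.sh, lego, and so on) does this for you through a plugin for your DNS provider's API; the part that matters for the DMZ case is that the machine running the client only needs outbound access to the CA and to the DNS API, and the TXT record can be removed as soon as the challenge is marked valid.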

Certificates are meant for security;
how can I copy a certificate from a public server to a DMZ one in a secure and automatic way?

What is your suggestion?

Thanks for the help, I appreciate it.

No one said you have to use a server that can be accessed from the public Internet to obtain a cert.
You can, but you don't have to.
HTTP authentication is the simplest method of validation and easiest way of obtaining a cert.
But there is a more secure way: using DNS authentication.


Not sure those servers can even call the LE server outbound.
They probably can, but you can't be sure of someone else's server config.


Are there some guides that show me how to use DNS auth? Thanks!!!


It depends on the ACME client and your DSP.
