Issue a certificate for private VM - possible solutions

Hello,
We had a UniFi controller installed on a VM that had its own public IP address, so there was no issue getting a unifi.domain.com certificate.

Now, due to our internal company rules, we had to move the controller to another VM that is behind a firewall, so it's not accessible from the internet anymore. I want to know what possibilities we have to issue the unifi.domain.com certificate for the new VM.

We cannot set up port forwarding on the firewall, because ports 80 & 443 are occupied by another VM, which is using a Let's Encrypt certificate too.

Is it possible to still issue the unifi.domain.com certificate on the 1st VM (internet-facing), and then we'll just copy the certificate files to our internal UniFi VM?

Or is DNS authentication our last chance? Currently we cannot automate it (changing TXT records), because our domain holder doesn't provide any API for it, but we'll migrate to OVH soon, and most probably we'll issue a wildcard certificate for the whole domain.


Hi @dwma

Yes, that's possible. A certificate knows nothing about the IP address or the environment you used to create it.

So you can create one certificate, copy it - and use it with different configurations.

That's possible. Perhaps check acme.sh; a lot of DNS providers are supported.

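One way to put the reply above into practice, as an added example that is not from the thread and not from certbot, acme.sh or UniFi themselves: a POSIX shell script for the internet-facing VM that issues the certificate with certbot's webroot (HTTP-01) validator on the port that is already exposed there, and then pushes the PEM files to the internal UniFi VM over SSH. Before pushing it checks the three things that most often go wrong when certificate files are copied by hand: that the private key really belongs to the certificate, that the certificate's SAN list covers the name (including a wildcard of the parent domain, since the thread mentions moving to a wildcard), and that it is not about to expire. The domain, the internal host name, the webroot path and the destination directory are assumptions for illustration; how the controller loads the copied PEM files is not covered here.

```shell
#!/bin/sh
# Added example, not code from the thread. Issue unifi.domain.com on the
# internet-facing VM, verify the material, and push it to the internal VM.
# Assumed values (adjust to your environment):
DOMAIN="unifi.domain.com"
INTERNAL_HOST="unifi-internal.example.internal"   # assumed internal VM
WEBROOT="/var/www/html"                           # assumed, served on port 80
LIVE_DIR="/etc/letsencrypt/live/${DOMAIN}"         # certbot's default layout
DEST_DIR="/etc/ssl/unifi"                         # assumed target directory
set -eu

# Return 0 when the private key belongs to the certificate. Comparing the
# PEM-encoded public keys works for RSA and ECDSA alike, unlike the classic
# "compare the RSA modulus" trick.
cert_key_match() {
  cert="$1"; key="$2"
  cert_pub="$(openssl x509 -in "$cert" -noout -pubkey)"
  key_pub="$(openssl pkey -in "$key" -pubout)"
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate's subjectAltName covers NAME, either as an
# exact DNS entry or as a wildcard for NAME's parent domain. The CN is
# deliberately ignored: clients only honour SAN entries.
cert_covers_name() {
  cert="$1"; name="$2"
  parent="${name#*.}"
  san="$(openssl x509 -in "$cert" -noout -text)"
  printf '%s\n' "$san" | grep -Eq "DNS:${name}(,|\$)" && return 0
  printf '%s\n' "$san" | grep -Eq "DNS:\\*\\.${parent}(,|\$)"
}

# Return 0 when the certificate is still valid DAYS days from now.
cert_valid_for_days() {
  cert="$1"; days="$2"
  openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null
}

# One-time issuance on the internet-facing VM. The deploy hook re-runs the
# push below after every successful renewal, so the internal VM stays current.
issue_cert() {
  certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN" \
    --deploy-hook "$0 push"
}

# Copy fullchain + key to the internal VM, refusing to ship anything that
# fails the checks above. scp dereferences certbot's symlinks for plain
# file copies, so real files land on the other side.
push_to_internal() {
  src="${1:-$LIVE_DIR}"
  cert_key_match "$src/fullchain.pem" "$src/privkey.pem" || {
    echo "refusing to deploy: privkey.pem does not match fullchain.pem" >&2
    return 1
  }
  cert_covers_name "$src/fullchain.pem" "$DOMAIN" || {
    echo "refusing to deploy: certificate does not cover $DOMAIN" >&2
    return 1
  }
  cert_valid_for_days "$src/fullchain.pem" 7 || {
    echo "refusing to deploy: certificate expires within 7 days" >&2
    return 1
  }
  scp "$src/fullchain.pem" "$src/privkey.pem" "root@${INTERNAL_HOST}:${DEST_DIR}/"
}

case "${1:-}" in
  issue) issue_cert ;;
  push)  push_to_internal "${2:-$LIVE_DIR}" ;;
esac
```

Run it once as `./unifi-cert.sh issue` on the internet-facing VM; afterwards certbot's renewal timer triggers `push` through the deploy hook. The checks matter because a certificate/key mismatch or a missing SAN only shows up as an opaque TLS failure on the internal VM, long after the copy looked successful.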

See Certificates for servers (and VMware ESX hypervisors etc.) behind firewalls for a product to enroll public certificates for internal servers via ACME.
(Disclosure: I work for the vendor ;-))


Could the second VM reverse proxy requests under http://unifi.domain.com/.well-known/acme-challenge/ to the first VM?
