Consider the following network topology: I have a valid domain example.net, and I am using this domain as my “intranet” domain in a split-horizon config, i.e. I have an internal DNS server with all my intranet hosts, and an external one for the same domain, but without the internal hosts.
I’d like to be able to use the ACME HTTP-01 protocol on servers in my Intranet to deploy and update valid certificates for those internal machines. I’m OK with the names “leaking” through DNS and issuance logs, but I don’t want to open the internal machines to the Internet, so using HTTP-01 directly is not possible.
I can use DNS-01 for example.net with (for example) acme.sh to issue certs.
Is there a server/package/service that I could use to help deploy LE certificates to those internal machines? Ideally, there would be an ACME server I could point my internal machines to that knows how to do HTTP-01 challenges on the internal network, but use DNS-01 to issue certificates and pass them through to the actual client. Kind of an ACME proxy, so to speak.
Or is there another mechanism I could use that does not require extensive configuration on the internal machines? I do not want to use a self-signed cert or my own CA, and I want cert updates to be deployed without manual effort.
There was this post, which appears to be something like that. Although in German, apparently they have a free version for 10 servers, so IDK, maybe email the person.
The intentional design of ACME makes proxying it quite impractical, so I'm not sure quite how they managed it. At least, not without some accountkey-sharing shenanigans, which may count as "extensive configuration".
Yes, thank you, that sounds pretty much like what I’m looking for. Although I was hoping to find an open source solution.
As to how that works: the internal server appears as a standard ACME server including the HTTP-01 challenge, so internal clients simly talk to that instead of the LE server. The internal server then talks to LE to request the actual certificate as a client, using the DNS-01 challenge. Once it has received the cert, it delivers it to the client on the inside. From the viewpoint of the client, it’s receiving a cert from the proxy server, while to LE it looks like the proxy server is the client. At least that’s how I would implement it, and the product description appears to support that.
I am doing the following: One dedicated host with my ACME client on it, which talks directly to the external DNS server, so it is capable to generate any certificate for my DSN zones via fulfilling DNS-01 challenges. The certificate requests are coming from the intranet hosts to this ACME service host, the flow of the generated certificates are in the reverse direction.
I’m a little confused why you want to use ACME within your internal network (though I’m probably just not understanding quite what you’re asking). If you have a way to automate DNS updates for DNS-01 challenges, why can’t you just deploy acme.sh (or whatever other client you want) on your internal machines, and just have them manage their own challenges?
Many systems have ACME clients by now. Configuring an ACME client is much easier than setting up acme.sh (or similar) manually and integrating that with the respective system. Having an internal ACME server would make it trivial to have for example a Synology Disk Station manage its cert.
Additionally, deploying acme.sh to each and every system, including the necessary secrets to manage the DNS zone, creates a bigger surface for mistakes or worse. Limiting the DNS and cert manipulation to a single system reduces the surface, is easier to test, and can be monitored and audited much more easily.
How do the certs get requested from the hosts initially, and how are you deploying the generated certs to the machines? This is the part that I'm hoping to make easier for myself by having the hosts use an ACME client to handle all that.
Currently, I'm using custom shell scripts to push the certs via SSH, but I'd rather not have all that access into each and every machine from a central place (including sudo/root), and not all systems allow me to do that.
I am doing as well with SSH as you do. But not from the host which has the ACME service running, rather from a central server dedicated for the management of the systems.
I am not sure if this fits your needs, but we developed and open sourced an ACME client/certificate manager “Peter Sslers”. (https://github.com/aptise/peter_sslers)
It is either mit or bsd licensed. A single node is used to request and process the ACME provisioning, and other nodes in a LAN will speak to it via an API.
I recommend taking a look at pfsense. It is an open source BSD based system, it is ported with more features than you might need but you can enable only the features you want and leave the rest alone.
It is ported with "ACME Certificates" which is really acme.sh to create and renew certificates on an automated schedule. A post hook script can be created to distribute the certificates via ssh scp to all servers after each renewal...
you should consider using an altogether separate domain for this area or even multiple subdomains (one for each system/area).
In short, no overlapping certs and no overlapping credentials.
But I'm the paranoid type...
I would separate all unlike types with VLANs, firewalls, brick and mortar too (if possible).
And sometimes even the like types should be "separated"/firewalled from each other as well.
Did I mention that I'm paranoid? - LOL
There are also many companies that make low-cost hardware (single board computers less than US$200) which are aimed at pfsense and similar projects. netgate is one (i think they sponsor pfsense now); pcengines is another. it looks like soekris is out of business. those are the 3 names I can recall, but there are several companies of them.
Well, kind of open source. But if all you're going to do on it is run acme.sh and deploy certs from there, there's no need for a full-blown router distro to do it--just spin up a small VM with your preferred Linux flavor and run it there.
But though that's much simpler, it doesn't really do anything to facilitate the work flow OP's talking about, which seems like a fairly unique requirement.
