Issue Let's Encrypt certificate for server not reachable from the internet?


#1

Hello,
I have got some services running in docker containers, with an nginx reverse proxy in front of them, also running in a docker container.
Those services are internal ones, only reachable inside the company network, and from outside only over a VPN. Which means the front-facing reverse proxy, which should do the SSL termination, cannot be reached from the internet.
If I understand correctly, the automatic renewal process only supports scenarios where the server is reachable from the internet.

Is there a way to issue and update the Let’s Encrypt certificate behind a closed firewall, other than setting up a reachable host and tinker around with temporary SSH tunnels?

My domain is: otaya.cc

I ran this command:

It produced this output:

My web server is (include version): nginx 1.13.9

The operating system my web server runs on is (include version):
The latest docker image https://hub.docker.com/_/nginx/
alpine?
Running on an Ubuntu 16.04 VM, if this matters somehow.

My hosting provider, if applicable, is:
Self hosted

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


#2

Yes, use the DNS challenge.

You can use the Route53 support in Certbot, or use e.g. Lexicon with Certbot, which also features Route53 support, or Lego, a standalone ACME client that supports many providers out of the box.

pip install certbot-dns-route53
AWS_ACCESS_KEY_ID=mykey AWS_SECRET_ACCESS_KEY=mysecret \
certbot --dns-route53 --installer nginx -d otaya.cc

If you are running in Docker, then you need to consider how you are going to persist the certificates and configuration (/etc/letsencrypt if using Certbot) between container restarts, since you will hit rate limit issues otherwise. It can sometimes be smarter to move the SSL termination outside of the container, or at least into a dedicated container that deals with the problem more elegantly (such as using Caddy or other “auto TLS” proxies).
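As an added illustration of what the DNS challenge recommended above actually does, here is a pure-stdlib walk-through of the ACME dns-01 exchange (RFC 8555 §8.4). This is example code, not code from the post, Certbot, Lego or Lexicon; the account key, challenge token and zone contents are constructed placeholders, and nothing is sent to a CA or a DNS provider. It shows why the challenge works for a host that is only reachable over the VPN: the CA looks up a TXT record at `_acme-challenge.<domain>` and never needs to connect to the server itself.

```python
# Added example (not code from the forum post, Certbot, Lego or Lexicon):
# a pure-stdlib walk-through of the ACME dns-01 challenge from RFC 8555 §8.4,
# which is what the --dns-route53 plugin performs against Route53 for you.
# The account key, token and zone below are CONSTRUCTED placeholders; nothing
# here talks to a CA or a DNS provider.
import base64
import hashlib
import json
from typing import Dict, Set, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere (RFC 8555 §2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required public members only,
    lexicographically ordered, serialised with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """token '.' thumbprint(accountKey): binds the challenge to one ACME account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(domain: str, token: str, account_jwk: Dict[str, str]) -> Tuple[str, str]:
    """Name and value of the TXT record the client must publish:
    _acme-challenge.<domain> TXT base64url(SHA-256(keyAuthorization))."""
    name = f"_acme-challenge.{domain}"
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return name, b64url(digest)


def publish_dns01(zone: Dict[str, Set[str]], domain: str, token: str,
                  account_jwk: Dict[str, str]) -> Tuple[str, str]:
    """Client side. A real DNS plugin does this through the provider API
    (Route53 ChangeResourceRecordSets, for certbot-dns-route53); here the
    'zone' is an in-memory dict. TXT is a set: several values may coexist,
    e.g. when two certificates for the same name are being validated."""
    name, value = dns01_record(domain, token, account_jwk)
    zone.setdefault(name, set()).add(value)
    return name, value


def validate_dns01(zone: Dict[str, Set[str]], domain: str, token: str,
                   account_jwk: Dict[str, str]) -> bool:
    """CA side. The CA recomputes the expected value from the token and the
    account key it already holds and looks for it among the TXT values; it
    never needs to reach the host being certified, which is why this works
    for a server that is only reachable over the VPN."""
    name, expected = dns01_record(domain, token, account_jwk)
    return expected in zone.get(name, set())


# Constructed ACME account key. The coordinates are placeholders, not a
# real P-256 point; the thumbprint only needs the JSON members.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "EXAMPLE_x_coordinate_placeholder__not_a_real_key_",
    "y": "EXAMPLE_y_coordinate_placeholder__not_a_real_key_",
}
TOKEN = "constructed-challenge-token-not-issued-by-any-CA"  # the CA sends this in the challenge object
DOMAIN = "otaya.cc"


def run_challenge(domain: str = DOMAIN, token: str = TOKEN) -> Dict[str, object]:
    """Full round trip in memory: publish, validate, then clean up."""
    zone: Dict[str, Set[str]] = {"otaya.cc": {"v=spf1 -all"}}  # unrelated constructed record
    name, value = publish_dns01(zone, domain, token, ACCOUNT_JWK)
    ok = validate_dns01(zone, domain, token, ACCOUNT_JWK)
    # A stale or wrong token must not validate against the same record.
    wrong = validate_dns01(zone, domain, token + "x", ACCOUNT_JWK)
    zone[name].discard(value)  # clients remove the record once the order completes
    return {"name": name, "value": value, "valid": ok, "wrong_token_valid": wrong,
            "cleaned": not zone.get(name)}


if __name__ == "__main__":
    print(json.dumps(run_challenge(), indent=2))
```

Two practical consequences follow from the exchange. The only credential the client needs is the DNS provider's API key, so scope that key (the Route53 IAM policy in the command above) to TXT changes on the `_acme-challenge` names rather than the whole zone. And because Let's Encrypt logs every issued certificate to Certificate Transparency, the internal hostname becomes publicly visible even though the host itself stays behind the VPN; if that matters, issue for a less descriptive name or a wildcard.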


#3

Thanks _az,
I will dig through your suggestions and hope for the best 🙂


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.