Issue Let's Encrypt certificate for server not reachable from the internet?

a5s_s7r · February 26, 2018, 11:14am

Hello,
I have got some services running in docker containers, which an nginx reverse proxy in front of it, also running in a docker container.
Those services are internal once. Only reachable inside the company network, from outside only over a VPN. Which means, the front facing reverse proxy, which should do the SSL termination can not be reached from the internet.
If I understand correctly, the automatically renewal process only supports scenarios, where the server is reachable from the internet.

Is there a way to issue and update the Let’s Encrypt certificate behind a closed firewall, other than setting up a reachable host and tinker around with temporary SSH tunnels?

My domain is: otaya.cc

I ran this command:

It produced this output:

My web server is (include version): nginx 1.13.9

The operating system my web server runs on is (include version):
The latest docker image https://hub.docker.com/_/nginx/
alpine?
Running on a Ubunut 16.04 VM, if this matters somehow.

My hosting provider, if applicable, is:
Self hosted

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

_az · February 26, 2018, 11:27am

Yes, use the DNS challenge.

You can use the Route53 support in Certbot, or use e.g. Lexicon with Certbot, which also features Route53 support, or Lego, a standalone ACME client that supports many providers out of the box.

pip install certbot-dns-route53
AWS_ACCESS_KEY_ID=mykey AWS_SECRET_ACCESS_KEY=mysecret \
certbot --dns-route53 --installer nginx -d otaya.cc

If you are running in Docker, then you need to consider how you are going to persist the certificates and configuration (/etc/letsencrypt if using Certbot) between container restarts, since you will hit rate limit issues otherwise. It can sometimes be smarter to move the SSL termination outside of the container, or at least into a dedicated container that deals with the problem more elegantly (such as using Caddy or other "auto TLS" proxies).

a5s_s7r · February 26, 2018, 11:57am

Thaks _az,
I will dig through your suggestions and hope for the best

system · March 28, 2018, 11:57am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Letsencrypt renewals for separate server Issuance Tech	3	2245	July 24, 2016
How can I run certbot behind nginx proxy [within Docker] Help	18	5111	November 1, 2022
Docker container with nginx reverse proxy and letsencrypt proxy to other vms Help	5	3749	January 20, 2019
Certbot renew request through nginx reverse proxy Help	5	1155	June 29, 2022
Best way to Certbot-renew a certificate in a locked-down system Help	25	2531	April 3, 2023

Issue Let's Encrypt certificate for server not reachable from the internet?

I ran this command:

It produced this output:

Related topics