Let's Encrypt on its own server --manual


#1

I have Let's Encrypt running on Ubuntu 14 LTS in my DMZ. I have around 20 servers I want to issue HTTPS certificates for, which isn't a problem even though it's running on a dedicated machine.
I just use the --manual flag: ./letsencrypt-auto certonly -d mydomain.mydomain.com --manual
This works fine; I copy the code to my server to verify and a cron job copies the certificates.

I just tried to renew a certificate with: ./letsencrypt-auto renew --dry-run --manual-public-ip-logging-ok
but it is asking me to copy a new code to my server for verification.

Why can't it use the old code to verify against?
Surely if I no longer owned the domain the old code wouldn't be there.


#2

Yes, each time you issue/renew a cert, the domain must be verified again.


#3

But why can't it be verified using the same code I had to put in the webroot for its issue?


#4

It is required by CA-Browser.
You must verify your ownership of the domain.


#5

I get that, but why does the verification code need to change? If I still own the domain, it will point to a server and still be able to access the same code. If I no longer own it, it wouldn't be able to access it.

Am I missing something?
Is there another way around this?


#6

CA/B Baseline Requirements require a random component as part of the domain validation procedure. Keeping the same token permanently wouldn’t really be random.

Could you describe your environment with some more details? There’s probably a way to automate this, but it would depend on the specifics of your environment (server software, network layout, etc.)


#7

My DMZ is hosted in a VPC inside AWS; Let's Encrypt is running on a t2.nano instance and can connect to all other servers. I have around 20 servers running Amazon Linux 2015/16, which Let's Encrypt won't run on.
This is the reason for it being on Ubuntu 14 LTS; it also makes it easier to manage, as some of these servers work in a load balancer.
A couple of the servers have Apache VHosts and 2 or 3 are IIS, but they're not too important.

At the moment I use --manual and copy the code to the servers, and the certificates are pulled by the servers via cron each night or when a new Auto Scaling instance is created. This works without a problem; it's just the renewals.

I have too many servers to manually renew them all every 3 months.


#8

Here’s what I would do:

  • Your validation server, let’s call it validation.example.com, is where you’ll run the client.
  • All other web servers are configured to redirect all requests for http://server01.example.com/.well-known/acme-challenge/* to http://validation.example.com/.well-known/acme-challenge/* using an HTTP 301 redirect. This is fairly simple with a RewriteRule (and I'm sure there's some equivalent for IIS).
  • When it’s time to issue a certificate for e.g. server01.example.com, you run the client on your validation server in standalone mode using --standalone-supported-challenges http-01 (webroot would work too, if you want to use dedicated web server software on that host).
  • The CA server will first request http://server01.example.com/.well-known/acme-challenge/{token}, receive a 301 redirect in response and follow the link to http://server01.example.com/.well-known/acme-challenge/{token}. The client will take care of serving the challenge token, and you get your certificate.
  • Renewal should be as simple as ./letsencrypt-auto renew. You can use the --renew-hook argument if you want to automate copying the certificates and keys to your other servers as well.
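
The redirect-based flow described in this post, modelled locally as an added example (not code from the thread or from the Let's Encrypt client): two throwaway HTTP servers on 127.0.0.1 stand in for server01.example.com and validation.example.com, the token and key authorization strings are constructed for the demo, and urllib plays the CA's validator, which follows the 301 the same way an ACME validator does. It also checks that only the /.well-known/acme-challenge/ path is redirected, so the rest of server01's site is served as before.

```python
"""Local model of the redirect-based HTTP-01 setup from the post above.

Added example, not code from the thread or the Let's Encrypt project.
Roles: 'server01' only redirects ACME challenge requests; 'validation'
answers them (what the client's standalone mode does); urllib is the
CA validator. Hostnames are replaced by 127.0.0.1 ports for the demo.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample values; a real ACME client generates these per order.
DEMO_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
DEMO_KEY_AUTHZ = DEMO_TOKEN + ".nP1qzpXGymHBrUEepNY9HCsQk7K8KhOypzEt62jcerQ"


def make_redirect_handler(validation_base_url):
    """'server01' role: 301-redirect only the challenge path to the
    validation host; any other path is handled locally (404 in this demo)."""

    class RedirectHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path.startswith(CHALLENGE_PREFIX):
                self.send_response(301)
                self.send_header("Location", validation_base_url + self.path)
                self.end_headers()
            else:
                self.send_error(404)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return RedirectHandler


def make_challenge_handler(responses):
    """'validation' role: serve the key authorization for a known token."""

    class ChallengeHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            token = self.path[len(CHALLENGE_PREFIX):]
            if self.path.startswith(CHALLENGE_PREFIX) and token in responses:
                body = responses[token].encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                self.send_error(404)

        def log_message(self, *args):
            pass

    return ChallengeHandler


def start_server(handler_cls):
    """Bind to an ephemeral localhost port and serve in a daemon thread."""
    httpd = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def fetch_challenge(server_base_url, token):
    """Play the CA validator: ask the origin server for the token.
    urlopen follows the 301 to the validation host automatically."""
    with urlopen(server_base_url + CHALLENGE_PREFIX + token, timeout=5) as resp:
        return resp.read().decode()


def run_demo():
    """Stand up both roles, validate through the redirect, and confirm the
    redirect rule is scoped to the challenge path only."""
    validation = start_server(make_challenge_handler({DEMO_TOKEN: DEMO_KEY_AUTHZ}))
    validation_url = "http://127.0.0.1:%d" % validation.server_address[1]
    server01 = start_server(make_redirect_handler(validation_url))
    server01_url = "http://127.0.0.1:%d" % server01.server_address[1]
    try:
        served = fetch_challenge(server01_url, DEMO_TOKEN)
        try:
            urlopen(server01_url + "/index.html", timeout=5)
            other_status = 200
        except HTTPError as e:
            other_status = e.code  # served locally by server01, not redirected
        return {"challenge_ok": served == DEMO_KEY_AUTHZ,
                "other_path_status": other_status}
    finally:
        for httpd in (server01, validation):
            httpd.shutdown()
            httpd.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Running it prints that the key authorization arrived intact through the redirect and that an unrelated path on server01 never left that host. The scoping to /.well-known/acme-challenge/ is the property the production RewriteRule should enforce as well, so that only challenge traffic is handed to the validation host.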

#9

Brilliant; thanks, I will give that a go.
