Letsencrypt “bastion” server

All servers in my workplace have egress blocked. Is it possible to have a bastion Letsencrypt server for cases like these? Which approach is the simplest, recommended one? TIA!

Apart from the obvious (set up an HTTP proxy), there was this interesting product posted last year: Certificates for servers (and VMware ESX hypervisors etc.) behind firewalls. Might be worth a look.


@Fastidious Hello!
The short answer is yes, if you have a domain name. DNS would be a good method to prove your control and/or ownership over the domain. Your “bastion” server could obtain a wildcard certificate and distribute copies of the certificate to the rest of the servers via your own scripts.
How this is accomplished is another matter based on your operating system of choice and client chosen to obtain the certificate(s), etc.

Look at some of the options available here…

And consider the ACME client …

Much depends on your DNS provider and how your DNS records are configured.
Lots more info is required from you to be able to say much more than “Yeah, it can be done”.

BTW, @_az's suggestion is how I have chosen to do it (with an ACME client). :upside_down_face:
Hope this helps.
Rip

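The "distribute copies via your own scripts" step from the post above, as an added example (not code from the thread or from any ACME client). It is written as a certbot deploy hook: certbot exports RENEWED_LINEAGE (the live/ directory of the renewed cert) to such a hook, and the script pushes fullchain.pem and privkey.pem to each internal host over ssh/scp, installs them with root-only permissions on the key, and runs a per-host reload command. The inventory format, the host names, the ACME_INVENTORY variable and the deploy user are assumptions for the example. Hosts whose deployed chain already matches the renewed one (compared by SHA-256 of the PEM) are skipped, so a hook that fires for an unchanged cert does not reload every service. Note what this design implies: the wildcard private key ends up on every target, so compromise of any one of them exposes a cert valid for the whole domain, and the bastion's SSH key can write into each host's TLS directory; restrict that key (forced command, no shell) and consider per-host certificates if the blast radius matters. The bastion itself still needs egress to the ACME API and to the DNS provider's API, which is exactly the point raised in the next reply.

```python
#!/usr/bin/env python3
"""Deploy hook for a "bastion" ACME host: push a renewed certificate to
internal servers over SSH and reload their services.

Added example, not from the forum thread. Assumes certbot's deploy-hook
environment (RENEWED_LINEAGE) and an inventory file of the hypothetical
format shown in SAMPLE_INVENTORY. Transport is plain ssh/scp with
BatchMode, so the bastion's SSH key must already be authorised on each host
and the deploy user must be allowed to run install/reload via sudo."""
import hashlib
import os
import shlex
import subprocess
import sys
from dataclasses import dataclass
from pathlib import Path

# Constructed sample inventory (assumed format): host, ssh user, dest dir, reload cmd.
SAMPLE_INVENTORY = """\
# host             user    dest_dir           reload_cmd
web1.corp.example  deploy  /etc/ssl/corp      sudo systemctl reload nginx
mail.corp.example  deploy  /etc/postfix/tls   sudo systemctl reload postfix
"""


@dataclass(frozen=True)
class Target:
    host: str
    user: str
    dest_dir: str
    reload_cmd: str


def load_inventory(text: str) -> list[Target]:
    """Parse the inventory; blank lines and '#' comments are ignored."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, user, dest_dir, *reload = line.split()
        targets.append(Target(host, user, dest_dir, " ".join(reload)))
    return targets


def fingerprint(pem: bytes) -> str:
    """SHA-256 of the PEM bytes; used to skip hosts that already have this cert."""
    return hashlib.sha256(pem).hexdigest()


def remote_fingerprint_cmd(t: Target) -> list[str]:
    """ssh argv that prints the SHA-256 of the chain currently deployed on the host."""
    path = shlex.quote(t.dest_dir + "/fullchain.pem")
    return ["ssh", "-o", "BatchMode=yes", f"{t.user}@{t.host}",
            f"sha256sum {path} 2>/dev/null | cut -d' ' -f1"]


def push_commands(t: Target, lineage: Path) -> list[list[str]]:
    """argv lists that stage chain+key in the deploy user's home, install them
    (chain 0644, private key 0600, both root-owned), clean up, then reload."""
    ssh = ["ssh", "-o", "BatchMode=yes", f"{t.user}@{t.host}"]
    stage = f"acme-stage-{os.getpid()}"          # relative to the remote $HOME
    dest = shlex.quote(t.dest_dir)
    install = (
        f"set -e; sudo install -d -m 0755 {dest}; "
        f"sudo install -m 0644 -o root -g root {stage}.crt {dest}/fullchain.pem; "
        f"sudo install -m 0600 -o root -g root {stage}.key {dest}/privkey.pem; "
        f"rm -f {stage}.crt {stage}.key; {t.reload_cmd}"
    )
    return [
        ["scp", "-o", "BatchMode=yes", str(lineage / "fullchain.pem"),
         f"{t.user}@{t.host}:{stage}.crt"],
        ["scp", "-o", "BatchMode=yes", str(lineage / "privkey.pem"),
         f"{t.user}@{t.host}:{stage}.key"],
        ssh + [install],
    ]


def plan(targets: list[Target], lineage: Path, remote_fp_of) -> dict[str, list[list[str]]]:
    """Commands each host needs. remote_fp_of(target) returns the fingerprint
    currently deployed there ('' if none); matching hosts are left alone."""
    local_fp = fingerprint((lineage / "fullchain.pem").read_bytes())
    return {t.host: push_commands(t, lineage)
            for t in targets if remote_fp_of(t) != local_fp}


def run_remote_fp(t: Target) -> str:
    r = subprocess.run(remote_fingerprint_cmd(t), capture_output=True, text=True)
    return r.stdout.strip()


def main() -> int:
    lineage = Path(os.environ.get("RENEWED_LINEAGE", "/etc/letsencrypt/live/corp.example"))
    inventory = Path(os.environ.get("ACME_INVENTORY", "/etc/letsencrypt/inventory.txt"))
    dry_run = "--dry-run" in sys.argv
    for host, cmds in plan(load_inventory(inventory.read_text()), lineage, run_remote_fp).items():
        for cmd in cmds:
            print(f"[{host}] {' '.join(shlex.quote(c) for c in cmd)}")
            if not dry_run:
                subprocess.run(cmd, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Wire it in with `certbot renew --deploy-hook /path/to/this.py` (or drop it in `renewal-hooks/deploy/`); run it once by hand with `--dry-run` to see the exact ssh/scp commands before letting it touch production hosts. Because the reload command comes from the inventory and is executed remotely as the deploy user, keep that file root-owned and writable only by root on the bastion.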

@Fastidious - I find the question interesting – what do you mean by a bastion server? If egress is blocked from all servers, should the machine running the Let’s Encrypt client be allowed to communicate?

If so, how do you deal with the change?

We use Azure Bastion (which is likely not the bastion you are referring to) quite a bit, so I am trying to figure out what your architecture / approach is.

Because the suggested approaches above negate the need for an egress block rule.

If a proxy is allowed outside comms then why wouldn’t all the servers use it?

Andrei

